Analysis Overview
SHA256
239c93b0a44ce8723f181a2ec6d17e9fd9516c17241d8f5b2b0212c6d56a9eb2
Threat Level: Known bad
The file b5237a3f0b1db945c1fe3f9ba71e3ff2.exe was found to be: Known bad.
Malicious Activity Summary
SystemBC
SmokeLoader
RedLine
Phobos
Renames multiple (371) files with added filename extension
Deletes shadow copies
Modifies boot configuration data using bcdedit
Downloads MZ/PE file
Blocklisted process makes network request
Modifies Windows Firewall
Deletes backup catalog
Drops startup file
Reads user/profile data of web browsers
Executes dropped EXE
Drops desktop.ini file(s)
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Accesses Microsoft Outlook profiles
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops file in Program Files directory
Unsigned PE
Program crash
outlook_office_path
Checks SCSI registry key(s)
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
outlook_win_path
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Interacts with shadow copies
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-06-26 13:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-06-26 13:44
Reported
2023-06-26 13:46
Platform
win7-20230621-en
Max time kernel
31s
Max time network
34s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2040 wrote to memory of 1992 | N/A | C:\Users\Admin\AppData\Local\Temp\b5237a3f0b1db945c1fe3f9ba71e3ff2.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2040 wrote to memory of 1992 | N/A | C:\Users\Admin\AppData\Local\Temp\b5237a3f0b1db945c1fe3f9ba71e3ff2.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2040 wrote to memory of 1992 | N/A | C:\Users\Admin\AppData\Local\Temp\b5237a3f0b1db945c1fe3f9ba71e3ff2.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2040 wrote to memory of 1992 | N/A | C:\Users\Admin\AppData\Local\Temp\b5237a3f0b1db945c1fe3f9ba71e3ff2.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b5237a3f0b1db945c1fe3f9ba71e3ff2.exe
"C:\Users\Admin\AppData\Local\Temp\b5237a3f0b1db945c1fe3f9ba71e3ff2.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Network
Files
memory/2040-54-0x0000000001040000-0x0000000001098000-memory.dmp
memory/2040-55-0x0000000004E10000-0x0000000004E50000-memory.dmp
memory/1992-58-0x00000000021B0000-0x00000000021F0000-memory.dmp
memory/2040-59-0x0000000004E10000-0x0000000004E50000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-06-26 13:44
Reported
2023-06-26 13:46
Platform
win10v2004-20230621-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Phobos
RedLine
SmokeLoader
SystemBC
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Renames multiple (371) files with added filename extension
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Deletes backup catalog
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\809A.exe | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\s777mx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8231.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\809A = "C:\\Users\\Admin\\AppData\\Local\\809A.exe" | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\809A = "C:\\Users\\Admin\\AppData\\Local\\809A.exe" | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-2177513644-1903222820-241662473-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-2177513644-1903222820-241662473-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File opened for modification | C:\Program Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3968 set thread context of 1140 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
| PID 920 set thread context of 3904 | N/A | C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe | C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Core.NetFX35.V7.dll | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-runtime-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\resources.pri | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ChakraBridge.dll | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-48_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.views.nl_ja_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\notetagsUI\main.js | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\LightTheme.acrotheme | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPHandle.png | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File created | C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe.id[EC1FEA35-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\APASixthEditionOfficeOnline.xsl.id[EC1FEA35-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-white\WideTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-gb\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\es-ES\msdaprsr.dll.mui | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome.exe.sig.id[EC1FEA35-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderSplashScreen.contrast-black_scale-200.png | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\Doughboy.scale-400.png | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\offline\offlineUtilities.js | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubBadgeLogo.scale-100_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-core-kit.jar.id[EC1FEA35-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ul-oob.xrm-ms.id[EC1FEA35-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.AnalysisServices.AdomdClientUI.dll | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\index.win32.bundle | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\FPLACE.DLL.id[EC1FEA35-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SyncFusion.Grid.Grouping.Windows.dll | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\demux\libes_plugin.dll | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_cs.json | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarBadge.scale-100.png | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity.png.id[EC1FEA35-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\as90.xsl | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.scale-150.png | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\OrientationControlOuterCircle.png | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File created | C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe.id[EC1FEA35-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\CERTINTL.DLL | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-125_8wekyb3d8bbwe\resources.pri | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\SmallTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSplashLogo.scale-100.png | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-80_altform-unplated_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageSmallTile.scale-400_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageMedTile.scale-125_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\search_emptystate.png | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\data\en-us\RetailDemoData.json | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_folder-focus_32.svg | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ARIALNB.TTF.id[EC1FEA35-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-core-synch-l1-2-0.dll | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\lua\http\images\Other-48.png.id[EC1FEA35-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\69.png | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File opened for modification | C:\Program Files\ImportRequest.potx | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_K_COL.HXK | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\GameBar_AppList.targetsize-24_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\tr-tr\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-uihandler.jar.id[EC1FEA35-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Layout.dll.id[EC1FEA35-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\sr-cyrl-cs\mso.acl | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-ul-oob.xrm-ms.id[EC1FEA35-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraWinStatusBar.v11.1.dll.id[EC1FEA35-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreBadgeLogo.scale-200.png | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubMedTile.scale-100.png | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\core_icons_retina.png | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui_3.106.0.v20140812-1751.jar | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiling_ja.jar.id[EC1FEA35-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
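The "File created" rows above show the encryptor's naming scheme, `<original>.id[<victim id>].[<contact>].<extension>`, which is also what the "Renames multiple (371) files with added filename extension" signature counts. The parser below is an added example, not part of the sandbox report: it pulls the original path, victim ID, contact address and appended extension out of a directory listing so a responder can confirm the campaign ID and count what was renamed. The listing is constructed from paths in the report; the contact address is a placeholder, since the report's address is redacted on this page.

```python
# Added example (not from the sandbox report): parse Phobos-style encrypted
# file names "<original>.id[<victim id>].[<contact>].<extension>" and
# summarise a directory listing. Sample listing is constructed; the contact
# address is a placeholder (the real one is redacted on the page).
import ntpath
import re
from collections import Counter

# Victim ID in the report is 8 hex characters, a dash and 4 digits.
RANSOM_NAME = re.compile(
    r"^(?P<original>.+?)\.id\[(?P<victim>[0-9A-Fa-f]{8}-\d{4})\]"
    r"\.\[(?P<contact>[^\]]+)\]\.(?P<ext>[A-Za-z0-9]+)$")


def parse_ransom_name(path: str):
    """Return original path, victim id, contact and appended extension for a
    renamed file, or None when the name does not follow the pattern."""
    m = RANSOM_NAME.match(path)
    if not m:
        return None
    d = m.groupdict()
    # ntpath handles the backslash separators of a Windows listing on any host.
    d["original_ext"] = ntpath.splitext(d["original"])[1].lower()
    return d


def summarize(paths):
    """Count renamed files and collect the victim ids, contacts and appended
    extensions seen, plus a histogram of the original file types."""
    parsed = [p for p in (parse_ransom_name(x) for x in paths) if p]
    return {
        "encrypted": len(parsed),
        "victims": sorted({p["victim"] for p in parsed}),
        "contacts": sorted({p["contact"] for p in parsed}),
        "extensions": sorted({p["ext"] for p in parsed}),
        "by_original_ext": dict(Counter(p["original_ext"] for p in parsed)),
    }


CONTACT = "contact@example.invalid"  # placeholder, not the address from the report
# Constructed listing: four renamed files from the report plus two untouched ones.
SAMPLE_LISTING = [
    rf"C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe.id[EC1FEA35-3483].[{CONTACT}].8base",
    rf"C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\APASixthEditionOfficeOnline.xsl.id[EC1FEA35-3483].[{CONTACT}].8base",
    rf"C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome.exe.sig.id[EC1FEA35-3483].[{CONTACT}].8base",
    rf"C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ARIALNB.TTF.id[EC1FEA35-3483].[{CONTACT}].8base",
    r"C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe",
    r"C:\Program Files\desktop.ini",
]

if __name__ == "__main__":
    for path in SAMPLE_LISTING:
        print(parse_ransom_name(path))
    print(summarize(SAMPLE_LISTING))
```

Feed it the output of a recursive listing of the affected volumes; a single victim ID across all hits means one campaign, and the `by_original_ext` histogram shows which file types the encryptor actually touched versus those it only opened.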
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\809A.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\8231.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\System32\vds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\vds.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | C:\Windows\System32\vds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\vds.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\809A.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 (LUID 34 = SeTimeZonePrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 (LUID 35 = SeCreateSymbolicLinkPrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 (LUID 36 = SeDelegateSessionUserImpersonatePrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 (LUID 34 = SeTimeZonePrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 (LUID 35 = SeCreateSymbolicLinkPrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 (LUID 36 = SeDelegateSessionUserImpersonatePrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\b5237a3f0b1db945c1fe3f9ba71e3ff2.exe
"C:\Users\Admin\AppData\Local\Temp\b5237a3f0b1db945c1fe3f9ba71e3ff2.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe
"C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe"
C:\Users\Admin\AppData\Local\Temp\s777mx.exe
"C:\Users\Admin\AppData\Local\Temp\s777mx.exe"
C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe
"C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe"
C:\Users\Admin\AppData\Local\Temp\809A.exe
C:\Users\Admin\AppData\Local\Temp\809A.exe
C:\Users\Admin\AppData\Local\Temp\8231.exe
C:\Users\Admin\AppData\Local\Temp\8231.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Local\Temp\809A.exe
"C:\Users\Admin\AppData\Local\Temp\809A.exe"
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4412 -ip 4412
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 468
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1364 -ip 1364
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 724
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 254.111.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.121.24.20.in-addr.arpa | udp |
| RU | 91.215.85.210:49189 | 91.215.85.210 | tcp |
| US | 8.8.8.8:53 | 210.85.215.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dexstat255.xyz | udp |
| DE | 185.234.72.142:46578 | dexstat255.xyz | tcp |
| US | 8.8.8.8:53 | 142.72.234.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sentrex37.xyz | udp |
| DE | 5.182.207.8:80 | sentrex37.xyz | tcp |
| US | 8.8.8.8:53 | 8.207.182.5.in-addr.arpa | udp |
| US | 52.168.117.170:443 | | tcp |
| US | 192.229.221.95:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| GB | 96.16.110.41:443 | | tcp |
| US | 8.8.8.8:53 | 44.8.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | serverlogs37.xyz | udp |
| US | 8.8.8.8:53 | servblog757.xyz | udp |
| DE | 45.89.127.159:80 | servblog757.xyz | tcp |
| US | 8.8.8.8:53 | admhexlogs25.xyz | udp |
| EE | 159.253.18.136:80 | admhexlogs25.xyz | tcp |
| US | 8.8.8.8:53 | 159.127.89.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.18.253.159.in-addr.arpa | udp |
| DE | 45.89.127.159:80 | servblog757.xyz | tcp |
Files
memory/3396-133-0x0000000000190000-0x00000000001E8000-memory.dmp
memory/3396-134-0x0000000005140000-0x00000000056E4000-memory.dmp
memory/3396-135-0x0000000004C30000-0x0000000004CC2000-memory.dmp
memory/3396-136-0x0000000004B50000-0x0000000004B72000-memory.dmp
memory/3396-137-0x0000000004BF0000-0x0000000004BFA000-memory.dmp
memory/3968-138-0x0000000000BF0000-0x0000000000C26000-memory.dmp
memory/3396-139-0x0000000004E70000-0x0000000004E80000-memory.dmp
memory/3968-140-0x0000000004A80000-0x0000000004A90000-memory.dmp
memory/3968-141-0x0000000004A80000-0x0000000004A90000-memory.dmp
memory/3968-142-0x00000000050C0000-0x00000000056E8000-memory.dmp
memory/3968-143-0x0000000004D50000-0x0000000004DB6000-memory.dmp
memory/3968-144-0x0000000004DC0000-0x0000000004E26000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ngbubqwh.bsv.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3968-154-0x0000000005C50000-0x0000000005C6E000-memory.dmp
memory/3968-155-0x0000000006040000-0x0000000006084000-memory.dmp
memory/3968-156-0x0000000007070000-0x00000000070E6000-memory.dmp
memory/3968-157-0x0000000004A80000-0x0000000004A90000-memory.dmp
memory/3968-158-0x0000000007770000-0x0000000007DEA000-memory.dmp
memory/3968-159-0x0000000006290000-0x00000000062AA000-memory.dmp
memory/3968-160-0x0000000004A80000-0x0000000004A90000-memory.dmp
memory/3968-161-0x00000000076C0000-0x00000000076E2000-memory.dmp
memory/3968-162-0x0000000004A80000-0x0000000004A90000-memory.dmp
memory/3968-163-0x0000000004A80000-0x0000000004A90000-memory.dmp
memory/1140-164-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1140-165-0x000000001D630000-0x000000001DC48000-memory.dmp
memory/1140-166-0x000000001D160000-0x000000001D26A000-memory.dmp
memory/1140-167-0x000000001D090000-0x000000001D0A2000-memory.dmp
memory/1140-168-0x000000001D0F0000-0x000000001D12C000-memory.dmp
memory/3968-169-0x0000000004A80000-0x0000000004A90000-memory.dmp
memory/1140-170-0x0000000015810000-0x0000000015820000-memory.dmp
memory/3968-171-0x0000000004A80000-0x0000000004A90000-memory.dmp
memory/1140-173-0x000000001E110000-0x000000001E160000-memory.dmp
memory/1140-174-0x000000001F730000-0x000000001F8F2000-memory.dmp
memory/1140-175-0x000000001FE30000-0x000000002035C000-memory.dmp
memory/1140-176-0x0000000015810000-0x0000000015820000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe
| MD5 | 9d8a3dd432e255ebb2e890d2a0653ddb |
| SHA1 | 0e5741c323e7c35671333863492743ae0c64f64b |
| SHA256 | 6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27 |
| SHA512 | 758efb868176e8179256920f3663a77f8cb47ddfe3ad99a59038392cae0f5daea5fbbb3da85cf65559f6b4c6834db647b43b9544494d1085c49070da62e7da96 |
C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe
| MD5 | 9d8a3dd432e255ebb2e890d2a0653ddb |
| SHA1 | 0e5741c323e7c35671333863492743ae0c64f64b |
| SHA256 | 6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27 |
| SHA512 | 758efb868176e8179256920f3663a77f8cb47ddfe3ad99a59038392cae0f5daea5fbbb3da85cf65559f6b4c6834db647b43b9544494d1085c49070da62e7da96 |
C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe
| MD5 | 9d8a3dd432e255ebb2e890d2a0653ddb |
| SHA1 | 0e5741c323e7c35671333863492743ae0c64f64b |
| SHA256 | 6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27 |
| SHA512 | 758efb868176e8179256920f3663a77f8cb47ddfe3ad99a59038392cae0f5daea5fbbb3da85cf65559f6b4c6834db647b43b9544494d1085c49070da62e7da96 |
C:\Users\Admin\AppData\Local\Temp\s777mx.exe
| MD5 | 8d7ebe871589d79f195f240dcef43a57 |
| SHA1 | f5315edc9bfeb6f37c9df6ad1f10cb3363412d96 |
| SHA256 | 19397c6dce459330095edc72759d1e79e26f1e12f013cdaee6dbdb90d65aaae8 |
| SHA512 | 244be66bb480d320ef6d5cbfcd21e526a53726397c1fc4b512935bc50039b0bb773e3f12fd53910d3da9e69ebb8e3fd1a56d22d2fcb2e090c93c9759cdc497cd |
C:\Users\Admin\AppData\Local\Temp\s777mx.exe
| MD5 | 8d7ebe871589d79f195f240dcef43a57 |
| SHA1 | f5315edc9bfeb6f37c9df6ad1f10cb3363412d96 |
| SHA256 | 19397c6dce459330095edc72759d1e79e26f1e12f013cdaee6dbdb90d65aaae8 |
| SHA512 | 244be66bb480d320ef6d5cbfcd21e526a53726397c1fc4b512935bc50039b0bb773e3f12fd53910d3da9e69ebb8e3fd1a56d22d2fcb2e090c93c9759cdc497cd |
C:\Users\Admin\AppData\Local\Temp\s777mx.exe
| MD5 | 8d7ebe871589d79f195f240dcef43a57 |
| SHA1 | f5315edc9bfeb6f37c9df6ad1f10cb3363412d96 |
| SHA256 | 19397c6dce459330095edc72759d1e79e26f1e12f013cdaee6dbdb90d65aaae8 |
| SHA512 | 244be66bb480d320ef6d5cbfcd21e526a53726397c1fc4b512935bc50039b0bb773e3f12fd53910d3da9e69ebb8e3fd1a56d22d2fcb2e090c93c9759cdc497cd |
memory/3904-203-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe
| MD5 | 9d8a3dd432e255ebb2e890d2a0653ddb |
| SHA1 | 0e5741c323e7c35671333863492743ae0c64f64b |
| SHA256 | 6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27 |
| SHA512 | 758efb868176e8179256920f3663a77f8cb47ddfe3ad99a59038392cae0f5daea5fbbb3da85cf65559f6b4c6834db647b43b9544494d1085c49070da62e7da96 |
memory/920-205-0x0000000001BC0000-0x0000000001BC9000-memory.dmp
memory/3052-207-0x0000000001CB0000-0x0000000001CB5000-memory.dmp
memory/3904-208-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3904-211-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3116-210-0x0000000002DE0000-0x0000000002DF6000-memory.dmp
memory/3052-215-0x0000000000400000-0x0000000001B38000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\809A.exe
| MD5 | 0f281d2506515a64082d6e774573afb7 |
| SHA1 | 8949f27465913bf475fceb5796b205429083df58 |
| SHA256 | 2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb |
| SHA512 | f4ddb22c7dec04ca862d3df88e285025e02c185dbb2c061e9d0092ba3e8e8e083ca55612aae6b2d5792038729c55c0eaf193048991c0b06c8639a52017102622 |
C:\Users\Admin\AppData\Local\Temp\809A.exe
| MD5 | 0f281d2506515a64082d6e774573afb7 |
| SHA1 | 8949f27465913bf475fceb5796b205429083df58 |
| SHA256 | 2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb |
| SHA512 | f4ddb22c7dec04ca862d3df88e285025e02c185dbb2c061e9d0092ba3e8e8e083ca55612aae6b2d5792038729c55c0eaf193048991c0b06c8639a52017102622 |
C:\Users\Admin\AppData\Local\Temp\8231.exe
| MD5 | 8d7ebe871589d79f195f240dcef43a57 |
| SHA1 | f5315edc9bfeb6f37c9df6ad1f10cb3363412d96 |
| SHA256 | 19397c6dce459330095edc72759d1e79e26f1e12f013cdaee6dbdb90d65aaae8 |
| SHA512 | 244be66bb480d320ef6d5cbfcd21e526a53726397c1fc4b512935bc50039b0bb773e3f12fd53910d3da9e69ebb8e3fd1a56d22d2fcb2e090c93c9759cdc497cd |
C:\Users\Admin\AppData\Local\Temp\8231.exe
| MD5 | 8d7ebe871589d79f195f240dcef43a57 |
| SHA1 | f5315edc9bfeb6f37c9df6ad1f10cb3363412d96 |
| SHA256 | 19397c6dce459330095edc72759d1e79e26f1e12f013cdaee6dbdb90d65aaae8 |
| SHA512 | 244be66bb480d320ef6d5cbfcd21e526a53726397c1fc4b512935bc50039b0bb773e3f12fd53910d3da9e69ebb8e3fd1a56d22d2fcb2e090c93c9759cdc497cd |
C:\Users\Admin\AppData\Local\Temp\809A.exe
| MD5 | 0f281d2506515a64082d6e774573afb7 |
| SHA1 | 8949f27465913bf475fceb5796b205429083df58 |
| SHA256 | 2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb |
| SHA512 | f4ddb22c7dec04ca862d3df88e285025e02c185dbb2c061e9d0092ba3e8e8e083ca55612aae6b2d5792038729c55c0eaf193048991c0b06c8639a52017102622 |
memory/2540-236-0x0000000000720000-0x000000000072F000-memory.dmp
memory/2264-235-0x0000000000D90000-0x0000000000DFB000-memory.dmp
memory/2264-237-0x0000000000E00000-0x0000000000E75000-memory.dmp
memory/2264-238-0x0000000000D90000-0x0000000000DFB000-memory.dmp
memory/2660-240-0x0000000000330000-0x000000000033C000-memory.dmp
memory/2660-244-0x0000000000330000-0x000000000033C000-memory.dmp
memory/2264-260-0x0000000000D90000-0x0000000000DFB000-memory.dmp
memory/3260-261-0x0000000000170000-0x0000000000179000-memory.dmp
memory/3260-262-0x0000000000180000-0x0000000000184000-memory.dmp
memory/3260-263-0x0000000000170000-0x0000000000179000-memory.dmp
memory/4412-264-0x0000000000400000-0x0000000000695000-memory.dmp
memory/3208-265-0x0000000000930000-0x000000000093B000-memory.dmp
memory/3208-266-0x0000000000930000-0x000000000093B000-memory.dmp
memory/4936-267-0x0000000000370000-0x000000000037B000-memory.dmp
memory/4936-268-0x0000000000380000-0x0000000000387000-memory.dmp
memory/4936-269-0x0000000000370000-0x000000000037B000-memory.dmp
memory/2168-270-0x0000000000310000-0x000000000031F000-memory.dmp
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\809A.exe
| MD5 | 0f281d2506515a64082d6e774573afb7 |
| SHA1 | 8949f27465913bf475fceb5796b205429083df58 |
| SHA256 | 2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb |
| SHA512 | f4ddb22c7dec04ca862d3df88e285025e02c185dbb2c061e9d0092ba3e8e8e083ca55612aae6b2d5792038729c55c0eaf193048991c0b06c8639a52017102622 |
memory/2168-307-0x0000000000310000-0x000000000031F000-memory.dmp
memory/2168-293-0x0000000000320000-0x0000000000329000-memory.dmp
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[EC1FEA35-3483].[[email protected]].8base
| MD5 | 02f3ba42ef35ccaacb201eb0eac399d5 |
| SHA1 | 89123a0480d270c558dcafdf8bcb237b91f4cff5 |
| SHA256 | b7817f4af379fa1dc543da21f96c069bd17008e045e193ceedab157d29e586b5 |
| SHA512 | e1a2935b6aaf00cf4bd640f9ee470bf42624c1c6c6f678ba2bb38be64040f6b2c5bd85a84e2aff06db4d6d1a350ab88f141ab4ee9c95f21d46366ccab53d050e |
memory/4284-421-0x0000000000D80000-0x0000000000D89000-memory.dmp
memory/4308-480-0x00000000005F0000-0x00000000005FC000-memory.dmp
memory/4284-494-0x0000000000D90000-0x0000000000D95000-memory.dmp
memory/4284-497-0x0000000000D80000-0x0000000000D89000-memory.dmp
memory/4308-498-0x0000000000800000-0x0000000000806000-memory.dmp
memory/4308-511-0x00000000005F0000-0x00000000005FC000-memory.dmp
memory/1808-529-0x0000000000680000-0x0000000000689000-memory.dmp
memory/2540-584-0x0000000000400000-0x0000000000695000-memory.dmp
memory/1808-604-0x0000000000680000-0x0000000000689000-memory.dmp
memory/1808-595-0x0000000000690000-0x0000000000694000-memory.dmp
memory/1424-650-0x0000000000140000-0x0000000000149000-memory.dmp
memory/1364-607-0x0000000000400000-0x0000000001B38000-memory.dmp
memory/1424-652-0x0000000000150000-0x0000000000155000-memory.dmp
memory/1424-655-0x0000000000140000-0x0000000000149000-memory.dmp
memory/1852-743-0x00000000008D0000-0x00000000008F7000-memory.dmp
memory/1852-749-0x00000000008D0000-0x00000000008F7000-memory.dmp
memory/1852-800-0x0000000000900000-0x0000000000921000-memory.dmp
memory/1680-818-0x0000000000B80000-0x0000000000B89000-memory.dmp
memory/1680-820-0x0000000000B90000-0x0000000000B95000-memory.dmp
memory/1680-821-0x0000000000B80000-0x0000000000B89000-memory.dmp
memory/1816-827-0x0000000000E70000-0x0000000000E7B000-memory.dmp
memory/1816-836-0x0000000000E80000-0x0000000000E86000-memory.dmp
memory/1816-837-0x0000000000E70000-0x0000000000E7B000-memory.dmp
memory/2932-858-0x0000000000590000-0x000000000059D000-memory.dmp
memory/2932-878-0x00000000005A0000-0x00000000005A7000-memory.dmp
memory/2932-880-0x0000000000590000-0x000000000059D000-memory.dmp
memory/3364-897-0x0000000000520000-0x000000000052B000-memory.dmp
memory/3260-1013-0x0000000000180000-0x0000000000184000-memory.dmp
memory/2540-1575-0x0000000000400000-0x0000000000695000-memory.dmp
memory/2540-2438-0x0000000000400000-0x0000000000695000-memory.dmp
memory/2540-3923-0x0000000000400000-0x0000000000695000-memory.dmp
memory/2540-4496-0x0000000000400000-0x0000000000695000-memory.dmp
memory/2540-5188-0x0000000000400000-0x0000000000695000-memory.dmp
memory/1364-5454-0x0000000000400000-0x0000000001B38000-memory.dmp
memory/2540-5924-0x0000000000400000-0x0000000000695000-memory.dmp
memory/2540-6518-0x0000000000400000-0x0000000000695000-memory.dmp
memory/2540-7987-0x0000000000400000-0x0000000000695000-memory.dmp