Malware Analysis Report

2024-11-16 12:16

Sample ID 230713-1a9m9abc72
Target b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642
SHA256 b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642
Tags
phobos rhadamanthys smokeloader systembc backdoor collection evasion persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642

Threat Level: Known bad

The file b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642 was found to be: Known bad.

Malicious Activity Summary

phobos rhadamanthys smokeloader systembc backdoor collection evasion persistence ransomware spyware stealer trojan

Detect rhadamanthys stealer shellcode

SmokeLoader

Suspicious use of NtCreateUserProcessOtherParentProcess

Phobos

SystemBC

Rhadamanthys

Modifies boot configuration data using bcdedit

Renames multiple (460) files with added filename extension

Deletes shadow copies

Deletes backup catalog

Modifies Windows Firewall

Downloads MZ/PE file

Executes dropped EXE

Reads user/profile data of web browsers

Drops startup file

Drops desktop.ini file(s)

Accesses Microsoft Outlook profiles

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Program crash

Unsigned PE

Checks SCSI registry key(s)

Checks processor information in registry

Modifies registry class

Uses Volume Shadow Copy service COM API

Uses Task Scheduler COM API

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

outlook_office_path

Interacts with shadow copies

Suspicious behavior: EnumeratesProcesses

outlook_win_path

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-13 21:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-13 21:27

Reported

2023-07-13 21:30

Platform

win10v2004-20230703-en

Max time kernel

121s

Max time network

154s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detect rhadamanthys stealer shellcode

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Phobos

ransomware phobos

Rhadamanthys

stealer rhadamanthys

SmokeLoader

trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2708 created 3140 N/A C:\Users\Admin\AppData\Local\Temp\b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642.exe C:\Windows\Explorer.EXE

SystemBC

trojan systembc

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (460) files with added filename extension

ransomware

Deletes backup catalog

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\Sdy%]L57db.exe C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sdy%]L57db = "C:\\Users\\Admin\\AppData\\Local\\Sdy%]L57db.exe" C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sdy%]L57db = "C:\\Users\\Admin\\AppData\\Local\\Sdy%]L57db.exe" C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-618519468-4027732583-1827558364-1000\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-618519468-4027732583-1827558364-1000\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1104 set thread context of 1244 N/A C:\Users\Admin\AppData\Local\Microsoft\LBak(x3).exe C:\Users\Admin\AppData\Local\Microsoft\LBak(x3).exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\Lang\cy.txt C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyoptionaltools.jar C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\jp2iexp.dll C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-72_altform-unplated.png C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-48_altform-unplated_contrast-black_devicefamily-colorfulunplated.png C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSmallTile.contrast-white_scale-200.png C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedSplash.scale-100.png C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalMedTile.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\hr-hr\ui-strings.js C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected][324C6089-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Coverage.ps1 C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_Exp_RHP.aapp C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\plugin.js C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\core_icons_fw.png.id[324C6089-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer_3.2.200.v20140827-1444.jar.id[324C6089-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-pl.xrm-ms.id[324C6089-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Edm.NetFX35.dll.id[324C6089-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\NamedUrls.HxK.id[324C6089-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-125_contrast-black.png C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\de\Microsoft.PowerShell.PackageManagement.resources.dll C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Wide310x150\PaintWideTile.scale-200.png C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\tr.gif.id[324C6089-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ar.pak C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-140.png.id[324C6089-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\SAMPLES\SOLVSAMP.XLS.id[324C6089-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_replace_signer_18.svg C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_nothumbnail_34.svg.id[324C6089-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\kok.pak C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\ms_get.svg C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Edm.NetFX35.V7.dll C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\WideTile.scale-200.png C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg3_thumb.png C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\smtp.jar.id[324C6089-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalAppList.targetsize-40_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\rna-main.js.id[324C6089-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-util-lookup.xml.id[324C6089-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_filter\libposterize_plugin.dll.id[324C6089-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\commerce\sms_failure_illustration.png C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-16.png C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\spectrum_spinner_process.svg.id[324C6089-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-400_contrast-black.png C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Generic-Dark.scale-250.png C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-dialogs_zh_CN.jar.id[324C6089-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Grace-ul-oob.xrm-ms.id[324C6089-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-pl.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-crt-environment-l1-1-0.dll C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\animations\OneNoteAudio_RecordingPlayback.gif C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\VisualElements\SmallLogo.png.DATA.id[324C6089-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.util_1.0.500.v20130404-1337.jar C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-ul-oob.xrm-ms.id[324C6089-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected][324C6089-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\OrientationSensorCalibrationFigure.png C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_filetype_xd.svg.id[324C6089-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\StoreLogo.scale-100.png C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-100_contrast-black.png C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-48.png C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-24_contrast-white.png C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\arrow-down.png C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\LBak(x3).exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\LBak(x3).exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\LBak(x3).exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\certreq.exe N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\certreq.exe N/A

Interacts with shadow copies

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\Explorer.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642.exe N/A
N/A N/A C:\Windows\system32\certreq.exe N/A
N/A N/A C:\Windows\system32\certreq.exe N/A
N/A N/A C:\Windows\system32\certreq.exe N/A
N/A N/A C:\Windows\system32\certreq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\LBak(x3).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\LBak(x3).exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2708 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642.exe C:\Windows\system32\certreq.exe
PID 1104 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Microsoft\LBak(x3).exe C:\Users\Admin\AppData\Local\Microsoft\LBak(x3).exe
PID 1524 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe C:\Windows\system32\cmd.exe
PID 1524 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe C:\Windows\system32\cmd.exe
PID 4112 wrote to memory of 4964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4344 wrote to memory of 316 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4112 wrote to memory of 836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4344 wrote to memory of 3080 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4344 wrote to memory of 4308 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4344 wrote to memory of 3424 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4344 wrote to memory of 728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 3140 wrote to memory of 3448 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D1.exe
PID 3140 wrote to memory of 2788 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3140 wrote to memory of 5112 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3140 wrote to memory of 1740 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3140 wrote to memory of 4988 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3140 wrote to memory of 4164 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3140 wrote to memory of 5000 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3140 wrote to memory of 4404 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3140 wrote to memory of 3516 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3140 wrote to memory of 1652 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642.exe

"C:\Users\Admin\AppData\Local\Temp\b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642.exe"

C:\Windows\system32\certreq.exe

"C:\Windows\system32\certreq.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2708 -ip 2708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 964

C:\Users\Admin\AppData\Local\Microsoft\LBak(x3).exe

"C:\Users\Admin\AppData\Local\Microsoft\LBak(x3).exe"

C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe

"C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe"

C:\Users\Admin\AppData\Local\Microsoft\uT`[email protected]

"C:\Users\Admin\AppData\Local\Microsoft\uT`[email protected]"

C:\Users\Admin\AppData\Local\Microsoft\LBak(x3).exe

"C:\Users\Admin\AppData\Local\Microsoft\LBak(x3).exe"

C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe

"C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2652 -ip 2652

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2652 -s 468

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Users\Admin\AppData\Local\Temp\D1.exe

C:\Users\Admin\AppData\Local\Temp\D1.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3448 -ip 3448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 492

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Users\Admin\AppData\Roaming\vtdcetg

C:\Users\Admin\AppData\Roaming\vtdcetg

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 254.20.238.8.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 69.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 servblog25.xyz udp
DE 45.131.66.61:80 servblog25.xyz tcp
US 8.8.8.8:53 61.66.131.45.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
DE 45.131.66.61:80 servblog25.xyz tcp
US 8.8.8.8:53 77.121.18.2.in-addr.arpa udp
DE 45.131.66.61:80 servblog25.xyz tcp
DE 45.131.66.61:80 servblog25.xyz tcp
US 8.8.8.8:53 serverxlogs21.xyz udp
DE 45.131.66.120:80 serverxlogs21.xyz tcp
US 8.8.8.8:53 cexsad917.xyz udp
DE 45.89.125.136:80 cexsad917.xyz tcp
US 8.8.8.8:53 120.66.131.45.in-addr.arpa udp
US 8.8.8.8:53 136.125.89.45.in-addr.arpa udp
DE 45.131.66.120:80 serverxlogs21.xyz tcp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\LBak(x3).exe

MD5 f56ab31379d92b546875eff976ec9148
SHA1 79ba7f22410a64adf18e36005cfa98179f128053
SHA256 d509b4fc5c6dd7c8c9b2bec568f39ad1b0a9724a8046b342e207d5c5c260b4d0
SHA512 650ddd099dfa9de50c6e5493c4d33c7dcaeb9827069becfb5756b802789926e1520c9672685ed6afb2b4c4e960ab860aa6a35e1fa6dc4b5de1b023efacc09258

C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe

MD5 e2c05722293b07319cfd5bb1fef74f44
SHA1 d3f4f66861f8bf6aae657e475bcb8222c77a2770
SHA256 f909efbae3c83ae64dcd8f57e18be891df6386ca89f3a2f4c40d12ebc1913ef4
SHA512 92c0a3d6bf1708c82f17c8236c3e23ba66f0c3788fcf5c66553353765f3ba657c1a69a092493a71c4dbeac01e235da2c91f93ce19718f1728ffc1c29e3e64037

C:\Users\Admin\AppData\Local\Microsoft\uT`[email protected]

MD5 e411054bf19f624a88719981c5eb22d6
SHA1 943df640e6c34757e60dbcb98129f3550bec7f38
SHA256 046b6de02d3af494896a540bd5189faf6f2f9f75d00c59657071ff0aa5ed94a0
SHA512 39d647fa6158ae5453a6a448881e5f86ab9d1ea54047997eb358e40a1dd2d44a7b5665e7ff206013512e071cc4ce616accdad661bd2d1aafad8f8d224577700a

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[324C6089-3483].[[email protected]].8base

MD5 7176bbf11837b6acf2f8830894012a16
SHA1 c2eac7dda754ca518d4405d7a2410b905ba7f661
SHA256 20496ba30a617b7e68da143d26123ca46d02ec6e15b325389d63e89433547a5f
SHA512 cd8914e54e2996780fa4e514b78aa59926805ba443d16e9a6073e0f894b01eaa3a88929db03c1a6bfcd3c8448b92180db8db62717e0bb2e33b9d1438364a0e87

C:\Users\Admin\AppData\Local\Temp\D1.exe

MD5 b2243260d077693972cc92b7302cb372
SHA1 1699650e3e6b1ab94de7d7d6630aa73ace143422
SHA256 281481eb8f1579206e55232754f47587a61bbe1460fc1f3b06157f31d214a290
SHA512 39f60638f5306205132e32f1e179598036cdb688c976cc7e169f304c180fceaeeb9b612862c57957241b4f3d6588bd4faf6c2ab36b9d76ac3d57a93f6649eed3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\cookies.sqlite.id[324C6089-3483].[[email protected]].8base

MD5 18571f0c2e6aa37a196cd84285087def
SHA1 4723efc495fd5ed0192530144f30bb72b1dfa9d5
SHA256 dac43dfcea84311a498a36c28108f8111470ba237bf8369f24e98ace331d7f71
SHA512 80872c621eedd4b187f94eb6cf5472f45742e4081e9b785f7305d8c84e3a857abb11e5af3dd0c4987645cacb44be929b6a53d5d7a2dc5b6b41698b0166d6dfb0

C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000027.db.id[324C6089-3483].[[email protected]].8base

MD5 0fbc1a578ebf73f69e8e0f1b2c742207
SHA1 053eab511c8d7fa53d06a168fe05c606c49edae2
SHA256 fd108957a6a64a37a4241846ea910c54e65d6a4610dc4b9190012d1f009f0212
SHA512 2e103382b81a2b92b97bc8340940ae0c8e3861e84d3608553f3a5d8e044f9f759da9512b3eb5379502266e0b7879145a932a288bb4d985aebbf7f8bb578f9ca5

C:\Users\Admin\AppData\Local\Temp\2C94\C\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.dll

MD5 43ad1dd044c719f378d171baecf3a91c
SHA1 a55fcb4e09d4b0f73669187f47a5229e831659a9
SHA256 b88f4c053e4323b49f839298fc44244d91927045de807634308a850bb409b4ab
SHA512 1944977ae24c3ef47aef9cc2e51735e7d9e7cbe47c277f85bc3a822cf8b55d40de520710c4d81678a0361a1c1effaf30c5ef795e1d2f32abc898087fc0e2d7d8

C:\Users\Admin\AppData\Local\Temp\2C94\C\Windows\SysWOW64\WalletProxy.dll

MD5 d09724c29a8f321f2f9c552de6ef6afa
SHA1 d6ce3d3a973695f4f770e7fb3fcb5e2f3df592a3
SHA256 23cc82878957683184fbd0e3098e9e6858978bf78d7812c6d7470ebdc79d1c5c
SHA512 cc8db1b0c4bbd94dfc8a669cd6accf6fa29dc1034ce03d9dae53d6ce117bb86b432bf040fb53230b612c6e9a325e58acc8ebb600f760a8d9d6a383ce751fd6ed

C:\Users\Admin\AppData\Local\Temp\2C94\C\Windows\SysWOW64\Windows.ApplicationModel.Wallet.dll

MD5 02557c141c9e153c2b7987b79a3a2dd7
SHA1 a054761382ee68608b6a3b62b68138dc205f576b
SHA256 207c587e769e2655669bd3ce1d28a00bcac08f023013735f026f65c0e3baa6f4
SHA512 a37e29c115bcb9956b1f8fd2022f2e3966c1fa2a0efa5c2ee2d14bc5c41bfddae0deea4d481a681d13ec58e9dec41e7565f8b4eb1c10f2c44c03e58bdd2792b3

C:\Users\Admin\AppData\Local\Temp\2C94\C\Windows\SysWOW64\WalletBackgroundServiceProxy.dll

MD5 1097d1e58872f3cf58f78730a697ce4b
SHA1 96db4e4763a957b28dd80ec1e43eb27367869b86
SHA256 83ec0be293b19d00eca4ae51f16621753e1d2b11248786b25a1abaae6230bdef
SHA512 b933eac4eaabacc51069a72b24b649b980aea251b1b87270ff4ffea12de9368d5447cdbe748ac7faf2805548b896c8499f9eceeed2f5efd0c684f94360940351

C:\Users\Admin\AppData\Local\Temp\2C94\C\Windows\System32\Windows.ApplicationModel.Wallet.dll

MD5 02557c141c9e153c2b7987b79a3a2dd7
SHA1 a054761382ee68608b6a3b62b68138dc205f576b
SHA256 207c587e769e2655669bd3ce1d28a00bcac08f023013735f026f65c0e3baa6f4
SHA512 a37e29c115bcb9956b1f8fd2022f2e3966c1fa2a0efa5c2ee2d14bc5c41bfddae0deea4d481a681d13ec58e9dec41e7565f8b4eb1c10f2c44c03e58bdd2792b3

C:\Users\Admin\AppData\Local\Temp\2C94\C\Windows\System32\WalletProxy.dll

MD5 d09724c29a8f321f2f9c552de6ef6afa
SHA1 d6ce3d3a973695f4f770e7fb3fcb5e2f3df592a3
SHA256 23cc82878957683184fbd0e3098e9e6858978bf78d7812c6d7470ebdc79d1c5c
SHA512 cc8db1b0c4bbd94dfc8a669cd6accf6fa29dc1034ce03d9dae53d6ce117bb86b432bf040fb53230b612c6e9a325e58acc8ebb600f760a8d9d6a383ce751fd6ed

C:\Users\Admin\AppData\Local\Temp\2C94\C\Windows\System32\WalletBackgroundServiceProxy.dll

MD5 1097d1e58872f3cf58f78730a697ce4b
SHA1 96db4e4763a957b28dd80ec1e43eb27367869b86
SHA256 83ec0be293b19d00eca4ae51f16621753e1d2b11248786b25a1abaae6230bdef
SHA512 b933eac4eaabacc51069a72b24b649b980aea251b1b87270ff4ffea12de9368d5447cdbe748ac7faf2805548b896c8499f9eceeed2f5efd0c684f94360940351

C:\Users\Admin\AppData\Local\Temp\2C94\C\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe.xml

MD5 108f130067a9df1719c590316a5245f7
SHA1 79bb9a86e7a50c85214cd7e21719f0cb4155f58a
SHA256 c91debd34057ca5c280ca15ac542733930e1c94c7d887448eac6e3385b5a0874
SHA512 d43b3861d5153c7ca54edd078c900d31599fc9f04d6883a449d62c7e86a105a3c5dfb2d232255c41505b210b063caf6325921dc074fcdf93407c9e2c985a5301

C:\Users\Admin\AppData\Local\Temp\2C94\C\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe.xml

MD5 94f90fcd2b8f7f1df69224f845d9e9b7
SHA1 a09e3072cc581cf89adaf1aa20aa89b3af7bf987
SHA256 a16113a66b1c36f919b5f7eaa3fb7aa8e0ba9e057823861aabea703cc06a04c0
SHA512 51f4ee06a8d8bf1121083bf4383433160f16c68d1fe4c44e5d0e0529910d27ba8446c7a4bef359b990574d1d61563da30139c6d09ad0ad1a5b5c7748b8da08f3

C:\Users\Admin\AppData\Local\Temp\2C94\C\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe.xml

MD5 108f130067a9df1719c590316a5245f7
SHA1 79bb9a86e7a50c85214cd7e21719f0cb4155f58a
SHA256 c91debd34057ca5c280ca15ac542733930e1c94c7d887448eac6e3385b5a0874
SHA512 d43b3861d5153c7ca54edd078c900d31599fc9f04d6883a449d62c7e86a105a3c5dfb2d232255c41505b210b063caf6325921dc074fcdf93407c9e2c985a5301

C:\Users\Admin\AppData\Local\Temp\2C94\C\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe.xml

MD5 94f90fcd2b8f7f1df69224f845d9e9b7
SHA1 a09e3072cc581cf89adaf1aa20aa89b3af7bf987
SHA256 a16113a66b1c36f919b5f7eaa3fb7aa8e0ba9e057823861aabea703cc06a04c0
SHA512 51f4ee06a8d8bf1121083bf4383433160f16c68d1fe4c44e5d0e0529910d27ba8446c7a4bef359b990574d1d61563da30139c6d09ad0ad1a5b5c7748b8da08f3

C:\Users\Admin\AppData\Local\Temp\2C94\C\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe

MD5 cfe72ed40a076ae4f4157940ce0c5d44
SHA1 8010f7c746a7ba4864785f798f46ec05caae7ece
SHA256 6868894ab04d08956388a94a81016f03d5b7a7b1646c8a6235057a7e1e45de32
SHA512 f002afa2131d250dd6148d8372ce45f84283b8e1209e91720cee7aff497503d0e566bae3a83cd326701458230ae5c0e200eec617889393dd46ac00ff357ff1b0

C:\Users\Admin\AppData\Roaming\agieddb

MD5 0d076a7af7087f966f922c4049681e43
SHA1 583bb93f7954c5c54b1da9318902c4ddc1c50182
SHA256 13e7e6b74ef3146b9cca697ad8c101a0d18849edabc78e10dadf6f74a1218ccd
SHA512 7ec362d3d6c8384e2c195eaedcf754a609e7a34fa74b2df4f3cc0425207e3e1ce9ee9d96221343beb06c11bc07f2aee1eadcf5074c651b3d565cfcf5597e5497

C:\Users\Admin\AppData\Roaming\vtdcetg

MD5 f56ab31379d92b546875eff976ec9148
SHA1 79ba7f22410a64adf18e36005cfa98179f128053
SHA256 d509b4fc5c6dd7c8c9b2bec568f39ad1b0a9724a8046b342e207d5c5c260b4d0
SHA512 650ddd099dfa9de50c6e5493c4d33c7dcaeb9827069becfb5756b802789926e1520c9672685ed6afb2b4c4e960ab860aa6a35e1fa6dc4b5de1b023efacc09258

C:\info.hta

MD5 bf040e72e2259324c298ce34a0364807
SHA1 404be060ee0767791669ac511b6afbf0f72ef340
SHA256 046df92c8e84e224ab0e4bd176943d44e4392ee35fb60162185779cec3e90417
SHA512 0549aa0e1c47c0a95b5d6872553394fa886ec092d0e6bc2e4874e20a6c5f623e51fc98431c6225d5a4acb3a1a9c0ba46e6adbe913f93ba75df94d44083f5f47f

C:\Users\Admin\Desktop\info.hta

MD5 bf040e72e2259324c298ce34a0364807
SHA1 404be060ee0767791669ac511b6afbf0f72ef340
SHA256 046df92c8e84e224ab0e4bd176943d44e4392ee35fb60162185779cec3e90417
SHA512 0549aa0e1c47c0a95b5d6872553394fa886ec092d0e6bc2e4874e20a6c5f623e51fc98431c6225d5a4acb3a1a9c0ba46e6adbe913f93ba75df94d44083f5f47f

C:\users\public\desktop\info.hta

MD5 bf040e72e2259324c298ce34a0364807
SHA1 404be060ee0767791669ac511b6afbf0f72ef340
SHA256 046df92c8e84e224ab0e4bd176943d44e4392ee35fb60162185779cec3e90417
SHA512 0549aa0e1c47c0a95b5d6872553394fa886ec092d0e6bc2e4874e20a6c5f623e51fc98431c6225d5a4acb3a1a9c0ba46e6adbe913f93ba75df94d44083f5f47f

F:\info.hta

MD5 bf040e72e2259324c298ce34a0364807
SHA1 404be060ee0767791669ac511b6afbf0f72ef340
SHA256 046df92c8e84e224ab0e4bd176943d44e4392ee35fb60162185779cec3e90417
SHA512 0549aa0e1c47c0a95b5d6872553394fa886ec092d0e6bc2e4874e20a6c5f623e51fc98431c6225d5a4acb3a1a9c0ba46e6adbe913f93ba75df94d44083f5f47f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg.id[324C6089-3483].[[email protected]].8base

MD5 fefaab7fa27d143a61af7e58f5a1887f
SHA1 fea646ffe33034100aa106421e09df9f3af228bb
SHA256 e9d5debca8b4d0634d586ae69fe93024600cf15d5f397918313d0d8484f2ab7b
SHA512 c0e6d9d60682e2a4436c4cb3a1f5d6c6e2fd2e3126fbfc29d8020da62f069ac3f82501b9c4b059c70c78e14afd6594200c438d56e46e455a6a54d97af4786924
