Malware Analysis Report

2024-11-16 12:16

Sample ID 230713-yy9baabg8t
Target cb5834ff88fd8e818ddd26ae5e6a080be8b5e17ee4238df66080175a5cf802eb
SHA256 cb5834ff88fd8e818ddd26ae5e6a080be8b5e17ee4238df66080175a5cf802eb
Tags
phobos rhadamanthys smokeloader summ backdoor collection evasion persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cb5834ff88fd8e818ddd26ae5e6a080be8b5e17ee4238df66080175a5cf802eb

Threat Level: Known bad

The file cb5834ff88fd8e818ddd26ae5e6a080be8b5e17ee4238df66080175a5cf802eb was found to be: Known bad.

Malicious Activity Summary

phobos rhadamanthys smokeloader summ backdoor collection evasion persistence ransomware spyware stealer trojan

Suspicious use of NtCreateUserProcessOtherParentProcess

Phobos

Rhadamanthys

Detect rhadamanthys stealer shellcode

SmokeLoader

Deletes shadow copies

Modifies boot configuration data using bcdedit

Renames multiple (91) files with added filename extension

Deletes backup catalog

Downloads MZ/PE file

Modifies Windows Firewall

Reads user/profile data of web browsers

Executes dropped EXE

Drops startup file

Accesses Microsoft Outlook profiles

Adds Run key to start application

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

Drops file in Program Files directory

Unsigned PE

Program crash

outlook_office_path

Suspicious use of WriteProcessMemory

outlook_win_path

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Interacts with shadow copies

Suspicious behavior: MapViewOfSection

Suspicious behavior: GetForegroundWindowSpam

Checks SCSI registry key(s)

Checks processor information in registry

Uses Volume Shadow Copy service COM API

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-13 20:12

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2023-07-13 20:12

Reported

2023-07-13 20:15

Platform

win10v2004-20230703-en

Max time kernel

151s

Max time network

156s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detect rhadamanthys stealer shellcode


Phobos

ransomware phobos

Rhadamanthys

stealer rhadamanthys

SmokeLoader

trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1572 created 3216 N/A C:\Users\Admin\AppData\Local\Temp\1582.exe C:\Windows\Explorer.EXE

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (91) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\[email protected] C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\system32\certreq.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0@uTpSMbKn = "C:\\Users\\Admin\\AppData\\Local\\[email protected]" C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0@uTpSMbKn = "C:\\Users\\Admin\\AppData\\Local\\[email protected]" C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-1498570331-2313266200-788959944-1000\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1498570331-2313266200-788959944-1000\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3148 set thread context of 4732 N/A C:\Users\Admin\AppData\Local\Microsoft\O2OTSsoz9r.exe C:\Users\Admin\AppData\Local\Microsoft\O2OTSsoz9r.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.httpclient4_1.0.800.v20140827-1444.jar.id[1D613CA1-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOInstallerUI.dll C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\calendars.properties C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.core_2.3.0.v20131211-1531.jar C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-services.xml C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\jp2iexp.dll C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\7-Zip\Lang\ba.txt C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup_zh_CN.jar C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-text_zh_CN.jar C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\org-netbeans-core_visualvm.jar C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\MANIFEST.MF C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\bookbig.gif C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.console_1.0.300.v20131113-1212.jar C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.resources_3.9.1.v20140825-1431.jar.id[1D613CA1-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-templates.jar C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Java\jre1.8.0_66\lib\management\jmxremote.access.id[1D613CA1-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvm.xml C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.id[1D613CA1-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InkObj.dll.mui C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Java\jdk1.8.0_66\jre\bin\prism_d3d.dll.id[1D613CA1-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\Xusage.txt.id[1D613CA1-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs-nio2.xml.id[1D613CA1-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-options.xml C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.osmuxmui.msi.16.en-us.xml C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins.nl_ja_4.4.0.v20140623020002.jar.id[1D613CA1-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core-ui.xml.id[1D613CA1-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\jfr\profile.jfc C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\include\jni.h C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Java\jdk1.8.0_66\jre\bin\JavaAccessBridge-64.dll.id[1D613CA1-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.en-us.xml.id[1D613CA1-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\javax.inject_1.0.0.v20091030.jar.id[1D613CA1-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-execution_ja.jar C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Java\jre1.8.0_66\lib\amd64\jvm.cfg.id[1D613CA1-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler.xml C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\MANIFEST.MF.id[1D613CA1-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.commands_5.5.0.165303.jar.id[1D613CA1-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-core-ui.xml.id[1D613CA1-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-spi-quicksearch.xml.id[1D613CA1-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-explorer.xml.id[1D613CA1-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-util-enumerations_zh_CN.jar.id[1D613CA1-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-io.jar.id[1D613CA1-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\7-Zip\Lang\kab.txt.id[1D613CA1-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\Microsoft.Ink.dll C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\jdwp.dll C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark_win.css.id[1D613CA1-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-sendopts_ja.jar.id[1D613CA1-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-awt.jar.id[1D613CA1-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-explorer.jar.id[1D613CA1-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-string-l1-1-0.dll.id[1D613CA1-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\en-US\InputPersonalization.exe.mui C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Java\jre1.8.0_66\bin\prism_common.dll.id[1D613CA1-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.core.di.extensions_0.12.0.v20140417-2033.jar C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-attach_zh_CN.jar.id[1D613CA1-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\7-Zip\Lang\af.txt C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\cb5834ff88fd8e818ddd26ae5e6a080be8b5e17ee4238df66080175a5cf802eb.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\cb5834ff88fd8e818ddd26ae5e6a080be8b5e17ee4238df66080175a5cf802eb.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\cb5834ff88fd8e818ddd26ae5e6a080be8b5e17ee4238df66080175a5cf802eb.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\O2OTSsoz9r.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\O2OTSsoz9r.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\O2OTSsoz9r.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\certreq.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\certreq.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cb5834ff88fd8e818ddd26ae5e6a080be8b5e17ee4238df66080175a5cf802eb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cb5834ff88fd8e818ddd26ae5e6a080be8b5e17ee4238df66080175a5cf802eb.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3216 wrote to memory of 1572 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\1582.exe
PID 3216 wrote to memory of 1572 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\1582.exe
PID 3216 wrote to memory of 1572 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\1582.exe
PID 3216 wrote to memory of 4840 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3216 wrote to memory of 4840 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3216 wrote to memory of 4840 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3216 wrote to memory of 4840 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3216 wrote to memory of 3256 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3216 wrote to memory of 3256 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3216 wrote to memory of 3256 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3216 wrote to memory of 4372 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3216 wrote to memory of 4372 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3216 wrote to memory of 4372 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3216 wrote to memory of 4372 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3216 wrote to memory of 4632 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3216 wrote to memory of 4632 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3216 wrote to memory of 4632 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3216 wrote to memory of 3268 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3216 wrote to memory of 3268 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3216 wrote to memory of 3268 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3216 wrote to memory of 3268 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3216 wrote to memory of 2572 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3216 wrote to memory of 2572 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3216 wrote to memory of 2572 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3216 wrote to memory of 2572 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3216 wrote to memory of 4348 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3216 wrote to memory of 4348 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3216 wrote to memory of 4348 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3216 wrote to memory of 4348 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3216 wrote to memory of 3272 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3216 wrote to memory of 3272 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3216 wrote to memory of 3272 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3216 wrote to memory of 2032 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3216 wrote to memory of 2032 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3216 wrote to memory of 2032 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3216 wrote to memory of 2032 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1572 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\1582.exe C:\Windows\system32\certreq.exe
PID 1572 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\1582.exe C:\Windows\system32\certreq.exe
PID 1572 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\1582.exe C:\Windows\system32\certreq.exe
PID 1572 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\1582.exe C:\Windows\system32\certreq.exe
PID 3148 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Local\Microsoft\O2OTSsoz9r.exe C:\Users\Admin\AppData\Local\Microsoft\O2OTSsoz9r.exe
PID 1588 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Microsoft\[email protected] C:\Windows\system32\cmd.exe
PID 1588 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Microsoft\[email protected] C:\Windows\system32\cmd.exe
PID 3592 wrote to memory of 3960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4024 wrote to memory of 2992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4024 wrote to memory of 1268 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3592 wrote to memory of 2260 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4024 wrote to memory of 4184 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4024 wrote to memory of 452 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4024 wrote to memory of 4580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\system32\certreq.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\cb5834ff88fd8e818ddd26ae5e6a080be8b5e17ee4238df66080175a5cf802eb.exe

"C:\Users\Admin\AppData\Local\Temp\cb5834ff88fd8e818ddd26ae5e6a080be8b5e17ee4238df66080175a5cf802eb.exe"

C:\Users\Admin\AppData\Local\Temp\1582.exe

C:\Users\Admin\AppData\Local\Temp\1582.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\certreq.exe

"C:\Windows\system32\certreq.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1572 -ip 1572

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 976

C:\Users\Admin\AppData\Local\Microsoft\O2OTSsoz9r.exe

"C:\Users\Admin\AppData\Local\Microsoft\O2OTSsoz9r.exe"

C:\Users\Admin\AppData\Local\Microsoft\[email protected]

"C:\Users\Admin\AppData\Local\Microsoft\[email protected]"

C:\Users\Admin\AppData\Local\Microsoft\6lqvz.exe

"C:\Users\Admin\AppData\Local\Microsoft\6lqvz.exe"

C:\Users\Admin\AppData\Local\Microsoft\O2OTSsoz9r.exe

"C:\Users\Admin\AppData\Local\Microsoft\O2OTSsoz9r.exe"

C:\Users\Admin\AppData\Local\Microsoft\[email protected]

"C:\Users\Admin\AppData\Local\Microsoft\[email protected]"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4268 -ip 4268

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 464

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Users\Admin\AppData\Roaming\eubugbd

C:\Users\Admin\AppData\Roaming\eubugbd

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 126.139.241.8.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 stalagmijesarl.com udp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
US 8.8.8.8:53 31.153.50.194.in-addr.arpa udp
US 8.8.8.8:53 fs24.fex.net udp
DE 193.109.240.5:443 fs24.fex.net tcp
US 8.8.8.8:53 fex.net udp
UA 194.106.216.70:443 fex.net tcp
US 8.8.8.8:53 5.240.109.193.in-addr.arpa udp
US 8.8.8.8:53 70.216.106.194.in-addr.arpa udp
US 8.8.8.8:53 admlogs85.xyz udp
DE 45.89.127.23:80 admlogs85.xyz tcp
US 8.8.8.8:53 23.127.89.45.in-addr.arpa udp
US 8.8.8.8:53 servblog25.xyz udp
DE 45.131.66.61:80 servblog25.xyz tcp
US 8.8.8.8:53 61.66.131.45.in-addr.arpa udp
US 8.8.8.8:53 58.189.79.40.in-addr.arpa udp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
US 8.8.8.8:53 serverxlogs21.xyz udp
DE 45.131.66.120:80 serverxlogs21.xyz tcp

Files

C:\Users\Admin\AppData\Local\Temp\1582.exe

MD5 7041b5e6716fbc3d51516bfc782b1adf
SHA1 8a7188931e6d548c1c717be4386df5a19e04b51f
SHA256 caf660d5a464070e4a488bb3d2153c90204f739e75684f4d8ed56de1062b2f87
SHA512 75800515735a33a6479791bf628951cafc8d6b09119ebbc80e5570731ee3d343d7386c8e2ac07c14ae7fa34ee5b5bf16264b804ab7e2ad7f667335d918e95709

C:\Users\Admin\AppData\Local\Microsoft\O2OTSsoz9r.exe

MD5 f56ab31379d92b546875eff976ec9148
SHA1 79ba7f22410a64adf18e36005cfa98179f128053
SHA256 d509b4fc5c6dd7c8c9b2bec568f39ad1b0a9724a8046b342e207d5c5c260b4d0
SHA512 650ddd099dfa9de50c6e5493c4d33c7dcaeb9827069becfb5756b802789926e1520c9672685ed6afb2b4c4e960ab860aa6a35e1fa6dc4b5de1b023efacc09258

C:\Users\Admin\AppData\Local\Microsoft\[email protected]

MD5 e2c05722293b07319cfd5bb1fef74f44
SHA1 d3f4f66861f8bf6aae657e475bcb8222c77a2770
SHA256 f909efbae3c83ae64dcd8f57e18be891df6386ca89f3a2f4c40d12ebc1913ef4
SHA512 92c0a3d6bf1708c82f17c8236c3e23ba66f0c3788fcf5c66553353765f3ba657c1a69a092493a71c4dbeac01e235da2c91f93ce19718f1728ffc1c29e3e64037

C:\Users\Admin\AppData\Local\Microsoft\6lqvz.exe

MD5 e411054bf19f624a88719981c5eb22d6
SHA1 943df640e6c34757e60dbcb98129f3550bec7f38
SHA256 046b6de02d3af494896a540bd5189faf6f2f9f75d00c59657071ff0aa5ed94a0
SHA512 39d647fa6158ae5453a6a448881e5f86ab9d1ea54047997eb358e40a1dd2d44a7b5665e7ff206013512e071cc4ce616accdad661bd2d1aafad8f8d224577700a

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id[1D613CA1-3483].[[email protected]].8base

MD5 5ae6cb08d91391ef79c4407b15011ac4
SHA1 175c5fec97d1250fb13793b6c36e74f05782d03a
SHA256 c402fe4d8f17e8b26aecd5c679369ee572becf214a0d0d954a01911a1128b20f
SHA512 3d4f938e0dd30a4313cea572d6dbf02406579b83f9a99fffd0ac8fa0b48f4dc612773c6a89ad45923e39a806ed63eac3817a520c70371e70d23844310c451f5e

C:\Users\Admin\AppData\Roaming\eubugbd

MD5 b50821fcc6d29b82bc232849e5b98c3a
SHA1 c99bbfe0ed81d6625820bd8d659303a09f9100f8
SHA256 cb5834ff88fd8e818ddd26ae5e6a080be8b5e17ee4238df66080175a5cf802eb
SHA512 d8f9beca0a583803e6fd5c7476bbb7839f5b350992709f46d770dffb79f74d5f7717e0cd3ae8d9cbbf72cde5296349a55b65856103a91be1bf988d435832956b
