Malware Analysis Report

2024-11-16 12:20

Sample ID 230714-3kpryagd55
Target c9666af965998eddcc1f1e03f97040435bf00ff0a557945cba96cbff93c286db
SHA256 c9666af965998eddcc1f1e03f97040435bf00ff0a557945cba96cbff93c286db
Tags
lumma phobos rhadamanthys smokeloader summ backdoor collection discovery evasion persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c9666af965998eddcc1f1e03f97040435bf00ff0a557945cba96cbff93c286db

Threat Level: Known bad

The file c9666af965998eddcc1f1e03f97040435bf00ff0a557945cba96cbff93c286db was found to be: Known bad.

Malicious Activity Summary

lumma phobos rhadamanthys smokeloader summ backdoor collection discovery evasion persistence ransomware spyware stealer trojan

Phobos

SmokeLoader

Detect rhadamanthys stealer shellcode

Suspicious use of NtCreateUserProcessOtherParentProcess

Rhadamanthys

Lumma Stealer

Deletes shadow copies

Renames multiple (65) files with added filename extension

Modifies boot configuration data using bcdedit

Modifies Windows Firewall

Downloads MZ/PE file

Deletes backup catalog

Drops startup file

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Executes dropped EXE

Adds Run key to start application

Drops desktop.ini file(s)

Checks installed software on the system

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Drops file in Program Files directory

Program crash

Unsigned PE

Checks SCSI registry key(s)

Checks processor information in registry

Uses Volume Shadow Copy service COM API

outlook_office_path

Suspicious use of WriteProcessMemory

outlook_win_path

Suspicious behavior: GetForegroundWindowSpam

Uses Task Scheduler COM API

Interacts with shadow copies

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-14 23:34

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-14 23:34

Reported

2023-07-14 23:37

Platform

win10v2004-20230703-en

Max time kernel

145s

Max time network

153s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detect rhadamanthys stealer shellcode

Description Indicator Process Target
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

Phobos

ransomware phobos

Rhadamanthys

stealer rhadamanthys

SmokeLoader

trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 3128 created 3240 N/A C:\Users\Admin\AppData\Local\Temp\3FE2.exe C:\Windows\Explorer.EXE

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (65) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\y6[Gi4`1.exe C:\Users\Admin\AppData\Local\Microsoft\y6[Gi4`1.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\y6[Gi4`1 = "C:\\Users\\Admin\\AppData\\Local\\y6[Gi4`1.exe" C:\Users\Admin\AppData\Local\Microsoft\y6[Gi4`1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\y6[Gi4`1 = "C:\\Users\\Admin\\AppData\\Local\\y6[Gi4`1.exe" C:\Users\Admin\AppData\Local\Microsoft\y6[Gi4`1.exe N/A

Checks installed software on the system

discovery

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1498570331-2313266200-788959944-1000\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\y6[Gi4`1.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\y6[Gi4`1.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-1498570331-2313266200-788959944-1000\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\y6[Gi4`1.exe N/A

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2316 set thread context of 2816 N/A C:\Users\Admin\AppData\Local\Microsoft\vm[R1ZQW.exe C:\Users\Admin\AppData\Local\Microsoft\vm[R1ZQW.exe

Drops file in Program Files directory


Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\vm[R1ZQW.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\vm[R1ZQW.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\c9666af965998eddcc1f1e03f97040435bf00ff0a557945cba96cbff93c286db.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\c9666af965998eddcc1f1e03f97040435bf00ff0a557945cba96cbff93c286db.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\c9666af965998eddcc1f1e03f97040435bf00ff0a557945cba96cbff93c286db.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\vm[R1ZQW.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\certreq.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\certreq.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c9666af965998eddcc1f1e03f97040435bf00ff0a557945cba96cbff93c286db.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Microsoft\y6[Gi4`1.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3240 wrote to memory of 3128 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\3FE2.exe
PID 3240 wrote to memory of 3900 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\488E.exe
PID 3240 wrote to memory of 2108 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3240 wrote to memory of 3876 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3240 wrote to memory of 1712 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3240 wrote to memory of 1832 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3240 wrote to memory of 4332 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3240 wrote to memory of 2164 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3240 wrote to memory of 2468 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3240 wrote to memory of 1568 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3240 wrote to memory of 1704 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3128 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\3FE2.exe C:\Windows\system32\certreq.exe
PID 2316 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Microsoft\vm[R1ZQW.exe C:\Users\Admin\AppData\Local\Microsoft\vm[R1ZQW.exe
PID 3896 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Microsoft\y6[Gi4`1.exe C:\Windows\system32\cmd.exe
PID 3896 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Microsoft\y6[Gi4`1.exe C:\Windows\system32\cmd.exe
PID 3896 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Microsoft\y6[Gi4`1.exe C:\Windows\system32\cmd.exe
PID 3896 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Microsoft\y6[Gi4`1.exe C:\Windows\system32\cmd.exe
PID 2244 wrote to memory of 3904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2244 wrote to memory of 3904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3948 wrote to memory of 1368 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3948 wrote to memory of 1368 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3948 wrote to memory of 2372 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3948 wrote to memory of 2372 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2244 wrote to memory of 3616 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2244 wrote to memory of 3616 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3948 wrote to memory of 4168 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3948 wrote to memory of 4168 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3948 wrote to memory of 5116 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\system32\certreq.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\c9666af965998eddcc1f1e03f97040435bf00ff0a557945cba96cbff93c286db.exe

"C:\Users\Admin\AppData\Local\Temp\c9666af965998eddcc1f1e03f97040435bf00ff0a557945cba96cbff93c286db.exe"

C:\Users\Admin\AppData\Local\Temp\3FE2.exe

C:\Users\Admin\AppData\Local\Temp\3FE2.exe

C:\Users\Admin\AppData\Local\Temp\488E.exe

C:\Users\Admin\AppData\Local\Temp\488E.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\certreq.exe

"C:\Windows\system32\certreq.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3128 -ip 3128

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 1016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3900 -ip 3900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 3336

C:\Users\Admin\AppData\Local\Microsoft\vm[R1ZQW.exe

"C:\Users\Admin\AppData\Local\Microsoft\vm[R1ZQW.exe"

C:\Users\Admin\AppData\Local\Microsoft\y6[Gi4`1.exe

"C:\Users\Admin\AppData\Local\Microsoft\y6[Gi4`1.exe"

C:\Users\Admin\AppData\Local\Microsoft\tSsr`r.exe

"C:\Users\Admin\AppData\Local\Microsoft\tSsr`r.exe"

C:\Users\Admin\AppData\Local\Microsoft\vm[R1ZQW.exe

"C:\Users\Admin\AppData\Local\Microsoft\vm[R1ZQW.exe"

C:\Users\Admin\AppData\Local\Microsoft\y6[Gi4`1.exe

"C:\Users\Admin\AppData\Local\Microsoft\y6[Gi4`1.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4984 -ip 4984

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 428

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 254.151.241.8.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 stalagmijesarl.com udp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
US 8.8.8.8:53 31.153.50.194.in-addr.arpa udp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
US 8.8.8.8:53 admxlogs25.xyz udp
EE 46.36.218.224:80 admxlogs25.xyz tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
US 8.8.8.8:53 224.218.36.46.in-addr.arpa udp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
US 8.8.8.8:53 github.com udp
US 140.82.113.4:443 github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
US 8.8.8.8:53 4.113.82.140.in-addr.arpa udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 gstatic-node.io udp
US 188.114.97.0:80 gstatic-node.io tcp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 188.114.97.0:80 gstatic-node.io tcp
US 188.114.97.0:80 gstatic-node.io tcp
US 188.114.97.0:80 gstatic-node.io tcp
US 188.114.97.0:80 gstatic-node.io tcp
US 188.114.97.0:80 gstatic-node.io tcp
US 188.114.97.0:80 gstatic-node.io tcp
US 188.114.97.0:80 gstatic-node.io tcp
US 188.114.97.0:80 gstatic-node.io tcp
US 188.114.97.0:80 gstatic-node.io tcp
US 188.114.97.0:80 gstatic-node.io tcp
US 188.114.97.0:80 gstatic-node.io tcp
US 188.114.97.0:80 gstatic-node.io tcp
US 188.114.97.0:80 gstatic-node.io tcp
US 188.114.97.0:80 gstatic-node.io tcp
US 188.114.97.0:80 gstatic-node.io tcp
US 188.114.97.0:80 gstatic-node.io tcp
US 188.114.97.0:80 gstatic-node.io tcp
US 188.114.97.0:80 gstatic-node.io tcp
US 188.114.97.0:80 gstatic-node.io tcp
US 188.114.97.0:80 gstatic-node.io tcp
US 188.114.97.0:80 gstatic-node.io tcp
US 188.114.97.0:80 gstatic-node.io tcp
US 188.114.97.0:80 gstatic-node.io tcp
US 188.114.97.0:80 gstatic-node.io tcp
US 188.114.97.0:80 gstatic-node.io tcp
US 188.114.97.0:80 gstatic-node.io tcp
US 8.8.8.8:53 admlogs195.xyz udp
EE 46.36.219.3:80 admlogs195.xyz tcp
US 188.114.97.0:80 gstatic-node.io tcp
US 188.114.97.0:80 gstatic-node.io tcp
US 188.114.97.0:80 gstatic-node.io tcp
US 188.114.97.0:80 gstatic-node.io tcp
US 8.8.8.8:53 3.219.36.46.in-addr.arpa udp
US 188.114.97.0:80 gstatic-node.io tcp
US 188.114.97.0:80 gstatic-node.io tcp
US 188.114.97.0:80 gstatic-node.io tcp
US 188.114.97.0:80 gstatic-node.io tcp
US 188.114.97.0:80 gstatic-node.io tcp
US 188.114.97.0:80 gstatic-node.io tcp
US 188.114.97.0:80 gstatic-node.io tcp
US 188.114.97.0:80 gstatic-node.io tcp
US 188.114.97.0:80 gstatic-node.io tcp
US 188.114.97.0:80 gstatic-node.io tcp
US 188.114.97.0:80 gstatic-node.io tcp
US 188.114.97.0:80 gstatic-node.io tcp
US 188.114.97.0:80 gstatic-node.io tcp
US 188.114.97.0:80 gstatic-node.io tcp
US 188.114.97.0:80 gstatic-node.io tcp
US 188.114.97.0:80 gstatic-node.io tcp
US 188.114.97.0:80 gstatic-node.io tcp
EE 46.36.219.3:80 admlogs195.xyz tcp
EE 46.36.219.3:80 admlogs195.xyz tcp
US 8.8.8.8:53 69.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp

Files

memory/216-134-0x00000000005C0000-0x00000000006C0000-memory.dmp

memory/216-135-0x0000000002230000-0x0000000002239000-memory.dmp

memory/216-136-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/3240-137-0x0000000002F00000-0x0000000002F16000-memory.dmp

memory/216-138-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/216-141-0x0000000002230000-0x0000000002239000-memory.dmp

memory/3240-142-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

memory/3240-143-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

memory/3240-144-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

memory/3240-145-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

memory/3240-146-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

memory/3240-147-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

memory/3240-148-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

memory/3240-149-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

memory/3240-151-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

memory/3240-150-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

memory/3240-154-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

memory/3240-153-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

memory/3240-156-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

memory/3240-155-0x0000000002FD0000-0x0000000002FE0000-memory.dmp

memory/3240-157-0x0000000002FD0000-0x0000000002FE0000-memory.dmp

memory/3240-158-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

memory/3240-160-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

memory/3240-162-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

memory/3240-161-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

memory/3240-164-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

memory/3240-166-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

memory/3240-165-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

memory/3240-167-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

memory/3240-168-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

memory/3240-170-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

memory/3240-171-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

memory/3240-172-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

memory/3240-174-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

memory/3240-175-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

memory/3240-176-0x0000000002FD0000-0x0000000002FE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3FE2.exe

MD5 aaf3d68aeea347268ede50e621ca21ce
SHA1 0e7c0e38a200a9ea3af663dfd33941cc5e1657c9
SHA256 09c9bc026f600cb19848ba96858b3dbfe13f03358dc0703818d3bfa3d632d416
SHA512 61416225031cbb74114ee61e3f7ce697e73423c75a0f2e96f51557b3d289ad868034e2e07ead926cd12a95b524ed37cf1626dc75dc99c47fac9cb8f843002bd0

C:\Users\Admin\AppData\Local\Temp\3FE2.exe

MD5 aaf3d68aeea347268ede50e621ca21ce
SHA1 0e7c0e38a200a9ea3af663dfd33941cc5e1657c9
SHA256 09c9bc026f600cb19848ba96858b3dbfe13f03358dc0703818d3bfa3d632d416
SHA512 61416225031cbb74114ee61e3f7ce697e73423c75a0f2e96f51557b3d289ad868034e2e07ead926cd12a95b524ed37cf1626dc75dc99c47fac9cb8f843002bd0

C:\Users\Admin\AppData\Local\Temp\488E.exe

MD5 6d35d4cb11e99f8645441b0f1f96da3d
SHA1 3b6e12da0c1c37d38db867ab6330ace34461c56a
SHA256 9066d830ae21197499f19a044054b0ea96f5be17cbb246714e15f36f32312204
SHA512 01b5b75ce608f55f70c6471bb20f0a248116ef902f4bd602b5cf11fed747e0af9b811fbe74d393895672806f2b525900c6cef0ce889229d27032683a5e591aa4

C:\Users\Admin\AppData\Local\Temp\488E.exe

MD5 6d35d4cb11e99f8645441b0f1f96da3d
SHA1 3b6e12da0c1c37d38db867ab6330ace34461c56a
SHA256 9066d830ae21197499f19a044054b0ea96f5be17cbb246714e15f36f32312204
SHA512 01b5b75ce608f55f70c6471bb20f0a248116ef902f4bd602b5cf11fed747e0af9b811fbe74d393895672806f2b525900c6cef0ce889229d27032683a5e591aa4

memory/2108-194-0x0000000000640000-0x0000000000647000-memory.dmp

memory/2108-195-0x0000000000630000-0x000000000063B000-memory.dmp

memory/3876-196-0x00000000010F0000-0x00000000010FF000-memory.dmp

memory/3876-197-0x0000000001100000-0x0000000001109000-memory.dmp

memory/3876-198-0x00000000010F0000-0x00000000010FF000-memory.dmp

memory/1712-200-0x0000000000630000-0x0000000000640000-memory.dmp

memory/1712-199-0x0000000000620000-0x0000000000629000-memory.dmp

memory/1712-201-0x0000000000620000-0x0000000000629000-memory.dmp

memory/1832-202-0x0000000000430000-0x000000000043C000-memory.dmp

memory/1832-203-0x0000000000440000-0x0000000000446000-memory.dmp

memory/1832-204-0x0000000000430000-0x000000000043C000-memory.dmp

memory/4332-205-0x0000000000FC0000-0x0000000000FE7000-memory.dmp

memory/4332-206-0x0000000001200000-0x0000000001222000-memory.dmp

memory/4332-207-0x0000000000FC0000-0x0000000000FE7000-memory.dmp

memory/2164-208-0x0000000000E30000-0x0000000000E39000-memory.dmp

memory/2108-209-0x0000000000640000-0x0000000000647000-memory.dmp

memory/2164-210-0x0000000000E40000-0x0000000000E45000-memory.dmp

memory/2108-211-0x0000000000630000-0x000000000063B000-memory.dmp

memory/2468-212-0x0000000000450000-0x000000000045B000-memory.dmp

memory/3876-213-0x0000000001100000-0x0000000001109000-memory.dmp

memory/2468-214-0x0000000000460000-0x0000000000466000-memory.dmp

memory/2468-215-0x0000000000450000-0x000000000045B000-memory.dmp

memory/1712-217-0x0000000000630000-0x0000000000640000-memory.dmp

memory/1568-216-0x0000000000BB0000-0x0000000000BBD000-memory.dmp

memory/1568-219-0x0000000000BB0000-0x0000000000BBD000-memory.dmp

memory/1568-218-0x0000000000BC0000-0x0000000000BC7000-memory.dmp

memory/1832-221-0x0000000000440000-0x0000000000446000-memory.dmp

memory/1704-220-0x0000000000E30000-0x0000000000E3B000-memory.dmp

memory/1704-223-0x0000000000E30000-0x0000000000E3B000-memory.dmp

memory/1704-222-0x0000000000E40000-0x0000000000E48000-memory.dmp

memory/4332-224-0x0000000001200000-0x0000000001222000-memory.dmp

memory/2164-225-0x0000000000E30000-0x0000000000E39000-memory.dmp

memory/3128-227-0x0000000000720000-0x0000000000820000-memory.dmp

memory/1568-226-0x0000000000BC0000-0x0000000000BC7000-memory.dmp

memory/3128-228-0x0000000000680000-0x00000000006F1000-memory.dmp

memory/3128-229-0x0000000000400000-0x0000000000517000-memory.dmp

memory/1704-230-0x0000000000E40000-0x0000000000E48000-memory.dmp

memory/3900-231-0x0000000000630000-0x0000000000730000-memory.dmp

memory/3900-232-0x00000000021A0000-0x00000000021F5000-memory.dmp

memory/3900-233-0x0000000000400000-0x0000000000502000-memory.dmp

memory/3128-234-0x00000000021C0000-0x00000000021C7000-memory.dmp

memory/3128-235-0x00000000023A0000-0x00000000027A0000-memory.dmp

memory/3128-236-0x0000000000400000-0x0000000000517000-memory.dmp

memory/3128-237-0x00000000023A0000-0x00000000027A0000-memory.dmp

memory/3128-238-0x00000000023A0000-0x00000000027A0000-memory.dmp

memory/3128-239-0x00000000023A0000-0x00000000027A0000-memory.dmp

memory/3128-241-0x0000000000680000-0x00000000006F1000-memory.dmp

memory/3128-242-0x0000000000720000-0x0000000000820000-memory.dmp

memory/4240-243-0x00000261F5060000-0x00000261F5063000-memory.dmp

memory/3900-244-0x0000000000630000-0x0000000000730000-memory.dmp

memory/3900-245-0x00000000021A0000-0x00000000021F5000-memory.dmp

memory/3128-246-0x0000000003160000-0x0000000003196000-memory.dmp

memory/3128-253-0x00000000023A0000-0x00000000027A0000-memory.dmp

memory/3128-252-0x0000000003160000-0x0000000003196000-memory.dmp

memory/3128-255-0x0000000000400000-0x0000000000517000-memory.dmp

memory/3128-256-0x00000000023A0000-0x00000000027A0000-memory.dmp

memory/3900-257-0x0000000000400000-0x0000000000502000-memory.dmp

memory/4240-259-0x00000261F5060000-0x00000261F5063000-memory.dmp

memory/4240-260-0x00000261F5300000-0x00000261F5307000-memory.dmp

memory/4240-261-0x00007FF4D46A0000-0x00007FF4D47CD000-memory.dmp

memory/4240-262-0x00007FF4D46A0000-0x00007FF4D47CD000-memory.dmp

memory/4240-264-0x00007FF4D46A0000-0x00007FF4D47CD000-memory.dmp

memory/4240-263-0x00007FF4D46A0000-0x00007FF4D47CD000-memory.dmp

memory/4240-266-0x00007FF4D46A0000-0x00007FF4D47CD000-memory.dmp

memory/4240-265-0x00007FF4D46A0000-0x00007FF4D47CD000-memory.dmp

memory/4240-268-0x00007FF4D46A0000-0x00007FF4D47CD000-memory.dmp

memory/4240-269-0x00007FF4D46A0000-0x00007FF4D47CD000-memory.dmp

memory/4240-270-0x00007FF4D46A0000-0x00007FF4D47CD000-memory.dmp

memory/4240-271-0x00007FFF06410000-0x00007FFF06605000-memory.dmp

memory/4240-272-0x00007FF4D46A0000-0x00007FF4D47CD000-memory.dmp

memory/3240-273-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

memory/3240-276-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

memory/3240-278-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

memory/3240-281-0x0000000002FE0000-0x0000000002FF0000-memory.dmp

memory/4240-282-0x00007FF4D46A0000-0x00007FF4D47CD000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\vm[R1ZQW.exe

MD5 09d7f30d2f8432be6087038562a029dd
SHA1 07fc20446a03a20c191e750ef21737ec948d9544
SHA256 8c7319e9b6bd1ec0fa5658aaf55096a7e549b21a380de406c705969f165cb3f8
SHA512 abc4670991a0a109a292d36f2b5116685374d0c85c157eefac3b44e240050b51c41839b8df4ffdad3ef6460dcd70c2b9457492c7d486fccd7a48e931cebacf7e

C:\Users\Admin\AppData\Local\Microsoft\vm[R1ZQW.exe

MD5 09d7f30d2f8432be6087038562a029dd
SHA1 07fc20446a03a20c191e750ef21737ec948d9544
SHA256 8c7319e9b6bd1ec0fa5658aaf55096a7e549b21a380de406c705969f165cb3f8
SHA512 abc4670991a0a109a292d36f2b5116685374d0c85c157eefac3b44e240050b51c41839b8df4ffdad3ef6460dcd70c2b9457492c7d486fccd7a48e931cebacf7e

C:\Users\Admin\AppData\Local\Microsoft\y6[Gi4`1.exe

MD5 de348ef9eed7ccdaed5a70ae15796a86
SHA1 42914d94e8024ca94e58bb4bd9cfa4d0ae524975
SHA256 a2333bcbbdbf6846ea6945637f93ecc2500a32bbfa9032c4cc39021a4e41a855
SHA512 605bdb115b9fc95b1c0924f01b3b62b27737d94fe97825e81ebc5f1de107a317bd47fbe88be9d2ac4e6b3c9d0d537a8b38986b24480a54495442c6206e9eb163

C:\Users\Admin\AppData\Local\Microsoft\y6[Gi4`1.exe

MD5 de348ef9eed7ccdaed5a70ae15796a86
SHA1 42914d94e8024ca94e58bb4bd9cfa4d0ae524975
SHA256 a2333bcbbdbf6846ea6945637f93ecc2500a32bbfa9032c4cc39021a4e41a855
SHA512 605bdb115b9fc95b1c0924f01b3b62b27737d94fe97825e81ebc5f1de107a317bd47fbe88be9d2ac4e6b3c9d0d537a8b38986b24480a54495442c6206e9eb163

C:\Users\Admin\AppData\Local\Microsoft\tSsr`r.exe

MD5 6ac14216327dcfb60b33ebd914f62769
SHA1 d55eba9a523347f5ee65c9e27a3dc73a1eb4cf7b
SHA256 25f77a058ec8aff36602762a75066b3ba52652ce90fc823b51dc81e4b14bbeb9
SHA512 6af659cfee302b0faefd85a87bc0aa3e10c40aeb18c6246cf2b335a34b40c21279f1b76ae420217f2caa3913d66e96116860ce442fad5fe465d2273de79ff3ed

C:\Users\Admin\AppData\Local\Microsoft\tSsr`r.exe

MD5 6ac14216327dcfb60b33ebd914f62769
SHA1 d55eba9a523347f5ee65c9e27a3dc73a1eb4cf7b
SHA256 25f77a058ec8aff36602762a75066b3ba52652ce90fc823b51dc81e4b14bbeb9
SHA512 6af659cfee302b0faefd85a87bc0aa3e10c40aeb18c6246cf2b335a34b40c21279f1b76ae420217f2caa3913d66e96116860ce442fad5fe465d2273de79ff3ed

C:\Users\Admin\AppData\Local\Microsoft\vm[R1ZQW.exe

MD5 09d7f30d2f8432be6087038562a029dd
SHA1 07fc20446a03a20c191e750ef21737ec948d9544
SHA256 8c7319e9b6bd1ec0fa5658aaf55096a7e549b21a380de406c705969f165cb3f8
SHA512 abc4670991a0a109a292d36f2b5116685374d0c85c157eefac3b44e240050b51c41839b8df4ffdad3ef6460dcd70c2b9457492c7d486fccd7a48e931cebacf7e

C:\Users\Admin\AppData\Local\Microsoft\y6[Gi4`1.exe

MD5 de348ef9eed7ccdaed5a70ae15796a86
SHA1 42914d94e8024ca94e58bb4bd9cfa4d0ae524975
SHA256 a2333bcbbdbf6846ea6945637f93ecc2500a32bbfa9032c4cc39021a4e41a855
SHA512 605bdb115b9fc95b1c0924f01b3b62b27737d94fe97825e81ebc5f1de107a317bd47fbe88be9d2ac4e6b3c9d0d537a8b38986b24480a54495442c6206e9eb163

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[08233F11-3483].[[email protected]].8base

MD5 7687e74daa74f44efabb51f5efe72bc3
SHA1 d87a3a810e0caa2d95210c0eaff1061973094b27
SHA256 647eb7d6cb9777be0fdac10fa0b8c919127f781936e26658020cc8cb9f1a1961
SHA512 e676a69fd8d42f0d21f7e85078910075fa741344868f92295a6749d757451e2497b1b54f538032845f7505efbe71fd53b0bb640ca96a76728e6db053b74a9058