Malware Analysis Report

2024-11-16 12:20

Sample ID 230714-3lptbsgd58
Target 2f114f5d0e6063b5c3c3276bdbd20766a102b49dd48dce74d142eefa07c7cda5
SHA256 2f114f5d0e6063b5c3c3276bdbd20766a102b49dd48dce74d142eefa07c7cda5
Tags
lumma phobos rhadamanthys smokeloader systembc 0nf summ backdoor collection discovery evasion persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2f114f5d0e6063b5c3c3276bdbd20766a102b49dd48dce74d142eefa07c7cda5

Threat Level: Known bad

The file 2f114f5d0e6063b5c3c3276bdbd20766a102b49dd48dce74d142eefa07c7cda5 was found to be: Known bad.

Malicious Activity Summary

lumma phobos rhadamanthys smokeloader systembc 0nf summ backdoor collection discovery evasion persistence ransomware spyware stealer trojan

Rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

SmokeLoader

SystemBC

Phobos

Lumma Stealer

Detect rhadamanthys stealer shellcode

Modifies boot configuration data using bcdedit

Deletes shadow copies

Renames multiple (321) files with added filename extension

Modifies Windows Firewall

Deletes backup catalog

Downloads MZ/PE file

Executes dropped EXE

Drops startup file

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Checks installed software on the system

Drops desktop.ini file(s)

Legitimate hosting services abused for malware hosting/C2

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Program Files directory

Program crash

Unsigned PE

outlook_office_path

outlook_win_path

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Uses Task Scheduler COM API

Suspicious behavior: MapViewOfSection

Interacts with shadow copies

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-14 23:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-14 23:36

Reported

2023-07-14 23:38

Platform

win10v2004-20230703-en

Max time kernel

138s

Max time network

155s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detect rhadamanthys stealer shellcode

Description Indicator Process Target
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

Phobos

ransomware phobos

Rhadamanthys

stealer rhadamanthys

SmokeLoader

trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1204 created 3168 N/A C:\Users\Admin\AppData\Local\Temp\EBD7.exe C:\Windows\Explorer.EXE

SystemBC

trojan systembc

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (321) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\mVw7.exe C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mVw7 = "C:\\Users\\Admin\\AppData\\Local\\mVw7.exe" C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mVw7 = "C:\\Users\\Admin\\AppData\\Local\\mVw7.exe" C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A

Checks installed software on the system

discovery

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-1722984668-1829624581-3022101259-1000\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1722984668-1829624581-3022101259-1000\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{15E4DF08-97B7-45CB-9F5E-A87A13CD10AF}.catalogItem C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat C:\Windows\System32\svchost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2748 set thread context of 2184 N/A C:\Users\Admin\AppData\Local\Microsoft\yKz21.exe C:\Users\Admin\AppData\Local\Microsoft\yKz21.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jdk1.8.0_66\jre\bin\verify.dll.id[94C36C57-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-services.xml C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected][94C36C57-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Data.Edm.dll C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-private-l1-1-0.dll.id[94C36C57-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-ul-oob.xrm-ms.id[94C36C57-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-bridge-office.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.Office.Tools.Excel.dll C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSOXMLMF.DLL C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\klist.exe C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-ul-oob.xrm-ms.id[94C36C57-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-80.png.id[94C36C57-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL104.XML C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.id[94C36C57-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF.id[94C36C57-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.commons.codec_1.6.0.v201305230611.jar.id[94C36C57-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Client\AppVLP.exe C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-100.png C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MEDIA\WIND.WAV C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File created C:\Program Files\Microsoft Office\root\rsod\office.x-none.msi.16.x-none.boot.tree.dat.id[94C36C57-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\INDUST\INDUST.ELM.id[94C36C57-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-compat_ja.jar C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ppd.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File created C:\Program Files\Java\jre1.8.0_66\lib\security\java.policy.id[94C36C57-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.AnalysisServices.Common.dll.id[94C36C57-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Grace-ppd.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Fonts\private\LEELAWAD.TTF.id[94C36C57-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\NAME.DLL C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\STSUPLD.DLL.id[94C36C57-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\epl-v10.html C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File created C:\Program Files\Java\jre1.8.0_66\bin\gstreamer-lite.dll.id[94C36C57-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ppd.xrm-ms.id[94C36C57-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ul-phn.xrm-ms.id[94C36C57-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File created C:\Program Files\Mozilla Firefox\api-ms-win-core-localization-l1-2-0.dll.id[94C36C57-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\epl-v10.html.id[94C36C57-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\j2pcsc.dll C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ppd.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-ppd.xrm-ms.id[94C36C57-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MEDIA\CASHREG.WAV.id[94C36C57-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\EXPTOOWS.DLL C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-80.png.id[94C36C57-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\hprof-16.png C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial-Times New Roman.xml C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Retail-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-ppd.xrm-ms.id[94C36C57-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy.jar.id[94C36C57-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\tzmappings C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ppd.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.reportviewer.common.dll.id[94C36C57-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\msmdlocal.dll.id[94C36C57-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\ECLIPSE_.SF.id[94C36C57-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-sa.jar.id[94C36C57-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ppd.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-ppd.xrm-ms.id[94C36C57-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-ul-phn.xrm-ms.id[94C36C57-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\2f114f5d0e6063b5c3c3276bdbd20766a102b49dd48dce74d142eefa07c7cda5.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\2f114f5d0e6063b5c3c3276bdbd20766a102b49dd48dce74d142eefa07c7cda5.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\yKz21.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\2f114f5d0e6063b5c3c3276bdbd20766a102b49dd48dce74d142eefa07c7cda5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\yKz21.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\yKz21.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\certreq.exe N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\certreq.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f114f5d0e6063b5c3c3276bdbd20766a102b49dd48dce74d142eefa07c7cda5.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3168 wrote to memory of 1204 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\EBD7.exe
PID 3168 wrote to memory of 1204 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\EBD7.exe
PID 3168 wrote to memory of 1204 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\EBD7.exe
PID 3168 wrote to memory of 1364 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\F628.exe
PID 3168 wrote to memory of 1364 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\F628.exe
PID 3168 wrote to memory of 1364 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\F628.exe
PID 3168 wrote to memory of 812 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3168 wrote to memory of 812 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3168 wrote to memory of 812 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3168 wrote to memory of 812 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3168 wrote to memory of 4908 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3168 wrote to memory of 4908 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3168 wrote to memory of 4908 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3168 wrote to memory of 4544 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3168 wrote to memory of 4544 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3168 wrote to memory of 4544 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3168 wrote to memory of 4544 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3168 wrote to memory of 4040 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3168 wrote to memory of 4040 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3168 wrote to memory of 4040 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3168 wrote to memory of 3440 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3168 wrote to memory of 3440 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3168 wrote to memory of 3440 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3168 wrote to memory of 3440 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3168 wrote to memory of 2180 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3168 wrote to memory of 2180 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3168 wrote to memory of 2180 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3168 wrote to memory of 2180 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3168 wrote to memory of 4500 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3168 wrote to memory of 4500 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3168 wrote to memory of 4500 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3168 wrote to memory of 4500 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3168 wrote to memory of 4632 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3168 wrote to memory of 4632 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3168 wrote to memory of 4632 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3168 wrote to memory of 1548 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3168 wrote to memory of 1548 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3168 wrote to memory of 1548 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3168 wrote to memory of 1548 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1204 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\EBD7.exe C:\Windows\system32\certreq.exe
PID 1204 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\EBD7.exe C:\Windows\system32\certreq.exe
PID 1204 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\EBD7.exe C:\Windows\system32\certreq.exe
PID 1204 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\EBD7.exe C:\Windows\system32\certreq.exe
PID 2748 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Microsoft\yKz21.exe C:\Users\Admin\AppData\Local\Microsoft\yKz21.exe
PID 2748 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Microsoft\yKz21.exe C:\Users\Admin\AppData\Local\Microsoft\yKz21.exe
PID 2748 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Microsoft\yKz21.exe C:\Users\Admin\AppData\Local\Microsoft\yKz21.exe
PID 2748 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Microsoft\yKz21.exe C:\Users\Admin\AppData\Local\Microsoft\yKz21.exe
PID 2748 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Microsoft\yKz21.exe C:\Users\Admin\AppData\Local\Microsoft\yKz21.exe
PID 2748 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Microsoft\yKz21.exe C:\Users\Admin\AppData\Local\Microsoft\yKz21.exe
PID 888 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe C:\Windows\system32\cmd.exe
PID 888 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe C:\Windows\system32\cmd.exe
PID 888 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe C:\Windows\system32\cmd.exe
PID 888 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe C:\Windows\system32\cmd.exe
PID 1364 wrote to memory of 3984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1364 wrote to memory of 3984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1476 wrote to memory of 1564 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1476 wrote to memory of 1564 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1364 wrote to memory of 1452 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1364 wrote to memory of 1452 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1476 wrote to memory of 4768 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1476 wrote to memory of 4768 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1476 wrote to memory of 2780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1476 wrote to memory of 2780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1476 wrote to memory of 3912 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\system32\certreq.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\2f114f5d0e6063b5c3c3276bdbd20766a102b49dd48dce74d142eefa07c7cda5.exe

"C:\Users\Admin\AppData\Local\Temp\2f114f5d0e6063b5c3c3276bdbd20766a102b49dd48dce74d142eefa07c7cda5.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p

C:\Users\Admin\AppData\Local\Temp\EBD7.exe

C:\Users\Admin\AppData\Local\Temp\EBD7.exe

C:\Users\Admin\AppData\Local\Temp\F628.exe

C:\Users\Admin\AppData\Local\Temp\F628.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\certreq.exe

"C:\Windows\system32\certreq.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1204 -ip 1204

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1204 -s 856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1364 -ip 1364

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 3488

C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe

"C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe"

C:\Users\Admin\AppData\Local\Microsoft\W7m7ft.exe

"C:\Users\Admin\AppData\Local\Microsoft\W7m7ft.exe"

C:\Users\Admin\AppData\Local\Microsoft\yKz21.exe

"C:\Users\Admin\AppData\Local\Microsoft\yKz21.exe"

C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe

"C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe"

C:\Users\Admin\AppData\Local\Microsoft\yKz21.exe

"C:\Users\Admin\AppData\Local\Microsoft\yKz21.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3060 -ip 3060

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 468

C:\Users\Admin\AppData\Local\Temp\7864.exe

C:\Users\Admin\AppData\Local\Temp\7864.exe

C:\Users\Admin\AppData\Local\Temp\7AE6.exe

C:\Users\Admin\AppData\Local\Temp\7AE6.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 254.177.238.8.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 177.17.30.184.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 135.5.85.104.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 stalagmijesarl.com udp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
US 8.8.8.8:53 31.153.50.194.in-addr.arpa udp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
US 8.8.8.8:53 admxlogs25.xyz udp
EE 46.36.218.224:80 admxlogs25.xyz tcp
US 8.8.8.8:53 224.218.36.46.in-addr.arpa udp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
US 8.8.8.8:53 github.com udp
US 140.82.113.4:443 github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
US 8.8.8.8:53 4.113.82.140.in-addr.arpa udp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
US 8.8.8.8:53 gstatic-node.io udp
US 188.114.96.0:80 gstatic-node.io tcp
US 8.8.8.8:53 254.136.241.8.in-addr.arpa udp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
US 188.114.96.0:80 gstatic-node.io tcp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 8.8.8.8:53 admlogs195.xyz udp
EE 46.36.219.3:80 admlogs195.xyz tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 8.8.8.8:53 3.219.36.46.in-addr.arpa udp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
EE 46.36.219.3:80 admlogs195.xyz tcp
EE 46.36.219.3:80 admlogs195.xyz tcp
US 8.8.8.8:53 69.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 64.13.109.52.in-addr.arpa udp
EE 46.36.219.3:80 admlogs195.xyz tcp
US 8.8.8.8:53 serverxlogs21.xyz udp
DE 45.131.66.120:80 serverxlogs21.xyz tcp
US 8.8.8.8:53 cexsad917.xyz udp
EE 46.36.218.224:80 cexsad917.xyz tcp
US 8.8.8.8:53 120.66.131.45.in-addr.arpa udp
US 8.8.8.8:53 210.80.50.20.in-addr.arpa udp
DE 45.131.66.120:80 serverxlogs21.xyz tcp

Files

memory/484-134-0x00000000006B0000-0x00000000007B0000-memory.dmp

memory/484-135-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/484-136-0x0000000000650000-0x0000000000659000-memory.dmp

memory/484-138-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/3168-139-0x0000000002B20000-0x0000000002B36000-memory.dmp

memory/484-140-0x0000000000400000-0x00000000004E3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wsuA577.tmp

MD5 c01eaa0bdcd7c30a42bbb35a9acbf574
SHA1 0aee3e1b873e41d040f1991819d0027b6cc68f54
SHA256 32297224427103aa1834dba276bf5d49cd5dd6bda0291422e47ad0d0706c6d40
SHA512 d26ff775ad39425933cd3df92209faa53ec5b701e65bfbcccc64ce8dd3e79f619a9bad7cc975a98a95f2006ae89e50551877fc315a3050e48d5ab89e0802e2b7

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

MD5 8a5ff1beb7de1cfa32cdac90082151ee
SHA1 7796e35aa79ef1565fc04d538383c06348da0214
SHA256 269f617008efe3238703b9317f32abd0be260d626cc705767d292ab35c9b27be
SHA512 74d817b31b74f66e2a53e2c1195a00425571c80a85c43cb5973926299de533e14d7b22d6e301b2bc0fe918917fc219458c927d056748f4d236ebd4a36c6032ca

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

MD5 105275ec8ae532f4fa1df61eea0e6faf
SHA1 0770ccf6593890256d35c35a14f17cbf34187d6e
SHA256 178be379134ecde3997939805e28353f7b9edae60c20ab1055d8120e03a7346e
SHA512 88f5a0ceba2121fde79263238e40a340731bb192245d21215bcf44c7a9459f146d7dd7c12aa4bc06fc08d1ea62ce8f57a913361ad8c76a9e65d3254d61b78d36

C:\Users\Admin\AppData\Local\Temp\EBD7.exe

MD5 aaf3d68aeea347268ede50e621ca21ce
SHA1 0e7c0e38a200a9ea3af663dfd33941cc5e1657c9
SHA256 09c9bc026f600cb19848ba96858b3dbfe13f03358dc0703818d3bfa3d632d416
SHA512 61416225031cbb74114ee61e3f7ce697e73423c75a0f2e96f51557b3d289ad868034e2e07ead926cd12a95b524ed37cf1626dc75dc99c47fac9cb8f843002bd0

C:\Users\Admin\AppData\Local\Temp\EBD7.exe

MD5 aaf3d68aeea347268ede50e621ca21ce
SHA1 0e7c0e38a200a9ea3af663dfd33941cc5e1657c9
SHA256 09c9bc026f600cb19848ba96858b3dbfe13f03358dc0703818d3bfa3d632d416
SHA512 61416225031cbb74114ee61e3f7ce697e73423c75a0f2e96f51557b3d289ad868034e2e07ead926cd12a95b524ed37cf1626dc75dc99c47fac9cb8f843002bd0

C:\Users\Admin\AppData\Local\Temp\F628.exe

MD5 6d35d4cb11e99f8645441b0f1f96da3d
SHA1 3b6e12da0c1c37d38db867ab6330ace34461c56a
SHA256 9066d830ae21197499f19a044054b0ea96f5be17cbb246714e15f36f32312204
SHA512 01b5b75ce608f55f70c6471bb20f0a248116ef902f4bd602b5cf11fed747e0af9b811fbe74d393895672806f2b525900c6cef0ce889229d27032683a5e591aa4

C:\Users\Admin\AppData\Local\Temp\F628.exe

MD5 6d35d4cb11e99f8645441b0f1f96da3d
SHA1 3b6e12da0c1c37d38db867ab6330ace34461c56a
SHA256 9066d830ae21197499f19a044054b0ea96f5be17cbb246714e15f36f32312204
SHA512 01b5b75ce608f55f70c6471bb20f0a248116ef902f4bd602b5cf11fed747e0af9b811fbe74d393895672806f2b525900c6cef0ce889229d27032683a5e591aa4

memory/812-218-0x0000000001220000-0x0000000001227000-memory.dmp

memory/812-219-0x0000000001210000-0x000000000121B000-memory.dmp

memory/812-220-0x0000000001210000-0x000000000121B000-memory.dmp

memory/4908-221-0x0000000000DE0000-0x0000000000DEF000-memory.dmp

memory/4908-222-0x0000000000DE0000-0x0000000000DEF000-memory.dmp

memory/4544-223-0x0000000000E30000-0x0000000000E39000-memory.dmp

memory/4544-224-0x0000000000E40000-0x0000000000E45000-memory.dmp

memory/4544-225-0x0000000000E30000-0x0000000000E39000-memory.dmp

memory/4040-226-0x0000000001030000-0x000000000103C000-memory.dmp

memory/4040-227-0x0000000001040000-0x0000000001046000-memory.dmp

memory/4040-228-0x0000000001030000-0x000000000103C000-memory.dmp

memory/3440-230-0x00000000012C0000-0x00000000012E2000-memory.dmp

memory/3440-229-0x0000000001290000-0x00000000012B7000-memory.dmp

memory/3440-231-0x0000000001290000-0x00000000012B7000-memory.dmp

memory/812-232-0x0000000001220000-0x0000000001227000-memory.dmp

memory/2180-233-0x0000000000C40000-0x0000000000C49000-memory.dmp

memory/2180-234-0x0000000000C50000-0x0000000000C55000-memory.dmp

memory/2180-235-0x0000000000C40000-0x0000000000C49000-memory.dmp

memory/4500-236-0x0000000000BE0000-0x0000000000BEB000-memory.dmp

memory/4500-238-0x0000000000BE0000-0x0000000000BEB000-memory.dmp

memory/4908-237-0x0000000001210000-0x000000000121B000-memory.dmp

memory/4632-239-0x0000000000FE0000-0x0000000000FED000-memory.dmp

memory/4632-241-0x0000000000BE0000-0x0000000000BEB000-memory.dmp

memory/4544-240-0x0000000000E40000-0x0000000000E45000-memory.dmp

memory/4632-242-0x0000000000FE0000-0x0000000000FED000-memory.dmp

memory/1204-243-0x0000000002090000-0x0000000002101000-memory.dmp

memory/1204-244-0x0000000000620000-0x0000000000720000-memory.dmp

memory/1204-245-0x0000000000400000-0x0000000000517000-memory.dmp

memory/1548-247-0x0000000000F70000-0x0000000000F7B000-memory.dmp

memory/4040-246-0x0000000001040000-0x0000000001046000-memory.dmp

memory/1548-248-0x0000000000400000-0x0000000000517000-memory.dmp

memory/1548-249-0x0000000000F70000-0x0000000000F7B000-memory.dmp

memory/3440-250-0x00000000012C0000-0x00000000012E2000-memory.dmp

memory/1204-251-0x00000000005D0000-0x00000000005D7000-memory.dmp

memory/1204-252-0x0000000002440000-0x0000000002840000-memory.dmp

memory/1204-253-0x0000000002440000-0x0000000002840000-memory.dmp

memory/1204-254-0x0000000002440000-0x0000000002840000-memory.dmp

memory/2180-255-0x0000000000C50000-0x0000000000C55000-memory.dmp

memory/1204-256-0x0000000002440000-0x0000000002840000-memory.dmp

memory/1364-263-0x0000000002190000-0x00000000021E5000-memory.dmp

memory/1364-264-0x0000000000400000-0x0000000000502000-memory.dmp

memory/1364-265-0x00000000007B0000-0x00000000008B0000-memory.dmp

memory/4500-269-0x0000000000C40000-0x0000000000C49000-memory.dmp

memory/1204-270-0x0000000002090000-0x0000000002101000-memory.dmp

memory/4632-277-0x0000000000BE0000-0x0000000000BEB000-memory.dmp

memory/2272-281-0x000001B10DED0000-0x000001B10DED3000-memory.dmp

memory/1204-285-0x0000000000620000-0x0000000000720000-memory.dmp

memory/1204-286-0x0000000000400000-0x0000000000517000-memory.dmp

memory/1548-287-0x0000000000400000-0x0000000000517000-memory.dmp

memory/1204-288-0x0000000003240000-0x0000000003276000-memory.dmp

memory/1204-301-0x0000000003240000-0x0000000003276000-memory.dmp

memory/1204-302-0x0000000002440000-0x0000000002840000-memory.dmp

memory/1204-307-0x0000000000400000-0x0000000000517000-memory.dmp

memory/1204-308-0x0000000002440000-0x0000000002840000-memory.dmp

memory/1364-312-0x0000000000400000-0x0000000000502000-memory.dmp

memory/1364-316-0x00000000007B0000-0x00000000008B0000-memory.dmp

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

MD5 05d92126753690303abb22f8d787c6c4
SHA1 e46b8e3305889bdf62a4927a767461ef0af7766b
SHA256 626166d13955f6ac670e78b3833b50cb379cd4a35983245435e5cf0e3d334701
SHA512 44cf8f468a9b43f0b4c1b21471e2103c1da27ecd3a91181e6f395e2f7c1f541212d414427a87bc1c133b525d8451daa8576f5e35ba9fb36b7b8ed5a60f12159c

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

MD5 145163ea3adab902263d196de813a8e5
SHA1 b0f398bfd83cbed208b265b4ed8d904c963ad7d4
SHA256 e2572d6b5a433d65a8863b41d120239a597f6e61b48fae1ee4a03f566a4746e6
SHA512 e6b1c1de333998d8998dbe380b9c6127642f3f7221a343657b78314e4b02baeb055875f78a56190442254708a62639cc3a2c85b23860eeb03eaa890390cd1b41

memory/2272-363-0x000001B10DED0000-0x000001B10DED3000-memory.dmp

memory/2272-364-0x000001B10E290000-0x000001B10E297000-memory.dmp

memory/2272-369-0x00007FF42E790000-0x00007FF42E8BD000-memory.dmp

memory/1364-368-0x0000000000400000-0x0000000000502000-memory.dmp

memory/2272-370-0x00007FF42E790000-0x00007FF42E8BD000-memory.dmp

memory/2272-371-0x00007FF42E790000-0x00007FF42E8BD000-memory.dmp

memory/2272-372-0x00007FF42E790000-0x00007FF42E8BD000-memory.dmp

memory/2272-374-0x00007FF42E790000-0x00007FF42E8BD000-memory.dmp

memory/2272-379-0x00007FF42E790000-0x00007FF42E8BD000-memory.dmp

memory/2272-380-0x00007FF42E790000-0x00007FF42E8BD000-memory.dmp

memory/2272-381-0x00007FF42E790000-0x00007FF42E8BD000-memory.dmp

memory/2272-382-0x00007FFD75C30000-0x00007FFD75E25000-memory.dmp

memory/2272-386-0x00007FF42E790000-0x00007FF42E8BD000-memory.dmp

memory/2272-393-0x00007FF42E790000-0x00007FF42E8BD000-memory.dmp

memory/2272-397-0x00007FF42E790000-0x00007FF42E8BD000-memory.dmp

memory/2272-401-0x00007FF42E790000-0x00007FF42E8BD000-memory.dmp

memory/2272-417-0x00007FF42E790000-0x00007FF42E8BD000-memory.dmp

memory/2272-427-0x00007FFD75C30000-0x00007FFD75E25000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe

MD5 de348ef9eed7ccdaed5a70ae15796a86
SHA1 42914d94e8024ca94e58bb4bd9cfa4d0ae524975
SHA256 a2333bcbbdbf6846ea6945637f93ecc2500a32bbfa9032c4cc39021a4e41a855
SHA512 605bdb115b9fc95b1c0924f01b3b62b27737d94fe97825e81ebc5f1de107a317bd47fbe88be9d2ac4e6b3c9d0d537a8b38986b24480a54495442c6206e9eb163

C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe

MD5 de348ef9eed7ccdaed5a70ae15796a86
SHA1 42914d94e8024ca94e58bb4bd9cfa4d0ae524975
SHA256 a2333bcbbdbf6846ea6945637f93ecc2500a32bbfa9032c4cc39021a4e41a855
SHA512 605bdb115b9fc95b1c0924f01b3b62b27737d94fe97825e81ebc5f1de107a317bd47fbe88be9d2ac4e6b3c9d0d537a8b38986b24480a54495442c6206e9eb163

C:\Users\Admin\AppData\Local\Microsoft\W7m7ft.exe

MD5 6ac14216327dcfb60b33ebd914f62769
SHA1 d55eba9a523347f5ee65c9e27a3dc73a1eb4cf7b
SHA256 25f77a058ec8aff36602762a75066b3ba52652ce90fc823b51dc81e4b14bbeb9
SHA512 6af659cfee302b0faefd85a87bc0aa3e10c40aeb18c6246cf2b335a34b40c21279f1b76ae420217f2caa3913d66e96116860ce442fad5fe465d2273de79ff3ed

C:\Users\Admin\AppData\Local\Microsoft\W7m7ft.exe

MD5 6ac14216327dcfb60b33ebd914f62769
SHA1 d55eba9a523347f5ee65c9e27a3dc73a1eb4cf7b
SHA256 25f77a058ec8aff36602762a75066b3ba52652ce90fc823b51dc81e4b14bbeb9
SHA512 6af659cfee302b0faefd85a87bc0aa3e10c40aeb18c6246cf2b335a34b40c21279f1b76ae420217f2caa3913d66e96116860ce442fad5fe465d2273de79ff3ed

C:\Users\Admin\AppData\Local\Microsoft\yKz21.exe

MD5 09d7f30d2f8432be6087038562a029dd
SHA1 07fc20446a03a20c191e750ef21737ec948d9544
SHA256 8c7319e9b6bd1ec0fa5658aaf55096a7e549b21a380de406c705969f165cb3f8
SHA512 abc4670991a0a109a292d36f2b5116685374d0c85c157eefac3b44e240050b51c41839b8df4ffdad3ef6460dcd70c2b9457492c7d486fccd7a48e931cebacf7e

C:\Users\Admin\AppData\Local\Microsoft\yKz21.exe

MD5 09d7f30d2f8432be6087038562a029dd
SHA1 07fc20446a03a20c191e750ef21737ec948d9544
SHA256 8c7319e9b6bd1ec0fa5658aaf55096a7e549b21a380de406c705969f165cb3f8
SHA512 abc4670991a0a109a292d36f2b5116685374d0c85c157eefac3b44e240050b51c41839b8df4ffdad3ef6460dcd70c2b9457492c7d486fccd7a48e931cebacf7e

memory/2272-468-0x00007FFD75C30000-0x00007FFD75E25000-memory.dmp

memory/2272-467-0x000001B10E290000-0x000001B10E295000-memory.dmp

memory/888-469-0x0000000000740000-0x0000000000840000-memory.dmp

memory/888-470-0x0000000000570000-0x000000000057F000-memory.dmp

memory/888-471-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/1028-472-0x0000000000680000-0x0000000000780000-memory.dmp

memory/1028-473-0x0000000000530000-0x0000000000535000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\mVw7.exe

MD5 de348ef9eed7ccdaed5a70ae15796a86
SHA1 42914d94e8024ca94e58bb4bd9cfa4d0ae524975
SHA256 a2333bcbbdbf6846ea6945637f93ecc2500a32bbfa9032c4cc39021a4e41a855
SHA512 605bdb115b9fc95b1c0924f01b3b62b27737d94fe97825e81ebc5f1de107a317bd47fbe88be9d2ac4e6b3c9d0d537a8b38986b24480a54495442c6206e9eb163

memory/1028-474-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/2748-478-0x00000000005B0000-0x00000000006B0000-memory.dmp

memory/2748-479-0x0000000000540000-0x0000000000549000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\yKz21.exe

MD5 09d7f30d2f8432be6087038562a029dd
SHA1 07fc20446a03a20c191e750ef21737ec948d9544
SHA256 8c7319e9b6bd1ec0fa5658aaf55096a7e549b21a380de406c705969f165cb3f8
SHA512 abc4670991a0a109a292d36f2b5116685374d0c85c157eefac3b44e240050b51c41839b8df4ffdad3ef6460dcd70c2b9457492c7d486fccd7a48e931cebacf7e

memory/2184-480-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2184-482-0x0000000000400000-0x0000000000409000-memory.dmp

memory/888-496-0x0000000000740000-0x0000000000840000-memory.dmp

memory/1028-501-0x0000000000680000-0x0000000000780000-memory.dmp

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[94C36C57-3483].[[email protected]].8base

MD5 dc8578bd2c89c3a86191e2c33d9df294
SHA1 9f367bdf2832636603bbafaf0070d79e1524ea49
SHA256 eaaec65280d881ffbe92c56a2e81f4a04ca3b03cf03cf73a189d242074ee65e3
SHA512 9bc61fa9ed0617d0490cf15bbf5633ec8f5c5793a556c027069d93abe433400029009f07c90591a50dbf0a47da515a84aba4ecd028afb0cf9da71d104c229e14

memory/3168-891-0x00000000084C0000-0x00000000084D6000-memory.dmp

memory/2184-936-0x0000000000400000-0x0000000000409000-memory.dmp

memory/888-2755-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/3060-2772-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/3060-2771-0x0000000000770000-0x0000000000870000-memory.dmp

memory/888-4696-0x0000000000400000-0x00000000004E3000-memory.dmp

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

MD5 90f4e2bff65c55b1635a8ab7eb977792
SHA1 55eb159812a5ded17489f96b578c802484e329c7
SHA256 3109a2a788ff21024ff7c2762718450d5e6a8c2a6daf5ac3981992b04e8c2879
SHA512 4df8dc060ce385b303052e817c409cdf942ba5cd357c25efdc796ba1e77d6351ef75c4a4515847d1a183f898ff3ba61d224f5b60667e31ad1acce68e871d0814

C:\Users\Admin\AppData\Local\Temp\7864.exe

MD5 de348ef9eed7ccdaed5a70ae15796a86
SHA1 42914d94e8024ca94e58bb4bd9cfa4d0ae524975
SHA256 a2333bcbbdbf6846ea6945637f93ecc2500a32bbfa9032c4cc39021a4e41a855
SHA512 605bdb115b9fc95b1c0924f01b3b62b27737d94fe97825e81ebc5f1de107a317bd47fbe88be9d2ac4e6b3c9d0d537a8b38986b24480a54495442c6206e9eb163

C:\Users\Admin\AppData\Local\Temp\7864.exe

MD5 de348ef9eed7ccdaed5a70ae15796a86
SHA1 42914d94e8024ca94e58bb4bd9cfa4d0ae524975
SHA256 a2333bcbbdbf6846ea6945637f93ecc2500a32bbfa9032c4cc39021a4e41a855
SHA512 605bdb115b9fc95b1c0924f01b3b62b27737d94fe97825e81ebc5f1de107a317bd47fbe88be9d2ac4e6b3c9d0d537a8b38986b24480a54495442c6206e9eb163

C:\Users\Admin\AppData\Local\Temp\7864.exe

MD5 de348ef9eed7ccdaed5a70ae15796a86
SHA1 42914d94e8024ca94e58bb4bd9cfa4d0ae524975
SHA256 a2333bcbbdbf6846ea6945637f93ecc2500a32bbfa9032c4cc39021a4e41a855
SHA512 605bdb115b9fc95b1c0924f01b3b62b27737d94fe97825e81ebc5f1de107a317bd47fbe88be9d2ac4e6b3c9d0d537a8b38986b24480a54495442c6206e9eb163

C:\Users\Admin\AppData\Local\Temp\7AE6.exe

MD5 6ac14216327dcfb60b33ebd914f62769
SHA1 d55eba9a523347f5ee65c9e27a3dc73a1eb4cf7b
SHA256 25f77a058ec8aff36602762a75066b3ba52652ce90fc823b51dc81e4b14bbeb9
SHA512 6af659cfee302b0faefd85a87bc0aa3e10c40aeb18c6246cf2b335a34b40c21279f1b76ae420217f2caa3913d66e96116860ce442fad5fe465d2273de79ff3ed

C:\Users\Admin\AppData\Local\Temp\7AE6.exe

MD5 6ac14216327dcfb60b33ebd914f62769
SHA1 d55eba9a523347f5ee65c9e27a3dc73a1eb4cf7b
SHA256 25f77a058ec8aff36602762a75066b3ba52652ce90fc823b51dc81e4b14bbeb9
SHA512 6af659cfee302b0faefd85a87bc0aa3e10c40aeb18c6246cf2b335a34b40c21279f1b76ae420217f2caa3913d66e96116860ce442fad5fe465d2273de79ff3ed

memory/5956-6192-0x0000000000960000-0x00000000009CB000-memory.dmp

memory/888-6193-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/5956-6194-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/5948-6196-0x0000000000B40000-0x0000000000B4C000-memory.dmp

memory/5956-6200-0x0000000000960000-0x00000000009CB000-memory.dmp

memory/5948-6202-0x0000000000B40000-0x0000000000B4C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\cookies.sqlite.id[94C36C57-3483].[[email protected]].8base

MD5 f241b91d1b80a347375b5b4c074920e6
SHA1 7ad0a47e7af308d5d3eed2895be0da462186183a
SHA256 cd7d39f37dca3602362efe180ba42eb249f68137af30cda21f6a2ae53241fad7
SHA512 a2686be30dbd1f27c03bd0fbd3e0d91fbb2268c3f87ac881dc68083609a0f95858508c66825b510c82d10a7bcf271f0ddf0698a1195650da9c94f1c98890ffb4

memory/3092-6278-0x0000000000960000-0x0000000000969000-memory.dmp

memory/1872-6281-0x0000000000960000-0x000000000096B000-memory.dmp