Malware Analysis Report

2024-11-16 12:20

Sample ID 230714-h6mt9acf32
Target dc80d05184fe7f0757caefa3d0c96682.exe
SHA256 ae0087b0e2f4292c64c5232368e562c30da4db998734b9b3dd5e27f456741f9c
Tags
phobos rhadamanthys smokeloader systembc backdoor collection evasion persistence ransomware spyware stealer trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file dc80d05184fe7f0757caefa3d0c96682.exe was found to be: Known bad.

Malicious Activity Summary

SmokeLoader

Phobos

SystemBC

Rhadamanthys

Detect rhadamanthys stealer shellcode

Suspicious use of NtCreateUserProcessOtherParentProcess

Renames multiple (482) files with added filename extension

Modifies boot configuration data using bcdedit

Renames multiple (291) files with added filename extension

Deletes shadow copies

Downloads MZ/PE file

Modifies Windows Firewall

Deletes backup catalog

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Deletes itself

Drops startup file

Accesses Microsoft Outlook profiles

Adds Run key to start application

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

outlook_win_path

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Uses Volume Shadow Copy service COM API

Modifies registry class

Interacts with shadow copies

Suspicious use of AdjustPrivilegeToken

outlook_office_path

Suspicious behavior: MapViewOfSection

Analysis: static1

Detonation Overview

Reported

2023-07-14 07:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-14 07:21

Reported

2023-07-14 07:23

Platform

win7-20230712-en

Max time kernel

150s

Max time network

125s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detect rhadamanthys stealer shellcode

Description Indicator Process Target
N/A N/A N/A N/A

Phobos

ransomware phobos

Rhadamanthys

stealer rhadamanthys

SmokeLoader

trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2288 created 1244 N/A C:\Users\Admin\AppData\Local\Temp\dc80d05184fe7f0757caefa3d0c96682.exe C:\Windows\Explorer.EXE

SystemBC

trojan systembc

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (291) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\certreq.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\R1(2W.exe C:\Users\Admin\AppData\Local\Microsoft\R1(2W.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\R1(2W = "C:\\Users\\Admin\\AppData\\Local\\R1(2W.exe" C:\Users\Admin\AppData\Local\Microsoft\R1(2W.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Windows\CurrentVersion\Run\R1(2W = "C:\\Users\\Admin\\AppData\\Local\\R1(2W.exe" C:\Users\Admin\AppData\Local\Microsoft\R1(2W.exe N/A

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1736 set thread context of 2360 N/A C:\Users\Admin\AppData\Local\Microsoft\yF0`@v).exe C:\Users\Admin\AppData\Local\Microsoft\yF0`@v).exe

Drops file in Program Files directory

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\yF0`@v).exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\yF0`@v).exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\yF0`@v).exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\certreq.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\certreq.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dc80d05184fe7f0757caefa3d0c96682.exe N/A
N/A N/A C:\Windows\system32\certreq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\R1(2W.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\yF0`@v).exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Microsoft\R1(2W.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2288 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\dc80d05184fe7f0757caefa3d0c96682.exe C:\Windows\system32\certreq.exe
PID 2844 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Microsoft\R1(2W.exe C:\Windows\system32\cmd.exe
PID 2844 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Microsoft\R1(2W.exe C:\Windows\system32\cmd.exe
PID 2500 wrote to memory of 2252 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1316 wrote to memory of 636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1736 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Microsoft\yF0`@v).exe C:\Users\Admin\AppData\Local\Microsoft\yF0`@v).exe
PID 2500 wrote to memory of 2772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1244 wrote to memory of 2804 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\1F24.exe
PID 1244 wrote to memory of 2876 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1244 wrote to memory of 2220 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 1244 wrote to memory of 1204 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1316 wrote to memory of 2144 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1244 wrote to memory of 1548 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1244 wrote to memory of 924 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1316 wrote to memory of 2848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\dc80d05184fe7f0757caefa3d0c96682.exe

"C:\Users\Admin\AppData\Local\Temp\dc80d05184fe7f0757caefa3d0c96682.exe"

C:\Windows\system32\certreq.exe

"C:\Windows\system32\certreq.exe"

C:\Users\Admin\AppData\Local\Microsoft\yF0`@v).exe

"C:\Users\Admin\AppData\Local\Microsoft\yF0`@v).exe"

C:\Users\Admin\AppData\Local\Microsoft\R1(2W.exe

"C:\Users\Admin\AppData\Local\Microsoft\R1(2W.exe"

C:\Users\Admin\AppData\Local\Microsoft\caP.exe

"C:\Users\Admin\AppData\Local\Microsoft\caP.exe"

C:\Users\Admin\AppData\Local\Microsoft\R1(2W.exe

"C:\Users\Admin\AppData\Local\Microsoft\R1(2W.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Users\Admin\AppData\Local\Microsoft\yF0`@v).exe

"C:\Users\Admin\AppData\Local\Microsoft\yF0`@v).exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Users\Admin\AppData\Local\Temp\1F24.exe

C:\Users\Admin\AppData\Local\Temp\1F24.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 servblog25.xyz udp
DE 45.131.66.61:80 servblog25.xyz tcp
US 8.8.8.8:53 serverxlogs21.xyz udp
DE 45.131.66.120:80 serverxlogs21.xyz tcp
US 8.8.8.8:53 fexstat257.xyz udp
DE 45.89.125.136:80 fexstat257.xyz tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\yF0`@v).exe

MD5 1b2b02b4b524fe02b8b96bd781c8eceb
SHA1 36e2eb7e1ae58b103b2d1cca5991786b0118534b
SHA256 e780a1b2be7dab91bdc77bd313dd5a4456e0d92164fc1e54894f086f269d85c6
SHA512 80caf55a2f2a63e99c5ee6199b3b8357fd5d2bf92cb671f80a0b05385cc79f78fc689d60197176fc1bae67ab331e8bdf71adf44c88423bbbf95e7926e31e5bc8

C:\Users\Admin\AppData\Local\Microsoft\R1(2W.exe

MD5 65ba8303fabfb2652158af69f7124772
SHA1 e7a679c504b8f00c995da10f1fa66fb6458832a2
SHA256 3ec359f6ab125099db4a4f7b6ad6b17ab1411a338be932ea45aea13aad7788c8
SHA512 cc77310aa5caf21cfcfd318b97f804d565fb0ecb8ad6f3335bd9883a9c3db3d94e784b4b9ac54b04ee71172d62fb23e8b99de93237e9d798cb02d5359a83c5f0

C:\Users\Admin\AppData\Local\Microsoft\caP.exe

MD5 3524139d7687147f53dc7df4f4867093
SHA1 77a6308dc4981ac164a887ed54a0e01c63c17c63
SHA256 954429625375fc965c2151a8b109c07d1f6de6fbf9c3b95660400d9b4bf79081
SHA512 48df3de51b20e20660804f92a699f9b3886406c1872c8df02e220bf23415838ada393fc540f878aad8ebe61f7023161b15152942509b63030b6fd4a458a82db3

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.id[781A5B0B-3483].[[email protected]].8base

MD5 39f38a098057ee79e63c6f406fbc0d44
SHA1 8f0eb9823540a22b6490c740f81bbb379764d708
SHA256 9eba60d5fdb91cc8574d90fbad985ee793920b1a5111ca8a440f89c85497f672
SHA512 8c4af3333fd4857d9cb09bf007a492efc5e823835ef15ba33ed7ce8a1abcf964a9277d4c0305006914f577e799ebd3021b22d482e9275cf1e103eed402368b9d

C:\Users\Admin\AppData\Local\Temp\1F24.exe

MD5 65ba8303fabfb2652158af69f7124772
SHA1 e7a679c504b8f00c995da10f1fa66fb6458832a2
SHA256 3ec359f6ab125099db4a4f7b6ad6b17ab1411a338be932ea45aea13aad7788c8
SHA512 cc77310aa5caf21cfcfd318b97f804d565fb0ecb8ad6f3335bd9883a9c3db3d94e784b4b9ac54b04ee71172d62fb23e8b99de93237e9d798cb02d5359a83c5f0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6ckk0niq.default-release\cookies.sqlite.id[781A5B0B-3483].[[email protected]].8base

MD5 e014cb424f3f97e5f01451f431027f9f
SHA1 f1cdeb5987a00c0f956b86cc848f42cd99bff890
SHA256 cef42d282e624d28f539d6281f12469f0af0c6f5799312334bbd12651185d288
SHA512 95c52ab37ad6e5cb841fa4cfdc003632f273647cb3d6cc3911d82eead93a1ce159107835fe3432b5e5edd1b16ace2ccb9e29ece672c0b2d0092f369a6c63bb64

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-14 07:21

Reported

2023-07-14 07:23

Platform

win10v2004-20230703-en

Max time kernel

150s

Max time network

152s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detect rhadamanthys stealer shellcode

Description Indicator Process Target
N/A N/A N/A N/A

Phobos

ransomware phobos

Rhadamanthys

stealer rhadamanthys

SmokeLoader

trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 3640 created 3116 N/A C:\Users\Admin\AppData\Local\Temp\dc80d05184fe7f0757caefa3d0c96682.exe C:\Windows\Explorer.EXE

SystemBC

trojan systembc

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (482) files with added filename extension

ransomware

Deletes backup catalog

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\ZLfFF.exe C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[15276114-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZLfFF = "C:\\Users\\Admin\\AppData\\Local\\ZLfFF.exe" C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZLfFF = "C:\\Users\\Admin\\AppData\\Local\\ZLfFF.exe" C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1722984668-1829624581-3022101259-1000\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4976 set thread context of 4136 N/A C:\Users\Admin\AppData\Local\Microsoft\88r.exe C:\Users\Admin\AppData\Local\Microsoft\88r.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-256.png C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ar-sa.dll.id[15276114-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sl-si.dll C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppPackageAppList.scale-125.png C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_Full.aapp.id[15276114-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe7d4.png C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\core_icons.png.id[15276114-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ro-ro\ui-strings.js C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\nb-no\ui-strings.js C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\wsgen.exe C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\gstreamer-lite.dll C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PEOPLEDATAHANDLER.DLL C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EDGE\EDGE.ELM C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremDemoR_BypassTrial365-ppd.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ppd.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\SplashWideTile.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe7d9.png C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ku-ckb.txt C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.dcfmui.msi.16.en-us.xml C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ul-oob.xrm-ms.id[15276114-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_imem_plugin.dll C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_LogoSmall.targetsize-24.png C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\ink\skchui.dll C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\fr.pak C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.1813.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\ca-Es-VALENCIA.pak.DATA C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\kn.pak.id[15276114-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.updatechecker.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\axvlc.dll C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libgradfun_plugin.dll C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-40_altform-unplated.png C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\6445_48x48x32.png C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\MANIFEST.MF.id[15276114-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-ul-oob.xrm-ms.id[15276114-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\WidescreenPresentation.potx C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ARCTIC\ARCTIC.ELM C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libgme_plugin.dll C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\eu-es\ui-strings.js C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-80.png C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\xaml\onenote\CaptureUI.xaml C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\faf_field_grabber.png C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ja-jp\ui-strings.js.id[15276114-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\api-ms-win-crt-utility-l1-1-0.dll C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_filter\liberase_plugin.dll.id[15276114-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\154.png C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_shared.gif C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\OSFPROXY.DLL C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CONCRETE\CONCRETE.ELM C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Microsoft.BigPark.Utilities.winmd C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeBadge.scale-125.png C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\selector.js C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvmstat_zh_CN.jar.id[15276114-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\SETUP.CHM C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_dirac_plugin.dll C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Velocity\FeatureStaging-SnipAndSketch.xml C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Advanced-Light.scale-125.png C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\NIRMALAB.TTF C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\SmallTile.scale-200.png C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Services\verisign.bmp C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-72_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-150_contrast-black.png C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\88r.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\88r.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\88r.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\certreq.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\certreq.exe N/A

Interacts with shadow copies

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dc80d05184fe7f0757caefa3d0c96682.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dc80d05184fe7f0757caefa3d0c96682.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dc80d05184fe7f0757caefa3d0c96682.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dc80d05184fe7f0757caefa3d0c96682.exe N/A
N/A N/A C:\Windows\system32\certreq.exe N/A
N/A N/A C:\Windows\system32\certreq.exe N/A
N/A N/A C:\Windows\system32\certreq.exe N/A
N/A N/A C:\Windows\system32\certreq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\88r.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\88r.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3640 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\dc80d05184fe7f0757caefa3d0c96682.exe C:\Windows\system32\certreq.exe
PID 3640 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\dc80d05184fe7f0757caefa3d0c96682.exe C:\Windows\system32\certreq.exe
PID 3640 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\dc80d05184fe7f0757caefa3d0c96682.exe C:\Windows\system32\certreq.exe
PID 3640 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\dc80d05184fe7f0757caefa3d0c96682.exe C:\Windows\system32\certreq.exe
PID 4976 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Microsoft\88r.exe C:\Users\Admin\AppData\Local\Microsoft\88r.exe
PID 4976 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Microsoft\88r.exe C:\Users\Admin\AppData\Local\Microsoft\88r.exe
PID 4976 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Microsoft\88r.exe C:\Users\Admin\AppData\Local\Microsoft\88r.exe
PID 4976 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Microsoft\88r.exe C:\Users\Admin\AppData\Local\Microsoft\88r.exe
PID 4976 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Microsoft\88r.exe C:\Users\Admin\AppData\Local\Microsoft\88r.exe
PID 4976 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Microsoft\88r.exe C:\Users\Admin\AppData\Local\Microsoft\88r.exe
PID 1620 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe C:\Windows\system32\cmd.exe
PID 1620 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe C:\Windows\system32\cmd.exe
PID 1620 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe C:\Windows\system32\cmd.exe
PID 1620 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe C:\Windows\system32\cmd.exe
PID 2276 wrote to memory of 1748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2276 wrote to memory of 1748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4736 wrote to memory of 1108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4736 wrote to memory of 1108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2276 wrote to memory of 1052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2276 wrote to memory of 1052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4736 wrote to memory of 4416 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4736 wrote to memory of 4416 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4736 wrote to memory of 540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4736 wrote to memory of 540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4736 wrote to memory of 2436 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4736 wrote to memory of 2436 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4736 wrote to memory of 4608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 4736 wrote to memory of 4608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 3116 wrote to memory of 2400 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\CEF3.exe
PID 3116 wrote to memory of 2400 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\CEF3.exe
PID 3116 wrote to memory of 2400 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\CEF3.exe
PID 3116 wrote to memory of 2320 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3116 wrote to memory of 2320 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3116 wrote to memory of 2320 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3116 wrote to memory of 2320 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3116 wrote to memory of 4132 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3116 wrote to memory of 4132 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3116 wrote to memory of 4132 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3116 wrote to memory of 2624 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3116 wrote to memory of 2624 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3116 wrote to memory of 2624 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3116 wrote to memory of 2624 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3116 wrote to memory of 4900 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3116 wrote to memory of 4900 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3116 wrote to memory of 4900 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3116 wrote to memory of 4900 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3116 wrote to memory of 112 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3116 wrote to memory of 112 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3116 wrote to memory of 112 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3116 wrote to memory of 112 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3116 wrote to memory of 4060 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3116 wrote to memory of 4060 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3116 wrote to memory of 4060 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3116 wrote to memory of 3068 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3116 wrote to memory of 3068 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3116 wrote to memory of 3068 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3116 wrote to memory of 3068 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3116 wrote to memory of 1128 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3116 wrote to memory of 1128 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3116 wrote to memory of 1128 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3116 wrote to memory of 2248 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3116 wrote to memory of 2248 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3116 wrote to memory of 2248 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3116 wrote to memory of 2248 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\dc80d05184fe7f0757caefa3d0c96682.exe

"C:\Users\Admin\AppData\Local\Temp\dc80d05184fe7f0757caefa3d0c96682.exe"

C:\Windows\system32\certreq.exe

"C:\Windows\system32\certreq.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3640 -ip 3640

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 944

C:\Users\Admin\AppData\Local\Microsoft\88r.exe

"C:\Users\Admin\AppData\Local\Microsoft\88r.exe"

C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe

"C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe"

C:\Users\Admin\AppData\Local\Microsoft\V[x12S.exe

"C:\Users\Admin\AppData\Local\Microsoft\V[x12S.exe"

C:\Users\Admin\AppData\Local\Microsoft\88r.exe

"C:\Users\Admin\AppData\Local\Microsoft\88r.exe"

C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe

"C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4488 -ip 4488

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 340

C:\Users\Admin\AppData\Local\Temp\CEF3.exe

C:\Users\Admin\AppData\Local\Temp\CEF3.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2400 -ip 2400

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 292

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

Country Destination Domain Proto
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 servblog25.xyz udp
DE 45.131.66.61:80 servblog25.xyz tcp
US 8.8.8.8:53 61.66.131.45.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 45.131.66.61:80 servblog25.xyz tcp
DE 45.131.66.61:80 servblog25.xyz tcp
US 8.8.8.8:53 serverxlogs21.xyz udp
DE 45.131.66.120:80 serverxlogs21.xyz tcp
US 8.8.8.8:53 120.66.131.45.in-addr.arpa udp
US 8.8.8.8:53 fexstat257.xyz udp
DE 45.89.125.136:80 fexstat257.xyz tcp
US 8.8.8.8:53 136.125.89.45.in-addr.arpa udp
DE 45.131.66.120:80 serverxlogs21.xyz tcp
US 8.8.8.8:53 26.178.89.13.in-addr.arpa udp

Files

memory/3640-134-0x0000000000530000-0x0000000000630000-memory.dmp

memory/3640-135-0x00000000020E0000-0x0000000002151000-memory.dmp

memory/3640-136-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/3640-137-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/3640-138-0x0000000002190000-0x0000000002197000-memory.dmp

memory/3640-139-0x00000000023D0000-0x00000000027D0000-memory.dmp

memory/3640-140-0x00000000023D0000-0x00000000027D0000-memory.dmp

memory/3640-141-0x00000000023D0000-0x00000000027D0000-memory.dmp

memory/3640-142-0x00000000023D0000-0x00000000027D0000-memory.dmp

memory/3640-143-0x0000000000530000-0x0000000000630000-memory.dmp

memory/3944-144-0x000001E4347B0000-0x000001E4347B3000-memory.dmp

memory/3640-145-0x00000000020E0000-0x0000000002151000-memory.dmp

memory/3640-146-0x00000000031D0000-0x0000000003206000-memory.dmp

memory/3640-152-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/3640-154-0x00000000023D0000-0x00000000027D0000-memory.dmp

memory/3640-153-0x00000000031D0000-0x0000000003206000-memory.dmp

memory/3640-156-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/3640-157-0x00000000023D0000-0x00000000027D0000-memory.dmp

memory/3944-158-0x000001E4347B0000-0x000001E4347B3000-memory.dmp

memory/3944-159-0x000001E434A50000-0x000001E434A57000-memory.dmp

memory/3944-160-0x00007FF419640000-0x00007FF41976D000-memory.dmp

memory/3944-161-0x00007FF419640000-0x00007FF41976D000-memory.dmp

memory/3944-162-0x00007FF419640000-0x00007FF41976D000-memory.dmp

memory/3944-163-0x00007FF419640000-0x00007FF41976D000-memory.dmp

memory/3944-164-0x00007FF419640000-0x00007FF41976D000-memory.dmp

memory/3944-165-0x00007FF419640000-0x00007FF41976D000-memory.dmp

memory/3944-167-0x00007FF419640000-0x00007FF41976D000-memory.dmp

memory/3944-169-0x00007FF419640000-0x00007FF41976D000-memory.dmp

memory/3944-168-0x00007FF419640000-0x00007FF41976D000-memory.dmp

memory/3944-170-0x00007FFF8A010000-0x00007FFF8A205000-memory.dmp

memory/3944-171-0x00007FF419640000-0x00007FF41976D000-memory.dmp

memory/3944-172-0x00007FF419640000-0x00007FF41976D000-memory.dmp

memory/3944-173-0x00007FF419640000-0x00007FF41976D000-memory.dmp

memory/3944-174-0x00007FF419640000-0x00007FF41976D000-memory.dmp

memory/3944-175-0x00007FF419640000-0x00007FF41976D000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\88r.exe

MD5 1b2b02b4b524fe02b8b96bd781c8eceb
SHA1 36e2eb7e1ae58b103b2d1cca5991786b0118534b
SHA256 e780a1b2be7dab91bdc77bd313dd5a4456e0d92164fc1e54894f086f269d85c6
SHA512 80caf55a2f2a63e99c5ee6199b3b8357fd5d2bf92cb671f80a0b05385cc79f78fc689d60197176fc1bae67ab331e8bdf71adf44c88423bbbf95e7926e31e5bc8

C:\Users\Admin\AppData\Local\Microsoft\88r.exe

MD5 1b2b02b4b524fe02b8b96bd781c8eceb
SHA1 36e2eb7e1ae58b103b2d1cca5991786b0118534b
SHA256 e780a1b2be7dab91bdc77bd313dd5a4456e0d92164fc1e54894f086f269d85c6
SHA512 80caf55a2f2a63e99c5ee6199b3b8357fd5d2bf92cb671f80a0b05385cc79f78fc689d60197176fc1bae67ab331e8bdf71adf44c88423bbbf95e7926e31e5bc8

C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe

MD5 65ba8303fabfb2652158af69f7124772
SHA1 e7a679c504b8f00c995da10f1fa66fb6458832a2
SHA256 3ec359f6ab125099db4a4f7b6ad6b17ab1411a338be932ea45aea13aad7788c8
SHA512 cc77310aa5caf21cfcfd318b97f804d565fb0ecb8ad6f3335bd9883a9c3db3d94e784b4b9ac54b04ee71172d62fb23e8b99de93237e9d798cb02d5359a83c5f0

C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe

MD5 65ba8303fabfb2652158af69f7124772
SHA1 e7a679c504b8f00c995da10f1fa66fb6458832a2
SHA256 3ec359f6ab125099db4a4f7b6ad6b17ab1411a338be932ea45aea13aad7788c8
SHA512 cc77310aa5caf21cfcfd318b97f804d565fb0ecb8ad6f3335bd9883a9c3db3d94e784b4b9ac54b04ee71172d62fb23e8b99de93237e9d798cb02d5359a83c5f0

memory/3944-184-0x00007FFF8A010000-0x00007FFF8A205000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\V[x12S.exe

MD5 3524139d7687147f53dc7df4f4867093
SHA1 77a6308dc4981ac164a887ed54a0e01c63c17c63
SHA256 954429625375fc965c2151a8b109c07d1f6de6fbf9c3b95660400d9b4bf79081
SHA512 48df3de51b20e20660804f92a699f9b3886406c1872c8df02e220bf23415838ada393fc540f878aad8ebe61f7023161b15152942509b63030b6fd4a458a82db3

C:\Users\Admin\AppData\Local\Microsoft\V[x12S.exe

MD5 3524139d7687147f53dc7df4f4867093
SHA1 77a6308dc4981ac164a887ed54a0e01c63c17c63
SHA256 954429625375fc965c2151a8b109c07d1f6de6fbf9c3b95660400d9b4bf79081
SHA512 48df3de51b20e20660804f92a699f9b3886406c1872c8df02e220bf23415838ada393fc540f878aad8ebe61f7023161b15152942509b63030b6fd4a458a82db3

memory/3944-189-0x000001E434A50000-0x000001E434A55000-memory.dmp

memory/3944-190-0x00007FFF8A010000-0x00007FFF8A205000-memory.dmp

memory/4976-191-0x00000000007A0000-0x00000000008A0000-memory.dmp

memory/4976-192-0x0000000000700000-0x0000000000709000-memory.dmp

memory/4136-193-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\88r.exe

MD5 1b2b02b4b524fe02b8b96bd781c8eceb
SHA1 36e2eb7e1ae58b103b2d1cca5991786b0118534b
SHA256 e780a1b2be7dab91bdc77bd313dd5a4456e0d92164fc1e54894f086f269d85c6
SHA512 80caf55a2f2a63e99c5ee6199b3b8357fd5d2bf92cb671f80a0b05385cc79f78fc689d60197176fc1bae67ab331e8bdf71adf44c88423bbbf95e7926e31e5bc8

memory/3716-197-0x00000000004E0000-0x00000000004E5000-memory.dmp

memory/4136-198-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1620-195-0x00000000005B0000-0x00000000005BF000-memory.dmp

memory/3716-199-0x0000000000400000-0x000000000049A000-memory.dmp

memory/1620-194-0x0000000000780000-0x0000000000880000-memory.dmp

memory/3716-200-0x0000000000510000-0x0000000000610000-memory.dmp

memory/1620-201-0x0000000000400000-0x000000000049A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe

MD5 65ba8303fabfb2652158af69f7124772
SHA1 e7a679c504b8f00c995da10f1fa66fb6458832a2
SHA256 3ec359f6ab125099db4a4f7b6ad6b17ab1411a338be932ea45aea13aad7788c8
SHA512 cc77310aa5caf21cfcfd318b97f804d565fb0ecb8ad6f3335bd9883a9c3db3d94e784b4b9ac54b04ee71172d62fb23e8b99de93237e9d798cb02d5359a83c5f0

memory/4136-207-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3116-206-0x0000000002AA0000-0x0000000002AB6000-memory.dmp

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[15276114-3483].[[email protected]].8base

MD5 744828e0387880282aac52761b6213d4
SHA1 af11d4f60733871e203443dfabfc61f03e1ee9c1
SHA256 58fa281db807fb9c15a9ba5c6e9eeaaac0518d60b1a8d3e2ab80fbbc66722dc2
SHA512 a4bc27ac17de9fbc5529cc980d9bc82f5fb1ead114a457fc40ddd8757f99fcdfe3902fbba52ba74d74ea181649a47754564d7660a11c2c1da915f8042126623b

memory/1620-1189-0x0000000000780000-0x0000000000880000-memory.dmp

memory/1620-1216-0x00000000005B0000-0x00000000005BF000-memory.dmp

memory/3716-2040-0x0000000000510000-0x0000000000610000-memory.dmp

memory/1620-2041-0x0000000000400000-0x000000000049A000-memory.dmp

memory/4488-2080-0x0000000000730000-0x0000000000830000-memory.dmp

memory/4488-2081-0x0000000000400000-0x000000000049A000-memory.dmp

memory/1620-2142-0x0000000000400000-0x000000000049A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CEF3.exe

MD5 65ba8303fabfb2652158af69f7124772
SHA1 e7a679c504b8f00c995da10f1fa66fb6458832a2
SHA256 3ec359f6ab125099db4a4f7b6ad6b17ab1411a338be932ea45aea13aad7788c8
SHA512 cc77310aa5caf21cfcfd318b97f804d565fb0ecb8ad6f3335bd9883a9c3db3d94e784b4b9ac54b04ee71172d62fb23e8b99de93237e9d798cb02d5359a83c5f0

C:\Users\Admin\AppData\Local\Temp\CEF3.exe

MD5 65ba8303fabfb2652158af69f7124772
SHA1 e7a679c504b8f00c995da10f1fa66fb6458832a2
SHA256 3ec359f6ab125099db4a4f7b6ad6b17ab1411a338be932ea45aea13aad7788c8
SHA512 cc77310aa5caf21cfcfd318b97f804d565fb0ecb8ad6f3335bd9883a9c3db3d94e784b4b9ac54b04ee71172d62fb23e8b99de93237e9d798cb02d5359a83c5f0

C:\Users\Admin\AppData\Local\Temp\CEF3.exe

MD5 65ba8303fabfb2652158af69f7124772
SHA1 e7a679c504b8f00c995da10f1fa66fb6458832a2
SHA256 3ec359f6ab125099db4a4f7b6ad6b17ab1411a338be932ea45aea13aad7788c8
SHA512 cc77310aa5caf21cfcfd318b97f804d565fb0ecb8ad6f3335bd9883a9c3db3d94e784b4b9ac54b04ee71172d62fb23e8b99de93237e9d798cb02d5359a83c5f0

memory/2320-3227-0x0000000000160000-0x00000000001CB000-memory.dmp

memory/2320-3324-0x0000000000400000-0x0000000000475000-memory.dmp

memory/2320-3374-0x0000000000160000-0x00000000001CB000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\cookies.sqlite.id[15276114-3483].[[email protected]].8base

MD5 3144002cf1ac7556f1702ab950214792
SHA1 8d535c9fbce27ee02c3ec9001ab1d97a4c18b00f
SHA256 725cdec996467bf580046cc64f18209637e94838a9e00efefa1e08057ed91960
SHA512 34566e471474196ed87d42eb0efb9752e4dcd0ff7e8285f792a60c0fec164c982ffbaa0c34dd7dc1d2167ab90fdade54b54273a4018df33fad3f3f3374f2a98c

memory/4132-3813-0x0000000000D10000-0x0000000000D1C000-memory.dmp

memory/4132-3817-0x0000000000D20000-0x0000000000D27000-memory.dmp

memory/1620-3823-0x0000000000400000-0x000000000049A000-memory.dmp

memory/4132-3824-0x0000000000D10000-0x0000000000D1C000-memory.dmp

memory/2320-3872-0x0000000000160000-0x00000000001CB000-memory.dmp

memory/2624-3988-0x0000000000B20000-0x0000000000B29000-memory.dmp

memory/2624-4026-0x0000000000B30000-0x0000000000B34000-memory.dmp

memory/2624-4028-0x0000000000B20000-0x0000000000B29000-memory.dmp

memory/4900-4253-0x0000000000C10000-0x0000000000C1A000-memory.dmp

memory/4900-4256-0x0000000000C00000-0x0000000000C0B000-memory.dmp

memory/4900-4264-0x0000000000C00000-0x0000000000C0B000-memory.dmp

memory/112-4412-0x00000000009C0000-0x00000000009CB000-memory.dmp

memory/112-4413-0x00000000009D0000-0x00000000009D7000-memory.dmp

memory/112-4414-0x00000000009C0000-0x00000000009CB000-memory.dmp

memory/4060-4415-0x0000000000FE0000-0x0000000000FE9000-memory.dmp

memory/4060-4417-0x0000000000FD0000-0x0000000000FDF000-memory.dmp

memory/3068-4418-0x0000000000E70000-0x0000000000E79000-memory.dmp

memory/3068-4419-0x0000000000E80000-0x0000000000E85000-memory.dmp

memory/3068-4420-0x0000000000E70000-0x0000000000E79000-memory.dmp

memory/1128-4570-0x0000000000F90000-0x0000000000F9C000-memory.dmp

memory/2624-4575-0x0000000000B30000-0x0000000000B34000-memory.dmp

memory/1128-4604-0x0000000000FA0000-0x0000000000FA6000-memory.dmp

memory/1128-4611-0x0000000000F90000-0x0000000000F9C000-memory.dmp

memory/2248-4967-0x0000000000B40000-0x0000000000B49000-memory.dmp

memory/2248-4968-0x0000000000B40000-0x0000000000B49000-memory.dmp

memory/4700-5087-0x0000000000800000-0x0000000000809000-memory.dmp

memory/112-5093-0x00000000009D0000-0x00000000009D7000-memory.dmp

memory/4700-5104-0x0000000000810000-0x0000000000815000-memory.dmp

memory/4700-5106-0x0000000000800000-0x0000000000809000-memory.dmp

memory/964-5160-0x00000000003B0000-0x00000000003D7000-memory.dmp

memory/4060-5161-0x0000000000FD0000-0x0000000000FDF000-memory.dmp

memory/964-5162-0x0000000000600000-0x0000000000621000-memory.dmp

memory/964-5163-0x00000000003B0000-0x00000000003D7000-memory.dmp

memory/964-5164-0x00000000003B0000-0x00000000003D7000-memory.dmp

memory/1620-5395-0x0000000000400000-0x000000000049A000-memory.dmp

memory/3068-5398-0x0000000000E80000-0x0000000000E85000-memory.dmp

memory/4788-5409-0x0000000000E60000-0x0000000000E69000-memory.dmp

memory/4788-5442-0x0000000000E70000-0x0000000000E75000-memory.dmp

memory/4788-5443-0x0000000000E60000-0x0000000000E69000-memory.dmp

memory/4960-5528-0x0000000000AB0000-0x0000000000ABB000-memory.dmp

memory/4960-5533-0x0000000000AC0000-0x0000000000AC6000-memory.dmp

memory/4960-5556-0x0000000000AB0000-0x0000000000ABB000-memory.dmp

memory/1444-5757-0x0000000001010000-0x000000000101D000-memory.dmp

memory/1444-5762-0x0000000001020000-0x0000000001027000-memory.dmp

memory/1444-5780-0x0000000001010000-0x000000000101D000-memory.dmp

memory/3948-5916-0x00000000009F0000-0x00000000009FB000-memory.dmp

memory/3948-5917-0x0000000000C00000-0x0000000000C08000-memory.dmp

memory/1620-6486-0x0000000000400000-0x000000000049A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000027.db.id[15276114-3483].[[email protected]].8base

MD5 a5f95b63a660b91ab0dc178c35804653
SHA1 4292571880a23cbe5b570eaea862c87bfb635469
SHA256 b4fd164e510d35a3fb14dc59af215023c4b6a5e7a5bc79fd5f71bf5818418ed6
SHA512 8759866b896e6e84896e2edc5016ab13cde96a2f671a1f847a2e51cdea762e72220ade76e868f49d3e3ca208bb916f8a10c8ee7013063bda66f9d475443a2ecb

C:\Users\Admin\AppData\Local\Temp\F7D8\C\Windows\SysWOW64\WalletProxy.dll

MD5 d09724c29a8f321f2f9c552de6ef6afa
SHA1 d6ce3d3a973695f4f770e7fb3fcb5e2f3df592a3
SHA256 23cc82878957683184fbd0e3098e9e6858978bf78d7812c6d7470ebdc79d1c5c
SHA512 cc8db1b0c4bbd94dfc8a669cd6accf6fa29dc1034ce03d9dae53d6ce117bb86b432bf040fb53230b612c6e9a325e58acc8ebb600f760a8d9d6a383ce751fd6ed

C:\Users\Admin\AppData\Local\Temp\F7D8\C\Windows\SysWOW64\Windows.ApplicationModel.Wallet.dll

MD5 02557c141c9e153c2b7987b79a3a2dd7
SHA1 a054761382ee68608b6a3b62b68138dc205f576b
SHA256 207c587e769e2655669bd3ce1d28a00bcac08f023013735f026f65c0e3baa6f4
SHA512 a37e29c115bcb9956b1f8fd2022f2e3966c1fa2a0efa5c2ee2d14bc5c41bfddae0deea4d481a681d13ec58e9dec41e7565f8b4eb1c10f2c44c03e58bdd2792b3

C:\Users\Admin\AppData\Local\Temp\F7D8\C\Windows\System32\Windows.ApplicationModel.Wallet.dll

MD5 02557c141c9e153c2b7987b79a3a2dd7
SHA1 a054761382ee68608b6a3b62b68138dc205f576b
SHA256 207c587e769e2655669bd3ce1d28a00bcac08f023013735f026f65c0e3baa6f4
SHA512 a37e29c115bcb9956b1f8fd2022f2e3966c1fa2a0efa5c2ee2d14bc5c41bfddae0deea4d481a681d13ec58e9dec41e7565f8b4eb1c10f2c44c03e58bdd2792b3

C:\Users\Admin\AppData\Local\Temp\F7D8\C\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe.xml

MD5 108f130067a9df1719c590316a5245f7
SHA1 79bb9a86e7a50c85214cd7e21719f0cb4155f58a
SHA256 c91debd34057ca5c280ca15ac542733930e1c94c7d887448eac6e3385b5a0874
SHA512 d43b3861d5153c7ca54edd078c900d31599fc9f04d6883a449d62c7e86a105a3c5dfb2d232255c41505b210b063caf6325921dc074fcdf93407c9e2c985a5301

C:\Users\Admin\AppData\Local\Temp\F7D8\C\Windows\System32\WalletBackgroundServiceProxy.dll

MD5 1097d1e58872f3cf58f78730a697ce4b
SHA1 96db4e4763a957b28dd80ec1e43eb27367869b86
SHA256 83ec0be293b19d00eca4ae51f16621753e1d2b11248786b25a1abaae6230bdef
SHA512 b933eac4eaabacc51069a72b24b649b980aea251b1b87270ff4ffea12de9368d5447cdbe748ac7faf2805548b896c8499f9eceeed2f5efd0c684f94360940351

C:\Users\Admin\AppData\Local\Temp\F7D8\C\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe.xml

MD5 108f130067a9df1719c590316a5245f7
SHA1 79bb9a86e7a50c85214cd7e21719f0cb4155f58a
SHA256 c91debd34057ca5c280ca15ac542733930e1c94c7d887448eac6e3385b5a0874
SHA512 d43b3861d5153c7ca54edd078c900d31599fc9f04d6883a449d62c7e86a105a3c5dfb2d232255c41505b210b063caf6325921dc074fcdf93407c9e2c985a5301

C:\Users\Admin\AppData\Local\Temp\F7D8\C\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe.xml

MD5 94f90fcd2b8f7f1df69224f845d9e9b7
SHA1 a09e3072cc581cf89adaf1aa20aa89b3af7bf987
SHA256 a16113a66b1c36f919b5f7eaa3fb7aa8e0ba9e057823861aabea703cc06a04c0
SHA512 51f4ee06a8d8bf1121083bf4383433160f16c68d1fe4c44e5d0e0529910d27ba8446c7a4bef359b990574d1d61563da30139c6d09ad0ad1a5b5c7748b8da08f3

C:\Users\Admin\AppData\Local\Temp\F7D8\C\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe.xml

MD5 94f90fcd2b8f7f1df69224f845d9e9b7
SHA1 a09e3072cc581cf89adaf1aa20aa89b3af7bf987
SHA256 a16113a66b1c36f919b5f7eaa3fb7aa8e0ba9e057823861aabea703cc06a04c0
SHA512 51f4ee06a8d8bf1121083bf4383433160f16c68d1fe4c44e5d0e0529910d27ba8446c7a4bef359b990574d1d61563da30139c6d09ad0ad1a5b5c7748b8da08f3

C:\Users\Admin\AppData\Local\Temp\F7D8\C\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe

MD5 cfe72ed40a076ae4f4157940ce0c5d44
SHA1 8010f7c746a7ba4864785f798f46ec05caae7ece
SHA256 6868894ab04d08956388a94a81016f03d5b7a7b1646c8a6235057a7e1e45de32
SHA512 f002afa2131d250dd6148d8372ce45f84283b8e1209e91720cee7aff497503d0e566bae3a83cd326701458230ae5c0e200eec617889393dd46ac00ff357ff1b0

C:\Users\Admin\AppData\Local\Temp\F7D8\C\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.dll

MD5 5febe5be74c3c3794161d573554d3fd5
SHA1 c2323c09b0a975fad7c9b367f9d63da80826b855
SHA256 4ce6ab20a14a8d3d0d3d80501d373dee2162512b2fceac9f959e04c750008348
SHA512 c0a2c99b60a265ad233faad7af032a388590c1c06541128aca3fd2fbf33c870400cf04169d2f8fbc49ab1bcf56648ff5467b6ba97ae07bea8a25573b7c04bf57

C:\Users\Admin\AppData\Local\Temp\F7D8\C\Windows\SysWOW64\WalletBackgroundServiceProxy.dll

MD5 1097d1e58872f3cf58f78730a697ce4b
SHA1 96db4e4763a957b28dd80ec1e43eb27367869b86
SHA256 83ec0be293b19d00eca4ae51f16621753e1d2b11248786b25a1abaae6230bdef
SHA512 b933eac4eaabacc51069a72b24b649b980aea251b1b87270ff4ffea12de9368d5447cdbe748ac7faf2805548b896c8499f9eceeed2f5efd0c684f94360940351

C:\Users\Admin\AppData\Local\Temp\F7D8\C\Windows\System32\WalletProxy.dll

MD5 d09724c29a8f321f2f9c552de6ef6afa
SHA1 d6ce3d3a973695f4f770e7fb3fcb5e2f3df592a3
SHA256 23cc82878957683184fbd0e3098e9e6858978bf78d7812c6d7470ebdc79d1c5c
SHA512 cc8db1b0c4bbd94dfc8a669cd6accf6fa29dc1034ce03d9dae53d6ce117bb86b432bf040fb53230b612c6e9a325e58acc8ebb600f760a8d9d6a383ce751fd6ed

C:\Users\Admin\AppData\Roaming\bebfchg

MD5 1b2b02b4b524fe02b8b96bd781c8eceb
SHA1 36e2eb7e1ae58b103b2d1cca5991786b0118534b
SHA256 e780a1b2be7dab91bdc77bd313dd5a4456e0d92164fc1e54894f086f269d85c6
SHA512 80caf55a2f2a63e99c5ee6199b3b8357fd5d2bf92cb671f80a0b05385cc79f78fc689d60197176fc1bae67ab331e8bdf71adf44c88423bbbf95e7926e31e5bc8

C:\Users\Admin\AppData\Roaming\sgrvuai

MD5 ab328465a82e23bbb2408e58d4c0aa9e
SHA1 5eb017fc7b905c8bcd00e27dcd975b5c19943724
SHA256 a8744c3bc34417275f0e0f6da50dd10017e565f0b300936aa530193735dced09
SHA512 adda5c933d889edd4d4502e4907522721fb8c375597f6bf0f13935087aa54a7f6a7178a294dd55d73fe4b07e8833eae42694ed78958c9bfc43961cb673015600

C:\info.hta

MD5 8b483c23ae26df9760d7d4954a1d2de1
SHA1 4ae54cbe87e54190636bc63f0022caa1aedabf9c
SHA256 d9c3574eef12a0291e33df69958ba59f75b24fd20ec812e49e4d1569c6ec2a15
SHA512 92fb9e33fd77e359b6859447ad9813975044f568c3ce1edeb4cbaf9fb8e7e0eff132cfae41a5ce95f9b50acd1a2d7e2c75d159dde66684de069c053b467f948a

C:\Users\Admin\Desktop\info.hta

MD5 8b483c23ae26df9760d7d4954a1d2de1
SHA1 4ae54cbe87e54190636bc63f0022caa1aedabf9c
SHA256 d9c3574eef12a0291e33df69958ba59f75b24fd20ec812e49e4d1569c6ec2a15
SHA512 92fb9e33fd77e359b6859447ad9813975044f568c3ce1edeb4cbaf9fb8e7e0eff132cfae41a5ce95f9b50acd1a2d7e2c75d159dde66684de069c053b467f948a

C:\users\public\desktop\info.hta

MD5 8b483c23ae26df9760d7d4954a1d2de1
SHA1 4ae54cbe87e54190636bc63f0022caa1aedabf9c
SHA256 d9c3574eef12a0291e33df69958ba59f75b24fd20ec812e49e4d1569c6ec2a15
SHA512 92fb9e33fd77e359b6859447ad9813975044f568c3ce1edeb4cbaf9fb8e7e0eff132cfae41a5ce95f9b50acd1a2d7e2c75d159dde66684de069c053b467f948a

C:\info.hta

MD5 8b483c23ae26df9760d7d4954a1d2de1
SHA1 4ae54cbe87e54190636bc63f0022caa1aedabf9c
SHA256 d9c3574eef12a0291e33df69958ba59f75b24fd20ec812e49e4d1569c6ec2a15
SHA512 92fb9e33fd77e359b6859447ad9813975044f568c3ce1edeb4cbaf9fb8e7e0eff132cfae41a5ce95f9b50acd1a2d7e2c75d159dde66684de069c053b467f948a

F:\info.hta

MD5 8b483c23ae26df9760d7d4954a1d2de1
SHA1 4ae54cbe87e54190636bc63f0022caa1aedabf9c
SHA256 d9c3574eef12a0291e33df69958ba59f75b24fd20ec812e49e4d1569c6ec2a15
SHA512 92fb9e33fd77e359b6859447ad9813975044f568c3ce1edeb4cbaf9fb8e7e0eff132cfae41a5ce95f9b50acd1a2d7e2c75d159dde66684de069c053b467f948a