Malware Analysis Report

2024-11-16 12:16

Sample ID 230714-ha7jsacd78
Target 7041b5e6716fbc3d51516bfc782b1adf.exe
SHA256 caf660d5a464070e4a488bb3d2153c90204f739e75684f4d8ed56de1062b2f87
Tags
phobos rhadamanthys smokeloader systembc backdoor collection evasion persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

caf660d5a464070e4a488bb3d2153c90204f739e75684f4d8ed56de1062b2f87

Threat Level: Known bad

The file 7041b5e6716fbc3d51516bfc782b1adf.exe was found to be: Known bad.

Malicious Activity Summary

SystemBC

SmokeLoader

Phobos

Rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Detect rhadamanthys stealer shellcode

Deletes shadow copies

Modifies boot configuration data using bcdedit

Renames multiple (316) files with added filename extension

Renames multiple (476) files with added filename extension

Modifies Windows Firewall

Downloads MZ/PE file

Deletes backup catalog

Checks computer location settings

Deletes itself

Executes dropped EXE

Drops startup file

Reads user/profile data of web browsers

Adds Run key to start application

Drops desktop.ini file(s)

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious behavior: MapViewOfSection

outlook_win_path

Uses Volume Shadow Copy service COM API

Uses Task Scheduler COM API

Modifies Internet Explorer settings

outlook_office_path

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Interacts with shadow copies

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-14 06:33

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-14 06:33

Reported

2023-07-14 06:35

Platform

win7-20230712-en

Max time kernel

150s

Max time network

146s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detect rhadamanthys stealer shellcode

Phobos

ransomware phobos

Rhadamanthys

stealer rhadamanthys

SmokeLoader

trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2220 created 1264 N/A C:\Users\Admin\AppData\Local\Temp\7041b5e6716fbc3d51516bfc782b1adf.exe C:\Windows\Explorer.EXE

SystemBC

trojan systembc

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (316) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\certreq.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[50665DDC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\V4CA2s.exe C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\V4CA2s = "C:\\Users\\Admin\\AppData\\Local\\V4CA2s.exe" C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Windows\CurrentVersion\Run\V4CA2s = "C:\\Users\\Admin\\AppData\\Local\\V4CA2s.exe" C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-4159544280-4273523227-683900707-1000\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Users\Public\Recorded TV\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\AHGITVNI\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\WIDEASP2\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X9E2G857\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-4159544280-4273523227-683900707-1000\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AGGB2CV6\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\7ZTW56T0\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C6QXVUGA\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\SZYC34HS\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2688 set thread context of 3008 N/A C:\Users\Admin\AppData\Local\Microsoft\rhD3.exe C:\Users\Admin\AppData\Local\Microsoft\rhD3.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Managua.id[50665DDC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00320_.WMF.id[50665DDC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309664.JPG.id[50665DDC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01239K.JPG.id[50665DDC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107152.WMF.id[50665DDC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\HEADER.GIF C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Phone.accft.id[50665DDC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\it-IT\sbdrop.dll.mui C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105294.WMF.id[50665DDC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\SAEXT.DLL.id[50665DDC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\CLASSIC2.WMF.id[50665DDC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02028_.WMF.id[50665DDC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02233_.WMF C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Seyes.emf C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Majuro C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Pacific\Pohnpei.id[50665DDC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00130_.WMF.id[50665DDC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\slideShow.css C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00078_.WMF.id[50665DDC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\MSPUB_COL.HXC C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Beirut C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Pontianak C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\logo.png C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\settings.js C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser.ja_5.5.0.165303.jar.id[50665DDC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\42.png C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195260.WMF C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Aspect.eftx.id[50665DDC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00152_.WMF.id[50665DDC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sqlceme35.dll C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\JavaAccessBridge-64.dll C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.text_3.5.300.v20130515-1451.jar.id[50665DDC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_top.png C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\ado\en-US\msader15.dll.mui C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01169_.WMF.id[50665DDC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0299611.WMF.id[50665DDC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14870_.GIF.id[50665DDC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\validation.js C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00601_.WMF.id[50665DDC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143753.GIF C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14656_.GIF.id[50665DDC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Stationery\1033\NOTEBOOK.JPG C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Cayman.id[50665DDC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Routing.dll C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\MCIMPP.mpp C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca.id[50665DDC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\skins\default.vlt C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS01635_.WMF.id[50665DDC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14981_.GIF.id[50665DDC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\SPANISH.LNG C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPWMI.MOF C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\glass.dll C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\CST6CDT.id[50665DDC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libhttp_plugin.dll C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File created C:\Program Files\UndoAssert.ico.id[50665DDC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\IPMS.ICO.id[50665DDC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\sidebar.exe C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Guam C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861258748.profile.gz.id[50665DDC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-loaders.xml.id[50665DDC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File created C:\Program Files\Java\jre7\lib\security\US_export_policy.jar.id[50665DDC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\Microsoft.Build.Engine.resources.dll C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll.id[50665DDC-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\ManagedObjects\SignedManagedObjects.cer C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\rhD3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\rhD3.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\rhD3.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\certreq.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\certreq.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7041b5e6716fbc3d51516bfc782b1adf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7041b5e6716fbc3d51516bfc782b1adf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7041b5e6716fbc3d51516bfc782b1adf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7041b5e6716fbc3d51516bfc782b1adf.exe N/A
N/A N/A C:\Windows\system32\certreq.exe N/A
N/A N/A C:\Windows\system32\certreq.exe N/A
N/A N/A C:\Windows\system32\certreq.exe N/A
N/A N/A C:\Windows\system32\certreq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\rhD3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\rhD3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2220 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\7041b5e6716fbc3d51516bfc782b1adf.exe C:\Windows\system32\certreq.exe
PID 2220 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\7041b5e6716fbc3d51516bfc782b1adf.exe C:\Windows\system32\certreq.exe
PID 2220 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\7041b5e6716fbc3d51516bfc782b1adf.exe C:\Windows\system32\certreq.exe
PID 2220 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\7041b5e6716fbc3d51516bfc782b1adf.exe C:\Windows\system32\certreq.exe
PID 2220 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\7041b5e6716fbc3d51516bfc782b1adf.exe C:\Windows\system32\certreq.exe
PID 2220 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\7041b5e6716fbc3d51516bfc782b1adf.exe C:\Windows\system32\certreq.exe
PID 2688 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Microsoft\rhD3.exe C:\Users\Admin\AppData\Local\Microsoft\rhD3.exe
PID 2688 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Microsoft\rhD3.exe C:\Users\Admin\AppData\Local\Microsoft\rhD3.exe
PID 2688 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Microsoft\rhD3.exe C:\Users\Admin\AppData\Local\Microsoft\rhD3.exe
PID 2688 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Microsoft\rhD3.exe C:\Users\Admin\AppData\Local\Microsoft\rhD3.exe
PID 2688 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Microsoft\rhD3.exe C:\Users\Admin\AppData\Local\Microsoft\rhD3.exe
PID 2688 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Microsoft\rhD3.exe C:\Users\Admin\AppData\Local\Microsoft\rhD3.exe
PID 2688 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Microsoft\rhD3.exe C:\Users\Admin\AppData\Local\Microsoft\rhD3.exe
PID 1304 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe C:\Windows\system32\cmd.exe
PID 1304 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe C:\Windows\system32\cmd.exe
PID 1304 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe C:\Windows\system32\cmd.exe
PID 1304 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe C:\Windows\system32\cmd.exe
PID 1320 wrote to memory of 2044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1320 wrote to memory of 2044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1320 wrote to memory of 2044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1304 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe C:\Windows\system32\cmd.exe
PID 1304 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe C:\Windows\system32\cmd.exe
PID 1304 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe C:\Windows\system32\cmd.exe
PID 1304 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe C:\Windows\system32\cmd.exe
PID 1676 wrote to memory of 1988 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1676 wrote to memory of 1988 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1676 wrote to memory of 1988 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1676 wrote to memory of 2820 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1676 wrote to memory of 2820 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1676 wrote to memory of 2820 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1264 wrote to memory of 1676 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\BE40.exe
PID 1264 wrote to memory of 1676 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\BE40.exe
PID 1264 wrote to memory of 1676 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\BE40.exe
PID 1264 wrote to memory of 1676 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\BE40.exe
PID 1264 wrote to memory of 2368 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1264 wrote to memory of 2368 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1264 wrote to memory of 2368 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1264 wrote to memory of 2368 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1264 wrote to memory of 2368 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1264 wrote to memory of 2556 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 1264 wrote to memory of 2556 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 1264 wrote to memory of 2556 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 1264 wrote to memory of 2556 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 1264 wrote to memory of 704 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1264 wrote to memory of 704 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1264 wrote to memory of 704 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1264 wrote to memory of 704 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1264 wrote to memory of 704 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1264 wrote to memory of 2644 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1264 wrote to memory of 2644 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1264 wrote to memory of 2644 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1264 wrote to memory of 2644 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1264 wrote to memory of 2644 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1264 wrote to memory of 2520 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1264 wrote to memory of 2520 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1264 wrote to memory of 2520 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1264 wrote to memory of 2520 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1264 wrote to memory of 2520 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1264 wrote to memory of 1640 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 1264 wrote to memory of 1640 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 1264 wrote to memory of 1640 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 1264 wrote to memory of 1640 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 1264 wrote to memory of 2504 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1264 wrote to memory of 2504 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

Process Command line
C:\Windows\Explorer.EXE C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\7041b5e6716fbc3d51516bfc782b1adf.exe "C:\Users\Admin\AppData\Local\Temp\7041b5e6716fbc3d51516bfc782b1adf.exe"
C:\Windows\system32\certreq.exe "C:\Windows\system32\certreq.exe"
C:\Users\Admin\AppData\Local\Microsoft\rhD3.exe "C:\Users\Admin\AppData\Local\Microsoft\rhD3.exe"
C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe "C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe"
C:\Users\Admin\AppData\Local\Microsoft\DW_JmF.exe "C:\Users\Admin\AppData\Local\Microsoft\DW_JmF.exe"
C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe "C:\Users\Admin\AppData\Local\Microsoft\V4CA2s.exe"
C:\Users\Admin\AppData\Local\Microsoft\rhD3.exe "C:\Users\Admin\AppData\Local\Microsoft\rhD3.exe"
C:\Windows\system32\cmd.exe "C:\Windows\system32\cmd.exe"
C:\Windows\system32\vssadmin.exe vssadmin delete shadows /all /quiet
C:\Windows\system32\cmd.exe "C:\Windows\system32\cmd.exe"
C:\Windows\system32\netsh.exe netsh advfirewall set currentprofile state off
C:\Windows\system32\vssvc.exe C:\Windows\system32\vssvc.exe
C:\Windows\system32\netsh.exe netsh firewall set opmode mode=disable
C:\Users\Admin\AppData\Local\Temp\BE40.exe C:\Users\Admin\AppData\Local\Temp\BE40.exe
C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
C:\Windows\System32\Wbem\WMIC.exe wmic shadowcopy delete
C:\Windows\explorer.exe C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe C:\Windows\explorer.exe
C:\Windows\system32\bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe bcdedit /set {default} recoveryenabled no
C:\Windows\system32\wbadmin.exe wbadmin delete catalog -quiet
C:\Windows\system32\wbengine.exe "C:\Windows\system32\wbengine.exe"
C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
C:\Windows\System32\vdsldr.exe C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe C:\Windows\explorer.exe
C:\Windows\System32\vds.exe C:\Windows\System32\vds.exe
C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\mshta.exe "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"
C:\Windows\SysWOW64\mshta.exe "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"
C:\Windows\SysWOW64\mshta.exe "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"
C:\Windows\SysWOW64\mshta.exe "C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"
C:\Windows\system32\cmd.exe "C:\Windows\system32\cmd.exe"
C:\Windows\system32\vssadmin.exe vssadmin delete shadows /all /quiet
C:\Windows\System32\Wbem\WMIC.exe wmic shadowcopy delete
C:\Windows\system32\bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe bcdedit /set {default} recoveryenabled no
C:\Windows\system32\wbadmin.exe wbadmin delete catalog -quiet

Network

Country Destination Domain Proto
US 8.8.8.8:53 servblog25.xyz udp
DE 45.131.66.61:80 servblog25.xyz tcp
DE 45.131.66.61:80 servblog25.xyz tcp
DE 45.131.66.61:80 servblog25.xyz tcp
US 8.8.8.8:53 serverxlogs21.xyz udp
DE 45.131.66.120:80 serverxlogs21.xyz tcp
US 8.8.8.8:53 fexstat257.xyz udp
DE 45.89.125.136:80 fexstat257.xyz tcp

Files

SHA512 e0a4e64f76c247a486445ba9028d668e6a3b719f8d2fbe9a4756090c0c070360e09b78b1da14451a5f15b1a273512cf3b4d62f1baa310780ce82593e252d3ecd

C:\Users\Admin\Desktop\RedoCompress.tif.id[50665DDC-3483].[[email protected]].8base

MD5 02c95aae2483efc5af8023f374d5ab1a
SHA1 2fa1b031162cb247a3d1556b7f8089c27cf21888
SHA256 096ddd21eb06ead3ec65b45a99c69731e9b8e951905f75a1e2e13054f1df52a5
SHA512 be8fb689c99cf43cca0a8853d70d290f0bef42df6b5d0dbfe66818b6e5ea75356081b03b6822141be27021bee174e35b8d5bb3376c636a196e1c61e052ea079b

C:\Users\Admin\Desktop\SearchClose.ram.id[50665DDC-3483].[[email protected]].8base

MD5 7690458a4dfccf86c36f962f1ddacf07
SHA1 47383b112328e5c74cdc492649a607e929a10735
SHA256 0590e053ac542b33e79b9a89cf4f70f5fabb2636a2b912a344ec70c53ec1e87c
SHA512 3758f605f46212f2767de4ee6f03eb20f773e46cd69b051d3f72dcebbbbff40f26bea6fc1a2bef60c8eb045c62bc7fc0273dd5b73a20e02e1f626eb3fdc383b1

C:\Users\Admin\Desktop\SearchEdit.ppt.id[50665DDC-3483].[[email protected]].8base

MD5 f071157cac82c5c60c8ed1ecb4ba97af
SHA1 7644772cb6d53699de97b414dcf4d0c285ee58f3
SHA256 8fec6b35f84ae26827e8769f77633ef5a6cbf00d73f55eff741d6b2b19688209
SHA512 dabee0a5e9bf8157938f5b670d6510f265eec9fa7b3237489c739730a1289198cdd9ef8c4a24b51d89012de51cd67ce77cb963112d82469e430d2b38d2817746

C:\Users\Admin\Desktop\SendBackup.aif.id[50665DDC-3483].[[email protected]].8base

MD5 650bdf32026b7a8bde8959e6971fd566
SHA1 4075bb258a05a8897fe93a19146d65b575c061a0
SHA256 3a6826714073821f938f4cd54dc8977909875e4d8937f305ecbe70e8094d5249
SHA512 c7c0f8972ee51ff15f1292b9b40053ea3384d2fadc8b2a7c32b549ee970f3cb2cb521ac92427e9878cbd9dcd9554a368d19171a93da6a6bb04dec6a3517c1e43

C:\Users\Admin\Desktop\StepRegister.ini.id[50665DDC-3483].[[email protected]].8base

MD5 f4dae9f35a43c01f4796b4c335c6f6af
SHA1 d6ab79f1fcaa4234ab0695806998d53e437bfa45
SHA256 d00ca0ca9dfc7668a50936027bc70c449c1510f6a7abe0914fd3a2bbd8eadee6
SHA512 59d34e241ba2026fc1f973e6f1b8ad17dc70d5e3d76363495503949ba510adf67fc7cb3d07624599630f46f2710e229f9059c8a5e1544479d96621a69a741e3f

C:\Users\Admin\Desktop\SubmitImport.au3.id[50665DDC-3483].[[email protected]].8base

MD5 d264c968dbdb75ae082a6b66167a716e
SHA1 78b810859c83799a193042687a3c8465e5216f13
SHA256 cbe679332fb1a5c0d6e71eeb456dbda735099a01ab7d4e2df2954635b5c66dbc
SHA512 0fd0f4f42c18ea96b094b20e005eac7bedac96da2236d83f877a0058f36ec365c7efad1e8dc23db72c805da7b8b2dc7886f05163a58f9108b4e308e5eea711fe

C:\Users\Admin\Desktop\UnpublishInvoke.tiff.id[50665DDC-3483].[[email protected]].8base

MD5 dba8a13b8521fd6e4dceea90447d7a99
SHA1 f1d109c7bfc4c66a7dec5bd3229cc786e6e42898
SHA256 3f9cdfd25f0c6e1fde56fe43b5b4f6ec0988eb2626ff109daffa8a6f30c6d75e
SHA512 4791f7904d5a5c15e7b79578c190f0ed1559def9d271b5aba840ef7dc9b433821e0db5a8d39925eb78884fb75ebd521490c3eeddb06a1a7d3a6d7bebdfbbc3a3

C:\Users\Admin\Desktop\UpdateConfirm.3g2.id[50665DDC-3483].[[email protected]].8base

MD5 47b0368d2c9cabb70406194b7db663c9
SHA1 77c56f1c6e0f6af66d287b24ee698e811c76a05c
SHA256 2cb53dc7efaa86bfd6056d19933097eaa473128807dbf13c96e49b22c9e33fa2
SHA512 5bb102498ce6defede97c13066c109e6e2a146274dbe462f93b841e794a8dde16c5f0a440a89c72fcdcc361d6a6bbf4d69ad9024f9fd5fb8b26a10f5c9826cbb

C:\Users\Admin\Desktop\RedoPush.wm.id[50665DDC-3483].[[email protected]].8base

MD5 aa5e0de09a79607d33684ce689783fa0
SHA1 3c5a52c35a800997870571afb94dc35cd8c37fc1
SHA256 4b3f05fcfaaa4f2dc7384e0abb6c7968ec028a87ae16cd07d866d5d7c3d633c9
SHA512 9632722dfbbf6650ac04f12edff559c8a2f02458b71ec17c1f2664e86423ad4f0a9b00ea962d006b17ddb8d2a48fb5fbb38b97f3a3334d82c9b6a1cf0d696d2f

C:\Users\Admin\Desktop\RemoveGrant.xltx.id[50665DDC-3483].[[email protected]].8base

MD5 a03a540a88ef24574b2a845395f8eadc
SHA1 6ec11b9ce2c9a5c1eb55dc2ceb2d9db47cdb96fc
SHA256 0faee1a959b1013eeb04993a79cd8a7b4e0e818b1b283cfb61e88ca8fae0b203
SHA512 8d5d95665c670287b2184186d57ce81e76cb4794250d3f16c5d404b6b67757364ff9b08a37c3f079117067104e9359003a35b3c4cf5eb801b942d61aad114aae

C:\info.hta

MD5 9c2e7283ba4766c51eaac9978967d93e
SHA1 f9d41c50d7f1d6dfb7a2d9d56aa973f0e05bbf2a
SHA256 3e970744d293e6919ddcfea718e82346046679c5c9da90a6d9c0eb3218aad0cd
SHA512 b3e2b87647d979b28ad0e39e5439b9612aa6432725e0142c7df81b5f9afdbc93d22d3ddc80e18c058ba26f5878b9d841eaa7793e061284f422ee7193bbf628d9

C:\Users\Admin\Desktop\info.txt

MD5 785cafecedf21b32589f303a8a490a6a
SHA1 5388d3b2a40734142918364eadc02b4429d856e3
SHA256 e455b6bfe96488ca6d4ee70ef495c8925040d22a7cba422e0db7469065daf932
SHA512 4511937134dd7809e888f9bcfcf06d24c17a06f55b5a2b9690a381fda8de9cb793a9799c91814ce43f47ca6db594b010c5feae8aff08bd3edd448967d06fc93b

C:\Users\Admin\Desktop\info.hta

MD5 9c2e7283ba4766c51eaac9978967d93e
SHA1 f9d41c50d7f1d6dfb7a2d9d56aa973f0e05bbf2a
SHA256 3e970744d293e6919ddcfea718e82346046679c5c9da90a6d9c0eb3218aad0cd
SHA512 b3e2b87647d979b28ad0e39e5439b9612aa6432725e0142c7df81b5f9afdbc93d22d3ddc80e18c058ba26f5878b9d841eaa7793e061284f422ee7193bbf628d9

C:\Users\Public\Desktop\VLC media player.lnk.id[50665DDC-3483].[[email protected]].8base

MD5 aeb1fbd89ce194771e271960cb0b773e
SHA1 edab5a39ce692a5193f9e098c48319f47950383c
SHA256 42adceddac5f15ec4ac4846b60f4babbd4984ccf4453b6a986a0b8fbbdc7ca9a
SHA512 b88a2512ccb9c6cd43e3e2dc6ceb77b29478d7002c986c4aa91c1ad7c18b226899da56de7e8b3dc0114776c693849be3a1af911fe032248ed4cd71a6e15c9aea

C:\Users\Public\Desktop\Adobe Reader 9.lnk.id[50665DDC-3483].[[email protected]].8base

MD5 cb5358028451f3748604dad35d6c8d7c
SHA1 1287da4a6c67293292369ef6c0bfac3c827498ba
SHA256 359dbdd8f5e11f3ebef2213dd55c28d8ac89dbb2f5be6750bc280453652255c6
SHA512 6bd25b1faaf6788a8cbd7747ab75b4a391f42364fda994eb4fc3fc8d1a01b6b44483cd47b40dcc3b4b23b6148d9854b956136f854b05bf2f1eca0c759933ae1a

C:\Users\Public\Desktop\Firefox.lnk.id[50665DDC-3483].[[email protected]].8base

MD5 661b0d039bbe9bb206cefa82ce86297a
SHA1 7f7376433d4aae4fdc94cd7c42d7730c8fc39f91
SHA256 06c2a6b22e9cb20283a369d098f86228ff5fe10359fb2042233ae77aad133c5b
SHA512 4f9a085dbfa4e43e39db81d4ad403f043a77280da6ccd73c96f85aa7faeb9d4b5eee923cf66b35a15200c2f68b39653fbe786b45ccd67ee6861559da6c913d55

C:\Users\Public\Desktop\Google Chrome.lnk.id[50665DDC-3483].[[email protected]].8base

MD5 b48280c9955cd2ef3e65485f7ecc6d39
SHA1 7032837c07182a9c329f37954c0a840fd59526e2
SHA256 05d8d86c03a2080cb84f5b8c8737c72683373eb38f7e75dc3d43db9df08855ce
SHA512 f549a348b15784ee1b8a7ccf7d0eaed9cc3987332d9920cabdd3f37e3116097ce1f7c015b10d858f5ea9a3b2f7c6f9a618364c4a7508944b3b0361e03d2e6753

C:\Users\Public\Desktop\info.hta

MD5 9c2e7283ba4766c51eaac9978967d93e
SHA1 f9d41c50d7f1d6dfb7a2d9d56aa973f0e05bbf2a
SHA256 3e970744d293e6919ddcfea718e82346046679c5c9da90a6d9c0eb3218aad0cd
SHA512 b3e2b87647d979b28ad0e39e5439b9612aa6432725e0142c7df81b5f9afdbc93d22d3ddc80e18c058ba26f5878b9d841eaa7793e061284f422ee7193bbf628d9

C:\Users\Public\Desktop\info.txt

MD5 785cafecedf21b32589f303a8a490a6a
SHA1 5388d3b2a40734142918364eadc02b4429d856e3
SHA256 e455b6bfe96488ca6d4ee70ef495c8925040d22a7cba422e0db7469065daf932
SHA512 4511937134dd7809e888f9bcfcf06d24c17a06f55b5a2b9690a381fda8de9cb793a9799c91814ce43f47ca6db594b010c5feae8aff08bd3edd448967d06fc93b

C:\info.hta

MD5 9c2e7283ba4766c51eaac9978967d93e
SHA1 f9d41c50d7f1d6dfb7a2d9d56aa973f0e05bbf2a
SHA256 3e970744d293e6919ddcfea718e82346046679c5c9da90a6d9c0eb3218aad0cd
SHA512 b3e2b87647d979b28ad0e39e5439b9612aa6432725e0142c7df81b5f9afdbc93d22d3ddc80e18c058ba26f5878b9d841eaa7793e061284f422ee7193bbf628d9

F:\info.hta

MD5 9c2e7283ba4766c51eaac9978967d93e
SHA1 f9d41c50d7f1d6dfb7a2d9d56aa973f0e05bbf2a
SHA256 3e970744d293e6919ddcfea718e82346046679c5c9da90a6d9c0eb3218aad0cd
SHA512 b3e2b87647d979b28ad0e39e5439b9612aa6432725e0142c7df81b5f9afdbc93d22d3ddc80e18c058ba26f5878b9d841eaa7793e061284f422ee7193bbf628d9

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-14 06:33

Reported

2023-07-14 06:35

Platform

win10v2004-20230703-en

Max time kernel

149s

Max time network

149s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detect rhadamanthys stealer shellcode

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Phobos

ransomware phobos

Rhadamanthys

stealer rhadamanthys

SmokeLoader

trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2216 created 772 N/A C:\Users\Admin\AppData\Local\Temp\7041b5e6716fbc3d51516bfc782b1adf.exe C:\Windows\Explorer.EXE

SystemBC

trojan systembc

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (476) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\[email protected] C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[AE7CADA3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\F9W8Tds@Y = "C:\\Users\\Admin\\AppData\\Local\\[email protected]" C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\F9W8Tds@Y = "C:\\Users\\Admin\\AppData\\Local\\[email protected]" C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1722984668-1829624581-3022101259-1000\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3008 set thread context of 1192 N/A C:\Users\Admin\AppData\Local\Microsoft\{xE.exe C:\Users\Admin\AppData\Local\Microsoft\{xE.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationTypes.resources.dll C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-60.png C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\print_poster.png C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\msvcr120.dll.id[AE7CADA3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\sr-Latn-RS.pak.id[AE7CADA3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\fontconfig.properties.src C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.altform-unplated_targetsize-32.png C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages.man.id[AE7CADA3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Windows Defender\ja-JP\MpAsDesc.dll.mui C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-100_contrast-black.png C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-256.png C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-72_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Java\jdk1.8.0_66\jre\lib\meta-index.id[AE7CADA3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\2.jpg C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\org-netbeans-modules-profiler_visualvm.jar.id[AE7CADA3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_pt_BR.properties.id[AE7CADA3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Mozilla Firefox\vcruntime140.dll.id[AE7CADA3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\it.pak.DATA.id[AE7CADA3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup_ja.jar C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-heapwalker.jar.id[AE7CADA3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial3-pl.xrm-ms.id[AE7CADA3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\BASMLA.XSL C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-black\WideTile.scale-200.png C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\it-it\ui-strings.js C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ul-phn.xrm-ms.id[AE7CADA3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ESEN\MSB1ESEN.DLL C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-80_altform-lightunplated.png C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Java\jdk1.8.0_66\jre\lib\jvm.hprof.txt.id[AE7CADA3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PerfBoost.exe C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\librtpvideo_plugin.dll.id[AE7CADA3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\sRGB.pf.id[AE7CADA3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.27629.0_x64__8wekyb3d8bbwe\mfc140enu.dll C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-30_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.175.29\msedgeupdateres_or.dll.id[AE7CADA3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\7-Zip\Lang\lv.txt C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-48_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sk-sk\ui-strings.js C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0.dll.id[AE7CADA3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaTypewriterRegular.ttf C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SUMIPNTG\SUMIPNTG.ELM.id[AE7CADA3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\cs-cz\ui-strings.js C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProDemoR_BypassTrial180-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sv-se\ui-strings.js.id[AE7CADA3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\lo.pak.id[AE7CADA3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-ppd.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-180.png.id[AE7CADA3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\da-dk\ui-strings.js.id[AE7CADA3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\sk-sk\ui-strings.js.id[AE7CADA3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files (x86)\Common Files\System\ado\msader15.dll C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ppd.xrm-ms.id[AE7CADA3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Cloud.png C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\people\eliseGibson.png C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Wide310x150Logo.scale-100.png C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-20_altform-unplated.png C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia.api C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ur.pak C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\Microsoft.Build.Engine.resources.dll C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\libsubsdec_plugin.dll.id[AE7CADA3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\pt-br\ui-strings.js C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\s_radio_selected_18.svg.id[AE7CADA3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.175.29\msedgeupdateres_et.dll.id[AE7CADA3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\Invite or Link.one C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\{xE.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\{xE.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\{xE.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\certreq.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\certreq.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7041b5e6716fbc3d51516bfc782b1adf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7041b5e6716fbc3d51516bfc782b1adf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7041b5e6716fbc3d51516bfc782b1adf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7041b5e6716fbc3d51516bfc782b1adf.exe N/A
N/A N/A C:\Windows\system32\certreq.exe N/A
N/A N/A C:\Windows\system32\certreq.exe N/A
N/A N/A C:\Windows\system32\certreq.exe N/A
N/A N/A C:\Windows\system32\certreq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\{xE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\{xE.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 (SeDelegateSessionUserImpersonatePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 (SeDelegateSessionUserImpersonatePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2216 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\7041b5e6716fbc3d51516bfc782b1adf.exe C:\Windows\system32\certreq.exe
PID 2216 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\7041b5e6716fbc3d51516bfc782b1adf.exe C:\Windows\system32\certreq.exe
PID 2216 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\7041b5e6716fbc3d51516bfc782b1adf.exe C:\Windows\system32\certreq.exe
PID 2216 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\7041b5e6716fbc3d51516bfc782b1adf.exe C:\Windows\system32\certreq.exe
PID 3008 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Microsoft\{xE.exe C:\Users\Admin\AppData\Local\Microsoft\{xE.exe
PID 3008 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Microsoft\{xE.exe C:\Users\Admin\AppData\Local\Microsoft\{xE.exe
PID 3008 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Microsoft\{xE.exe C:\Users\Admin\AppData\Local\Microsoft\{xE.exe
PID 3008 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Microsoft\{xE.exe C:\Users\Admin\AppData\Local\Microsoft\{xE.exe
PID 3008 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Microsoft\{xE.exe C:\Users\Admin\AppData\Local\Microsoft\{xE.exe
PID 3008 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Microsoft\{xE.exe C:\Users\Admin\AppData\Local\Microsoft\{xE.exe
PID 1068 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Microsoft\[email protected] C:\Windows\system32\cmd.exe
PID 1068 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Microsoft\[email protected] C:\Windows\system32\cmd.exe
PID 1068 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Microsoft\[email protected] C:\Windows\system32\cmd.exe
PID 1068 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Microsoft\[email protected] C:\Windows\system32\cmd.exe
PID 4820 wrote to memory of 2872 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4820 wrote to memory of 2872 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3412 wrote to memory of 3800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3412 wrote to memory of 3800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3412 wrote to memory of 1760 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3412 wrote to memory of 1760 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4820 wrote to memory of 980 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4820 wrote to memory of 980 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4820 wrote to memory of 3992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4820 wrote to memory of 3992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4820 wrote to memory of 4584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4820 wrote to memory of 4584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4820 wrote to memory of 1600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 4820 wrote to memory of 1600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 772 wrote to memory of 320 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\EC3F.exe
PID 772 wrote to memory of 320 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\EC3F.exe
PID 772 wrote to memory of 320 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\EC3F.exe
PID 772 wrote to memory of 4748 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 772 wrote to memory of 4748 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 772 wrote to memory of 4748 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 772 wrote to memory of 4748 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 772 wrote to memory of 5064 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 772 wrote to memory of 5064 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 772 wrote to memory of 5064 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 772 wrote to memory of 2968 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 772 wrote to memory of 2968 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 772 wrote to memory of 2968 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 772 wrote to memory of 2968 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 772 wrote to memory of 2828 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 772 wrote to memory of 2828 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 772 wrote to memory of 2828 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 772 wrote to memory of 2828 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 772 wrote to memory of 1352 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 772 wrote to memory of 1352 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 772 wrote to memory of 1352 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 772 wrote to memory of 1352 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 772 wrote to memory of 4156 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 772 wrote to memory of 4156 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 772 wrote to memory of 4156 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 772 wrote to memory of 452 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 772 wrote to memory of 452 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 772 wrote to memory of 452 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 772 wrote to memory of 452 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 772 wrote to memory of 3084 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 772 wrote to memory of 3084 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 772 wrote to memory of 3084 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 772 wrote to memory of 1124 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 772 wrote to memory of 1124 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 772 wrote to memory of 1124 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 772 wrote to memory of 1124 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\7041b5e6716fbc3d51516bfc782b1adf.exe

"C:\Users\Admin\AppData\Local\Temp\7041b5e6716fbc3d51516bfc782b1adf.exe"

C:\Windows\system32\certreq.exe

"C:\Windows\system32\certreq.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2216 -ip 2216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 948

C:\Users\Admin\AppData\Local\Microsoft\p9D[8W).exe

"C:\Users\Admin\AppData\Local\Microsoft\p9D[8W).exe"

C:\Users\Admin\AppData\Local\Microsoft\{xE.exe

"C:\Users\Admin\AppData\Local\Microsoft\{xE.exe"

C:\Users\Admin\AppData\Local\Microsoft\[email protected]

"C:\Users\Admin\AppData\Local\Microsoft\[email protected]"

C:\Users\Admin\AppData\Local\Microsoft\{xE.exe

"C:\Users\Admin\AppData\Local\Microsoft\{xE.exe"

C:\Users\Admin\AppData\Local\Microsoft\[email protected]

"C:\Users\Admin\AppData\Local\Microsoft\[email protected]"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1128 -ip 1128

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 484

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Users\Admin\AppData\Local\Temp\EC3F.exe

C:\Users\Admin\AppData\Local\Temp\EC3F.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 320 -ip 320

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 500

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
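
The process list above, read together with the WriteProcessMemory table, shows the ransomware's recovery-inhibition sequence: two cmd.exe children of the `[email protected]` process (PID 1068) run vssadmin, wmic, bcdedit, wbadmin and netsh with the command lines recorded, and mshta.exe opens the ransom note. The detector below is an added example, not the sandbox's own signature logic: it runs those rules over constructed Sysmon-style process-creation events built from the PIDs, images and command lines on this page, and walks parent links through cmd.exe so hits are attributed to the process that launched the sequence rather than to the transient shells. The ransomware's parent PID (4000), the mshta.exe PID (5200) and the benign `vssadmin list shadows` control event are assumptions for the example.

```python
from collections import defaultdict

# Constructed process-creation events in Sysmon Event ID 1 shape (pid, ppid,
# image, cmdline). PIDs, images and command lines come from the
# WriteProcessMemory table and Processes list above. Assumptions for this
# example: the ransomware's own parent PID (4000), the mshta.exe PID (5200)
# and the benign 'vssadmin list shadows' control event (pid 5100).
RANSOM = r"C:\Users\Admin\AppData\Local\Microsoft\[email protected]"
CMD = r"C:\Windows\system32\cmd.exe"
EVENTS = [
    {"pid": 1068, "ppid": 4000, "image": RANSOM, "cmdline": f'"{RANSOM}"'},
    {"pid": 3412, "ppid": 1068, "image": CMD, "cmdline": f'"{CMD}"'},
    {"pid": 4820, "ppid": 1068, "image": CMD, "cmdline": f'"{CMD}"'},
    {"pid": 2872, "ppid": 4820, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"pid": 3800, "ppid": 3412, "image": r"C:\Windows\system32\netsh.exe",
     "cmdline": "netsh advfirewall set currentprofile state off"},
    {"pid": 1760, "ppid": 3412, "image": r"C:\Windows\system32\netsh.exe",
     "cmdline": "netsh firewall set opmode mode=disable"},
    {"pid": 980, "ppid": 4820, "image": r"C:\Windows\System32\Wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"pid": 3992, "ppid": 4820, "image": r"C:\Windows\system32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 4584, "ppid": 4820, "image": r"C:\Windows\system32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"pid": 1600, "ppid": 4820, "image": r"C:\Windows\system32\wbadmin.exe",
     "cmdline": "wbadmin delete catalog -quiet"},
    {"pid": 5200, "ppid": 1068, "image": r"C:\Windows\SysWOW64\mshta.exe",
     "cmdline": r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}'},
    {"pid": 5100, "ppid": 772, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
]

# (category, image basename, substrings that must all occur in the lower-cased
# command line). Substrings keep quoting and argument order from mattering.
RULES = [
    ("shadow_copy_deletion",    "vssadmin.exe", ("delete", "shadows")),
    ("shadow_copy_deletion",    "wmic.exe",     ("shadowcopy", "delete")),
    ("backup_catalog_deletion", "wbadmin.exe",  ("delete", "catalog")),
    ("boot_recovery_disabled",  "bcdedit.exe",  ("recoveryenabled no",)),
    ("boot_recovery_disabled",  "bcdedit.exe",  ("bootstatuspolicy ignoreallfailures",)),
    ("firewall_disabled",       "netsh.exe",    ("advfirewall", "state off")),
    ("firewall_disabled",       "netsh.exe",    ("firewall set opmode", "mode=disable")),
    ("ransom_note_displayed",   "mshta.exe",    (".hta",)),
]
# Categories that together make up ATT&CK T1490, Inhibit System Recovery.
RECOVERY = {"shadow_copy_deletion", "backup_catalog_deletion", "boot_recovery_disabled"}


def basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def match_rules(event):
    """Rule categories whose image and command-line terms all fit this event."""
    img, cmd = basename(event["image"]), event["cmdline"].lower()
    return sorted({cat for cat, exe, terms in RULES
                   if img == exe and all(t in cmd for t in terms)})


def origin_of(pid, by_pid):
    """Climb from a matched process through cmd.exe launchers to the process
    that started the sequence; stops where the parent is not in the log."""
    cur = by_pid[pid]
    while True:
        parent = by_pid.get(cur["ppid"])
        if parent is None:
            return cur["pid"]
        if cur["pid"] != pid and basename(cur["image"]) != "cmd.exe":
            return cur["pid"]
        cur = parent


def assess(events):
    """Group rule hits by originating process and attach a verdict per group."""
    by_pid = {e["pid"]: e for e in events}
    groups = defaultdict(lambda: {"categories": set(), "hits": []})
    for e in events:
        for cat in match_rules(e):
            g = groups[origin_of(e["pid"], by_pid)]
            g["categories"].add(cat)
            g["hits"].append((cat, e["pid"], basename(e["image"]), e["cmdline"]))
    for origin, g in groups.items():
        g["image"] = by_pid[origin]["image"]
        # Two or more distinct recovery-inhibition techniques under one parent
        # is the pattern the sandbox recorded above; one alone is only suspicious.
        g["verdict"] = ("inhibit_system_recovery"
                        if len(g["categories"] & RECOVERY) >= 2 else "suspicious")
    return dict(groups)


if __name__ == "__main__":
    for origin, g in assess(EVENTS).items():
        print(f"origin pid {origin} ({g['image']}): {g['verdict']}")
        for cat, pid, exe, cmd in g["hits"]:
            print(f"  [{cat}] pid {pid} {exe}: {cmd}")
```

The verdict deliberately needs only two of the three recovery categories rather than the full sequence, since a sample that is killed part-way through still leaves that much evidence; the firewall and mshta hits ride along as context. Parent-chain attribution only works when the launching cmd.exe's creation event is inside the window being examined, so do not trim the window to the vssadmin or bcdedit events alone.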

Network

Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 servblog25.xyz udp
DE 45.131.66.61:80 servblog25.xyz tcp
US 8.8.8.8:53 61.66.131.45.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
DE 45.131.66.61:80 servblog25.xyz tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
DE 45.131.66.61:80 servblog25.xyz tcp
DE 45.131.66.61:80 servblog25.xyz tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 serverxlogs21.xyz udp
DE 45.131.66.120:80 serverxlogs21.xyz tcp
US 8.8.8.8:53 120.66.131.45.in-addr.arpa udp
US 8.8.8.8:53 fexstat257.xyz udp
DE 45.89.125.136:80 fexstat257.xyz tcp
US 8.8.8.8:53 136.125.89.45.in-addr.arpa udp
DE 45.131.66.120:80 serverxlogs21.xyz tcp
US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp
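
The Network table above mixes three kinds of rows: DNS queries to 8.8.8.8:53, TCP connections to the hosts those names resolved to, and PTR (in-addr.arpa) lookups. The script below is an added example, not part of the report: it separates the contacted domains, with resolved IP, port and connection count, from the reverse lookups, reports which reverse lookups target the contacted addresses themselves, and emits one Suricata DNS-query rule per domain. Treating 8.8.8.8 as the sandbox's resolver and starting rule SIDs at 1000001 are assumptions; the table does not record which process issued the PTR lookups, so the example does not attribute them to the sample.

```python
from collections import OrderedDict

# All rows of the Network table above, copied as "country destination domain proto".
NETWORK_ROWS = """\
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 servblog25.xyz udp
DE 45.131.66.61:80 servblog25.xyz tcp
US 8.8.8.8:53 61.66.131.45.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
DE 45.131.66.61:80 servblog25.xyz tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
DE 45.131.66.61:80 servblog25.xyz tcp
DE 45.131.66.61:80 servblog25.xyz tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 serverxlogs21.xyz udp
DE 45.131.66.120:80 serverxlogs21.xyz tcp
US 8.8.8.8:53 120.66.131.45.in-addr.arpa udp
US 8.8.8.8:53 fexstat257.xyz udp
DE 45.89.125.136:80 fexstat257.xyz tcp
US 8.8.8.8:53 136.125.89.45.in-addr.arpa udp
DE 45.131.66.120:80 serverxlogs21.xyz tcp
US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp
""".splitlines()

RESOLVERS = {"8.8.8.8"}  # assumed: the sandbox's DNS server, not an IOC itself


def parse_network_row(row):
    country, dest, domain, proto = row.split()
    ip, port = dest.rsplit(":", 1)
    return {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def ptr_target(domain):
    """Turn '61.66.131.45.in-addr.arpa' back into '45.131.66.61'; None otherwise."""
    suffix = ".in-addr.arpa"
    if not domain.endswith(suffix):
        return None
    return ".".join(reversed(domain[: -len(suffix)].split(".")))


def extract_iocs(rows):
    """Contacted domains with resolved IP, port and connection count, kept apart
    from reverse lookups, which are queries about an address, not contact with it."""
    c2, reverse = OrderedDict(), []
    for r in map(parse_network_row, rows):
        target = ptr_target(r["domain"])
        if target is not None:
            reverse.append(target)
            continue
        entry = c2.setdefault(r["domain"], {"ip": None, "port": None, "count": 0})
        if r["ip"] not in RESOLVERS:  # a real connection, not the DNS query for it
            entry.update(ip=r["ip"], port=r["port"], count=entry["count"] + 1)
    return {"c2": dict(c2), "reverse_lookups": reverse}


def reverse_lookups_of_c2(iocs):
    """Addresses that were both connected to and reverse-resolved."""
    c2_ips = {v["ip"] for v in iocs["c2"].values()}
    return c2_ips & set(iocs["reverse_lookups"])


def suricata_rules(iocs, sid_start=1000001):
    """One DNS-query alert per contacted domain (the SID range is an assumption)."""
    return [
        f'alert dns $HOME_NET any -> any any (msg:"C2 domain {d} from sandbox report"; '
        f'dns.query; content:"{d}"; nocase; sid:{sid_start + i}; rev:1;)'
        for i, d in enumerate(iocs["c2"])
    ]


if __name__ == "__main__":
    iocs = extract_iocs(NETWORK_ROWS)
    for domain, v in iocs["c2"].items():
        print(f"{domain} -> {v['ip']}:{v['port']} ({v['count']} connections)")
    print("reverse lookups of contacted IPs:", sorted(reverse_lookups_of_c2(iocs)))
    print("\n".join(suricata_rules(iocs)))
```

Three of the eleven reverse lookups resolve back to the three contacted addresses; the other eight are for addresses that never appear as a destination, so they belong in a separate bucket rather than on a blocklist.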

Files

memory/2216-134-0x0000000002CE0000-0x0000000002DE0000-memory.dmp

memory/2216-135-0x00000000048F0000-0x0000000004961000-memory.dmp

memory/2216-136-0x0000000000400000-0x0000000002B7C000-memory.dmp

memory/2216-137-0x0000000004970000-0x0000000004977000-memory.dmp

memory/2216-138-0x0000000004E00000-0x0000000005200000-memory.dmp

memory/2216-139-0x0000000004E00000-0x0000000005200000-memory.dmp

memory/2216-140-0x0000000004E00000-0x0000000005200000-memory.dmp

memory/2216-141-0x0000000004E00000-0x0000000005200000-memory.dmp

memory/2216-142-0x0000000002CE0000-0x0000000002DE0000-memory.dmp

memory/2592-143-0x000001699EF60000-0x000001699EF63000-memory.dmp

memory/2216-144-0x00000000048F0000-0x0000000004961000-memory.dmp

memory/2216-145-0x0000000000400000-0x0000000002B7C000-memory.dmp

memory/2216-146-0x0000000004DA0000-0x0000000004DD6000-memory.dmp

memory/2216-152-0x0000000004DA0000-0x0000000004DD6000-memory.dmp

memory/2216-153-0x0000000004E00000-0x0000000005200000-memory.dmp

memory/2216-155-0x0000000000400000-0x0000000002B7C000-memory.dmp

memory/2216-156-0x0000000004E00000-0x0000000005200000-memory.dmp

memory/2592-157-0x000001699EF60000-0x000001699EF63000-memory.dmp

memory/2592-158-0x000001699EFF0000-0x000001699EFF7000-memory.dmp

memory/2592-159-0x00007FF460200000-0x00007FF46032D000-memory.dmp

memory/2592-160-0x00007FF460200000-0x00007FF46032D000-memory.dmp

memory/2592-161-0x00007FF460200000-0x00007FF46032D000-memory.dmp

memory/2592-162-0x00007FF460200000-0x00007FF46032D000-memory.dmp

memory/2592-163-0x00007FF460200000-0x00007FF46032D000-memory.dmp

memory/2592-165-0x00007FF460200000-0x00007FF46032D000-memory.dmp

memory/2592-167-0x00007FF460200000-0x00007FF46032D000-memory.dmp

memory/2592-168-0x00007FF460200000-0x00007FF46032D000-memory.dmp

memory/2592-169-0x00007FF460200000-0x00007FF46032D000-memory.dmp

memory/2592-170-0x00007FFCA8230000-0x00007FFCA8425000-memory.dmp

memory/2592-171-0x00007FF460200000-0x00007FF46032D000-memory.dmp

memory/2592-172-0x00007FF460200000-0x00007FF46032D000-memory.dmp

memory/2592-173-0x00007FF460200000-0x00007FF46032D000-memory.dmp

memory/2592-174-0x00007FF460200000-0x00007FF46032D000-memory.dmp

memory/2592-175-0x00007FF460200000-0x00007FF46032D000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\p9D[8W).exe

MD5 3524139d7687147f53dc7df4f4867093
SHA1 77a6308dc4981ac164a887ed54a0e01c63c17c63
SHA256 954429625375fc965c2151a8b109c07d1f6de6fbf9c3b95660400d9b4bf79081
SHA512 48df3de51b20e20660804f92a699f9b3886406c1872c8df02e220bf23415838ada393fc540f878aad8ebe61f7023161b15152942509b63030b6fd4a458a82db3

C:\Users\Admin\AppData\Local\Microsoft\p9D[8W).exe

MD5 3524139d7687147f53dc7df4f4867093
SHA1 77a6308dc4981ac164a887ed54a0e01c63c17c63
SHA256 954429625375fc965c2151a8b109c07d1f6de6fbf9c3b95660400d9b4bf79081
SHA512 48df3de51b20e20660804f92a699f9b3886406c1872c8df02e220bf23415838ada393fc540f878aad8ebe61f7023161b15152942509b63030b6fd4a458a82db3

memory/2592-180-0x00007FF460200000-0x00007FF46032D000-memory.dmp

memory/2592-181-0x00007FFCA8230000-0x00007FFCA8425000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\{xE.exe

MD5 1b2b02b4b524fe02b8b96bd781c8eceb
SHA1 36e2eb7e1ae58b103b2d1cca5991786b0118534b
SHA256 e780a1b2be7dab91bdc77bd313dd5a4456e0d92164fc1e54894f086f269d85c6
SHA512 80caf55a2f2a63e99c5ee6199b3b8357fd5d2bf92cb671f80a0b05385cc79f78fc689d60197176fc1bae67ab331e8bdf71adf44c88423bbbf95e7926e31e5bc8

C:\Users\Admin\AppData\Local\Microsoft\{xE.exe

MD5 1b2b02b4b524fe02b8b96bd781c8eceb
SHA1 36e2eb7e1ae58b103b2d1cca5991786b0118534b
SHA256 e780a1b2be7dab91bdc77bd313dd5a4456e0d92164fc1e54894f086f269d85c6
SHA512 80caf55a2f2a63e99c5ee6199b3b8357fd5d2bf92cb671f80a0b05385cc79f78fc689d60197176fc1bae67ab331e8bdf71adf44c88423bbbf95e7926e31e5bc8

C:\Users\Admin\AppData\Local\Microsoft\[email protected]

MD5 65ba8303fabfb2652158af69f7124772
SHA1 e7a679c504b8f00c995da10f1fa66fb6458832a2
SHA256 3ec359f6ab125099db4a4f7b6ad6b17ab1411a338be932ea45aea13aad7788c8
SHA512 cc77310aa5caf21cfcfd318b97f804d565fb0ecb8ad6f3335bd9883a9c3db3d94e784b4b9ac54b04ee71172d62fb23e8b99de93237e9d798cb02d5359a83c5f0

C:\Users\Admin\AppData\Local\Microsoft\[email protected]

MD5 65ba8303fabfb2652158af69f7124772
SHA1 e7a679c504b8f00c995da10f1fa66fb6458832a2
SHA256 3ec359f6ab125099db4a4f7b6ad6b17ab1411a338be932ea45aea13aad7788c8
SHA512 cc77310aa5caf21cfcfd318b97f804d565fb0ecb8ad6f3335bd9883a9c3db3d94e784b4b9ac54b04ee71172d62fb23e8b99de93237e9d798cb02d5359a83c5f0

memory/2592-191-0x00007FFCA8230000-0x00007FFCA8425000-memory.dmp

memory/2592-190-0x000001699EFF0000-0x000001699EFF5000-memory.dmp

memory/1948-193-0x0000000000530000-0x0000000000535000-memory.dmp

memory/1948-192-0x0000000000570000-0x0000000000670000-memory.dmp

memory/1948-194-0x0000000000400000-0x000000000049A000-memory.dmp

memory/3008-195-0x0000000000740000-0x0000000000840000-memory.dmp

memory/3008-196-0x0000000000700000-0x0000000000709000-memory.dmp

memory/1948-198-0x0000000000570000-0x0000000000670000-memory.dmp

memory/1068-199-0x0000000000530000-0x0000000000630000-memory.dmp

memory/1068-200-0x0000000000400000-0x000000000049A000-memory.dmp

memory/1068-197-0x00000000004F0000-0x00000000004FF000-memory.dmp

memory/1192-201-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\{xE.exe

MD5 1b2b02b4b524fe02b8b96bd781c8eceb
SHA1 36e2eb7e1ae58b103b2d1cca5991786b0118534b
SHA256 e780a1b2be7dab91bdc77bd313dd5a4456e0d92164fc1e54894f086f269d85c6
SHA512 80caf55a2f2a63e99c5ee6199b3b8357fd5d2bf92cb671f80a0b05385cc79f78fc689d60197176fc1bae67ab331e8bdf71adf44c88423bbbf95e7926e31e5bc8

memory/1192-203-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1192-204-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\[email protected]

MD5 65ba8303fabfb2652158af69f7124772
SHA1 e7a679c504b8f00c995da10f1fa66fb6458832a2
SHA256 3ec359f6ab125099db4a4f7b6ad6b17ab1411a338be932ea45aea13aad7788c8
SHA512 cc77310aa5caf21cfcfd318b97f804d565fb0ecb8ad6f3335bd9883a9c3db3d94e784b4b9ac54b04ee71172d62fb23e8b99de93237e9d798cb02d5359a83c5f0

memory/772-208-0x00000000008E0000-0x00000000008F6000-memory.dmp

memory/1192-209-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id[AE7CADA3-3483].[[email protected]].8base

MD5 c43477bcde64bb882b22141efffbf781
SHA1 1c2bbf29f780aa9247da1b016a8ab74b84b10454
SHA256 76b5100924b53b8a59818626b17730359b36dfa32e9a00ad23a72f9751846f25
SHA512 d2c2b24ed8823dee86951082629cb295a3ce7e0e954a7396ed0b8253de353fa77fc63e4b71fe8cff5f893924ab1a21a7149645efe626ca8868b54efdacc5c909

memory/1068-423-0x00000000004F0000-0x00000000004FF000-memory.dmp

memory/1068-543-0x0000000000530000-0x0000000000630000-memory.dmp

memory/1068-545-0x0000000000400000-0x000000000049A000-memory.dmp

memory/1068-546-0x0000000000400000-0x000000000049A000-memory.dmp

memory/1128-744-0x0000000000640000-0x0000000000740000-memory.dmp

memory/1128-752-0x0000000000400000-0x000000000049A000-memory.dmp

memory/1068-2675-0x0000000000400000-0x000000000049A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EC3F.exe

MD5 65ba8303fabfb2652158af69f7124772
SHA1 e7a679c504b8f00c995da10f1fa66fb6458832a2
SHA256 3ec359f6ab125099db4a4f7b6ad6b17ab1411a338be932ea45aea13aad7788c8
SHA512 cc77310aa5caf21cfcfd318b97f804d565fb0ecb8ad6f3335bd9883a9c3db3d94e784b4b9ac54b04ee71172d62fb23e8b99de93237e9d798cb02d5359a83c5f0

C:\Users\Admin\AppData\Local\Temp\EC3F.exe

MD5 65ba8303fabfb2652158af69f7124772
SHA1 e7a679c504b8f00c995da10f1fa66fb6458832a2
SHA256 3ec359f6ab125099db4a4f7b6ad6b17ab1411a338be932ea45aea13aad7788c8
SHA512 cc77310aa5caf21cfcfd318b97f804d565fb0ecb8ad6f3335bd9883a9c3db3d94e784b4b9ac54b04ee71172d62fb23e8b99de93237e9d798cb02d5359a83c5f0

C:\Users\Admin\AppData\Local\Temp\EC3F.exe

MD5 65ba8303fabfb2652158af69f7124772
SHA1 e7a679c504b8f00c995da10f1fa66fb6458832a2
SHA256 3ec359f6ab125099db4a4f7b6ad6b17ab1411a338be932ea45aea13aad7788c8
SHA512 cc77310aa5caf21cfcfd318b97f804d565fb0ecb8ad6f3335bd9883a9c3db3d94e784b4b9ac54b04ee71172d62fb23e8b99de93237e9d798cb02d5359a83c5f0

memory/4748-4058-0x0000000000500000-0x000000000056B000-memory.dmp

memory/4748-4060-0x0000000000570000-0x00000000005E5000-memory.dmp

memory/4748-4093-0x0000000000500000-0x000000000056B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\cookies.sqlite.id[AE7CADA3-3483].[[email protected]].8base

MD5 3776fb4868bab628f0f15dcd7fbd5b7c
SHA1 e809d03605cb96a423e5053af79f101864aa2c15
SHA256 7ac365d8d38d5591dc00d6aabce69720a011b5fc93a63e0cb34c6ccd9eb52daa
SHA512 020090ee1df92c7e793868f9c21f7eb98b2bb6d5e78e9b8622653d5da6a74384f4c1e4460092316355efa7ed669c6ba2852df7e258866e07c9418323987ba6af

memory/4748-4368-0x0000000000500000-0x000000000056B000-memory.dmp

memory/5064-4375-0x0000000001100000-0x0000000001107000-memory.dmp

memory/5064-4376-0x00000000010F0000-0x00000000010FC000-memory.dmp

memory/5064-4378-0x00000000010F0000-0x00000000010FC000-memory.dmp

memory/2968-4411-0x0000000000FF0000-0x0000000000FF9000-memory.dmp

memory/2968-4415-0x0000000001200000-0x0000000001204000-memory.dmp

memory/2968-4416-0x0000000000FF0000-0x0000000000FF9000-memory.dmp

memory/2828-4596-0x00000000006F0000-0x00000000006FB000-memory.dmp

memory/2828-4597-0x0000000000700000-0x000000000070A000-memory.dmp

memory/2828-4598-0x00000000006F0000-0x00000000006FB000-memory.dmp

memory/1068-4599-0x0000000000400000-0x000000000049A000-memory.dmp

memory/1352-4603-0x0000000000430000-0x000000000043B000-memory.dmp

memory/1352-4604-0x0000000000440000-0x0000000000447000-memory.dmp

memory/1352-4609-0x0000000000430000-0x000000000043B000-memory.dmp

memory/4156-4691-0x0000000000BD0000-0x0000000000BDF000-memory.dmp

memory/4156-4705-0x0000000000BE0000-0x0000000000BE9000-memory.dmp

memory/4156-4735-0x0000000000BD0000-0x0000000000BDF000-memory.dmp

memory/452-5062-0x0000000000FC0000-0x0000000000FC9000-memory.dmp

memory/452-5086-0x0000000000FC0000-0x0000000000FC9000-memory.dmp

memory/452-5078-0x0000000000FD0000-0x0000000000FD5000-memory.dmp

memory/2968-5092-0x0000000001200000-0x0000000001204000-memory.dmp

memory/3084-5119-0x00000000005C0000-0x00000000005CC000-memory.dmp

memory/3084-5120-0x00000000005D0000-0x00000000005D6000-memory.dmp

memory/3084-5124-0x00000000005C0000-0x00000000005CC000-memory.dmp

memory/1124-5276-0x0000000000FC0000-0x0000000000FC9000-memory.dmp

memory/1124-5278-0x0000000000FC0000-0x0000000000FC9000-memory.dmp

memory/4132-5279-0x0000000000960000-0x0000000000969000-memory.dmp

memory/1352-5280-0x0000000000440000-0x0000000000447000-memory.dmp

memory/4132-5281-0x0000000000FC0000-0x0000000000FC9000-memory.dmp

memory/4132-5282-0x0000000000960000-0x0000000000969000-memory.dmp

memory/1244-5537-0x0000000000660000-0x0000000000687000-memory.dmp

memory/1244-5591-0x0000000000660000-0x0000000000687000-memory.dmp

memory/4156-5574-0x0000000000BE0000-0x0000000000BE9000-memory.dmp

memory/4124-5698-0x0000000000360000-0x0000000000369000-memory.dmp

memory/452-5708-0x0000000000FD0000-0x0000000000FD5000-memory.dmp

memory/4124-5731-0x0000000000660000-0x0000000000687000-memory.dmp

memory/4124-5744-0x0000000000360000-0x0000000000369000-memory.dmp

memory/4964-5890-0x0000000000FC0000-0x0000000000FCB000-memory.dmp

memory/4964-5894-0x0000000000FC0000-0x0000000000FCB000-memory.dmp

memory/3084-5893-0x00000000005D0000-0x00000000005D6000-memory.dmp

memory/400-5896-0x0000000000190000-0x000000000019D000-memory.dmp

memory/1124-5895-0x00000000005C0000-0x00000000005CC000-memory.dmp

memory/400-5897-0x0000000000FC0000-0x0000000000FCB000-memory.dmp

memory/400-5898-0x0000000000190000-0x000000000019D000-memory.dmp

memory/1652-5917-0x0000000000FC0000-0x0000000000FCB000-memory.dmp

memory/1068-5928-0x0000000000400000-0x000000000049A000-memory.dmp

memory/1068-7540-0x0000000000400000-0x000000000049A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000026.db.id[AE7CADA3-3483].[[email protected]].8base

MD5 f0223e0376b21682999771c3502f82b7
SHA1 de0bb7b2955035e28f86ba5f7c9be1abd2482658
SHA256 622c10568c5dbe01288d39d12176866890e17f5583d3d13d5e75f7dcf7b75976
SHA512 78516d85a32fc89fab9cec39bc238b26423eb997120b1954c6a2f69e17f3ae2f591a38fa8efe44bc92b86b48e9d70eeb2b6b0e4fcb402415cf8a5557a8a40a6d

C:\Users\Admin\AppData\Local\Temp\16BA\C\Windows\System32\WalletBackgroundServiceProxy.dll

MD5 1097d1e58872f3cf58f78730a697ce4b
SHA1 96db4e4763a957b28dd80ec1e43eb27367869b86
SHA256 83ec0be293b19d00eca4ae51f16621753e1d2b11248786b25a1abaae6230bdef
SHA512 b933eac4eaabacc51069a72b24b649b980aea251b1b87270ff4ffea12de9368d5447cdbe748ac7faf2805548b896c8499f9eceeed2f5efd0c684f94360940351

C:\Users\Admin\AppData\Local\Temp\16BA\C\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe.xml

MD5 108f130067a9df1719c590316a5245f7
SHA1 79bb9a86e7a50c85214cd7e21719f0cb4155f58a
SHA256 c91debd34057ca5c280ca15ac542733930e1c94c7d887448eac6e3385b5a0874
SHA512 d43b3861d5153c7ca54edd078c900d31599fc9f04d6883a449d62c7e86a105a3c5dfb2d232255c41505b210b063caf6325921dc074fcdf93407c9e2c985a5301

C:\Users\Admin\AppData\Local\Temp\16BA\C\Windows\SysWOW64\WalletProxy.dll

MD5 d09724c29a8f321f2f9c552de6ef6afa
SHA1 d6ce3d3a973695f4f770e7fb3fcb5e2f3df592a3
SHA256 23cc82878957683184fbd0e3098e9e6858978bf78d7812c6d7470ebdc79d1c5c
SHA512 cc8db1b0c4bbd94dfc8a669cd6accf6fa29dc1034ce03d9dae53d6ce117bb86b432bf040fb53230b612c6e9a325e58acc8ebb600f760a8d9d6a383ce751fd6ed

C:\Users\Admin\AppData\Local\Temp\16BA\C\Windows\SysWOW64\Windows.ApplicationModel.Wallet.dll

MD5 02557c141c9e153c2b7987b79a3a2dd7
SHA1 a054761382ee68608b6a3b62b68138dc205f576b
SHA256 207c587e769e2655669bd3ce1d28a00bcac08f023013735f026f65c0e3baa6f4
SHA512 a37e29c115bcb9956b1f8fd2022f2e3966c1fa2a0efa5c2ee2d14bc5c41bfddae0deea4d481a681d13ec58e9dec41e7565f8b4eb1c10f2c44c03e58bdd2792b3

C:\Users\Admin\AppData\Local\Temp\16BA\C\Windows\SysWOW64\WalletBackgroundServiceProxy.dll

MD5 1097d1e58872f3cf58f78730a697ce4b
SHA1 96db4e4763a957b28dd80ec1e43eb27367869b86
SHA256 83ec0be293b19d00eca4ae51f16621753e1d2b11248786b25a1abaae6230bdef
SHA512 b933eac4eaabacc51069a72b24b649b980aea251b1b87270ff4ffea12de9368d5447cdbe748ac7faf2805548b896c8499f9eceeed2f5efd0c684f94360940351

C:\Users\Admin\AppData\Local\Temp\16BA\C\Windows\System32\Windows.ApplicationModel.Wallet.dll

MD5 02557c141c9e153c2b7987b79a3a2dd7
SHA1 a054761382ee68608b6a3b62b68138dc205f576b
SHA256 207c587e769e2655669bd3ce1d28a00bcac08f023013735f026f65c0e3baa6f4
SHA512 a37e29c115bcb9956b1f8fd2022f2e3966c1fa2a0efa5c2ee2d14bc5c41bfddae0deea4d481a681d13ec58e9dec41e7565f8b4eb1c10f2c44c03e58bdd2792b3

C:\Users\Admin\AppData\Local\Temp\16BA\C\Windows\System32\WalletProxy.dll

MD5 d09724c29a8f321f2f9c552de6ef6afa
SHA1 d6ce3d3a973695f4f770e7fb3fcb5e2f3df592a3
SHA256 23cc82878957683184fbd0e3098e9e6858978bf78d7812c6d7470ebdc79d1c5c
SHA512 cc8db1b0c4bbd94dfc8a669cd6accf6fa29dc1034ce03d9dae53d6ce117bb86b432bf040fb53230b612c6e9a325e58acc8ebb600f760a8d9d6a383ce751fd6ed

C:\Users\Admin\AppData\Local\Temp\16BA\C\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe.xml

MD5 108f130067a9df1719c590316a5245f7
SHA1 79bb9a86e7a50c85214cd7e21719f0cb4155f58a
SHA256 c91debd34057ca5c280ca15ac542733930e1c94c7d887448eac6e3385b5a0874
SHA512 d43b3861d5153c7ca54edd078c900d31599fc9f04d6883a449d62c7e86a105a3c5dfb2d232255c41505b210b063caf6325921dc074fcdf93407c9e2c985a5301

C:\Users\Admin\AppData\Local\Temp\16BA\C\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe.xml

MD5 94f90fcd2b8f7f1df69224f845d9e9b7
SHA1 a09e3072cc581cf89adaf1aa20aa89b3af7bf987
SHA256 a16113a66b1c36f919b5f7eaa3fb7aa8e0ba9e057823861aabea703cc06a04c0
SHA512 51f4ee06a8d8bf1121083bf4383433160f16c68d1fe4c44e5d0e0529910d27ba8446c7a4bef359b990574d1d61563da30139c6d09ad0ad1a5b5c7748b8da08f3

C:\Users\Admin\AppData\Local\Temp\16BA\C\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe.xml

MD5 94f90fcd2b8f7f1df69224f845d9e9b7
SHA1 a09e3072cc581cf89adaf1aa20aa89b3af7bf987
SHA256 a16113a66b1c36f919b5f7eaa3fb7aa8e0ba9e057823861aabea703cc06a04c0
SHA512 51f4ee06a8d8bf1121083bf4383433160f16c68d1fe4c44e5d0e0529910d27ba8446c7a4bef359b990574d1d61563da30139c6d09ad0ad1a5b5c7748b8da08f3

C:\Users\Admin\AppData\Local\Temp\16BA\C\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe

MD5 cfe72ed40a076ae4f4157940ce0c5d44
SHA1 8010f7c746a7ba4864785f798f46ec05caae7ece
SHA256 6868894ab04d08956388a94a81016f03d5b7a7b1646c8a6235057a7e1e45de32
SHA512 f002afa2131d250dd6148d8372ce45f84283b8e1209e91720cee7aff497503d0e566bae3a83cd326701458230ae5c0e200eec617889393dd46ac00ff357ff1b0

C:\Users\Admin\AppData\Local\Temp\16BA\C\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.dll

MD5 4bf88985778e74145bdd37f5c5f8f0d1
SHA1 6f292dedaa2f97b93e707b024ef178f75fc26771
SHA256 f16eac39a2be258e1abc9a5207680fbc34190c8e5b56a6cfe28c365166b9d2e9
SHA512 c5eecbeb3e8080ba333e5099156b97c1e990e9f16190e395a4a2f354b64eeac3f924d230a522cadba4bf547765d4be2f7a8ef55738fecf702623eeba8604b724

C:\Users\Admin\AppData\Roaming\gijdgdd

MD5 5195665bdb7d1ce4541862318278e108
SHA1 630b8dc305e77948023c37eca3b0488ecd51fd0a
SHA256 0b8377d45bfc376df15d76addcce3c72366bba696e1ad77f88f86614770326aa
SHA512 653498e121b97f672ca2f35e9e029e2634b1cf3456293d0342fd93f5bdfe2fbacc7e61b2532f23fef350712abc55fdb0b43cb19c6e0ff76d98293aa0c11d8154

C:\Users\Admin\AppData\Roaming\ugrvhtr

MD5 1b2b02b4b524fe02b8b96bd781c8eceb
SHA1 36e2eb7e1ae58b103b2d1cca5991786b0118534b
SHA256 e780a1b2be7dab91bdc77bd313dd5a4456e0d92164fc1e54894f086f269d85c6
SHA512 80caf55a2f2a63e99c5ee6199b3b8357fd5d2bf92cb671f80a0b05385cc79f78fc689d60197176fc1bae67ab331e8bdf71adf44c88423bbbf95e7926e31e5bc8