Malware Analysis Report

2024-11-16 12:20

Sample ID 230714-jzd47sdf2z
Target a662ba3492a7d218908f5d851841ed96.exe
SHA256 c21da75b52a0bc699a83bf0eebc5216573533962d425f875191af178c19bab94
Tags
phobos rhadamanthys smokeloader systembc backdoor collection evasion persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c21da75b52a0bc699a83bf0eebc5216573533962d425f875191af178c19bab94

Threat Level: Known bad

The file a662ba3492a7d218908f5d851841ed96.exe was found to be: Known bad.

Malicious Activity Summary

phobos rhadamanthys smokeloader systembc backdoor collection evasion persistence ransomware spyware stealer trojan

SystemBC

Rhadamanthys

Phobos

Detect rhadamanthys stealer shellcode

SmokeLoader

Suspicious use of NtCreateUserProcessOtherParentProcess

Modifies boot configuration data using bcdedit

Renames multiple (491) files with added filename extension

Renames multiple (311) files with added filename extension

Deletes shadow copies

Downloads MZ/PE file

Modifies Windows Firewall

Deletes backup catalog

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Deletes itself

Drops startup file

Accesses Microsoft Outlook profiles

Adds Run key to start application

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of SendNotifyMessage

outlook_office_path

Interacts with shadow copies

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Modifies Internet Explorer settings

Checks SCSI registry key(s)

Modifies registry class

Suspicious use of UnmapMainImage

Checks processor information in registry

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Uses Volume Shadow Copy service COM API

outlook_win_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-14 08:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-14 08:06

Reported

2023-07-14 08:08

Platform

win7-20230712-en

Max time kernel

150s

Max time network

148s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detect rhadamanthys stealer shellcode

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Phobos

ransomware phobos

Rhadamanthys

stealer rhadamanthys

SmokeLoader

trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2648 created 1220 N/A C:\Users\Admin\AppData\Local\Temp\a662ba3492a7d218908f5d851841ed96.exe C:\Windows\Explorer.EXE

SystemBC

trojan systembc

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (311) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\certreq.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[215BA69E-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\_u-912IeH.exe C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\_u-912IeH = "C:\\Users\\Admin\\AppData\\Local\\_u-912IeH.exe" C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Windows\CurrentVersion\Run\_u-912IeH = "C:\\Users\\Admin\\AppData\\Local\\_u-912IeH.exe" C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\SUPQ34GC\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AWDPAFLJ\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\DF03YERZ\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-3408354897-1169622894-3874090110-1000\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\UCNEF1W7\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3408354897-1169622894-3874090110-1000\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\C9G3U3S4\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1364 set thread context of 2540 N/A C:\Users\Admin\AppData\Local\Microsoft\Ut8{bs.exe C:\Users\Admin\AppData\Local\Microsoft\Ut8{bs.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195260.WMF C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0212957.WMF C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME30.CSS.id[215BA69E-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-spi-actions_zh_CN.jar.id[215BA69E-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\az\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-windows.xml C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\mset7es.kic C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_dot.png C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\clock.js C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MyriadCAD.otf.id[215BA69E-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\1033\VSTOInstallerUI.dll.id[215BA69E-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSTH7ES.DLL C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\local_policy.jar.id[215BA69E-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.alert.ja_5.5.0.165303.jar C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs.ja_5.5.0.165303.jar.id[215BA69E-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\spu\librss_plugin.dll C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_settings.png C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)grayStateIcon.png C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE.id[215BA69E-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00564_.WMF.id[215BA69E-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\vk_swiftshader.dll.id[215BA69E-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dushanbe C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Argentina\Mendoza C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Sales Pipeline.accdt.id[215BA69E-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00236_.WMF C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152414.WMF.id[215BA69E-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Perspective.dotx C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0234001.WMF C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CONCRETE\CONCRETE.ELM.id[215BA69E-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-output2.xml.id[215BA69E-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File created C:\Program Files\Microsoft Games\Hearts\es-ES\Hearts.exe.mui.id[215BA69E-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Program Files\Windows Journal\de-DE\NBMapTIP.dll.mui C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\VSTAClientPkgUI.dll.id[215BA69E-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.nl_zh_4.4.0.v20140623020002.jar.id[215BA69E-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File created C:\Program Files\Mozilla Firefox\api-ms-win-crt-process-l1-1-0.dll.id[215BA69E-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\CARBN_01.MID C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office14\IEAWSDC.DLL C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\44.png C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101863.BMP C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Csi.dll.id[215BA69E-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\es-ES\msdaremr.dll.mui C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-execution.xml.id[215BA69E-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\ACEWSTR.DLL C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00336_.WMF.id[215BA69E-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\MORPH9.DLL.id[215BA69E-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File created C:\Program Files\7-Zip\Lang\nl.txt.id[215BA69E-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Montreal C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Tirane C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\ReachFramework.resources.dll C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\SAVE.GIF.id[215BA69E-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_hail.png C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Spelling.api C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\LoginForm.zip C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\settings.html C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+2 C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861240811.profile.gz C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\vlc.mo.id[215BA69E-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGPQUOT.DPV.id[215BA69E-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_output\libvmem_plugin.dll C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.dll.id[215BA69E-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.es\Proof.XML C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs-nio2_ja.jar C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\Ut8{bs.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\Ut8{bs.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\Ut8{bs.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\certreq.exe N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\certreq.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a662ba3492a7d218908f5d851841ed96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a662ba3492a7d218908f5d851841ed96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a662ba3492a7d218908f5d851841ed96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a662ba3492a7d218908f5d851841ed96.exe N/A
N/A N/A C:\Windows\system32\certreq.exe N/A
N/A N/A C:\Windows\system32\certreq.exe N/A
N/A N/A C:\Windows\system32\certreq.exe N/A
N/A N/A C:\Windows\system32\certreq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Ut8{bs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Ut8{bs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2648 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\a662ba3492a7d218908f5d851841ed96.exe C:\Windows\system32\certreq.exe
PID 2648 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\a662ba3492a7d218908f5d851841ed96.exe C:\Windows\system32\certreq.exe
PID 2648 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\a662ba3492a7d218908f5d851841ed96.exe C:\Windows\system32\certreq.exe
PID 2648 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\a662ba3492a7d218908f5d851841ed96.exe C:\Windows\system32\certreq.exe
PID 2648 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\a662ba3492a7d218908f5d851841ed96.exe C:\Windows\system32\certreq.exe
PID 2648 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\a662ba3492a7d218908f5d851841ed96.exe C:\Windows\system32\certreq.exe
PID 1364 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Microsoft\Ut8{bs.exe C:\Users\Admin\AppData\Local\Microsoft\Ut8{bs.exe
PID 1364 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Microsoft\Ut8{bs.exe C:\Users\Admin\AppData\Local\Microsoft\Ut8{bs.exe
PID 1364 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Microsoft\Ut8{bs.exe C:\Users\Admin\AppData\Local\Microsoft\Ut8{bs.exe
PID 1364 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Microsoft\Ut8{bs.exe C:\Users\Admin\AppData\Local\Microsoft\Ut8{bs.exe
PID 1364 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Microsoft\Ut8{bs.exe C:\Users\Admin\AppData\Local\Microsoft\Ut8{bs.exe
PID 1364 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Microsoft\Ut8{bs.exe C:\Users\Admin\AppData\Local\Microsoft\Ut8{bs.exe
PID 1364 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Microsoft\Ut8{bs.exe C:\Users\Admin\AppData\Local\Microsoft\Ut8{bs.exe
PID 584 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe C:\Windows\system32\cmd.exe
PID 584 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe C:\Windows\system32\cmd.exe
PID 584 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe C:\Windows\system32\cmd.exe
PID 584 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe C:\Windows\system32\cmd.exe
PID 584 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe C:\Windows\system32\cmd.exe
PID 584 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe C:\Windows\system32\cmd.exe
PID 584 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe C:\Windows\system32\cmd.exe
PID 584 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe C:\Windows\system32\cmd.exe
PID 2168 wrote to memory of 1636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2168 wrote to memory of 1636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2168 wrote to memory of 1636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1960 wrote to memory of 2144 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1960 wrote to memory of 2144 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1960 wrote to memory of 2144 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2168 wrote to memory of 1812 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2168 wrote to memory of 1812 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2168 wrote to memory of 1812 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1220 wrote to memory of 3056 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\B8B5.exe
PID 1220 wrote to memory of 3056 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\B8B5.exe
PID 1220 wrote to memory of 3056 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\B8B5.exe
PID 1220 wrote to memory of 3056 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\B8B5.exe
PID 1220 wrote to memory of 3068 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1220 wrote to memory of 3068 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1220 wrote to memory of 3068 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1220 wrote to memory of 3068 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1220 wrote to memory of 3068 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1220 wrote to memory of 1716 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 1220 wrote to memory of 1716 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 1220 wrote to memory of 1716 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 1220 wrote to memory of 1716 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 1220 wrote to memory of 1104 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1220 wrote to memory of 1104 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1220 wrote to memory of 1104 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1220 wrote to memory of 1104 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1220 wrote to memory of 1104 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1220 wrote to memory of 1328 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1220 wrote to memory of 1328 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1220 wrote to memory of 1328 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1220 wrote to memory of 1328 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1220 wrote to memory of 1328 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1220 wrote to memory of 2344 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1220 wrote to memory of 2344 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1220 wrote to memory of 2344 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1220 wrote to memory of 2344 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1220 wrote to memory of 2344 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1220 wrote to memory of 536 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 1220 wrote to memory of 536 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 1220 wrote to memory of 536 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 1220 wrote to memory of 536 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 1960 wrote to memory of 1676 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1960 wrote to memory of 1676 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\a662ba3492a7d218908f5d851841ed96.exe

"C:\Users\Admin\AppData\Local\Temp\a662ba3492a7d218908f5d851841ed96.exe"

C:\Windows\system32\certreq.exe

"C:\Windows\system32\certreq.exe"

C:\Users\Admin\AppData\Local\Microsoft\Ut8{bs.exe

"C:\Users\Admin\AppData\Local\Microsoft\Ut8{bs.exe"

C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe

"C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe"

C:\Users\Admin\AppData\Local\Microsoft\G_P.exe

"C:\Users\Admin\AppData\Local\Microsoft\G_P.exe"

C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe

"C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe"

C:\Users\Admin\AppData\Local\Microsoft\Ut8{bs.exe

"C:\Users\Admin\AppData\Local\Microsoft\Ut8{bs.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Users\Admin\AppData\Local\Temp\B8B5.exe

C:\Users\Admin\AppData\Local\Temp\B8B5.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

Country Destination Domain Proto
US 8.8.8.8:53 servblog25.xyz udp
DE 45.131.66.61:80 servblog25.xyz tcp
DE 45.131.66.61:80 servblog25.xyz tcp
DE 45.131.66.61:80 servblog25.xyz tcp
US 8.8.8.8:53 serverxlogs21.xyz udp
DE 45.131.66.120:80 serverxlogs21.xyz tcp
US 8.8.8.8:53 fexstat257.xyz udp
DE 45.89.125.136:80 fexstat257.xyz tcp

Files

memory/2648-54-0x0000000000570000-0x0000000000670000-memory.dmp

memory/2648-55-0x0000000000310000-0x0000000000381000-memory.dmp

memory/2648-56-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/2648-57-0x0000000000230000-0x0000000000237000-memory.dmp

memory/2648-60-0x0000000001E50000-0x0000000002250000-memory.dmp

memory/2648-58-0x0000000001E50000-0x0000000002250000-memory.dmp

memory/2648-59-0x0000000001E50000-0x0000000002250000-memory.dmp

memory/2648-61-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/2648-62-0x0000000001E50000-0x0000000002250000-memory.dmp

memory/2648-63-0x0000000000570000-0x0000000000670000-memory.dmp

memory/1756-64-0x0000000000060000-0x0000000000063000-memory.dmp

memory/2648-65-0x0000000000310000-0x0000000000381000-memory.dmp

memory/2648-66-0x0000000001DD0000-0x0000000001E06000-memory.dmp

memory/2648-72-0x0000000001DD0000-0x0000000001E06000-memory.dmp

memory/2648-73-0x0000000001E50000-0x0000000002250000-memory.dmp

memory/2648-76-0x0000000001E50000-0x0000000002250000-memory.dmp

memory/2648-75-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/1756-77-0x0000000000060000-0x0000000000063000-memory.dmp

memory/1756-78-0x0000000000120000-0x0000000000127000-memory.dmp

memory/1756-79-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

memory/1756-80-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

memory/1756-81-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

memory/1756-82-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

memory/1756-83-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

memory/1756-85-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

memory/1756-87-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

memory/1756-88-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

memory/1756-89-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

memory/1756-90-0x0000000077560000-0x0000000077709000-memory.dmp

memory/1756-91-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

memory/1756-92-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

memory/1756-93-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

memory/1756-94-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

memory/1756-95-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Ut8{bs.exe

MD5 d8a652141be195333dd68e662b04c523
SHA1 266363bf92a157ca769f3cce33f13363cf94eb3f
SHA256 82e21c96880af14b90e7d8a688ec83c41bddcaa29ee05557b763795d1416ad39
SHA512 ce0d269674d139358b5068b3df7ccbae1e5470a031d3e59ac1ab68493438e51dc733a6be5d36854257d8d5d5e822a9ad421398cc0a2f3c783d5d33b04af484ea

C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe

MD5 a2f3d796dc2c2f474188db58d5ca7593
SHA1 dc88893abba370aab576dcc9bd60b5fc7bb5dd4e
SHA256 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c
SHA512 9a454f6eb65ef53baa5cff2e2dd3b4691e80acc37b78e27b4832a045420942425aa458243d3640fe9b3d5c756cfb8d65d7f828cd4b6633228a6500327c1f2b7c

C:\Users\Admin\AppData\Local\Microsoft\G_P.exe

MD5 771e03d1211a93261e4b5686aa911243
SHA1 d0b249fe34b8bdeac98712ac9dd37f340f287b4c
SHA256 18cbb36da4425cd9d142d75e9e07b02fddeede075bf6f4c9297d014a9163e342
SHA512 8aa08956338fbb5fe9f04126e09123e3fb5c512a73b00b843c517d9cd05695ff7d6df7e1bdea5621b1b660cec3e2a191ff68d10a1a12789a870dd8d49ad52ed5

memory/1756-105-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

memory/1756-106-0x0000000077560000-0x0000000077709000-memory.dmp

memory/1756-107-0x0000000000120000-0x0000000000122000-memory.dmp

memory/1756-108-0x0000000077560000-0x0000000077709000-memory.dmp

memory/584-109-0x0000000000610000-0x0000000000710000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe

MD5 a2f3d796dc2c2f474188db58d5ca7593
SHA1 dc88893abba370aab576dcc9bd60b5fc7bb5dd4e
SHA256 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c
SHA512 9a454f6eb65ef53baa5cff2e2dd3b4691e80acc37b78e27b4832a045420942425aa458243d3640fe9b3d5c756cfb8d65d7f828cd4b6633228a6500327c1f2b7c

memory/584-111-0x0000000000220000-0x000000000022F000-memory.dmp

memory/584-112-0x0000000000400000-0x000000000049A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\_u-912IeH.exe

MD5 a2f3d796dc2c2f474188db58d5ca7593
SHA1 dc88893abba370aab576dcc9bd60b5fc7bb5dd4e
SHA256 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c
SHA512 9a454f6eb65ef53baa5cff2e2dd3b4691e80acc37b78e27b4832a045420942425aa458243d3640fe9b3d5c756cfb8d65d7f828cd4b6633228a6500327c1f2b7c

memory/924-115-0x00000000005E0000-0x00000000006E0000-memory.dmp

memory/924-116-0x0000000000220000-0x0000000000225000-memory.dmp

memory/924-117-0x0000000000400000-0x000000000049A000-memory.dmp

memory/1364-118-0x0000000000220000-0x0000000000229000-memory.dmp

memory/1364-119-0x00000000008E0000-0x00000000009E0000-memory.dmp

memory/2540-121-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2540-123-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Ut8{bs.exe

MD5 d8a652141be195333dd68e662b04c523
SHA1 266363bf92a157ca769f3cce33f13363cf94eb3f
SHA256 82e21c96880af14b90e7d8a688ec83c41bddcaa29ee05557b763795d1416ad39
SHA512 ce0d269674d139358b5068b3df7ccbae1e5470a031d3e59ac1ab68493438e51dc733a6be5d36854257d8d5d5e822a9ad421398cc0a2f3c783d5d33b04af484ea

memory/2540-125-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Ut8{bs.exe

MD5 d8a652141be195333dd68e662b04c523
SHA1 266363bf92a157ca769f3cce33f13363cf94eb3f
SHA256 82e21c96880af14b90e7d8a688ec83c41bddcaa29ee05557b763795d1416ad39
SHA512 ce0d269674d139358b5068b3df7ccbae1e5470a031d3e59ac1ab68493438e51dc733a6be5d36854257d8d5d5e822a9ad421398cc0a2f3c783d5d33b04af484ea

memory/584-126-0x0000000000610000-0x0000000000710000-memory.dmp

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.id[215BA69E-3483].[[email protected]].8base

MD5 d284cc48ba380f1f453724eab26856f3
SHA1 6fe51776e9c5f257cfca5cf6e8b09a8cbb52bbca
SHA256 4ccc0f736b4fc6c81111cac475fb87484bda5af50b5f21623a79f988db719986
SHA512 be16cea6db849f9e0e35774a68fb7f24f50a661783c6b5a8c9a8cf8b3fa1c702d704ff74f1bc7b444d621129ad3a51542b85f2e637c5ebaa53f5bfe37cafc653

memory/584-194-0x0000000000400000-0x000000000049A000-memory.dmp

memory/1220-344-0x0000000002940000-0x0000000002956000-memory.dmp

memory/2540-345-0x0000000000400000-0x0000000000409000-memory.dmp

memory/924-371-0x00000000005E0000-0x00000000006E0000-memory.dmp

memory/924-374-0x0000000000220000-0x0000000000225000-memory.dmp

memory/584-1448-0x0000000000400000-0x000000000049A000-memory.dmp

memory/3068-1779-0x00000000005C0000-0x00000000006C0000-memory.dmp

memory/3068-1780-0x0000000000400000-0x000000000049A000-memory.dmp

memory/584-2482-0x0000000000400000-0x000000000049A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B8B5.exe

MD5 a2f3d796dc2c2f474188db58d5ca7593
SHA1 dc88893abba370aab576dcc9bd60b5fc7bb5dd4e
SHA256 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c
SHA512 9a454f6eb65ef53baa5cff2e2dd3b4691e80acc37b78e27b4832a045420942425aa458243d3640fe9b3d5c756cfb8d65d7f828cd4b6633228a6500327c1f2b7c

C:\Users\Admin\AppData\Local\Temp\B8B5.exe

MD5 a2f3d796dc2c2f474188db58d5ca7593
SHA1 dc88893abba370aab576dcc9bd60b5fc7bb5dd4e
SHA256 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c
SHA512 9a454f6eb65ef53baa5cff2e2dd3b4691e80acc37b78e27b4832a045420942425aa458243d3640fe9b3d5c756cfb8d65d7f828cd4b6633228a6500327c1f2b7c

memory/3068-2861-0x0000000000080000-0x00000000000EB000-memory.dmp

memory/3068-2857-0x0000000000430000-0x00000000004A5000-memory.dmp

memory/3068-2849-0x0000000000080000-0x00000000000EB000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zf65wlcn.default-release\cookies.sqlite.id[215BA69E-3483].[[email protected]].8base

MD5 0118853aefb7c3f5c3a04552faead425
SHA1 1504a0dce2ad700572941eab6748c7bf2293245c
SHA256 a04323170b6e5a98d3b87a1310ffaf0121d5f261471a67fb06e8ba1f466a98b3
SHA512 e804dac909abf46ce8d685425683ed1922b85d937f61dd687d966c9ee16af1c4ede83423583b23428ad88ea11853460990d6881a7e048c93a471648574d57592

memory/3068-2925-0x0000000000080000-0x00000000000EB000-memory.dmp

memory/1716-3031-0x0000000000070000-0x0000000000077000-memory.dmp

memory/1716-3034-0x0000000000060000-0x000000000006C000-memory.dmp

memory/1716-3030-0x0000000000060000-0x000000000006C000-memory.dmp

memory/1104-3041-0x00000000000C0000-0x00000000000C9000-memory.dmp

memory/1104-3040-0x00000000000D0000-0x00000000000D4000-memory.dmp

memory/1104-3039-0x00000000000C0000-0x00000000000C9000-memory.dmp

memory/1328-3046-0x0000000000080000-0x000000000008B000-memory.dmp

memory/1328-3048-0x0000000000080000-0x000000000008B000-memory.dmp

memory/1328-3047-0x0000000000090000-0x000000000009A000-memory.dmp

memory/2344-3103-0x00000000000D0000-0x00000000000D7000-memory.dmp

memory/2344-3102-0x0000000000080000-0x000000000008B000-memory.dmp

memory/536-3207-0x00000000000F0000-0x00000000000F9000-memory.dmp

memory/536-3208-0x00000000000E0000-0x00000000000EF000-memory.dmp

memory/536-3206-0x00000000000E0000-0x00000000000EF000-memory.dmp

memory/2092-3229-0x00000000000D0000-0x00000000000D5000-memory.dmp

memory/2092-3228-0x00000000000C0000-0x00000000000C9000-memory.dmp

memory/2092-3242-0x00000000000C0000-0x00000000000C9000-memory.dmp

memory/584-3249-0x0000000000400000-0x000000000049A000-memory.dmp

memory/1104-3243-0x00000000000D0000-0x00000000000D4000-memory.dmp

memory/2056-3456-0x0000000000060000-0x000000000006C000-memory.dmp

memory/2056-3471-0x00000000000C0000-0x00000000000C9000-memory.dmp

memory/2056-3474-0x0000000000060000-0x000000000006C000-memory.dmp

memory/2796-3628-0x00000000000C0000-0x00000000000C9000-memory.dmp

memory/2796-3629-0x0000000000060000-0x000000000006C000-memory.dmp

memory/2796-3630-0x00000000000C0000-0x00000000000C9000-memory.dmp

memory/2344-3631-0x0000000000080000-0x000000000008B000-memory.dmp

memory/1932-3632-0x0000000000060000-0x0000000000069000-memory.dmp

memory/1932-3634-0x0000000000060000-0x0000000000069000-memory.dmp

memory/1932-3633-0x0000000000070000-0x0000000000075000-memory.dmp

memory/2552-3638-0x0000000000100000-0x0000000000127000-memory.dmp

memory/2552-3637-0x0000000000060000-0x0000000000069000-memory.dmp

memory/536-3636-0x00000000000F0000-0x00000000000F9000-memory.dmp

memory/2552-3635-0x0000000000100000-0x0000000000127000-memory.dmp

memory/2092-3643-0x00000000000D0000-0x00000000000D5000-memory.dmp

memory/1488-3642-0x0000000000080000-0x0000000000089000-memory.dmp

memory/1488-3646-0x0000000000080000-0x0000000000089000-memory.dmp

memory/2748-3670-0x0000000000080000-0x000000000008B000-memory.dmp

memory/2748-3675-0x0000000000090000-0x0000000000096000-memory.dmp

memory/2748-3718-0x0000000000080000-0x000000000008B000-memory.dmp

memory/204-3830-0x0000000000060000-0x000000000006D000-memory.dmp

memory/204-3852-0x0000000000060000-0x000000000006D000-memory.dmp

memory/204-3851-0x0000000000080000-0x000000000008B000-memory.dmp

memory/2796-3850-0x0000000000060000-0x000000000006C000-memory.dmp

memory/1320-3951-0x0000000000080000-0x000000000008B000-memory.dmp

memory/1932-4035-0x0000000000070000-0x0000000000075000-memory.dmp

memory/1320-4254-0x0000000000060000-0x000000000006D000-memory.dmp

memory/584-4891-0x0000000000400000-0x000000000049A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\G_P.exe

MD5 771e03d1211a93261e4b5686aa911243
SHA1 d0b249fe34b8bdeac98712ac9dd37f340f287b4c
SHA256 18cbb36da4425cd9d142d75e9e07b02fddeede075bf6f4c9297d014a9163e342
SHA512 8aa08956338fbb5fe9f04126e09123e3fb5c512a73b00b843c517d9cd05695ff7d6df7e1bdea5621b1b660cec3e2a191ff68d10a1a12789a870dd8d49ad52ed5

C:\Users\Admin\AppData\Local\Temp\B8B5.exe

MD5 a2f3d796dc2c2f474188db58d5ca7593
SHA1 dc88893abba370aab576dcc9bd60b5fc7bb5dd4e
SHA256 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c
SHA512 9a454f6eb65ef53baa5cff2e2dd3b4691e80acc37b78e27b4832a045420942425aa458243d3640fe9b3d5c756cfb8d65d7f828cd4b6633228a6500327c1f2b7c

C:\Users\Admin\AppData\Roaming\ejcbfsr

MD5 d8a652141be195333dd68e662b04c523
SHA1 266363bf92a157ca769f3cce33f13363cf94eb3f
SHA256 82e21c96880af14b90e7d8a688ec83c41bddcaa29ee05557b763795d1416ad39
SHA512 ce0d269674d139358b5068b3df7ccbae1e5470a031d3e59ac1ab68493438e51dc733a6be5d36854257d8d5d5e822a9ad421398cc0a2f3c783d5d33b04af484ea

C:\Users\Admin\AppData\Roaming\wbbffvc

MD5 28da584a90c29a9ef5d248bd58771a1f
SHA1 48792b2bc89646a0ec9f3b1879e05c8308672c7d
SHA256 a7e2c1e9bd80246e1ab0bd931fc83be8512a2a9643389e44309163b0ca3b7d5b
SHA512 73999339d006875f3e73e2bd1ff478287a49cc840c13fc8a010b64fd91c40688a7b3c965e5e414be154de4d2cad2e2223acb010f962700b4e20722502643f466

C:\Users\Public\Desktop\Google Chrome.lnk.id[215BA69E-3483].[[email protected]].8base

MD5 69401169ffb58262685e1411b06cc024
SHA1 db1ee400ae0b5220a94637f17c09c7b71925a894
SHA256 a105778ceef6ebc175be048a17d363e88c93a422aff4df5c2703d124bb7ba24e
SHA512 16ed33fe50b2f3cf3633ec6ecaff5468b326ab8bcf65290f29830bf70c8b03a3635a963e482f5c27a6bc9b3ac2df804256b6f52cf8a0704c3bb11ed3672694e6

C:\Users\Public\Desktop\VLC media player.lnk.id[215BA69E-3483].[[email protected]].8base

MD5 498b7d7a692b6f51a600c956f5e94bdc
SHA1 7bd9d3c1dcf3ebcf8592182349b1965232c5a08f
SHA256 752bd09c1ac1660d8fa6e58e005bf4f49f33441d8ba9a68a0a5ad4f451494019
SHA512 cde7360847c0aa4d610833807430690888ba113dd56d9bf19bd8a6a59aacdc937ffff768b95dee28a74d8c02196267b223bae791290df34f1f85df14f404d224

C:\Users\Admin\Desktop\AddCompare.rtf.id[215BA69E-3483].[[email protected]].8base

MD5 6392910dcbc53550fde7e7b59f08c724
SHA1 958df5ae89f60a671c8bd4777362a2fe44138fa1
SHA256 81dcc6eb87891f90827ae306b039c10503358452e0a70caf633b7d949be17493
SHA512 f6bd62fa5763fce44bbccff675dc2ae1261e0df2186711fe030a6fedbed7c7d414f9457bfdba3560edb04202619f08479029a4ddc28e219e17283da431e56208

C:\Users\Admin\Desktop\BackupMove.dib.id[215BA69E-3483].[[email protected]].8base

MD5 cf9d6955eb268db6ffe66c459db9a5b2
SHA1 e3601422cf0d00f04f91f7593a835d2ba6aed4d5
SHA256 359fdbbee971b59307835eb1f9f2c3a8aa84d8111169ead0956843a6bbc51128
SHA512 0455f4c710858a3747ba607e9ea6a938b43bdffec7dbac827b9b069a4c4b5496da863918c7fb63281f3100ef6202782f2b4d3c0537c41359891fbe40670499bc

C:\Users\Public\Desktop\Adobe Reader 9.lnk.id[215BA69E-3483].[[email protected]].8base

MD5 31f665c67a1c10ffc8a6a4c53ae4b47b
SHA1 b347edc82cd8636e7fa0e467f6a76637a1912543
SHA256 fcb833c399e80975cd5099447760f739db57bc374cf2948a6fa36b996a6410f0
SHA512 0ffb9cb646ab1368326297231e04da7797ea14f1bff5aba2507723531f8e4eb771af9b0bbc172a760a4b9abd15b69f22e2d539bf15100635eeb1520c0bcac0bf

C:\Users\Public\Desktop\Firefox.lnk.id[215BA69E-3483].[[email protected]].8base

MD5 fa26c55dcd4f57357194436b73ee87af
SHA1 82dfd3368339f12624eb0f7a7074ad57f36b0a9b
SHA256 41262eb2d912f509a96fe3a373a44b329d901df239f713e8aa5ba819ad715fcc
SHA512 d07f057af852b4b0dd2573f2e0fe4f34aa2b044ec2f8fe76654fa95ba3f5f368c2c18492da425f18a1d63b295ba2f95e45a113c9e5abc556278b5cd010fb9e5c

C:\Users\Admin\Desktop\CheckpointSwitch.tiff.id[215BA69E-3483].[[email protected]].8base

MD5 6471bce59861402000463e56a2308874
SHA1 83ab8dc37b14eaf407ba943260f0709b71496875
SHA256 fdd1fc6fd67f476e1eab3e9355ef27a80686714710adcba4d263da219e165a48
SHA512 cd8b92fb95048baa5b44d67e59ba129427bb945afa8d0c07176921357c143a6bda6f3c447e7708e5d88b6670237809dea203eb51bf199ee102f6b51c3cfea0ad

C:\Users\Admin\Desktop\ClearPush.m3u.id[215BA69E-3483].[[email protected]].8base

MD5 9ad497786bf717be14419e1d18122dd5
SHA1 99c7f2c6456e113d48358dc3139dc936f7f94f7e
SHA256 3b446ae7dfe70fca12b7daf018e1a9a87cad9dcd1e4673c6f3ec640be576e168
SHA512 b211d9ba2fc929eb811598d6171f185b0c409057037cc2f957bfd961d9a8e5426cb9c3c29539b006d4b663ce721735cfe64b31d1a8fb3aad27e083387d47767a

C:\Users\Admin\Desktop\ConvertFromWrite.mpe.id[215BA69E-3483].[[email protected]].8base

MD5 fabca6f0d86628b0ce3cc13bff3bbfa9
SHA1 39f381071e6d6f80d320e3a989e731e6e62c2220
SHA256 91718d95226dc4c6bad478341623870d22daeceb1432abec2dbd8d190d91317d
SHA512 59c9dfff7b309f9b63f38164298f23c5e328bd697fcffd4e1feaa841d2e23841c3dc97df576ec28cfc098d141a24b264f7ddfa0c96577149cc3f59891818e0b4

C:\Users\Admin\Desktop\WaitSet.shtml.id[215BA69E-3483].[[email protected]].8base

MD5 1416cdba84193c8c186969a1a7f48e3f
SHA1 572d2bb23d786e83d6fb42e966e72a733f4c523b
SHA256 05e5c8b1cac109f92692e8f743b74c95ea9a9a5f80d7b7e33bf0e18aaac78426
SHA512 7f9ad171245dfaccb76bcc1bec237c0cc8d8ae181a8c0a00b61844b48b7e81fb145a0c4cc21b4625e9fb4d238331500a403708e0a91653ef1e696f4ce926cc19

C:\Users\Admin\Desktop\UninstallConnect.rm.id[215BA69E-3483].[[email protected]].8base

MD5 e53647fb88d414153f3d7436d42d0761
SHA1 eb60fa1cb5eb3864b2c4bf35a67ed7c971401ae1
SHA256 e1e22cb811f28c037fd27802e92651f89d8e748d8af68934ee678ce3da499bce
SHA512 4ddb03db8222a235c4d7847b7a7eeb4ac010dfdffc6dfe7bf052aaa43e150a4e68c10401a5a4c0cc14138cce3e3798f1fa014704b623dc4642f5b4dd93576ddf

C:\Users\Admin\Desktop\DenySend.potx.id[215BA69E-3483].[[email protected]].8base

MD5 117d1319a97123695a477e6c83796c0d
SHA1 eeb2a153fdae9632c1c9da23e2efc9552c3367a3
SHA256 dd044c03e2cae7679d7f73b549eac9594002979b61de23c7b62846f301927021
SHA512 dce2311f0f969f3bb7d9c1761605d112c40bf566238c081be2fb93c30bc2105e0070a278690a1a2f15d85ea1c30fac3d077d674324861e95aa63515ad9480d1a

C:\Users\Admin\Desktop\DebugRegister.txt.id[215BA69E-3483].[[email protected]].8base

MD5 07d1eccda809180af85a8865f4bccf1a
SHA1 adf6dc4e347debc68098d35beddfb48cebd4e4d9
SHA256 cc5e825c1e209a149e910bbd06200014e1e57d2d4dd596ebd7f7f012a78f9445
SHA512 cdb536a2c8912b59cf293eb8811f61cc57227c560b07fbbd049e31aa653a1440d3d2d727610715144702313ccfdeba11ebe9fce99edae3a11a6fcc82eeb098dd

C:\Users\Admin\Desktop\DisablePing.xlt.id[215BA69E-3483].[[email protected]].8base

MD5 02b6e433f2505dd18c461ef59691b65b
SHA1 4fd708b9401a6cabbd400404c0d50771f709ab93
SHA256 c6d1c034631c53b908a8562907db19f58afb4e3124ae99195067e2bb2b9f1f00
SHA512 e86ce91ea1cdc01792568d0179fc3ed4dfb41010775185ef6fb71f24f484843b040777901aeeb3f58a0eb562711eab59d2079e5c8f106ab8048537b0a510102c

C:\Users\Admin\Desktop\DisableSubmit.mht.id[215BA69E-3483].[[email protected]].8base

MD5 106a78a4364a6cbd09ce1789ba32eafc
SHA1 79c5f51fba04c0ad59555a3d8cfaacebb1e0bcd6
SHA256 b1160e2bbd8408382ae03a6371267ccdddeedce8c68679be4bd469c388ccd64b
SHA512 a8ef029a573575976dd9287b14e3aa1e33b00cfd5b188cb40b1fa8f870502b4d7f2226dbf34cef9fc242f9e625e43041a5bcad981f03eab922849937d85d926e

C:\Users\Admin\Desktop\HideInitialize.wma.id[215BA69E-3483].[[email protected]].8base

MD5 63dc96e185a12d586735c27ce72efdb6
SHA1 edcd885ccd39999206e9018e8517d9346b06058d
SHA256 912d0d298d8268e682fac39ca54b6c063f03b52a8e07faf35e83c11f88c9ef77
SHA512 1830a974fd2ae41f5d26093002181e49ab27176f268522bea70dda242e795bf067e02ca6e6af78dc3f6adf81012e6fd61196644b4bb9669e4f76abb5cfe32151

C:\Users\Admin\Desktop\HideSave.zip.id[215BA69E-3483].[[email protected]].8base

MD5 98410befe4e81286ffde198591a2bb5a
SHA1 9a1913dba967dddd6cda4d8ee210b982bfc59adf
SHA256 b1aa814ea8c7a178d76ca3554d028eb219ed872b4f18b895c60e52ee744dc1a0
SHA512 343ea8dd6783b9b65d59996073c3e7343ece37c8d19c71ac042d6f5af851ef9a3ea6440ba03d09af05ef68097cb6bbad89eb1c103a478dcdf24abef5da2df5cf

C:\Users\Admin\Desktop\MoveDismount.avi.id[215BA69E-3483].[[email protected]].8base

MD5 1ee42eba2f4b0e024cd9e54cb8f4b834
SHA1 79bb2385e792d1e6477b2643c3141ead84049677
SHA256 493a52656fd1e7a0bc90b0fdfa71443873b1555105efc21436c6c01c9e5da4d6
SHA512 fef070a8b8df07f80f4c676982d999a648ee4939df79f7df001e66f96292d7978069b08129487d70a91dd7ee83f1ecbc03f9858253384438486cb52780d449fb

C:\Users\Admin\Desktop\OpenJoin.xml.id[215BA69E-3483].[[email protected]].8base

MD5 e30feb179b324395ffc6ccfd39be1217
SHA1 aadd0676023d528c909cc6d6e96be4c4e8d22cca
SHA256 d5b43b68a6f32070a8b3a3719186d27bdf6ca2cacc5b7f67981bbdf387e1f44d
SHA512 f184478a4c544a43215a1b66fbf0569b1cc6911acf6e0b5956a1a6098734900f7e3ca8c8042e7e6db562804d09cf23a7a47f73dae0059ae39708cb3d0292047f

C:\Users\Admin\Desktop\ResetConvertTo.m1v.id[215BA69E-3483].[[email protected]].8base

MD5 847476be67005f82d59c709b68d2615f
SHA1 9aff704237a2a10362378f9159cb3690b8919e7d
SHA256 a6359008cb212d3cb203a51176113476be5d727f26a1f498bcde201fef9faa66
SHA512 1e4cad192fdf9060bd00ea03303c13149a3e1c0e318788e6ca33ea5566ebe258f8c2143eb878caabcc0bed4981b693ae27baa28a0f39088e62fc4382a81de375

C:\Users\Admin\Desktop\SplitNew.xps.id[215BA69E-3483].[[email protected]].8base

MD5 5bd4a4682bf050120c8721eaecc4820e
SHA1 6e03176486f1c231fede439a76fa321dd60e205c
SHA256 57bcbf74db6f05d4aa3f3cc7bb030a122d988fff37fea2b81c3e4df1c799139f
SHA512 ff568954e457a20d2ed9783ae004715fa3324192d524c91061173a012b5637d4123df6204bca3a2ec27334f4eb3adccc85f2e2d0eec7e830f3f54240d093e65f

C:\Users\Admin\Desktop\SwitchUnpublish.mpa.id[215BA69E-3483].[[email protected]].8base

MD5 95ee02514852536e6840fa18fa5db57a
SHA1 1c70439b7b60784d649ab4ffd4530e4f92a41733
SHA256 36f8fe9455cd290e437df18bcc568f95c270fa0264752650efdf44d80687a26d
SHA512 20c8d1cecbf4887a448b2a24603e7a52f9f4de02164137c580cfff526db28b453fe1fc03bb0b4e1db12f4c6c9db6f914a3307b1375d35077f8c64628a3e8bed3

C:\Users\Admin\Desktop\SyncUnpublish.ocx.id[215BA69E-3483].[[email protected]].8base

MD5 2a2a5eaf4734f21f49f26804d931c7d6
SHA1 c17a95c24909d56395ab176e5302bc77dcdd495a
SHA256 bc0c7f13db76db2e6835518b4eb4c5f0c9172458735c7acec3128216d9e6f039
SHA512 e2f0207153b348520226f1c323bbacd0da1fbe88873cb7b1763cfc09c26e553e92cc56ac73ad10da8b53cd8bf77e49fef9a0560bd483b17309d6022979543e18

C:\Users\Admin\Desktop\UndoConfirm.xlsb.id[215BA69E-3483].[[email protected]].8base

MD5 a7fadc3d5e94a6e9742e984e812b0bc3
SHA1 42a45eb1907ecbabad9bd3b57ec2963eafd61ea7
SHA256 63a9c9d411fd2193df26fb000cf6920043cabba849acd957884ec72b68249e8c
SHA512 f40b37eca1fbcb99836e5c1222ae2cbb913e4b28d5dba8046c8e8243107f14681b682b8ef65e43716fdd3c9bc10a0c86424cd1fde572c7fa10f9345df45ba7ac

C:\Users\Admin\Desktop\UpdateRevoke.vbe.id[215BA69E-3483].[[email protected]].8base

MD5 5933d683413a83b0db0f3ef955bf789e
SHA1 39c6ea1b6bcb4ad91d9f9e63339021fc65c141b3
SHA256 0cc8f0b471f3b52a0c73f8a04dcfd48648c2d51ee87a30d53ca64b76d63b4f35
SHA512 ff1f6e096b8f4f312bf2f2be985ce47a78abfa52e79e61fdff2a653225dd7f53ce95b02a88146ece1fca5b3ef9ea0c634056ac48e72db08c49dc467de7059739

C:\Users\Admin\Desktop\UseLock.pub.id[215BA69E-3483].[[email protected]].8base

MD5 c1a89429ee8e77493b7beee711995fe5
SHA1 ddc95fc71a2f2bfd46fe7dcc38da0bb86ac11ea0
SHA256 010afd37897771b727f95d11bb974bce3505994861972d437c9e92cb288d1bc3
SHA512 106aee71859cb34c7a7bd9f1c5e3c1bb4411bf9d666247f1d4da8e618b9533aa6b022db772963ce6d0e3cf4781f8b81a78b211fcbfe297d9d04697c7cd47b465

C:\info.hta

MD5 e6fc569bdb5fc632b48a139839264da8
SHA1 5af9bd158b68421d8b4f52db7455b32d7556c75d
SHA256 895dfaa240b5f2cf0752d4ecae4bdaa69a5657a6d269b35a42f69e8fdb23f407
SHA512 e516fa81ea4ba431c54c59e5e0ed93a338c57725517e25d8c75198dfa80cf22df8e90f06cf5bdadc4c60f3e76ebe64ce8afda5266bcbab30adcb930de10de296

C:\Users\Admin\Desktop\info.hta

MD5 e6fc569bdb5fc632b48a139839264da8
SHA1 5af9bd158b68421d8b4f52db7455b32d7556c75d
SHA256 895dfaa240b5f2cf0752d4ecae4bdaa69a5657a6d269b35a42f69e8fdb23f407
SHA512 e516fa81ea4ba431c54c59e5e0ed93a338c57725517e25d8c75198dfa80cf22df8e90f06cf5bdadc4c60f3e76ebe64ce8afda5266bcbab30adcb930de10de296

C:\users\public\desktop\info.hta

MD5 e6fc569bdb5fc632b48a139839264da8
SHA1 5af9bd158b68421d8b4f52db7455b32d7556c75d
SHA256 895dfaa240b5f2cf0752d4ecae4bdaa69a5657a6d269b35a42f69e8fdb23f407
SHA512 e516fa81ea4ba431c54c59e5e0ed93a338c57725517e25d8c75198dfa80cf22df8e90f06cf5bdadc4c60f3e76ebe64ce8afda5266bcbab30adcb930de10de296

C:\info.hta

MD5 e6fc569bdb5fc632b48a139839264da8
SHA1 5af9bd158b68421d8b4f52db7455b32d7556c75d
SHA256 895dfaa240b5f2cf0752d4ecae4bdaa69a5657a6d269b35a42f69e8fdb23f407
SHA512 e516fa81ea4ba431c54c59e5e0ed93a338c57725517e25d8c75198dfa80cf22df8e90f06cf5bdadc4c60f3e76ebe64ce8afda5266bcbab30adcb930de10de296

F:\info.hta

MD5 e6fc569bdb5fc632b48a139839264da8
SHA1 5af9bd158b68421d8b4f52db7455b32d7556c75d
SHA256 895dfaa240b5f2cf0752d4ecae4bdaa69a5657a6d269b35a42f69e8fdb23f407
SHA512 e516fa81ea4ba431c54c59e5e0ed93a338c57725517e25d8c75198dfa80cf22df8e90f06cf5bdadc4c60f3e76ebe64ce8afda5266bcbab30adcb930de10de296

C:\Users\Admin\Desktop\info.txt

MD5 785cafecedf21b32589f303a8a490a6a
SHA1 5388d3b2a40734142918364eadc02b4429d856e3
SHA256 e455b6bfe96488ca6d4ee70ef495c8925040d22a7cba422e0db7469065daf932
SHA512 4511937134dd7809e888f9bcfcf06d24c17a06f55b5a2b9690a381fda8de9cb793a9799c91814ce43f47ca6db594b010c5feae8aff08bd3edd448967d06fc93b

C:\Users\Public\Desktop\info.txt

MD5 785cafecedf21b32589f303a8a490a6a
SHA1 5388d3b2a40734142918364eadc02b4429d856e3
SHA256 e455b6bfe96488ca6d4ee70ef495c8925040d22a7cba422e0db7469065daf932
SHA512 4511937134dd7809e888f9bcfcf06d24c17a06f55b5a2b9690a381fda8de9cb793a9799c91814ce43f47ca6db594b010c5feae8aff08bd3edd448967d06fc93b

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-14 08:06

Reported

2023-07-14 08:08

Platform

win10v2004-20230703-en

Max time kernel

138s

Max time network

154s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detect rhadamanthys stealer shellcode

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Phobos

ransomware phobos

Rhadamanthys

stealer rhadamanthys

SmokeLoader

trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1940 created 3088 N/A C:\Users\Admin\AppData\Local\Temp\a662ba3492a7d218908f5d851841ed96.exe C:\Windows\Explorer.EXE

SystemBC

trojan systembc

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (491) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\XfLd%9.exe C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[4E633C4D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XfLd%9 = "C:\\Users\\Admin\\AppData\\Local\\XfLd%9.exe" C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XfLd%9 = "C:\\Users\\Admin\\AppData\\Local\\XfLd%9.exe" C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-1420546310-613437930-2990200354-1000\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1420546310-613437930-2990200354-1000\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4736 set thread context of 3864 N/A C:\Users\Admin\AppData\Local\Microsoft\K5UnDT.exe C:\Users\Admin\AppData\Local\Microsoft\K5UnDT.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jre1.8.0_66\bin\j2pcsc.dll.id[4E633C4D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_MAK_AE-pl.xrm-ms.id[4E633C4D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-ul-phn.xrm-ms.id[4E633C4D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.Printing.resources.dll C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\3px.png C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_folder-disabled_32.svg C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntryR_PrepidBypass-ul-oob.xrm-ms.id[4E633C4D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\StudentReport.dotx C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\GameBar_StoreLogo.scale-200.png C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filter_18.svg C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nb-no\ui-strings.js C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.de-de.dll C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16ConsumerPerp_Bypass30-ul-oob.xrm-ms.id[4E633C4D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-convert-l1-1-0.dll.id[4E633C4D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\Media Renderer\DMR_48.png C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ja-jp\ui-strings.js.id[4E633C4D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Runtime.Serialization.Xml.dll C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\de-DE\mpvis.dll.mui C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\System\mfcm140u.dll C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\iheart-radio.scale-125_contrast-black.png C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\duplicate.svg C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\zh-cn\ui-strings.js.id[4E633C4D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.net.nl_zh_4.4.0.v20140623020002.jar.id[4E633C4D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File created C:\Program Files\Java\jre1.8.0_66\lib\psfont.properties.ja.id[4E633C4D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\IFDPINTL.DLL C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sl-sl\ui-strings.js C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\nl-nl\ui-strings.js.id[4E633C4D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\javax.servlet.jsp_2.2.0.v201112011158.jar.id[4E633C4D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_rgb_sse2_plugin.dll.id[4E633C4D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\PlaceholderCollectionHero.png C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\CardUIBkg.scale-200.HCWhite.png C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-40_altform-unplated.png C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTest-ppd.xrm-ms.id[4E633C4D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libscreen_plugin.dll C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.27629.0_x64__8wekyb3d8bbwe\mfc140kor.dll C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator.nl_zh_4.4.0.v20140623020002.jar.id[4E633C4D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-core-windows.xml C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EVRGREEN\PREVIEW.GIF.id[4E633C4D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-48.png C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-80_altform-unplated.png C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon.png.id[4E633C4D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Security.Cryptography.Cng.dll C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalSplashScreen.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\it-it\AppStore_icon.svg.id[4E633C4D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Resources\1033\msmdsrvi_xl.rll.id[4E633C4D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\Media Renderer\DMR_120.png C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1 C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-40_altform-unplated.png C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\DatabaseCompare_k_col.hxk C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\VisualElements\PrivateBrowsing_70.png.id[4E633C4D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubLargeTile.scale-200.png C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\ui-strings.js.id[4E633C4D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Personal2019DemoR_BypassTrial180-ul-oob.xrm-ms.id[4E633C4D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sl-si\ui-strings.js.id[4E633C4D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\eclipse.inf.id[4E633C4D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\playlist\koreus.luac.id[4E633C4D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\System.ValueTuple.dll.id[4E633C4D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\rsod\proof.es-es.msi.16.es-es.boot.tree.dat C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libhttp_plugin.dll C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\it-IT\ShapeCollector.exe.mui C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\PROOF\MSWDS_FR.LEX.id[4E633C4D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\s_radio_unselected_18.svg C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\zh-cn_get.svg.id[4E633C4D-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\en_US.aff C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\K5UnDT.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\K5UnDT.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\K5UnDT.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\certreq.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\certreq.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a662ba3492a7d218908f5d851841ed96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a662ba3492a7d218908f5d851841ed96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a662ba3492a7d218908f5d851841ed96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a662ba3492a7d218908f5d851841ed96.exe N/A
N/A N/A C:\Windows\system32\certreq.exe N/A
N/A N/A C:\Windows\system32\certreq.exe N/A
N/A N/A C:\Windows\system32\certreq.exe N/A
N/A N/A C:\Windows\system32\certreq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\K5UnDT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\K5UnDT.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1940 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\a662ba3492a7d218908f5d851841ed96.exe C:\Windows\system32\certreq.exe
PID 1940 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\a662ba3492a7d218908f5d851841ed96.exe C:\Windows\system32\certreq.exe
PID 1940 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\a662ba3492a7d218908f5d851841ed96.exe C:\Windows\system32\certreq.exe
PID 1940 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\a662ba3492a7d218908f5d851841ed96.exe C:\Windows\system32\certreq.exe
PID 4736 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Microsoft\K5UnDT.exe C:\Users\Admin\AppData\Local\Microsoft\K5UnDT.exe
PID 4736 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Microsoft\K5UnDT.exe C:\Users\Admin\AppData\Local\Microsoft\K5UnDT.exe
PID 4736 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Microsoft\K5UnDT.exe C:\Users\Admin\AppData\Local\Microsoft\K5UnDT.exe
PID 4736 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Microsoft\K5UnDT.exe C:\Users\Admin\AppData\Local\Microsoft\K5UnDT.exe
PID 4736 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Microsoft\K5UnDT.exe C:\Users\Admin\AppData\Local\Microsoft\K5UnDT.exe
PID 4736 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Microsoft\K5UnDT.exe C:\Users\Admin\AppData\Local\Microsoft\K5UnDT.exe
PID 3392 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe C:\Windows\system32\cmd.exe
PID 3392 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe C:\Windows\system32\cmd.exe
PID 3392 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe C:\Windows\system32\cmd.exe
PID 3392 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe C:\Windows\system32\cmd.exe
PID 4700 wrote to memory of 1360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4700 wrote to memory of 1360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4520 wrote to memory of 4040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4520 wrote to memory of 4040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4520 wrote to memory of 3780 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4520 wrote to memory of 3780 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4520 wrote to memory of 3220 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4520 wrote to memory of 3220 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4520 wrote to memory of 3408 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4520 wrote to memory of 3408 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4520 wrote to memory of 3692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 4520 wrote to memory of 3692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 4700 wrote to memory of 2720 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4700 wrote to memory of 2720 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3088 wrote to memory of 2836 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\29D5.exe
PID 3088 wrote to memory of 2836 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\29D5.exe
PID 3088 wrote to memory of 2836 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\29D5.exe
PID 3088 wrote to memory of 3708 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3088 wrote to memory of 3708 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3088 wrote to memory of 3708 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3088 wrote to memory of 3708 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3088 wrote to memory of 396 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3088 wrote to memory of 396 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3088 wrote to memory of 396 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3088 wrote to memory of 1132 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3088 wrote to memory of 1132 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3088 wrote to memory of 1132 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3088 wrote to memory of 1132 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3088 wrote to memory of 3708 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3088 wrote to memory of 3708 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3088 wrote to memory of 3708 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3088 wrote to memory of 3708 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3088 wrote to memory of 1436 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3088 wrote to memory of 1436 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3088 wrote to memory of 1436 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3088 wrote to memory of 1436 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3088 wrote to memory of 1940 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3088 wrote to memory of 1940 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3088 wrote to memory of 1940 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3088 wrote to memory of 3856 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3088 wrote to memory of 3856 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3088 wrote to memory of 3856 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3088 wrote to memory of 3856 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3088 wrote to memory of 4424 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3088 wrote to memory of 4424 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3088 wrote to memory of 4424 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3088 wrote to memory of 4736 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3088 wrote to memory of 4736 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3088 wrote to memory of 4736 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3088 wrote to memory of 4736 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\a662ba3492a7d218908f5d851841ed96.exe

"C:\Users\Admin\AppData\Local\Temp\a662ba3492a7d218908f5d851841ed96.exe"

C:\Windows\system32\certreq.exe

"C:\Windows\system32\certreq.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1940 -ip 1940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 952

C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe

"C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe"

C:\Users\Admin\AppData\Local\Microsoft\Z69s9.exe

"C:\Users\Admin\AppData\Local\Microsoft\Z69s9.exe"

C:\Users\Admin\AppData\Local\Microsoft\K5UnDT.exe

"C:\Users\Admin\AppData\Local\Microsoft\K5UnDT.exe"

C:\Users\Admin\AppData\Local\Microsoft\K5UnDT.exe

"C:\Users\Admin\AppData\Local\Microsoft\K5UnDT.exe"

C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe

"C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 4608 -ip 4608

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 460

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 4608 -ip 4608

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 468

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4608 -ip 4608

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 476

C:\Users\Admin\AppData\Local\Temp\29D5.exe

C:\Users\Admin\AppData\Local\Temp\29D5.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2836 -ip 2836

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 496

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2836 -ip 2836

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 500

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2836 -ip 2836

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 528

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

Network

Country Destination Domain Proto
US 8.8.8.8:53 126.211.247.8.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 servblog25.xyz udp
DE 45.131.66.61:80 servblog25.xyz tcp
US 8.8.8.8:53 61.66.131.45.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 servblog25.xyz udp
DE 45.131.66.61:80 servblog25.xyz tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 69.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 45.131.66.61:80 servblog25.xyz tcp
US 8.8.8.8:53 serverxlogs21.xyz udp
DE 45.131.66.120:80 serverxlogs21.xyz tcp
US 8.8.8.8:53 fexstat257.xyz udp
DE 45.89.125.136:80 fexstat257.xyz tcp
US 8.8.8.8:53 120.66.131.45.in-addr.arpa udp
US 8.8.8.8:53 136.125.89.45.in-addr.arpa udp
DE 45.131.66.120:80 serverxlogs21.xyz tcp
US 8.8.8.8:53 211.143.182.52.in-addr.arpa udp

Files

memory/1940-134-0x00000000004D0000-0x00000000005D0000-memory.dmp

memory/1940-135-0x0000000002210000-0x0000000002281000-memory.dmp

memory/1940-136-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/1940-137-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/1940-138-0x00000000022B0000-0x00000000022B7000-memory.dmp

memory/1940-139-0x0000000002570000-0x0000000002970000-memory.dmp

memory/1940-140-0x0000000002570000-0x0000000002970000-memory.dmp

memory/1940-141-0x0000000002570000-0x0000000002970000-memory.dmp

memory/1940-142-0x0000000002570000-0x0000000002970000-memory.dmp

memory/1940-143-0x00000000004D0000-0x00000000005D0000-memory.dmp

memory/1332-144-0x000002316DF40000-0x000002316DF43000-memory.dmp

memory/1940-145-0x0000000002210000-0x0000000002281000-memory.dmp

memory/1940-146-0x0000000003300000-0x0000000003336000-memory.dmp

memory/1940-152-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/1940-154-0x0000000002570000-0x0000000002970000-memory.dmp

memory/1940-153-0x0000000003300000-0x0000000003336000-memory.dmp

memory/1940-156-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/1940-157-0x0000000002570000-0x0000000002970000-memory.dmp

memory/1332-158-0x000002316DF40000-0x000002316DF43000-memory.dmp

memory/1332-159-0x000002316E300000-0x000002316E307000-memory.dmp

memory/1332-161-0x00007FF43DDC0000-0x00007FF43DEED000-memory.dmp

memory/1332-160-0x00007FF43DDC0000-0x00007FF43DEED000-memory.dmp

memory/1332-162-0x00007FF43DDC0000-0x00007FF43DEED000-memory.dmp

memory/1332-163-0x00007FF43DDC0000-0x00007FF43DEED000-memory.dmp

memory/1332-164-0x00007FF43DDC0000-0x00007FF43DEED000-memory.dmp

memory/1332-166-0x00007FF43DDC0000-0x00007FF43DEED000-memory.dmp

memory/1332-167-0x00007FF43DDC0000-0x00007FF43DEED000-memory.dmp

memory/1332-168-0x00007FF43DDC0000-0x00007FF43DEED000-memory.dmp

memory/1332-169-0x00007FF43DDC0000-0x00007FF43DEED000-memory.dmp

memory/1332-170-0x00007FFDDD3F0000-0x00007FFDDD5E5000-memory.dmp

memory/1332-171-0x00007FF43DDC0000-0x00007FF43DEED000-memory.dmp

memory/1332-172-0x00007FF43DDC0000-0x00007FF43DEED000-memory.dmp

memory/1332-173-0x00007FF43DDC0000-0x00007FF43DEED000-memory.dmp

memory/1332-174-0x00007FF43DDC0000-0x00007FF43DEED000-memory.dmp

memory/1332-175-0x00007FF43DDC0000-0x00007FF43DEED000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe

MD5 a2f3d796dc2c2f474188db58d5ca7593
SHA1 dc88893abba370aab576dcc9bd60b5fc7bb5dd4e
SHA256 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c
SHA512 9a454f6eb65ef53baa5cff2e2dd3b4691e80acc37b78e27b4832a045420942425aa458243d3640fe9b3d5c756cfb8d65d7f828cd4b6633228a6500327c1f2b7c

C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe

MD5 a2f3d796dc2c2f474188db58d5ca7593
SHA1 dc88893abba370aab576dcc9bd60b5fc7bb5dd4e
SHA256 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c
SHA512 9a454f6eb65ef53baa5cff2e2dd3b4691e80acc37b78e27b4832a045420942425aa458243d3640fe9b3d5c756cfb8d65d7f828cd4b6633228a6500327c1f2b7c

C:\Users\Admin\AppData\Local\Microsoft\Z69s9.exe

MD5 771e03d1211a93261e4b5686aa911243
SHA1 d0b249fe34b8bdeac98712ac9dd37f340f287b4c
SHA256 18cbb36da4425cd9d142d75e9e07b02fddeede075bf6f4c9297d014a9163e342
SHA512 8aa08956338fbb5fe9f04126e09123e3fb5c512a73b00b843c517d9cd05695ff7d6df7e1bdea5621b1b660cec3e2a191ff68d10a1a12789a870dd8d49ad52ed5

C:\Users\Admin\AppData\Local\Microsoft\Z69s9.exe

MD5 771e03d1211a93261e4b5686aa911243
SHA1 d0b249fe34b8bdeac98712ac9dd37f340f287b4c
SHA256 18cbb36da4425cd9d142d75e9e07b02fddeede075bf6f4c9297d014a9163e342
SHA512 8aa08956338fbb5fe9f04126e09123e3fb5c512a73b00b843c517d9cd05695ff7d6df7e1bdea5621b1b660cec3e2a191ff68d10a1a12789a870dd8d49ad52ed5

C:\Users\Admin\AppData\Local\Microsoft\K5UnDT.exe

MD5 d8a652141be195333dd68e662b04c523
SHA1 266363bf92a157ca769f3cce33f13363cf94eb3f
SHA256 82e21c96880af14b90e7d8a688ec83c41bddcaa29ee05557b763795d1416ad39
SHA512 ce0d269674d139358b5068b3df7ccbae1e5470a031d3e59ac1ab68493438e51dc733a6be5d36854257d8d5d5e822a9ad421398cc0a2f3c783d5d33b04af484ea

C:\Users\Admin\AppData\Local\Microsoft\K5UnDT.exe

MD5 d8a652141be195333dd68e662b04c523
SHA1 266363bf92a157ca769f3cce33f13363cf94eb3f
SHA256 82e21c96880af14b90e7d8a688ec83c41bddcaa29ee05557b763795d1416ad39
SHA512 ce0d269674d139358b5068b3df7ccbae1e5470a031d3e59ac1ab68493438e51dc733a6be5d36854257d8d5d5e822a9ad421398cc0a2f3c783d5d33b04af484ea

memory/1332-188-0x00007FFDDD3F0000-0x00007FFDDD5E5000-memory.dmp

memory/1332-189-0x000002316E300000-0x000002316E305000-memory.dmp

memory/1332-190-0x00007FFDDD3F0000-0x00007FFDDD5E5000-memory.dmp

memory/1812-191-0x0000000000640000-0x0000000000740000-memory.dmp

memory/1812-192-0x00000000005C0000-0x00000000005C5000-memory.dmp

memory/1812-193-0x0000000000400000-0x000000000049A000-memory.dmp

memory/4736-195-0x00000000005F0000-0x00000000005F9000-memory.dmp

memory/4736-194-0x00000000007F0000-0x00000000008F0000-memory.dmp

memory/3864-196-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\K5UnDT.exe

MD5 d8a652141be195333dd68e662b04c523
SHA1 266363bf92a157ca769f3cce33f13363cf94eb3f
SHA256 82e21c96880af14b90e7d8a688ec83c41bddcaa29ee05557b763795d1416ad39
SHA512 ce0d269674d139358b5068b3df7ccbae1e5470a031d3e59ac1ab68493438e51dc733a6be5d36854257d8d5d5e822a9ad421398cc0a2f3c783d5d33b04af484ea

memory/3864-199-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3864-198-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3392-200-0x0000000000670000-0x0000000000770000-memory.dmp

memory/3392-201-0x0000000000600000-0x000000000060F000-memory.dmp

memory/3392-202-0x0000000000400000-0x000000000049A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\XfLd%9.exe

MD5 a2f3d796dc2c2f474188db58d5ca7593
SHA1 dc88893abba370aab576dcc9bd60b5fc7bb5dd4e
SHA256 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c
SHA512 9a454f6eb65ef53baa5cff2e2dd3b4691e80acc37b78e27b4832a045420942425aa458243d3640fe9b3d5c756cfb8d65d7f828cd4b6633228a6500327c1f2b7c

memory/1812-205-0x0000000000640000-0x0000000000740000-memory.dmp

memory/3088-208-0x0000000002F60000-0x0000000002F76000-memory.dmp

memory/3864-209-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[4E633C4D-3483].[[email protected]].8base

MD5 4886df6a96daab23ee35f6697d9065e8
SHA1 f8e26bdf7ccc4a7984de2f0dfb18cd4a9b4b9006
SHA256 f54bd062618e502a4cc90bd8667494be2056e3df360c801bef27e668aa9f89e7
SHA512 f4a1ba1d3a607f6d114df42967a9eec34911bba43c474ead4a39742acd1db3919eaba7b960e3eca2fcd3d5d59ea408328c57f43cd958e3ede0d222314bc8b22d

memory/3392-506-0x0000000000670000-0x0000000000770000-memory.dmp

memory/3392-663-0x0000000000600000-0x000000000060F000-memory.dmp

memory/3392-785-0x0000000000400000-0x000000000049A000-memory.dmp

memory/3392-1868-0x0000000000400000-0x000000000049A000-memory.dmp

memory/4608-1980-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/4608-2045-0x0000000000400000-0x000000000049A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\29D5.exe

MD5 a2f3d796dc2c2f474188db58d5ca7593
SHA1 dc88893abba370aab576dcc9bd60b5fc7bb5dd4e
SHA256 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c
SHA512 9a454f6eb65ef53baa5cff2e2dd3b4691e80acc37b78e27b4832a045420942425aa458243d3640fe9b3d5c756cfb8d65d7f828cd4b6633228a6500327c1f2b7c

C:\Users\Admin\AppData\Local\Temp\29D5.exe

MD5 a2f3d796dc2c2f474188db58d5ca7593
SHA1 dc88893abba370aab576dcc9bd60b5fc7bb5dd4e
SHA256 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c
SHA512 9a454f6eb65ef53baa5cff2e2dd3b4691e80acc37b78e27b4832a045420942425aa458243d3640fe9b3d5c756cfb8d65d7f828cd4b6633228a6500327c1f2b7c

C:\Users\Admin\AppData\Local\Temp\29D5.exe

MD5 a2f3d796dc2c2f474188db58d5ca7593
SHA1 dc88893abba370aab576dcc9bd60b5fc7bb5dd4e
SHA256 408d62cbf4789d9533230eff49b8b45c11b01fd8c8d6d65ec339725d7521a48c
SHA512 9a454f6eb65ef53baa5cff2e2dd3b4691e80acc37b78e27b4832a045420942425aa458243d3640fe9b3d5c756cfb8d65d7f828cd4b6633228a6500327c1f2b7c

memory/3708-4030-0x0000000000B30000-0x0000000000BA5000-memory.dmp

memory/3708-4015-0x0000000000AC0000-0x0000000000B2B000-memory.dmp

memory/3708-4044-0x0000000000AC0000-0x0000000000B2B000-memory.dmp

memory/3392-4051-0x0000000000400000-0x000000000049A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rzyhfx4n.default-release\cookies.sqlite.id[4E633C4D-3483].[[email protected]].8base

MD5 6640124557dc9a6cfc91acac6c726474
SHA1 ca4f00d0cba5adbbdca6d8c571949201350e025f
SHA256 61806e7cd53233de610add652627e221bf6532487d196581955ef05df69aaf83
SHA512 d5c0c24111faf604f4e0edcbc68a394809c9404d2942027ee29f712c1d3fdb2ebcb1f5d1e7623bca3476c22ee4a8b435120f3748f667d32dd0c1e656b30a57a9

memory/396-4319-0x0000000000BA0000-0x0000000000BAC000-memory.dmp

memory/396-4320-0x0000000000BB0000-0x0000000000BB7000-memory.dmp

memory/396-4321-0x0000000000BA0000-0x0000000000BAC000-memory.dmp

memory/3708-4336-0x0000000000AC0000-0x0000000000B2B000-memory.dmp

memory/1132-4408-0x0000000000A60000-0x0000000000A69000-memory.dmp

memory/1132-4401-0x0000000000A70000-0x0000000000A74000-memory.dmp

memory/1132-4397-0x0000000000A60000-0x0000000000A69000-memory.dmp

memory/3708-4582-0x0000000000B70000-0x0000000000B7A000-memory.dmp

memory/3708-4586-0x0000000000B60000-0x0000000000B6B000-memory.dmp

memory/3708-4634-0x0000000000B60000-0x0000000000B6B000-memory.dmp

memory/1436-4822-0x00000000012A0000-0x00000000012A7000-memory.dmp

memory/1436-4821-0x0000000001290000-0x000000000129B000-memory.dmp

memory/1436-4823-0x0000000001290000-0x000000000129B000-memory.dmp

memory/1940-4824-0x0000000000910000-0x000000000091F000-memory.dmp

memory/1940-4829-0x0000000000920000-0x0000000000929000-memory.dmp

memory/1940-4837-0x0000000000910000-0x000000000091F000-memory.dmp

memory/3856-5070-0x0000000000B50000-0x0000000000B59000-memory.dmp

memory/3856-5088-0x0000000000B50000-0x0000000000B59000-memory.dmp

memory/3856-5079-0x0000000000B60000-0x0000000000B65000-memory.dmp

memory/4424-5404-0x0000000000780000-0x000000000078C000-memory.dmp

memory/1132-5405-0x0000000000A70000-0x0000000000A74000-memory.dmp

memory/4424-5407-0x0000000000780000-0x000000000078C000-memory.dmp

memory/4424-5406-0x0000000000790000-0x0000000000796000-memory.dmp

memory/4736-5433-0x00000000003F0000-0x00000000003F9000-memory.dmp

memory/4736-5436-0x0000000000600000-0x0000000000604000-memory.dmp

memory/4736-5445-0x00000000003F0000-0x00000000003F9000-memory.dmp

memory/1360-5633-0x0000000000EA0000-0x0000000000EA9000-memory.dmp

memory/1436-5642-0x00000000012A0000-0x00000000012A7000-memory.dmp

memory/1360-5667-0x0000000000EB0000-0x0000000000EB5000-memory.dmp

memory/1360-5668-0x0000000000EA0000-0x0000000000EA9000-memory.dmp

memory/4868-5845-0x00000000005A0000-0x00000000005C7000-memory.dmp

memory/1940-5846-0x0000000000920000-0x0000000000929000-memory.dmp

memory/4868-5848-0x00000000005D0000-0x00000000005F1000-memory.dmp

memory/4868-5847-0x00000000005A0000-0x00000000005C7000-memory.dmp

memory/1308-5851-0x0000000000FC0000-0x0000000000FC9000-memory.dmp

memory/3392-5852-0x0000000000400000-0x000000000049A000-memory.dmp

memory/3856-5868-0x0000000000B60000-0x0000000000B65000-memory.dmp

memory/1308-5869-0x0000000000FC0000-0x0000000000FC9000-memory.dmp

memory/1916-5972-0x0000000000B50000-0x0000000000B5B000-memory.dmp

memory/1916-5987-0x0000000000B60000-0x0000000000B66000-memory.dmp

memory/1916-6028-0x0000000000B50000-0x0000000000B5B000-memory.dmp

memory/2104-6342-0x0000000000AD0000-0x0000000000ADD000-memory.dmp

memory/2104-6353-0x0000000000AE0000-0x0000000000AE7000-memory.dmp

memory/2104-6356-0x0000000000AD0000-0x0000000000ADD000-memory.dmp

memory/860-6386-0x0000000000DF0000-0x0000000000DFB000-memory.dmp

memory/1360-6409-0x0000000000EB0000-0x0000000000EB5000-memory.dmp

memory/3392-8567-0x0000000000400000-0x000000000049A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000027.db.id[4E633C4D-3483].[[email protected]].8base

MD5 68d6cc7909349b771788724c64341518
SHA1 266150f70fc9dc8b5b61b4abd28443982047ea60
SHA256 3d345e237e08e2045f7e142ced77edbb1e8ba6b92c365527e5e1d5c98dc13c4f
SHA512 d8445a8645f7a8cf9f8c69c03f7653bde308204d3727c91ba7f79db97292ab94136fad5c920be93a5fcf57da2c9487b480d3a3a0d89b6247281f7e76d6167cab

C:\Users\Admin\AppData\Local\Temp\5366\C\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.dll

MD5 d220973f7c8ca6e1ae835eca6e547df2
SHA1 bfaba046457e3278bf7f4d45d5436df10df92681
SHA256 632d2eae353347497600a2322db7073194c3eefa7394505d458df23071bb8b53
SHA512 266c995f635e07f272189fa0e9e44739dee23a8a17f3e9ae4dfa09c762cb5a0fafcf094e309620c6c217495be6169bc3407fdf864dcbd139f77e606f2db2a680

C:\Users\Admin\AppData\Local\Temp\5366\C\Windows\SysWOW64\Windows.ApplicationModel.Wallet.dll

MD5 02557c141c9e153c2b7987b79a3a2dd7
SHA1 a054761382ee68608b6a3b62b68138dc205f576b
SHA256 207c587e769e2655669bd3ce1d28a00bcac08f023013735f026f65c0e3baa6f4
SHA512 a37e29c115bcb9956b1f8fd2022f2e3966c1fa2a0efa5c2ee2d14bc5c41bfddae0deea4d481a681d13ec58e9dec41e7565f8b4eb1c10f2c44c03e58bdd2792b3

C:\Users\Admin\AppData\Local\Temp\5366\C\Windows\SysWOW64\WalletProxy.dll

MD5 d09724c29a8f321f2f9c552de6ef6afa
SHA1 d6ce3d3a973695f4f770e7fb3fcb5e2f3df592a3
SHA256 23cc82878957683184fbd0e3098e9e6858978bf78d7812c6d7470ebdc79d1c5c
SHA512 cc8db1b0c4bbd94dfc8a669cd6accf6fa29dc1034ce03d9dae53d6ce117bb86b432bf040fb53230b612c6e9a325e58acc8ebb600f760a8d9d6a383ce751fd6ed

C:\Users\Admin\AppData\Local\Temp\5366\C\Windows\SysWOW64\WalletBackgroundServiceProxy.dll

MD5 1097d1e58872f3cf58f78730a697ce4b
SHA1 96db4e4763a957b28dd80ec1e43eb27367869b86
SHA256 83ec0be293b19d00eca4ae51f16621753e1d2b11248786b25a1abaae6230bdef
SHA512 b933eac4eaabacc51069a72b24b649b980aea251b1b87270ff4ffea12de9368d5447cdbe748ac7faf2805548b896c8499f9eceeed2f5efd0c684f94360940351

C:\Users\Admin\AppData\Local\Temp\5366\C\Windows\System32\Windows.ApplicationModel.Wallet.dll

MD5 02557c141c9e153c2b7987b79a3a2dd7
SHA1 a054761382ee68608b6a3b62b68138dc205f576b
SHA256 207c587e769e2655669bd3ce1d28a00bcac08f023013735f026f65c0e3baa6f4
SHA512 a37e29c115bcb9956b1f8fd2022f2e3966c1fa2a0efa5c2ee2d14bc5c41bfddae0deea4d481a681d13ec58e9dec41e7565f8b4eb1c10f2c44c03e58bdd2792b3

C:\Users\Admin\AppData\Local\Temp\5366\C\Windows\System32\WalletBackgroundServiceProxy.dll

MD5 1097d1e58872f3cf58f78730a697ce4b
SHA1 96db4e4763a957b28dd80ec1e43eb27367869b86
SHA256 83ec0be293b19d00eca4ae51f16621753e1d2b11248786b25a1abaae6230bdef
SHA512 b933eac4eaabacc51069a72b24b649b980aea251b1b87270ff4ffea12de9368d5447cdbe748ac7faf2805548b896c8499f9eceeed2f5efd0c684f94360940351

C:\Users\Admin\AppData\Local\Temp\5366\C\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe.xml

MD5 94f90fcd2b8f7f1df69224f845d9e9b7
SHA1 a09e3072cc581cf89adaf1aa20aa89b3af7bf987
SHA256 a16113a66b1c36f919b5f7eaa3fb7aa8e0ba9e057823861aabea703cc06a04c0
SHA512 51f4ee06a8d8bf1121083bf4383433160f16c68d1fe4c44e5d0e0529910d27ba8446c7a4bef359b990574d1d61563da30139c6d09ad0ad1a5b5c7748b8da08f3

C:\Users\Admin\AppData\Local\Temp\5366\C\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe.xml

MD5 108f130067a9df1719c590316a5245f7
SHA1 79bb9a86e7a50c85214cd7e21719f0cb4155f58a
SHA256 c91debd34057ca5c280ca15ac542733930e1c94c7d887448eac6e3385b5a0874
SHA512 d43b3861d5153c7ca54edd078c900d31599fc9f04d6883a449d62c7e86a105a3c5dfb2d232255c41505b210b063caf6325921dc074fcdf93407c9e2c985a5301

C:\Users\Admin\AppData\Local\Temp\5366\C\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe.xml

MD5 94f90fcd2b8f7f1df69224f845d9e9b7
SHA1 a09e3072cc581cf89adaf1aa20aa89b3af7bf987
SHA256 a16113a66b1c36f919b5f7eaa3fb7aa8e0ba9e057823861aabea703cc06a04c0
SHA512 51f4ee06a8d8bf1121083bf4383433160f16c68d1fe4c44e5d0e0529910d27ba8446c7a4bef359b990574d1d61563da30139c6d09ad0ad1a5b5c7748b8da08f3

C:\Users\Admin\AppData\Local\Temp\5366\C\Windows\System32\WalletProxy.dll

MD5 d09724c29a8f321f2f9c552de6ef6afa
SHA1 d6ce3d3a973695f4f770e7fb3fcb5e2f3df592a3
SHA256 23cc82878957683184fbd0e3098e9e6858978bf78d7812c6d7470ebdc79d1c5c
SHA512 cc8db1b0c4bbd94dfc8a669cd6accf6fa29dc1034ce03d9dae53d6ce117bb86b432bf040fb53230b612c6e9a325e58acc8ebb600f760a8d9d6a383ce751fd6ed

C:\Users\Admin\AppData\Local\Temp\5366\C\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe.xml

MD5 108f130067a9df1719c590316a5245f7
SHA1 79bb9a86e7a50c85214cd7e21719f0cb4155f58a
SHA256 c91debd34057ca5c280ca15ac542733930e1c94c7d887448eac6e3385b5a0874
SHA512 d43b3861d5153c7ca54edd078c900d31599fc9f04d6883a449d62c7e86a105a3c5dfb2d232255c41505b210b063caf6325921dc074fcdf93407c9e2c985a5301

C:\Users\Admin\AppData\Local\Temp\5366\C\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe

MD5 cfe72ed40a076ae4f4157940ce0c5d44
SHA1 8010f7c746a7ba4864785f798f46ec05caae7ece
SHA256 6868894ab04d08956388a94a81016f03d5b7a7b1646c8a6235057a7e1e45de32
SHA512 f002afa2131d250dd6148d8372ce45f84283b8e1209e91720cee7aff497503d0e566bae3a83cd326701458230ae5c0e200eec617889393dd46ac00ff357ff1b0

C:\Users\Admin\AppData\Roaming\wfiahug

MD5 650e2e3933ba7e005d71842aaf5b9bac
SHA1 8d31ce06a3c18a51ac135efda58dc3f6e587c215
SHA256 5d34c5d975766f27555e683ccfabb662886fbb1b9da42ea4670f176c5f04e105
SHA512 45e437d8040cbfc574cca4d1f752561c18735f4066e59cf2e0180588a8ab8db5400a23cbf6e067f1098c35923861bc73fa5246a70bc98bff134b01bb958d775a

C:\Users\Admin\AppData\Roaming\rcevgdd

MD5 d8a652141be195333dd68e662b04c523
SHA1 266363bf92a157ca769f3cce33f13363cf94eb3f
SHA256 82e21c96880af14b90e7d8a688ec83c41bddcaa29ee05557b763795d1416ad39
SHA512 ce0d269674d139358b5068b3df7ccbae1e5470a031d3e59ac1ab68493438e51dc733a6be5d36854257d8d5d5e822a9ad421398cc0a2f3c783d5d33b04af484ea

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg.id[4E633C4D-3483].[[email protected]].8base

MD5 26ec9f000816efe09f4f967ff56ab076
SHA1 5ebec883b5f4d5e77432672c271c3e3714cadb0e
SHA256 22cafb077954e220e107287359febf214c275ba24e56b5ab405cd355d37a120a
SHA512 ab98bd0145ca2365d9fd421dac444bba38b286074193eb38d8d02ed8a37c460c288795b697d038d443c808f84df0d21f8839ee6b41335eb873bcd990042d33b2

C:\info.hta

MD5 af4ead8c4b4ec6ee70a6614b9d196038
SHA1 35b084940f356f79a45ec2f3f743d048cf6e5aa4
SHA256 d7fdc29f4c08bf477e68d3fb396088f5108fbad8a72879188952c63fcec146fa
SHA512 b810cd96404b1554c4b0c06de999dfe51200e38d0b5604bc1f848e74b5cc22e5310d24e3c3e0f553d1154749724cfa0cd96e29ef0aee7bb4597eaf90981b3b47

C:\users\public\desktop\info.hta

MD5 af4ead8c4b4ec6ee70a6614b9d196038
SHA1 35b084940f356f79a45ec2f3f743d048cf6e5aa4
SHA256 d7fdc29f4c08bf477e68d3fb396088f5108fbad8a72879188952c63fcec146fa
SHA512 b810cd96404b1554c4b0c06de999dfe51200e38d0b5604bc1f848e74b5cc22e5310d24e3c3e0f553d1154749724cfa0cd96e29ef0aee7bb4597eaf90981b3b47

C:\Users\Admin\Desktop\info.hta

MD5 af4ead8c4b4ec6ee70a6614b9d196038
SHA1 35b084940f356f79a45ec2f3f743d048cf6e5aa4
SHA256 d7fdc29f4c08bf477e68d3fb396088f5108fbad8a72879188952c63fcec146fa
SHA512 b810cd96404b1554c4b0c06de999dfe51200e38d0b5604bc1f848e74b5cc22e5310d24e3c3e0f553d1154749724cfa0cd96e29ef0aee7bb4597eaf90981b3b47

F:\info.hta

MD5 af4ead8c4b4ec6ee70a6614b9d196038
SHA1 35b084940f356f79a45ec2f3f743d048cf6e5aa4
SHA256 d7fdc29f4c08bf477e68d3fb396088f5108fbad8a72879188952c63fcec146fa
SHA512 b810cd96404b1554c4b0c06de999dfe51200e38d0b5604bc1f848e74b5cc22e5310d24e3c3e0f553d1154749724cfa0cd96e29ef0aee7bb4597eaf90981b3b47

C:\info.hta

MD5 af4ead8c4b4ec6ee70a6614b9d196038
SHA1 35b084940f356f79a45ec2f3f743d048cf6e5aa4
SHA256 d7fdc29f4c08bf477e68d3fb396088f5108fbad8a72879188952c63fcec146fa
SHA512 b810cd96404b1554c4b0c06de999dfe51200e38d0b5604bc1f848e74b5cc22e5310d24e3c3e0f553d1154749724cfa0cd96e29ef0aee7bb4597eaf90981b3b47