Malware Analysis Report

2024-11-16 12:20

Sample ID 230715-ad2hyahd5y
Target eeb18dec0f9402e96fb629ab201890d8b2fcfeb45e890e42e3a79a799e575771
SHA256 eeb18dec0f9402e96fb629ab201890d8b2fcfeb45e890e42e3a79a799e575771
Tags
lumma phobos rhadamanthys smokeloader systembc summ backdoor collection discovery evasion persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

eeb18dec0f9402e96fb629ab201890d8b2fcfeb45e890e42e3a79a799e575771

Threat Level: Known bad

The file eeb18dec0f9402e96fb629ab201890d8b2fcfeb45e890e42e3a79a799e575771 was found to be: Known bad.

Malicious Activity Summary

Phobos

Lumma Stealer

SmokeLoader

Detect rhadamanthys stealer shellcode

Rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

SystemBC

Renames multiple (327) files with added filename extension

Modifies boot configuration data using bcdedit

Deletes shadow copies

Downloads MZ/PE file

Modifies Windows Firewall

Deletes backup catalog

Drops startup file

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Executes dropped EXE

Checks installed software on the system

Drops desktop.ini file(s)

Accesses Microsoft Outlook profiles

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Drops file in Program Files directory

Program crash

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Modifies registry class

outlook_office_path

Checks SCSI registry key(s)

Checks processor information in registry

Interacts with shadow copies

Suspicious behavior: GetForegroundWindowSpam

outlook_win_path

Uses Volume Shadow Copy service COM API

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-15 00:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-15 00:06

Reported

2023-07-15 00:09

Platform

win10v2004-20230703-en

Max time kernel

128s

Max time network

155s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detect rhadamanthys stealer shellcode

Description Indicator Process Target
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

Phobos

ransomware phobos

Rhadamanthys

stealer rhadamanthys

SmokeLoader

trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1904 created 3096 N/A C:\Users\Admin\AppData\Local\Temp\6CBF.exe C:\Windows\Explorer.EXE

SystemBC

trojan systembc

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (327) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\[email protected] C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\N@RGU = "C:\\Users\\Admin\\AppData\\Local\\[email protected]" C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\N@RGU = "C:\\Users\\Admin\\AppData\\Local\\[email protected]" C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A

Checks installed software on the system

discovery

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-3011986978-2180659500-3669311805-1000\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3011986978-2180659500-3669311805-1000\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5084 set thread context of 4928 N/A C:\Users\Admin\AppData\Local\Microsoft\g_K{pI9.exe C:\Users\Admin\AppData\Local\Microsoft\g_K{pI9.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\kn.pak C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Java\jdk1.8.0_66\db\bin\ij.bat.id[E23E0A24-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-progress-ui.jar C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Grace-ppd.xrm-ms.id[E23E0A24-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_MAK_AE-pl.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\7-Zip\Lang\pa-in.txt C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\GRLEX.DLL C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\msvcr120.dll C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.id[E23E0A24-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-pl.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-ppd.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director_2.3.100.v20140224-1921.jar.id[E23E0A24-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core-execution.xml C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-ppd.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MEDIA\VOLTAGE.WAV C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\PresentationFramework.resources.dll C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\deployJava1.dll.id[E23E0A24-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Office.Interop.Outlook.dll C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL102.XML.id[E23E0A24-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\informix.xsl.id[E23E0A24-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntryR_PrepidBypass-ul-oob.xrm-ms.id[E23E0A24-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Java\jdk1.8.0_66\jre\bin\msvcr100.dll.id[E23E0A24-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Trial-ppd.xrm-ms.id[E23E0A24-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.Excel.dll C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ScriptDom.dll.id[E23E0A24-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ExcelFloatieXLEditTextModel.bin C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-core-processthreads-l1-1-1.dll.id[E23E0A24-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Microsoft Office\root\vfs\SystemX86\msvcp140_1.dll.id[E23E0A24-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Microsoft Office\root\vreg\osmux.x-none.msi.16.x-none.vreg.dat.id[E23E0A24-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Common Files\System\ado\msado27.tlb C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHLEX.DAT.id[E23E0A24-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Grace-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL078.XML.id[E23E0A24-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\management\management.properties C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcDemoR_BypassTrial365-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-oob.xrm-ms.id[E23E0A24-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\QRYINT32.DLL C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.Excel.dll.id[E23E0A24-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Mozilla Firefox\mozwer.dll C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Net.Resources.dll C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-core-kit_ja.jar C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_PrepidBypass-ppd.xrm-ms.id[E23E0A24-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\TEMPSITC.TTF C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\7-Zip\Lang\ps.txt C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll.id[E23E0A24-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Grace-ppd.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\bin\setEmbeddedCP C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ul-phn.xrm-ms.id[E23E0A24-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GOTHICB.TTF.id[E23E0A24-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Data.DataSetExtensions.Resources.dll C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mac.css.id[E23E0A24-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\currency.data C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Resources\1033\PowerPivotExcelClientAddIn.rll.id[E23E0A24-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Microsoft Office\root\vreg\office.x-none.msi.16.x-none.vreg.dat.id[E23E0A24-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Microsoft Office\root\vreg\proof.es-es.msi.16.es-es.vreg.dat C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.cfg C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\g_K{pI9.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\g_K{pI9.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\g_K{pI9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\eeb18dec0f9402e96fb629ab201890d8b2fcfeb45e890e42e3a79a799e575771.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\eeb18dec0f9402e96fb629ab201890d8b2fcfeb45e890e42e3a79a799e575771.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\eeb18dec0f9402e96fb629ab201890d8b2fcfeb45e890e42e3a79a799e575771.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\certreq.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\certreq.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\Explorer.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\eeb18dec0f9402e96fb629ab201890d8b2fcfeb45e890e42e3a79a799e575771.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Microsoft\[email protected] N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3096 wrote to memory of 1904 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\6CBF.exe
PID 3096 wrote to memory of 1284 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\76D2.exe
PID 3096 wrote to memory of 4384 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3096 wrote to memory of 3224 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3096 wrote to memory of 988 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3096 wrote to memory of 3916 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3096 wrote to memory of 1316 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3096 wrote to memory of 1408 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3096 wrote to memory of 2872 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3096 wrote to memory of 1800 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3096 wrote to memory of 3412 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1904 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\6CBF.exe C:\Windows\system32\certreq.exe
PID 5084 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Microsoft\g_K{pI9.exe C:\Users\Admin\AppData\Local\Microsoft\g_K{pI9.exe
PID 3884 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Microsoft\[email protected] C:\Windows\system32\cmd.exe
PID 3884 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Microsoft\[email protected] C:\Windows\system32\cmd.exe
PID 3884 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Microsoft\[email protected] C:\Windows\system32\cmd.exe
PID 1464 wrote to memory of 396 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1464 wrote to memory of 396 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1396 wrote to memory of 5028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1396 wrote to memory of 5028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1464 wrote to memory of 776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1464 wrote to memory of 776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1396 wrote to memory of 652 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1396 wrote to memory of 652 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1396 wrote to memory of 1700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1396 wrote to memory of 1700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1396 wrote to memory of 1496 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\eeb18dec0f9402e96fb629ab201890d8b2fcfeb45e890e42e3a79a799e575771.exe

"C:\Users\Admin\AppData\Local\Temp\eeb18dec0f9402e96fb629ab201890d8b2fcfeb45e890e42e3a79a799e575771.exe"

C:\Users\Admin\AppData\Local\Temp\6CBF.exe

C:\Users\Admin\AppData\Local\Temp\6CBF.exe

C:\Users\Admin\AppData\Local\Temp\76D2.exe

C:\Users\Admin\AppData\Local\Temp\76D2.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\certreq.exe

"C:\Windows\system32\certreq.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1904 -ip 1904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 952

C:\Users\Admin\AppData\Local\Microsoft\g_K{pI9.exe

"C:\Users\Admin\AppData\Local\Microsoft\g_K{pI9.exe"

C:\Users\Admin\AppData\Local\Microsoft\[email protected]

"C:\Users\Admin\AppData\Local\Microsoft\[email protected]"

C:\Users\Admin\AppData\Local\Microsoft\s3b%cr{ehH.exe

"C:\Users\Admin\AppData\Local\Microsoft\s3b%cr{ehH.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1284 -ip 1284

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 3436

C:\Users\Admin\AppData\Local\Microsoft\g_K{pI9.exe

"C:\Users\Admin\AppData\Local\Microsoft\g_K{pI9.exe"

C:\Users\Admin\AppData\Local\Microsoft\[email protected]

"C:\Users\Admin\AppData\Local\Microsoft\[email protected]"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1904 -ip 1904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 288

C:\Users\Admin\AppData\Local\Temp\C75F.exe

C:\Users\Admin\AppData\Local\Temp\C75F.exe

C:\Users\Admin\AppData\Local\Temp\C9B2.exe

C:\Users\Admin\AppData\Local\Temp\C9B2.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1208 -ip 1208

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 592

Network


Files

SHA512 abc4670991a0a109a292d36f2b5116685374d0c85c157eefac3b44e240050b51c41839b8df4ffdad3ef6460dcd70c2b9457492c7d486fccd7a48e931cebacf7e