Malware Analysis Report

2024-11-16 12:19

Sample ID 230715-arzw9shd71
Target c4c5c296ff9dd8f2518960f5521747335c5a457e3cb0be2eee0bf8bcf8f64482
SHA256 c4c5c296ff9dd8f2518960f5521747335c5a457e3cb0be2eee0bf8bcf8f64482
Tags
phobos rhadamanthys smokeloader systembc backdoor collection evasion persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

c4c5c296ff9dd8f2518960f5521747335c5a457e3cb0be2eee0bf8bcf8f64482

Threat Level: Known bad

The file c4c5c296ff9dd8f2518960f5521747335c5a457e3cb0be2eee0bf8bcf8f64482 was found to be: Known bad.

Malicious Activity Summary

phobos rhadamanthys smokeloader systembc backdoor collection evasion persistence ransomware spyware stealer trojan

Suspicious use of NtCreateUserProcessOtherParentProcess

Rhadamanthys

Phobos

Detect rhadamanthys stealer shellcode

SmokeLoader

SystemBC

Deletes shadow copies

Renames multiple (87) files with added filename extension

Modifies boot configuration data using bcdedit

Deletes backup catalog

Modifies Windows Firewall

Downloads MZ/PE file

Executes dropped EXE

Drops startup file

Reads user/profile data of web browsers

Adds Run key to start application

Drops desktop.ini file(s)

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Drops file in Program Files directory

Unsigned PE

Program crash

outlook_win_path

Uses Volume Shadow Copy service COM API

Uses Task Scheduler COM API

Checks processor information in registry

Interacts with shadow copies

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-15 00:27

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-15 00:27

Reported

2023-07-15 00:30

Platform

win10v2004-20230703-en

Max time kernel

75s

Max time network

92s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detect rhadamanthys stealer shellcode

Phobos

ransomware phobos

Rhadamanthys

stealer rhadamanthys

SmokeLoader

trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2708 created 3140 N/A C:\Users\Admin\AppData\Local\Temp\c4c5c296ff9dd8f2518960f5521747335c5a457e3cb0be2eee0bf8bcf8f64482.exe C:\Windows\Explorer.EXE

SystemBC

trojan systembc

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (87) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\E~M.exe C:\Users\Admin\AppData\Local\Microsoft\E~M.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\E~M = "C:\\Users\\Admin\\AppData\\Local\\E~M.exe" C:\Users\Admin\AppData\Local\Microsoft\E~M.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\E~M = "C:\\Users\\Admin\\AppData\\Local\\E~M.exe" C:\Users\Admin\AppData\Local\Microsoft\E~M.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\E~M.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-618519468-4027732583-1827558364-1000\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\E~M.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-618519468-4027732583-1827558364-1000\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\E~M.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3820 set thread context of 3516 N/A C:\Users\Admin\AppData\Local\Microsoft\oeE3.exe C:\Users\Admin\AppData\Local\Microsoft\oeE3.exe

Drops file in Program Files directory

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\oeE3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\oeE3.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\oeE3.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\certreq.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\certreq.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c4c5c296ff9dd8f2518960f5521747335c5a457e3cb0be2eee0bf8bcf8f64482.exe N/A
N/A N/A C:\Windows\system32\certreq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\oeE3.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\E~M.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\oeE3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Microsoft\E~M.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2708 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\c4c5c296ff9dd8f2518960f5521747335c5a457e3cb0be2eee0bf8bcf8f64482.exe C:\Windows\system32\certreq.exe
PID 3820 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Microsoft\oeE3.exe C:\Users\Admin\AppData\Local\Microsoft\oeE3.exe
PID 3048 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Microsoft\E~M.exe C:\Windows\system32\cmd.exe
PID 3048 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Microsoft\E~M.exe C:\Windows\system32\cmd.exe
PID 3556 wrote to memory of 2620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3740 wrote to memory of 3544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3556 wrote to memory of 4320 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3740 wrote to memory of 3412 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3740 wrote to memory of 3716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3740 wrote to memory of 4432 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3740 wrote to memory of 552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\system32\certreq.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\c4c5c296ff9dd8f2518960f5521747335c5a457e3cb0be2eee0bf8bcf8f64482.exe

"C:\Users\Admin\AppData\Local\Temp\c4c5c296ff9dd8f2518960f5521747335c5a457e3cb0be2eee0bf8bcf8f64482.exe"

C:\Windows\system32\certreq.exe

"C:\Windows\system32\certreq.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2708 -ip 2708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 944

C:\Users\Admin\AppData\Local\Microsoft\oeE3.exe

"C:\Users\Admin\AppData\Local\Microsoft\oeE3.exe"

C:\Users\Admin\AppData\Local\Microsoft\E~M.exe

"C:\Users\Admin\AppData\Local\Microsoft\E~M.exe"

C:\Users\Admin\AppData\Local\Microsoft\2jU6fH.exe

"C:\Users\Admin\AppData\Local\Microsoft\2jU6fH.exe"

C:\Users\Admin\AppData\Local\Microsoft\oeE3.exe

"C:\Users\Admin\AppData\Local\Microsoft\oeE3.exe"

C:\Users\Admin\AppData\Local\Microsoft\E~M.exe

"C:\Users\Admin\AppData\Local\Microsoft\E~M.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2652 -ip 2652

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2652 -s 460

C:\Users\Admin\AppData\Local\Temp\C1C.exe

C:\Users\Admin\AppData\Local\Temp\C1C.exe

C:\Users\Admin\AppData\Local\Temp\DE2.exe

C:\Users\Admin\AppData\Local\Temp\DE2.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 177.17.30.184.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 76.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 admlogs195.xyz udp
EE 46.36.219.3:80 admlogs195.xyz tcp
US 8.8.8.8:53 3.219.36.46.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 254.143.241.8.in-addr.arpa udp
EE 46.36.219.3:80 admlogs195.xyz tcp
EE 46.36.219.3:80 admlogs195.xyz tcp
EE 46.36.219.3:80 admlogs195.xyz tcp
US 8.8.8.8:53 serverxlogs21.xyz udp
DE 45.131.66.120:80 serverxlogs21.xyz tcp
US 8.8.8.8:53 120.66.131.45.in-addr.arpa udp
US 8.8.8.8:53 cexsad917.xyz udp
EE 46.36.218.224:80 cexsad917.xyz tcp
US 8.8.8.8:53 224.218.36.46.in-addr.arpa udp
DE 45.131.66.120:80 serverxlogs21.xyz tcp

Files

memory/2708-134-0x0000000000700000-0x0000000000800000-memory.dmp

memory/2708-135-0x0000000000680000-0x00000000006F1000-memory.dmp

memory/2708-136-0x0000000000400000-0x0000000000517000-memory.dmp

memory/2708-137-0x0000000000400000-0x0000000000517000-memory.dmp

memory/2708-138-0x00000000022D0000-0x00000000022D7000-memory.dmp

memory/2708-139-0x0000000002370000-0x0000000002770000-memory.dmp

memory/2708-140-0x0000000002370000-0x0000000002770000-memory.dmp

memory/2708-141-0x0000000002370000-0x0000000002770000-memory.dmp

memory/2708-142-0x0000000002370000-0x0000000002770000-memory.dmp

memory/2708-143-0x0000000000700000-0x0000000000800000-memory.dmp

memory/1796-144-0x00000148EF180000-0x00000148EF183000-memory.dmp

memory/2708-145-0x0000000000680000-0x00000000006F1000-memory.dmp

memory/2708-146-0x0000000003210000-0x0000000003246000-memory.dmp

memory/2708-152-0x0000000000400000-0x0000000000517000-memory.dmp

memory/2708-153-0x0000000003210000-0x0000000003246000-memory.dmp

memory/2708-154-0x0000000002370000-0x0000000002770000-memory.dmp

memory/2708-156-0x0000000000400000-0x0000000000517000-memory.dmp

memory/2708-157-0x0000000002370000-0x0000000002770000-memory.dmp

memory/1796-158-0x00000148EF180000-0x00000148EF183000-memory.dmp

memory/1796-159-0x00000148EF320000-0x00000148EF327000-memory.dmp

memory/1796-161-0x00007FF405F10000-0x00007FF40603D000-memory.dmp

memory/1796-160-0x00007FF405F10000-0x00007FF40603D000-memory.dmp

memory/1796-162-0x00007FF405F10000-0x00007FF40603D000-memory.dmp

memory/1796-163-0x00007FF405F10000-0x00007FF40603D000-memory.dmp

memory/1796-164-0x00007FF405F10000-0x00007FF40603D000-memory.dmp

memory/1796-166-0x00007FF405F10000-0x00007FF40603D000-memory.dmp

memory/1796-168-0x00007FF405F10000-0x00007FF40603D000-memory.dmp

memory/1796-169-0x00007FF405F10000-0x00007FF40603D000-memory.dmp

memory/1796-170-0x00007FF405F10000-0x00007FF40603D000-memory.dmp

memory/1796-171-0x00007FFB71A70000-0x00007FFB71C65000-memory.dmp

memory/1796-172-0x00007FF405F10000-0x00007FF40603D000-memory.dmp

memory/1796-173-0x00007FF405F10000-0x00007FF40603D000-memory.dmp

memory/1796-174-0x00007FF405F10000-0x00007FF40603D000-memory.dmp

memory/1796-175-0x00007FF405F10000-0x00007FF40603D000-memory.dmp

memory/1796-176-0x00007FF405F10000-0x00007FF40603D000-memory.dmp

memory/1796-178-0x00007FFB71A70000-0x00007FFB71C65000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\oeE3.exe

MD5 09d7f30d2f8432be6087038562a029dd
SHA1 07fc20446a03a20c191e750ef21737ec948d9544
SHA256 8c7319e9b6bd1ec0fa5658aaf55096a7e549b21a380de406c705969f165cb3f8
SHA512 abc4670991a0a109a292d36f2b5116685374d0c85c157eefac3b44e240050b51c41839b8df4ffdad3ef6460dcd70c2b9457492c7d486fccd7a48e931cebacf7e

C:\Users\Admin\AppData\Local\Microsoft\oeE3.exe

MD5 09d7f30d2f8432be6087038562a029dd
SHA1 07fc20446a03a20c191e750ef21737ec948d9544
SHA256 8c7319e9b6bd1ec0fa5658aaf55096a7e549b21a380de406c705969f165cb3f8
SHA512 abc4670991a0a109a292d36f2b5116685374d0c85c157eefac3b44e240050b51c41839b8df4ffdad3ef6460dcd70c2b9457492c7d486fccd7a48e931cebacf7e

C:\Users\Admin\AppData\Local\Microsoft\E~M.exe

MD5 de348ef9eed7ccdaed5a70ae15796a86
SHA1 42914d94e8024ca94e58bb4bd9cfa4d0ae524975
SHA256 a2333bcbbdbf6846ea6945637f93ecc2500a32bbfa9032c4cc39021a4e41a855
SHA512 605bdb115b9fc95b1c0924f01b3b62b27737d94fe97825e81ebc5f1de107a317bd47fbe88be9d2ac4e6b3c9d0d537a8b38986b24480a54495442c6206e9eb163

C:\Users\Admin\AppData\Local\Microsoft\E~M.exe

MD5 de348ef9eed7ccdaed5a70ae15796a86
SHA1 42914d94e8024ca94e58bb4bd9cfa4d0ae524975
SHA256 a2333bcbbdbf6846ea6945637f93ecc2500a32bbfa9032c4cc39021a4e41a855
SHA512 605bdb115b9fc95b1c0924f01b3b62b27737d94fe97825e81ebc5f1de107a317bd47fbe88be9d2ac4e6b3c9d0d537a8b38986b24480a54495442c6206e9eb163

C:\Users\Admin\AppData\Local\Microsoft\2jU6fH.exe

MD5 6ac14216327dcfb60b33ebd914f62769
SHA1 d55eba9a523347f5ee65c9e27a3dc73a1eb4cf7b
SHA256 25f77a058ec8aff36602762a75066b3ba52652ce90fc823b51dc81e4b14bbeb9
SHA512 6af659cfee302b0faefd85a87bc0aa3e10c40aeb18c6246cf2b335a34b40c21279f1b76ae420217f2caa3913d66e96116860ce442fad5fe465d2273de79ff3ed

memory/3820-189-0x0000000000580000-0x0000000000589000-memory.dmp

memory/1796-190-0x00000148EF320000-0x00000148EF325000-memory.dmp

memory/3048-191-0x0000000000640000-0x000000000064F000-memory.dmp

memory/3820-188-0x00000000005E0000-0x00000000006E0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\oeE3.exe

MD5 09d7f30d2f8432be6087038562a029dd
SHA1 07fc20446a03a20c191e750ef21737ec948d9544
SHA256 8c7319e9b6bd1ec0fa5658aaf55096a7e549b21a380de406c705969f165cb3f8
SHA512 abc4670991a0a109a292d36f2b5116685374d0c85c157eefac3b44e240050b51c41839b8df4ffdad3ef6460dcd70c2b9457492c7d486fccd7a48e931cebacf7e

memory/3516-196-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3048-197-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/3048-194-0x00000000007B0000-0x00000000008B0000-memory.dmp

memory/1796-193-0x00007FFB71A70000-0x00007FFB71C65000-memory.dmp

memory/3516-192-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\E~M.exe

MD5 de348ef9eed7ccdaed5a70ae15796a86
SHA1 42914d94e8024ca94e58bb4bd9cfa4d0ae524975
SHA256 a2333bcbbdbf6846ea6945637f93ecc2500a32bbfa9032c4cc39021a4e41a855
SHA512 605bdb115b9fc95b1c0924f01b3b62b27737d94fe97825e81ebc5f1de107a317bd47fbe88be9d2ac4e6b3c9d0d537a8b38986b24480a54495442c6206e9eb163

memory/3140-200-0x00000000007E0000-0x00000000007F6000-memory.dmp

memory/3516-201-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2260-206-0x0000000002630000-0x000000000270B000-memory.dmp

memory/2260-205-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/2260-207-0x0000000002710000-0x00000000027EB000-memory.dmp

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[3107CCA1-3483].[[email protected]].8base

MD5 5ecbd8ddbbba5cc06367444108d0fc8a
SHA1 1d5041be2b9a23b29f57930b212ebdd397a0f9d7
SHA256 9d08a8a25dde9e9b323703bd93e3f09519d1ff30bd9c721b8981eab0db1a3399
SHA512 7a12442ca15822951da40d6fa0114bba5964d1793cf8693b0fed6d52e23eaef8f36c91c5f71893ad6d200371d18ddedbafd009ea628526bd7bd6f67ff6145404

memory/3048-518-0x0000000000640000-0x000000000064F000-memory.dmp

memory/3048-768-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/3048-771-0x00000000007B0000-0x00000000008B0000-memory.dmp

memory/3048-877-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/2652-2304-0x0000000000780000-0x0000000000880000-memory.dmp

memory/2652-2306-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/3048-2978-0x0000000000400000-0x00000000004E3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C1C.exe

MD5 7166d39e9c1cb17e1728d316531242b1
SHA1 d05810943685bcd70999ff0926215f5d6fe2637a
SHA256 8879a7a950a3916f5438685f994ee829a20e4c60021db73060cd078e4a72b5a7
SHA512 b377a2605a34a0fe98a1c49db7d3898e12850944c323b7a4d19c1f5e2081e688624127de529e961da530b7439813495cc254957cb2e16ffea999d943f0fc4214

C:\Users\Admin\AppData\Local\Temp\C1C.exe

MD5 7166d39e9c1cb17e1728d316531242b1
SHA1 d05810943685bcd70999ff0926215f5d6fe2637a
SHA256 8879a7a950a3916f5438685f994ee829a20e4c60021db73060cd078e4a72b5a7
SHA512 b377a2605a34a0fe98a1c49db7d3898e12850944c323b7a4d19c1f5e2081e688624127de529e961da530b7439813495cc254957cb2e16ffea999d943f0fc4214

C:\Users\Admin\AppData\Local\Temp\DE2.exe

MD5 16bab536f93bbf833bca053e355402ee
SHA1 8b7ccbef0fcb0edab800b6ddc0c9d302b0a03374
SHA256 b8c302a27f96d81723dae52638784519772a968b84533a793e69aab74ef08ba4
SHA512 c7f9b1f0a6034e22b61febcab103482dc613f861a987e53569a2526aba56826fd06f98fe357506fd4f2806abc7f84c3d86e2e046cdfac3539eea6e67ff9c603f

C:\Users\Admin\AppData\Local\Temp\DE2.exe

MD5 16bab536f93bbf833bca053e355402ee
SHA1 8b7ccbef0fcb0edab800b6ddc0c9d302b0a03374
SHA256 b8c302a27f96d81723dae52638784519772a968b84533a793e69aab74ef08ba4
SHA512 c7f9b1f0a6034e22b61febcab103482dc613f861a987e53569a2526aba56826fd06f98fe357506fd4f2806abc7f84c3d86e2e046cdfac3539eea6e67ff9c603f

memory/4320-4243-0x0000000000180000-0x000000000018C000-memory.dmp

memory/4948-4276-0x0000000000410000-0x000000000047B000-memory.dmp

memory/4948-4310-0x0000000000410000-0x000000000047B000-memory.dmp

memory/4948-4318-0x0000000000480000-0x00000000004F5000-memory.dmp

memory/4320-4245-0x0000000000190000-0x0000000000197000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\cookies.sqlite.id[3107CCA1-3483].[[email protected]].8base

MD5 4a943e0588a5d8525175daed17208b07
SHA1 92cff8ce40e3beb4827ecc6306c2f3d89f803115
SHA256 17ffea8f66dace54c102d958e0a2682c4712bb5f04f91b1b11d49ab8a70c7f04
SHA512 7f90bd892865b131dca2dd86a5dbe2535f1fcd385a5f930c3265746169bec239bfc6b60d06f4f89d7bb620bb25f7ee5c0980277a12a560dbca1b63ad02139c59

memory/4320-4362-0x0000000000180000-0x000000000018C000-memory.dmp

memory/180-4431-0x0000000000EF0000-0x0000000000EF4000-memory.dmp

memory/180-4425-0x0000000000EE0000-0x0000000000EE9000-memory.dmp

memory/180-4443-0x0000000000EE0000-0x0000000000EE9000-memory.dmp

memory/4948-4563-0x0000000000410000-0x000000000047B000-memory.dmp

memory/3812-4567-0x0000000000F80000-0x0000000000F8A000-memory.dmp

memory/3812-4566-0x0000000000F70000-0x0000000000F7B000-memory.dmp

memory/3812-4568-0x0000000000F70000-0x0000000000F7B000-memory.dmp

memory/4916-4573-0x00000000005E0000-0x00000000005EB000-memory.dmp

memory/4916-4580-0x00000000005F0000-0x00000000005F7000-memory.dmp

memory/4916-4584-0x00000000005E0000-0x00000000005EB000-memory.dmp

memory/5088-4668-0x0000000000D50000-0x0000000000D5F000-memory.dmp

memory/3048-4732-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/5088-4740-0x0000000000D60000-0x0000000000D69000-memory.dmp

memory/5088-4758-0x0000000000D50000-0x0000000000D5F000-memory.dmp