Malware Analysis Report

2024-11-16 12:20

Sample ID 230715-ay2z7sge66
Target 1b94e6504da7365a7ac9e5f1c37ea714.exe
SHA256 eeb18dec0f9402e96fb629ab201890d8b2fcfeb45e890e42e3a79a799e575771
Tags
phobos rhadamanthys smokeloader systembc summ backdoor collection evasion persistence ransomware spyware stealer trojan lumma discovery
score
10/10

Analysis Overview

score
10/10

SHA256

eeb18dec0f9402e96fb629ab201890d8b2fcfeb45e890e42e3a79a799e575771

Threat Level: Known bad

The file 1b94e6504da7365a7ac9e5f1c37ea714.exe was found to be: Known bad.

Malicious Activity Summary

Lumma Stealer

Rhadamanthys

Phobos

SystemBC

Detect rhadamanthys stealer shellcode

Suspicious use of NtCreateUserProcessOtherParentProcess

SmokeLoader

Deletes shadow copies

Renames multiple (79) files with added filename extension

Modifies boot configuration data using bcdedit

Renames multiple (315) files with added filename extension

Downloads MZ/PE file

Modifies Windows Firewall

Deletes backup catalog

Reads user/profile data of web browsers

Deletes itself

Reads user/profile data of local email clients

Drops startup file

Executes dropped EXE

Checks installed software on the system

Adds Run key to start application

Drops desktop.ini file(s)

Legitimate hosting services abused for malware hosting/C2

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Drops file in Program Files directory

Unsigned PE

Program crash

Checks processor information in registry

Suspicious use of WriteProcessMemory

outlook_office_path

Checks SCSI registry key(s)

outlook_win_path

Suspicious use of AdjustPrivilegeToken

Interacts with shadow copies

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Uses Task Scheduler COM API

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-15 00:38

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-15 00:38

Reported

2023-07-15 00:40

Platform

win7-20230712-en

Max time kernel

142s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detect rhadamanthys stealer shellcode

Phobos

ransomware phobos

Rhadamanthys

stealer rhadamanthys

SmokeLoader

trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2512 created 1400 N/A C:\Users\Admin\AppData\Local\Temp\24B0.exe C:\Windows\Explorer.EXE

SystemBC

trojan systembc

Deletes shadow copies

ransomware

Renames multiple (79) files with added filename extension

ransomware

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\~st]e.exe C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\system32\certreq.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\~st]e = "C:\\Users\\Admin\\AppData\\Local\\~st]e.exe" C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Windows\CurrentVersion\Run\~st]e = "C:\\Users\\Admin\\AppData\\Local\\~st]e.exe" C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-722410544-1258951091-1992882075-1000\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-722410544-1258951091-1992882075-1000\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1668 set thread context of 3036 N/A C:\Users\Admin\AppData\Local\Microsoft\~~P7P.exe C:\Users\Admin\AppData\Local\Microsoft\~~P7P.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InkObj.dll.mui C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\TipRes.dll.mui C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\MST7MDT C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF.id[51F095FA-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-api.xml.id[51F095FA-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-charts.xml.id[51F095FA-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-loaders_zh_CN.jar.id[51F095FA-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-spi-actions.jar C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File created C:\Program Files\7-Zip\7-zip.chm.id[51F095FA-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\bin\dblook.bat C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkServerCP C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.commons.codec_1.6.0.v201305230611.jar C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.update.configurator.nl_zh_4.4.0.v20140623020002.jar.id[51F095FA-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-loaders.jar C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-heapdump.xml.id[51F095FA-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\button-highlight.png C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ca.pak C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\logging.properties C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_SelectionSubpictureB.png C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\reflect.png C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe.id[51F095FA-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.properties.id[51F095FA-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-javahelp.xml C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File created C:\Program Files\7-Zip\Lang\ne.txt.id[51F095FA-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationUp_ButtonGraphic.png C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe.id[51F095FA-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup-impl.xml C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-io-ui_zh_CN.jar C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Filters\odffilt.dll C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Rarotonga C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.xml C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.repository.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Seyes.emf C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File opened for modification C:\Program Files\DVD Maker\it-IT\OmdProject.dll.mui C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\menu_style_default_Thumbnail.png C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.commands_0.10.2.v20140424-2344.jar C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.services.nl_ja_4.4.0.v20140623020002.jar.id[51F095FA-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-lib-uihandler_ja.jar C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\de.pak.id[51F095FA-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Cape_Verde C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.nl_zh_4.4.0.v20140623020002.jar.id[51F095FA-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-compat_zh_CN.jar C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\javafx.policy.id[51F095FA-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Canary.id[51F095FA-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Push\pushplaysubpicture.png C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Bougainville C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf_3.4.0.v20140827-1444.jar C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.eclipse.nl_zh_4.4.0.v20140623020002.jar.id[51F095FA-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-fallback.xml C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-cli_ja.jar.id[51F095FA-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_rightarrow.png C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationRight_ButtonGraphic.png C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ja.pak.id[51F095FA-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoCanary.png.id[51F095FA-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\jni_md.h C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Shanghai C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File created C:\Program Files\CloseUnregister.sql.id[51F095FA-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_ButtonGraphic.png C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\access-bridge-64.jar.id[51F095FA-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\jvm.hprof.txt.id[51F095FA-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui_5.5.0.165303.jar C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multitabs.xml.id[51F095FA-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1b94e6504da7365a7ac9e5f1c37ea714.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1b94e6504da7365a7ac9e5f1c37ea714.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1b94e6504da7365a7ac9e5f1c37ea714.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\~~P7P.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\~~P7P.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\~~P7P.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\certreq.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\certreq.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b94e6504da7365a7ac9e5f1c37ea714.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1400 wrote to memory of 2512 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\24B0.exe
PID 1400 wrote to memory of 2796 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1400 wrote to memory of 2848 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 1400 wrote to memory of 2932 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1400 wrote to memory of 2972 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 1400 wrote to memory of 1508 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1400 wrote to memory of 1960 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1400 wrote to memory of 2712 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1400 wrote to memory of 2820 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 1400 wrote to memory of 2732 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 2512 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\24B0.exe C:\Windows\system32\certreq.exe
PID 1668 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Microsoft\~~P7P.exe C:\Users\Admin\AppData\Local\Microsoft\~~P7P.exe
PID 2792 wrote to memory of 1680 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\gdfbwaj
PID 3016 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe C:\Windows\system32\cmd.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\system32\certreq.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\1b94e6504da7365a7ac9e5f1c37ea714.exe

"C:\Users\Admin\AppData\Local\Temp\1b94e6504da7365a7ac9e5f1c37ea714.exe"

C:\Users\Admin\AppData\Local\Temp\24B0.exe

C:\Users\Admin\AppData\Local\Temp\24B0.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\certreq.exe

"C:\Windows\system32\certreq.exe"

C:\Users\Admin\AppData\Local\Microsoft\~~P7P.exe

"C:\Users\Admin\AppData\Local\Microsoft\~~P7P.exe"

C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe

"C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe"

C:\Users\Admin\AppData\Local\Microsoft\1aL1rP.exe

"C:\Users\Admin\AppData\Local\Microsoft\1aL1rP.exe"

C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe

"C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {B18B27C8-722E-4D01-8694-97D85903E6C3} S-1-5-21-722410544-1258951091-1992882075-1000:MGKTNXNO\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Microsoft\~~P7P.exe

"C:\Users\Admin\AppData\Local\Microsoft\~~P7P.exe"

C:\Users\Admin\AppData\Roaming\gdfbwaj

C:\Users\Admin\AppData\Roaming\gdfbwaj

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Users\Admin\AppData\Local\Temp\BF1C.exe

C:\Users\Admin\AppData\Local\Temp\BF1C.exe

C:\Users\Admin\AppData\Local\Temp\D54B.exe

C:\Users\Admin\AppData\Local\Temp\D54B.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 stalagmijesarl.com udp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
US 8.8.8.8:53 admxlogs25.xyz udp
EE 46.36.218.224:80 admxlogs25.xyz tcp
US 8.8.8.8:53 github.com udp
US 140.82.112.3:443 github.com tcp
US 8.8.8.8:53 admlogs195.xyz udp
EE 46.36.219.3:80 admlogs195.xyz tcp
US 8.8.8.8:53 serverxlogs21.xyz udp
DE 45.131.66.120:80 serverxlogs21.xyz tcp
US 8.8.8.8:53 cexsad917.xyz udp
EE 46.36.218.224:80 cexsad917.xyz tcp

Files

C:\Users\Admin\AppData\Local\Temp\24B0.exe

MD5 11715c27335a026129dfc1695ebc8888
SHA1 0ffaa4f65fbf2bc0750b972621f37c787b0231e2
SHA256 c4c5c296ff9dd8f2518960f5521747335c5a457e3cb0be2eee0bf8bcf8f64482
SHA512 f7743e16fa619a90cb2c216bc46e2f3b10973e2d3aeb81be27d284e52758cc6fd204dc0babef2bfd01e8bfdc12e70c35dd0f50472f06635f489d2db8060b1220

C:\Users\Admin\AppData\Local\Microsoft\~~P7P.exe

MD5 7d39a3778ad4a5d5e6c7e78fc9e05a00
SHA1 2b030e3180efb06721404fa0de1fbe4998618225
SHA256 21a3bdc28c80ad2f590418c95fa8ff8c21f2e8b80166c7dea43ddc70c16bfaf9
SHA512 1a0693245d226de50eacd2c8ae0081cea3c20e8b9f6f0f0dff69468aba294c402fba321920129346528bc1d5512e6db31f551f049b95177add129dae6148cc2e

C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe

MD5 7166d39e9c1cb17e1728d316531242b1
SHA1 d05810943685bcd70999ff0926215f5d6fe2637a
SHA256 8879a7a950a3916f5438685f994ee829a20e4c60021db73060cd078e4a72b5a7
SHA512 b377a2605a34a0fe98a1c49db7d3898e12850944c323b7a4d19c1f5e2081e688624127de529e961da530b7439813495cc254957cb2e16ffea999d943f0fc4214

C:\Users\Admin\AppData\Local\Microsoft\1aL1rP.exe

MD5 16bab536f93bbf833bca053e355402ee
SHA1 8b7ccbef0fcb0edab800b6ddc0c9d302b0a03374
SHA256 b8c302a27f96d81723dae52638784519772a968b84533a793e69aab74ef08ba4
SHA512 c7f9b1f0a6034e22b61febcab103482dc613f861a987e53569a2526aba56826fd06f98fe357506fd4f2806abc7f84c3d86e2e046cdfac3539eea6e67ff9c603f

C:\Users\Admin\AppData\Roaming\gdfbwaj

MD5 1b94e6504da7365a7ac9e5f1c37ea714
SHA1 b2c784470f5400680f275943aacfcbef6cda5c88
SHA256 eeb18dec0f9402e96fb629ab201890d8b2fcfeb45e890e42e3a79a799e575771
SHA512 6b86bdea9ed18fc11e32c0ce7e6883677fa5e3dfad053200e6757a51cc4b11a5adf0757853c9b4421796e7789d75af17c686ca513a9d442a7a0fa093920d012e

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.id[51F095FA-3483].[[email protected]].8base

MD5 bc5f1d1e4df27daacdfcb5c0ed15dc37
SHA1 7a211bed06367a2ddf1917f9d8caa707d6e65a43
SHA256 f86bb5cef9aa455c2e17dcad20ccd329be5333a85dbfb52014a425d58578d97e
SHA512 4aa669c2762c122e1f96e0c0b6b7077fd522f7d92c11420b6278f2593805e1b30d64deb9da6bc6cb03258188c07d06209730eb18545e9f8d2d3c2f2a18a653d9

C:\Users\Admin\AppData\Local\Temp\BF1C.exe

MD5 7166d39e9c1cb17e1728d316531242b1
SHA1 d05810943685bcd70999ff0926215f5d6fe2637a
SHA256 8879a7a950a3916f5438685f994ee829a20e4c60021db73060cd078e4a72b5a7
SHA512 b377a2605a34a0fe98a1c49db7d3898e12850944c323b7a4d19c1f5e2081e688624127de529e961da530b7439813495cc254957cb2e16ffea999d943f0fc4214

C:\Users\Admin\AppData\Local\Temp\D54B.exe

MD5 16bab536f93bbf833bca053e355402ee
SHA1 8b7ccbef0fcb0edab800b6ddc0c9d302b0a03374
SHA256 b8c302a27f96d81723dae52638784519772a968b84533a793e69aab74ef08ba4
SHA512 c7f9b1f0a6034e22b61febcab103482dc613f861a987e53569a2526aba56826fd06f98fe357506fd4f2806abc7f84c3d86e2e046cdfac3539eea6e67ff9c603f

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-15 00:38

Reported

2023-07-15 00:40

Platform

win10v2004-20230703-en

Max time kernel

145s

Max time network

155s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detect rhadamanthys stealer shellcode

Description Indicator Process Target
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

Phobos

ransomware phobos

Rhadamanthys

stealer rhadamanthys

SmokeLoader

trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 4316 created 3140 N/A C:\Users\Admin\AppData\Local\Temp\63B6.exe C:\Windows\Explorer.EXE

SystemBC

trojan systembc

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (315) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\HY5.exe C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\system32\certreq.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HY5 = "C:\\Users\\Admin\\AppData\\Local\\HY5.exe" C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HY5 = "C:\\Users\\Admin\\AppData\\Local\\HY5.exe" C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A

Checks installed software on the system

discovery

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-618519468-4027732583-1827558364-1000\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-618519468-4027732583-1827558364-1000\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1412 set thread context of 5028 N/A C:\Users\Admin\AppData\Local\Microsoft\Jni(_]27.exe C:\Users\Admin\AppData\Local\Microsoft\Jni(_]27.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-utility-l1-1-0.dll C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\msxactps.dll C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\bn.pak C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File created C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_zh_TW.properties.id[07ED5C0F-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\TEMPSITC.TTF C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\dbghelp.dll.id[07ED5C0F-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\sv.txt C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TabTip.exe.mui C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\it-IT\msadcor.dll.mui C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\msvcp120.dll C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClient.man C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\feature.xml.id[07ED5C0F-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-explorer.xml.id[07ED5C0F-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\excel-udf-host.win32.bundle C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-180.png C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.tr-tr.dll C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\WordR_Grace-ppd.xrm-ms.id[07ED5C0F-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ppd.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File created C:\Program Files\7-Zip\Lang\sr-spc.txt.id[07ED5C0F-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui_5.5.0.165303.jar C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-selector-api.jar C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\XLMACRO.CHM.id[07ED5C0F-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Fonts\private\LHANDW.TTF.id[07ED5C0F-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\QUAD.ELM C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\mk.txt C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui_5.5.0.165303.jar.id[07ED5C0F-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.felix.gogo.runtime_0.10.0.v201209301036.jar C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ppd.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-pl.xrm-ms.id[07ED5C0F-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusDemoR_BypassTrial365-ppd.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe.config.id[07ED5C0F-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN109.XML C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\sqlpdw.xsl.id[07ED5C0F-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GADUGI.TTF C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-remote.xml.id[07ED5C0F-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File created C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\win32_MoveDrop32x32.gif.id[07ED5C0F-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ppd.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-string-l1-1-0.dll.id[07ED5C0F-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\SharedPerformance.man C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\high-contrast.css C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-pl.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\THMBNAIL.PNG C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator_1.1.0.v20131217-1203.jar.id[07ED5C0F-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.properties.id[07ED5C0F-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql_2.0.100.v20131211-1531.jar C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-pl.xrm-ms.id[07ED5C0F-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\PROFILE.ELM.id[07ED5C0F-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\fr-FR\oledb32r.dll.mui C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ppd.xrm-ms.id[07ED5C0F-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Grace-ppd.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-ul-oob.xrm-ms.id[07ED5C0F-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\OSFROAMINGPROXY.DLL C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_KMS_Client-ul.xrm-ms.id[07ED5C0F-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\WEBSANDBOX.DLL.id[07ED5C0F-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ucrtbase.dll.id[07ED5C0F-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ko.pak.id[07ED5C0F-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-ppd.xrm-ms.id[07ED5C0F-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaBrightRegular.ttf C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui.zh_CN_5.5.0.165303.jar C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1b94e6504da7365a7ac9e5f1c37ea714.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\Jni(_]27.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\Jni(_]27.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\Jni(_]27.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1b94e6504da7365a7ac9e5f1c37ea714.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1b94e6504da7365a7ac9e5f1c37ea714.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\certreq.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\certreq.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b94e6504da7365a7ac9e5f1c37ea714.exe N/A 2
N/A N/A C:\Windows\Explorer.EXE N/A 62

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Microsoft\HY5.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege; LUID 33 not resolved to a name by the sandbox) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (SeTimeZonePrivilege; LUID 34 not resolved by the sandbox) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege; LUID 35 not resolved by the sandbox) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 (SeDelegateSessionUserImpersonatePrivilege; LUID 36 not resolved by the sandbox) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege; LUID 33 not resolved to a name by the sandbox) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (SeTimeZonePrivilege; LUID 34 not resolved by the sandbox) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege; LUID 35 not resolved by the sandbox) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 (SeDelegateSessionUserImpersonatePrivilege; LUID 36 not resolved by the sandbox) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3140 wrote to memory of 4316 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\63B6.exe
PID 3140 wrote to memory of 4316 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\63B6.exe
PID 3140 wrote to memory of 4316 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\63B6.exe
PID 3140 wrote to memory of 3412 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\6FFC.exe
PID 3140 wrote to memory of 3412 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\6FFC.exe
PID 3140 wrote to memory of 3412 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\6FFC.exe
PID 3140 wrote to memory of 1176 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3140 wrote to memory of 1176 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3140 wrote to memory of 1176 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3140 wrote to memory of 1176 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3140 wrote to memory of 5040 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3140 wrote to memory of 5040 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3140 wrote to memory of 5040 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3140 wrote to memory of 2160 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3140 wrote to memory of 2160 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3140 wrote to memory of 2160 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3140 wrote to memory of 2160 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3140 wrote to memory of 4440 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3140 wrote to memory of 4440 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3140 wrote to memory of 4440 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3140 wrote to memory of 5068 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3140 wrote to memory of 5068 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3140 wrote to memory of 5068 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3140 wrote to memory of 5068 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3140 wrote to memory of 4320 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3140 wrote to memory of 4320 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3140 wrote to memory of 4320 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3140 wrote to memory of 4320 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3140 wrote to memory of 3668 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3140 wrote to memory of 3668 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3140 wrote to memory of 3668 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3140 wrote to memory of 3668 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3140 wrote to memory of 988 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3140 wrote to memory of 988 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3140 wrote to memory of 988 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3140 wrote to memory of 4988 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3140 wrote to memory of 4988 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3140 wrote to memory of 4988 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3140 wrote to memory of 4988 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 4316 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\63B6.exe C:\Windows\system32\certreq.exe
PID 4316 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\63B6.exe C:\Windows\system32\certreq.exe
PID 4316 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\63B6.exe C:\Windows\system32\certreq.exe
PID 4316 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\63B6.exe C:\Windows\system32\certreq.exe
PID 1412 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Microsoft\Jni(_]27.exe C:\Users\Admin\AppData\Local\Microsoft\Jni(_]27.exe
PID 1412 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Microsoft\Jni(_]27.exe C:\Users\Admin\AppData\Local\Microsoft\Jni(_]27.exe
PID 1412 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Microsoft\Jni(_]27.exe C:\Users\Admin\AppData\Local\Microsoft\Jni(_]27.exe
PID 1412 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Microsoft\Jni(_]27.exe C:\Users\Admin\AppData\Local\Microsoft\Jni(_]27.exe
PID 1412 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Microsoft\Jni(_]27.exe C:\Users\Admin\AppData\Local\Microsoft\Jni(_]27.exe
PID 1412 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Microsoft\Jni(_]27.exe C:\Users\Admin\AppData\Local\Microsoft\Jni(_]27.exe
PID 3324 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Microsoft\HY5.exe C:\Windows\system32\cmd.exe
PID 3324 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Microsoft\HY5.exe C:\Windows\system32\cmd.exe
PID 3324 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Microsoft\HY5.exe C:\Windows\system32\cmd.exe
PID 3324 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Microsoft\HY5.exe C:\Windows\system32\cmd.exe
PID 3508 wrote to memory of 544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3508 wrote to memory of 544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1528 wrote to memory of 2412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1528 wrote to memory of 2412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1528 wrote to memory of 4088 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1528 wrote to memory of 4088 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3508 wrote to memory of 2440 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3508 wrote to memory of 2440 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1528 wrote to memory of 1412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1528 wrote to memory of 1412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1528 wrote to memory of 296 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
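
The table above is a flat list of WriteProcessMemory events, but what an analyst needs from it is the injection graph: which PID wrote into which, how many times, and where each chain starts. The script below rebuilds that graph from the rows. It is an added example for this report, not sandbox output or code from the sample; the input rows are a subset copied from the table, and the edge labels (same-image, hollowed-windows-binary, the three-writes threshold) are my own heuristics rather than the sandbox's signatures.

```python
"""Rebuild the injection graph from the "Suspicious use of WriteProcessMemory"
rows above.  Added example for this report, not sandbox output or malware code.
Input rows are a subset copied verbatim from the table; the edge labels are my
own heuristics, not the sandbox's signatures."""
import re
from collections import Counter, defaultdict
from ntpath import basename

# Constructed input: a subset of the rows in the table above, one event per line.
ROWS = r"""
PID 3140 wrote to memory of 4316 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\63B6.exe
PID 3140 wrote to memory of 4316 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\63B6.exe
PID 3140 wrote to memory of 4316 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\63B6.exe
PID 3140 wrote to memory of 1176 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3140 wrote to memory of 1176 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3140 wrote to memory of 1176 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3140 wrote to memory of 1176 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 4316 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\63B6.exe C:\Windows\system32\certreq.exe
PID 4316 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\63B6.exe C:\Windows\system32\certreq.exe
PID 4316 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\63B6.exe C:\Windows\system32\certreq.exe
PID 4316 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\63B6.exe C:\Windows\system32\certreq.exe
PID 3324 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Microsoft\HY5.exe C:\Windows\system32\cmd.exe
PID 3324 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Microsoft\HY5.exe C:\Windows\system32\cmd.exe
PID 1528 wrote to memory of 2412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1528 wrote to memory of 2412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+)$")
WINDIR = "c:\\windows\\"
HOLLOW_MIN_WRITES = 3  # assumption: 1-2 writes fit plain process creation, 3+ fit hollowing

def parse_rows(text):
    """Yield (src_pid, dst_pid, src_image, dst_image) per event.  The Process and
    Target columns are split where the second drive letter begins, so a path with
    spaces (e.g. Program Files) still parses from the flattened layout."""
    for line in text.strip().splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        paths = re.split(r" (?=[A-Za-z]:\\)", m.group(3))
        if len(paths) == 2:
            yield int(m.group(1)), int(m.group(2)), paths[0], paths[1]

class InjectionGraph:
    def __init__(self, events):
        self.writes = Counter()            # (src, dst) -> WriteProcessMemory calls
        self.image = {}                    # pid -> image path
        self.children = defaultdict(set)   # src pid -> target pids
        for s, d, si, di in events:
            self.writes[(s, d)] += 1
            self.image[s], self.image[d] = si, di
            self.children[s].add(d)

    def roots(self):
        """Writers that are never written into: where each injection chain starts."""
        targets = {d for _, d in self.writes}
        return sorted(p for p in self.children if p not in targets)

    def chains(self):
        """Every root-to-leaf chain of PIDs (cycle-safe)."""
        out = []
        def walk(pid, path):
            path += (pid,)
            kids = [k for k in sorted(self.children.get(pid, ())) if k not in path]
            if not kids:
                out.append(path)
            for k in kids:
                walk(k, path)
        for r in self.roots():
            walk(r, ())
        return out

    def labels(self, src, dst):
        """Heuristic labels for one edge (my assumptions, not sandbox signatures)."""
        si, di = self.image[src].lower(), self.image[dst].lower()
        n = self.writes[(src, dst)]
        out = []
        if n >= HOLLOW_MIN_WRITES:
            out.append("multiple-writes")
            if di.startswith(WINDIR):
                out.append("hollowed-windows-binary")
        if basename(si) == basename(di):
            out.append("same-image")
        return out

def edge_labels(text=ROWS):
    """Labels for every edge, keyed 'src->dst'."""
    g = InjectionGraph(parse_rows(text))
    return {f"{s}->{d}": g.labels(s, d) for s, d in sorted(g.writes)}

if __name__ == "__main__":
    g = InjectionGraph(parse_rows(ROWS))
    for chain in g.chains():
        print(" -> ".join(f"{p} {basename(g.image[p])}" for p in chain))
    for edge, tags in edge_labels().items():
        print(edge, tags)
```

On the rows above this yields two roots, Explorer.EXE (3140, itself already hosting injected code, since a clean Explorer does not write into other processes) and HY5.exe (3324), and the three-writes rule separates the two hollowing edges (Explorer into a fresh explorer.exe, 63B6.exe into certreq.exe) from the two-write parent/child edges that plain process creation produces under the sandbox hook.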

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\system32\certreq.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\1b94e6504da7365a7ac9e5f1c37ea714.exe

"C:\Users\Admin\AppData\Local\Temp\1b94e6504da7365a7ac9e5f1c37ea714.exe"

C:\Users\Admin\AppData\Local\Temp\63B6.exe

C:\Users\Admin\AppData\Local\Temp\63B6.exe

C:\Users\Admin\AppData\Local\Temp\6FFC.exe

C:\Users\Admin\AppData\Local\Temp\6FFC.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\certreq.exe

"C:\Windows\system32\certreq.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4316 -ip 4316

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4316 -s 788

C:\Users\Admin\AppData\Local\Microsoft\Jni(_]27.exe

"C:\Users\Admin\AppData\Local\Microsoft\Jni(_]27.exe"

C:\Users\Admin\AppData\Local\Microsoft\HY5.exe

"C:\Users\Admin\AppData\Local\Microsoft\HY5.exe"

C:\Users\Admin\AppData\Local\Microsoft\MOKNQohq0O.exe

"C:\Users\Admin\AppData\Local\Microsoft\MOKNQohq0O.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3412 -ip 3412

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 3344

C:\Users\Admin\AppData\Local\Microsoft\Jni(_]27.exe

"C:\Users\Admin\AppData\Local\Microsoft\Jni(_]27.exe"

C:\Users\Admin\AppData\Local\Microsoft\HY5.exe

"C:\Users\Admin\AppData\Local\Microsoft\HY5.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5012 -ip 5012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 480

C:\Users\Admin\AppData\Local\Temp\FD34.exe

C:\Users\Admin\AppData\Local\Temp\FD34.exe

C:\Users\Admin\AppData\Local\Temp\43.exe

C:\Users\Admin\AppData\Local\Temp\43.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Roaming\rrahvuf

C:\Users\Admin\AppData\Roaming\rrahvuf

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Roaming\uwahvuf

C:\Users\Admin\AppData\Roaming\uwahvuf

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe
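
The command lines above (vssadmin delete shadows, wmic shadowcopy delete, bcdedit bootstatuspolicy/recoveryenabled, wbadmin delete catalog, netsh firewall off) are the recovery-inhibition and firewall-disable chain that precedes encryption. The script below is an added detection example for this report, not sandbox code: it runs rules over process-creation events and charges every hit to the first non-OS ancestor, so that the seven commands are attributed to HY5.exe rather than to seven unrelated cmd.exe children. The events are constructed from the Processes list and the WriteProcessMemory parent/child rows; the parent of HY5.exe and the PIDs marked as assumed are not in the report, and the ATT&CK mapping is mine.

```python
"""Detect the recovery-inhibition / firewall-disable command chain listed above
(vssadmin, wmic, bcdedit, wbadmin, netsh) and charge it to the process that
started it.  Added example for this report, not sandbox code.  Events are
constructed from the Processes list and the WriteProcessMemory parent/child
rows; the parent of HY5.exe and the PIDs 9001/9002 are assumed."""
import re
from collections import defaultdict, namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")
WINDIR = "c:\\windows\\"

# Constructed input: pid|ppid|image|command line (Sysmon event 1 style fields).
# 3140 as parent of HY5.exe and PIDs 9001/9002 are assumed; 9002 is a benign control.
EVENTS_TXT = r"""
3140|1|C:\Windows\Explorer.EXE|C:\Windows\Explorer.EXE
3324|3140|C:\Users\Admin\AppData\Local\Microsoft\HY5.exe|"C:\Users\Admin\AppData\Local\Microsoft\HY5.exe"
1528|3324|C:\Windows\system32\cmd.exe|"C:\Windows\system32\cmd.exe"
3508|3324|C:\Windows\system32\cmd.exe|"C:\Windows\system32\cmd.exe"
544|3508|C:\Windows\system32\netsh.exe|netsh advfirewall set currentprofile state off
2412|1528|C:\Windows\system32\vssadmin.exe|vssadmin delete shadows /all /quiet
4088|1528|C:\Windows\System32\Wbem\WMIC.exe|wmic shadowcopy delete
2440|3508|C:\Windows\system32\netsh.exe|netsh firewall set opmode mode=disable
1412|1528|C:\Windows\system32\bcdedit.exe|bcdedit /set {default} bootstatuspolicy ignoreallfailures
296|1528|C:\Windows\system32\bcdedit.exe|bcdedit /set {default} recoveryenabled no
9001|1528|C:\Windows\system32\wbadmin.exe|wbadmin delete catalog -quiet
9002|3140|C:\Windows\system32\vssadmin.exe|vssadmin list shadows
"""

RULES = [  # (ATT&CK technique, command-line pattern); mapping is my assumption
    ("T1490", r"\bvssadmin(\.exe)?\s+delete\s+shadows\b"),
    ("T1490", r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b"),
    ("T1490", r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b"),
    ("T1490", r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b"),
    ("T1490", r"\bwbadmin(\.exe)?\s+delete\s+catalog\b"),
    ("T1562.004", r"\bnetsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off\b"),
    ("T1562.004", r"\bnetsh(\.exe)?\s+firewall\s+set\s+opmode\s+mode=disable\b"),
]
RULES = [(tech, re.compile(pat, re.I)) for tech, pat in RULES]

def load_events(text=EVENTS_TXT):
    out = []
    for line in text.strip().splitlines():
        pid, ppid, image, cmdline = line.split("|", 3)
        out.append(Event(int(pid), int(ppid), image, cmdline))
    return out

def origin(by_pid, pid):
    """Walk up the parents while they are OS binaries under the Windows directory;
    the first non-OS ancestor (or the top-most known process) owns the chain."""
    while True:
        e = by_pid[pid]
        if not e.image.lower().startswith(WINDIR) or e.ppid not in by_pid:
            return pid
        pid = e.ppid

def detect(events, min_techniques=2):
    """Map origin pid -> hits, techniques, alert.  A lone 'vssadmin delete shadows'
    is a noisy admin signal; the alert fires when one origin spans at least
    min_techniques distinct techniques (assumed threshold)."""
    by_pid = {e.pid: e for e in events}
    chains = defaultdict(lambda: {"hits": [], "techniques": set()})
    for e in events:
        for tech, rx in RULES:
            if rx.search(e.cmdline):
                c = chains[origin(by_pid, e.pid)]
                c["hits"].append((e.pid, tech, e.cmdline))
                c["techniques"].add(tech)
    return {pid: dict(c, image=by_pid[pid].image, alert=len(c["techniques"]) >= min_techniques)
            for pid, c in chains.items()}

if __name__ == "__main__":
    for pid, c in detect(load_events()).items():
        print(f"origin {pid} {c['image']} alert={c['alert']} techniques={sorted(c['techniques'])}")
        for hit in c["hits"]:
            print("   ", *hit)
```

The benign `vssadmin list shadows` control matches no rule, and a single `vssadmin delete shadows` from an administrator's own cmd.exe produces a hit but no alert; what makes this sample fire is one user-path process driving both T1490 and T1562.004 through its cmd.exe children.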

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 177.17.30.184.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 76.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 stalagmijesarl.com udp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
US 8.8.8.8:53 31.153.50.194.in-addr.arpa udp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
US 8.8.8.8:53 admxlogs25.xyz udp
EE 46.36.218.224:80 admxlogs25.xyz tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
US 8.8.8.8:53 224.218.36.46.in-addr.arpa udp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
US 8.8.8.8:53 github.com udp
US 140.82.113.4:443 github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
US 8.8.8.8:53 4.113.82.140.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
US 8.8.8.8:53 gstatic-node.io udp
US 104.21.37.53:80 gstatic-node.io tcp
US 104.21.37.53:80 gstatic-node.io tcp
US 104.21.37.53:80 gstatic-node.io tcp
US 104.21.37.53:80 gstatic-node.io tcp
US 104.21.37.53:80 gstatic-node.io tcp
US 8.8.8.8:53 53.37.21.104.in-addr.arpa udp
US 104.21.37.53:80 gstatic-node.io tcp
US 104.21.37.53:80 gstatic-node.io tcp
US 104.21.37.53:80 gstatic-node.io tcp
US 104.21.37.53:80 gstatic-node.io tcp
US 104.21.37.53:80 gstatic-node.io tcp
US 8.8.8.8:53 admlogs195.xyz udp
EE 46.36.219.3:80 admlogs195.xyz tcp
US 104.21.37.53:80 gstatic-node.io tcp
US 104.21.37.53:80 gstatic-node.io tcp
US 8.8.8.8:53 3.219.36.46.in-addr.arpa udp
US 104.21.37.53:80 gstatic-node.io tcp
US 104.21.37.53:80 gstatic-node.io tcp
US 104.21.37.53:80 gstatic-node.io tcp
US 104.21.37.53:80 gstatic-node.io tcp
US 104.21.37.53:80 gstatic-node.io tcp
US 104.21.37.53:80 gstatic-node.io tcp
US 104.21.37.53:80 gstatic-node.io tcp
US 104.21.37.53:80 gstatic-node.io tcp
US 104.21.37.53:80 gstatic-node.io tcp
US 104.21.37.53:80 gstatic-node.io tcp
US 104.21.37.53:80 gstatic-node.io tcp
US 104.21.37.53:80 gstatic-node.io tcp
US 104.21.37.53:80 gstatic-node.io tcp
US 104.21.37.53:80 gstatic-node.io tcp
US 104.21.37.53:80 gstatic-node.io tcp
US 104.21.37.53:80 gstatic-node.io tcp
US 104.21.37.53:80 gstatic-node.io tcp
US 104.21.37.53:80 gstatic-node.io tcp
US 104.21.37.53:80 gstatic-node.io tcp
US 104.21.37.53:80 gstatic-node.io tcp
US 104.21.37.53:80 gstatic-node.io tcp
US 104.21.37.53:80 gstatic-node.io tcp
US 104.21.37.53:80 gstatic-node.io tcp
US 104.21.37.53:80 gstatic-node.io tcp
US 104.21.37.53:80 gstatic-node.io tcp
US 104.21.37.53:80 gstatic-node.io tcp
US 104.21.37.53:80 gstatic-node.io tcp
EE 46.36.219.3:80 admlogs195.xyz tcp
US 104.21.37.53:80 gstatic-node.io tcp
US 104.21.37.53:80 gstatic-node.io tcp
US 104.21.37.53:80 gstatic-node.io tcp
EE 46.36.219.3:80 admlogs195.xyz tcp
US 104.21.37.53:80 gstatic-node.io tcp
US 104.21.37.53:80 gstatic-node.io tcp
EE 46.36.219.3:80 admlogs195.xyz tcp
US 104.21.37.53:80 gstatic-node.io tcp
US 104.21.37.53:80 gstatic-node.io tcp
US 104.21.37.53:80 gstatic-node.io tcp
US 104.21.37.53:80 gstatic-node.io tcp
US 8.8.8.8:53 88.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 serverxlogs21.xyz udp
DE 45.131.66.120:80 serverxlogs21.xyz tcp
US 8.8.8.8:53 cexsad917.xyz udp
EE 46.36.218.224:80 cexsad917.xyz tcp
US 8.8.8.8:53 120.66.131.45.in-addr.arpa udp
DE 45.131.66.120:80 serverxlogs21.xyz tcp
US 8.8.8.8:53 38.148.119.40.in-addr.arpa udp
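
The Network table mixes three kinds of rows: forward DNS lookups to 8.8.8.8, reverse (PTR) lookups of addresses the box has just contacted, and the TCP connections themselves. The script below is an added example for this report, not sandbox output: it folds the rows into per-domain IOC records, maps PTR names back to the addresses they describe, flags shared infrastructure (one address serving two domains) and separates abused legitimate hosting from the rest. The input is a subset of the rows above; the allowlist and the brand-word list are assumptions, and "c2-candidate" means only "not allowlisted, needs analyst review".

```python
"""Turn the flattened Network table above into reviewable IOCs.  Added example
for this report, not sandbox output.  The allowlist and brand-word list are my
assumptions; "c2-candidate" means "not allowlisted, needs analyst review"."""
from collections import defaultdict

# Constructed input: a subset of the rows above, "Country Destination Domain Proto".
NETWORK_ROWS = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 stalagmijesarl.com udp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
US 8.8.8.8:53 31.153.50.194.in-addr.arpa udp
US 8.8.8.8:53 admxlogs25.xyz udp
EE 46.36.218.224:80 admxlogs25.xyz tcp
US 8.8.8.8:53 github.com udp
US 140.82.113.4:443 github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 gstatic-node.io udp
US 104.21.37.53:80 gstatic-node.io tcp
US 104.21.37.53:80 gstatic-node.io tcp
US 104.21.37.53:80 gstatic-node.io tcp
US 8.8.8.8:53 admlogs195.xyz udp
EE 46.36.219.3:80 admlogs195.xyz tcp
US 8.8.8.8:53 serverxlogs21.xyz udp
DE 45.131.66.120:80 serverxlogs21.xyz tcp
US 8.8.8.8:53 cexsad917.xyz udp
EE 46.36.218.224:80 cexsad917.xyz tcp
US 8.8.8.8:53 120.66.131.45.in-addr.arpa udp
"""

# Assumptions: hosts whose use here is abuse of legitimate hosting, and brand words
# whose presence in an unrelated domain suggests a lookalike (gstatic-node.io vs gstatic).
KNOWN_LEGIT = {"github.com", "raw.githubusercontent.com"}
BRAND_WORDS = ("gstatic", "google", "microsoft", "windows")

def parse_rows(text):
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        yield country, ip, int(port), domain, proto

def ptr_to_ip(name):
    """'31.153.50.194.in-addr.arpa' -> '194.50.153.31'; None for forward names."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        return None
    return ".".join(reversed(octets))

def extract_iocs(text=NETWORK_ROWS):
    iocs, ptr_seen = {}, set()
    for country, ip, port, domain, proto in parse_rows(text):
        if proto == "udp" and port == 53:      # DNS: keep PTR targets, skip forward lookups
            ptr = ptr_to_ip(domain)
            if ptr:
                ptr_seen.add(ptr)
            continue
        rec = iocs.setdefault(domain, {"ips": set(), "ports": set(), "countries": set(),
                                       "connections": 0, "tags": set()})
        rec["ips"].add(ip)
        rec["ports"].add(port)
        rec["connections"] += 1
        if country != "N/A":
            rec["countries"].add(country)
    for domain, rec in iocs.items():
        rec["tags"].add("legitimate-hosting" if domain in KNOWN_LEGIT else "c2-candidate")
        if domain not in KNOWN_LEGIT and any(b in domain for b in BRAND_WORDS):
            rec["tags"].add("brand-lookalike")
        if rec["ips"] & ptr_seen:          # the box reverse-resolved this IP after contacting it
            rec["tags"].add("reverse-lookup-seen")
        if rec["ports"] - {443}:
            rec["tags"].add("cleartext")
    return iocs

def c2_candidates(iocs):
    return sorted(d for d, r in iocs.items() if "c2-candidate" in r["tags"])

def shared_infra(iocs):
    """IPs serving more than one domain: a pivot for blocking by address, not name."""
    by_ip = defaultdict(set)
    for domain, rec in iocs.items():
        for ip in rec["ips"]:
            by_ip[ip].add(domain)
    return {ip: sorted(ds) for ip, ds in by_ip.items() if len(ds) > 1}

if __name__ == "__main__":
    iocs = extract_iocs()
    for d in c2_candidates(iocs):
        r = iocs[d]
        print(d, sorted(r["ips"]), sorted(r["ports"]), r["connections"], sorted(r["tags"]))
    print("shared:", shared_infra(iocs))
```

Two things fall out that the raw table hides: 46.36.218.224 answers for both admxlogs25.xyz and cexsad917.xyz, so an address-based block covers both names, and every non-allowlisted endpoint is plain HTTP on port 80, so the traffic is inspectable on the wire.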

Files

memory/864-134-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/864-135-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/864-136-0x0000000002240000-0x0000000002249000-memory.dmp

memory/3140-137-0x0000000006CB0000-0x0000000006CC6000-memory.dmp

memory/864-138-0x0000000000400000-0x00000000004E3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\63B6.exe

MD5 11715c27335a026129dfc1695ebc8888
SHA1 0ffaa4f65fbf2bc0750b972621f37c787b0231e2
SHA256 c4c5c296ff9dd8f2518960f5521747335c5a457e3cb0be2eee0bf8bcf8f64482
SHA512 f7743e16fa619a90cb2c216bc46e2f3b10973e2d3aeb81be27d284e52758cc6fd204dc0babef2bfd01e8bfdc12e70c35dd0f50472f06635f489d2db8060b1220

C:\Users\Admin\AppData\Local\Temp\63B6.exe

MD5 11715c27335a026129dfc1695ebc8888
SHA1 0ffaa4f65fbf2bc0750b972621f37c787b0231e2
SHA256 c4c5c296ff9dd8f2518960f5521747335c5a457e3cb0be2eee0bf8bcf8f64482
SHA512 f7743e16fa619a90cb2c216bc46e2f3b10973e2d3aeb81be27d284e52758cc6fd204dc0babef2bfd01e8bfdc12e70c35dd0f50472f06635f489d2db8060b1220

C:\Users\Admin\AppData\Local\Temp\6FFC.exe

MD5 6d35d4cb11e99f8645441b0f1f96da3d
SHA1 3b6e12da0c1c37d38db867ab6330ace34461c56a
SHA256 9066d830ae21197499f19a044054b0ea96f5be17cbb246714e15f36f32312204
SHA512 01b5b75ce608f55f70c6471bb20f0a248116ef902f4bd602b5cf11fed747e0af9b811fbe74d393895672806f2b525900c6cef0ce889229d27032683a5e591aa4

C:\Users\Admin\AppData\Local\Temp\6FFC.exe

MD5 6d35d4cb11e99f8645441b0f1f96da3d
SHA1 3b6e12da0c1c37d38db867ab6330ace34461c56a
SHA256 9066d830ae21197499f19a044054b0ea96f5be17cbb246714e15f36f32312204
SHA512 01b5b75ce608f55f70c6471bb20f0a248116ef902f4bd602b5cf11fed747e0af9b811fbe74d393895672806f2b525900c6cef0ce889229d27032683a5e591aa4

memory/1176-158-0x00000000016A0000-0x00000000016A7000-memory.dmp

memory/1176-159-0x0000000001690000-0x000000000169B000-memory.dmp

memory/1176-160-0x0000000001690000-0x000000000169B000-memory.dmp

memory/5040-161-0x0000000000680000-0x0000000000689000-memory.dmp

memory/5040-163-0x00000000003F0000-0x00000000003FF000-memory.dmp

memory/2160-164-0x0000000000E00000-0x0000000000E09000-memory.dmp

memory/2160-165-0x0000000000E10000-0x0000000000E15000-memory.dmp

memory/2160-166-0x0000000000E00000-0x0000000000E09000-memory.dmp

memory/4440-167-0x00000000004D0000-0x00000000004DC000-memory.dmp

memory/4440-168-0x00000000004E0000-0x00000000004E6000-memory.dmp

memory/4440-169-0x00000000004D0000-0x00000000004DC000-memory.dmp

memory/5068-170-0x00000000001B0000-0x00000000001D7000-memory.dmp

memory/5068-171-0x0000000000400000-0x0000000000422000-memory.dmp

memory/5068-172-0x00000000001B0000-0x00000000001D7000-memory.dmp

memory/1176-173-0x00000000016A0000-0x00000000016A7000-memory.dmp

memory/4320-174-0x0000000000540000-0x0000000000549000-memory.dmp

memory/4320-175-0x0000000000550000-0x0000000000555000-memory.dmp

memory/4320-176-0x0000000000540000-0x0000000000549000-memory.dmp

memory/3668-177-0x00000000009A0000-0x00000000009AB000-memory.dmp

memory/5040-178-0x00000000003F0000-0x00000000003FF000-memory.dmp

memory/3668-180-0x00000000009A0000-0x00000000009AB000-memory.dmp

memory/3668-179-0x00000000009B0000-0x00000000009B6000-memory.dmp

memory/988-181-0x0000000000B90000-0x0000000000B9D000-memory.dmp

memory/988-183-0x0000000000BA0000-0x0000000000BA7000-memory.dmp

memory/2160-182-0x0000000000E10000-0x0000000000E15000-memory.dmp

memory/988-184-0x0000000000B90000-0x0000000000B9D000-memory.dmp

memory/4988-185-0x00000000007A0000-0x00000000007AB000-memory.dmp

memory/4440-186-0x00000000004E0000-0x00000000004E6000-memory.dmp

memory/4988-187-0x00000000007B0000-0x00000000007B8000-memory.dmp

memory/4988-188-0x00000000007A0000-0x00000000007AB000-memory.dmp

memory/5068-189-0x0000000000400000-0x0000000000422000-memory.dmp

memory/4316-190-0x00000000007A0000-0x00000000008A0000-memory.dmp

memory/4316-191-0x0000000002040000-0x00000000020B1000-memory.dmp

memory/4316-192-0x0000000000400000-0x0000000000517000-memory.dmp

memory/4320-193-0x0000000000550000-0x0000000000555000-memory.dmp

memory/3668-194-0x00000000009B0000-0x00000000009B6000-memory.dmp

memory/4316-195-0x00000000021D0000-0x00000000021D7000-memory.dmp

memory/4316-196-0x0000000002540000-0x0000000002940000-memory.dmp

memory/4316-197-0x0000000002540000-0x0000000002940000-memory.dmp

memory/4316-198-0x0000000002540000-0x0000000002940000-memory.dmp

memory/988-199-0x0000000000BA0000-0x0000000000BA7000-memory.dmp

memory/4316-200-0x0000000002540000-0x0000000002940000-memory.dmp

memory/3412-201-0x0000000002160000-0x00000000021B5000-memory.dmp

memory/3412-203-0x0000000000400000-0x0000000000502000-memory.dmp

memory/3412-202-0x00000000005B0000-0x00000000006B0000-memory.dmp

memory/4988-204-0x00000000007B0000-0x00000000007B8000-memory.dmp

memory/4316-205-0x0000000000400000-0x0000000000517000-memory.dmp

memory/4120-206-0x000001DED99C0000-0x000001DED99C3000-memory.dmp

memory/4316-207-0x00000000007A0000-0x00000000008A0000-memory.dmp

memory/4316-208-0x00000000024D0000-0x0000000002506000-memory.dmp

memory/4316-216-0x0000000002540000-0x0000000002940000-memory.dmp

memory/4316-215-0x00000000024D0000-0x0000000002506000-memory.dmp

memory/4316-218-0x0000000000400000-0x0000000000517000-memory.dmp

memory/4316-219-0x0000000002540000-0x0000000002940000-memory.dmp

memory/3412-220-0x0000000002160000-0x00000000021B5000-memory.dmp

memory/3412-221-0x00000000005B0000-0x00000000006B0000-memory.dmp

memory/3412-222-0x0000000000400000-0x0000000000502000-memory.dmp

memory/4120-223-0x000001DED99C0000-0x000001DED99C3000-memory.dmp

memory/4120-224-0x000001DED9C60000-0x000001DED9C67000-memory.dmp

memory/4120-225-0x00007FF4DCD80000-0x00007FF4DCEAD000-memory.dmp

memory/4120-226-0x00007FF4DCD80000-0x00007FF4DCEAD000-memory.dmp

memory/4120-227-0x00007FF4DCD80000-0x00007FF4DCEAD000-memory.dmp

memory/4120-228-0x00007FF4DCD80000-0x00007FF4DCEAD000-memory.dmp

memory/4120-229-0x00007FF4DCD80000-0x00007FF4DCEAD000-memory.dmp

memory/4120-231-0x00007FF4DCD80000-0x00007FF4DCEAD000-memory.dmp

memory/4120-233-0x00007FF4DCD80000-0x00007FF4DCEAD000-memory.dmp

memory/4120-234-0x00007FF4DCD80000-0x00007FF4DCEAD000-memory.dmp

memory/4120-235-0x00007FF4DCD80000-0x00007FF4DCEAD000-memory.dmp

memory/4120-236-0x00007FFB71A70000-0x00007FFB71C65000-memory.dmp

memory/4120-237-0x00007FF4DCD80000-0x00007FF4DCEAD000-memory.dmp

memory/4120-238-0x00007FF4DCD80000-0x00007FF4DCEAD000-memory.dmp

memory/4120-239-0x00007FF4DCD80000-0x00007FF4DCEAD000-memory.dmp

memory/4120-241-0x00007FF4DCD80000-0x00007FF4DCEAD000-memory.dmp

memory/4120-242-0x00007FF4DCD80000-0x00007FF4DCEAD000-memory.dmp

memory/4120-243-0x00007FFB71A70000-0x00007FFB71C65000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Jni(_]27.exe

MD5 7d39a3778ad4a5d5e6c7e78fc9e05a00
SHA1 2b030e3180efb06721404fa0de1fbe4998618225
SHA256 21a3bdc28c80ad2f590418c95fa8ff8c21f2e8b80166c7dea43ddc70c16bfaf9
SHA512 1a0693245d226de50eacd2c8ae0081cea3c20e8b9f6f0f0dff69468aba294c402fba321920129346528bc1d5512e6db31f551f049b95177add129dae6148cc2e

C:\Users\Admin\AppData\Local\Microsoft\Jni(_]27.exe

MD5 7d39a3778ad4a5d5e6c7e78fc9e05a00
SHA1 2b030e3180efb06721404fa0de1fbe4998618225
SHA256 21a3bdc28c80ad2f590418c95fa8ff8c21f2e8b80166c7dea43ddc70c16bfaf9
SHA512 1a0693245d226de50eacd2c8ae0081cea3c20e8b9f6f0f0dff69468aba294c402fba321920129346528bc1d5512e6db31f551f049b95177add129dae6148cc2e

C:\Users\Admin\AppData\Local\Microsoft\HY5.exe

MD5 7166d39e9c1cb17e1728d316531242b1
SHA1 d05810943685bcd70999ff0926215f5d6fe2637a
SHA256 8879a7a950a3916f5438685f994ee829a20e4c60021db73060cd078e4a72b5a7
SHA512 b377a2605a34a0fe98a1c49db7d3898e12850944c323b7a4d19c1f5e2081e688624127de529e961da530b7439813495cc254957cb2e16ffea999d943f0fc4214

C:\Users\Admin\AppData\Local\Microsoft\HY5.exe

MD5 7166d39e9c1cb17e1728d316531242b1
SHA1 d05810943685bcd70999ff0926215f5d6fe2637a
SHA256 8879a7a950a3916f5438685f994ee829a20e4c60021db73060cd078e4a72b5a7
SHA512 b377a2605a34a0fe98a1c49db7d3898e12850944c323b7a4d19c1f5e2081e688624127de529e961da530b7439813495cc254957cb2e16ffea999d943f0fc4214

C:\Users\Admin\AppData\Local\Microsoft\MOKNQohq0O.exe

MD5 16bab536f93bbf833bca053e355402ee
SHA1 8b7ccbef0fcb0edab800b6ddc0c9d302b0a03374
SHA256 b8c302a27f96d81723dae52638784519772a968b84533a793e69aab74ef08ba4
SHA512 c7f9b1f0a6034e22b61febcab103482dc613f861a987e53569a2526aba56826fd06f98fe357506fd4f2806abc7f84c3d86e2e046cdfac3539eea6e67ff9c603f

C:\Users\Admin\AppData\Local\Microsoft\MOKNQohq0O.exe

MD5 16bab536f93bbf833bca053e355402ee
SHA1 8b7ccbef0fcb0edab800b6ddc0c9d302b0a03374
SHA256 b8c302a27f96d81723dae52638784519772a968b84533a793e69aab74ef08ba4
SHA512 c7f9b1f0a6034e22b61febcab103482dc613f861a987e53569a2526aba56826fd06f98fe357506fd4f2806abc7f84c3d86e2e046cdfac3539eea6e67ff9c603f

C:\Users\Admin\AppData\Local\Microsoft\Jni(_]27.exe

MD5 7d39a3778ad4a5d5e6c7e78fc9e05a00
SHA1 2b030e3180efb06721404fa0de1fbe4998618225
SHA256 21a3bdc28c80ad2f590418c95fa8ff8c21f2e8b80166c7dea43ddc70c16bfaf9
SHA512 1a0693245d226de50eacd2c8ae0081cea3c20e8b9f6f0f0dff69468aba294c402fba321920129346528bc1d5512e6db31f551f049b95177add129dae6148cc2e

memory/3140-276-0x0000000007750000-0x0000000007766000-memory.dmp

memory/5028-277-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id[07ED5C0F-3483].[[email protected]].8base

MD5 0bd50927af09a1bcc65bbe40a754e848
SHA1 bd6fa5d74d6365e88d63dda797ebbf4e8f9b474c
SHA256 6931acd1aefb331946b74f55524490529d10eb27ea578be5d3295965388e39e0
SHA512 7a030cbcf8f44a9118f7919d201d767954969b9d65e6beb5b99b092bccb717a028bfc960f0a8db3e9348d6ae358ee3177be15c92eb965f002c6598e90787276c

C:\Users\Admin\AppData\Local\Temp\FD34.exe

MD5 7166d39e9c1cb17e1728d316531242b1
SHA1 d05810943685bcd70999ff0926215f5d6fe2637a
SHA256 8879a7a950a3916f5438685f994ee829a20e4c60021db73060cd078e4a72b5a7
SHA512 b377a2605a34a0fe98a1c49db7d3898e12850944c323b7a4d19c1f5e2081e688624127de529e961da530b7439813495cc254957cb2e16ffea999d943f0fc4214

C:\Users\Admin\AppData\Local\Temp\43.exe

MD5 16bab536f93bbf833bca053e355402ee
SHA1 8b7ccbef0fcb0edab800b6ddc0c9d302b0a03374
SHA256 b8c302a27f96d81723dae52638784519772a968b84533a793e69aab74ef08ba4
SHA512 c7f9b1f0a6034e22b61febcab103482dc613f861a987e53569a2526aba56826fd06f98fe357506fd4f2806abc7f84c3d86e2e046cdfac3539eea6e67ff9c603f

memory/1676-5746-0x0000000000E40000-0x0000000000EAB000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\cookies.sqlite.id[07ED5C0F-3483].[[email protected]].8base

MD5 05a87f2afd4c4ba5f9c852fed70390ad
SHA1 f47dc599a99b1a07036f3c0d6df243f9fb9b73f6
SHA256 e2f93150a39346b2b0e41f7d28eeec6bb156f4cb770c4bd736913f4eb213505e
SHA512 2d2f5275af1478b737b42215d427f5e919833f5a8c706e2a35aa6da2ce687636ce75fd4338ae742b06a181eb76c2e5a9e88ca8d1c04c8f32ac5b5154daccfc55

memory/3528-5989-0x0000000000770000-0x000000000077C000-memory.dmp

memory/3324-5988-0x0000000000400000-0x00000000004E3000-memory.dmp