Malware Analysis Report

2024-11-16 12:19

Sample ID 230715-dlzk4ahg8y
Target 5bbcdfba8af427d876d09a5aae8fbfae449d8a596cfbdfdda0bb3afdea7f6cde
SHA256 5bbcdfba8af427d876d09a5aae8fbfae449d8a596cfbdfdda0bb3afdea7f6cde
Tags
lumma phobos rhadamanthys smokeloader systembc summ backdoor collection discovery evasion persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5bbcdfba8af427d876d09a5aae8fbfae449d8a596cfbdfdda0bb3afdea7f6cde

Threat Level: Known bad

The file 5bbcdfba8af427d876d09a5aae8fbfae449d8a596cfbdfdda0bb3afdea7f6cde was found to be: Known bad.

Malicious Activity Summary

lumma phobos rhadamanthys smokeloader systembc summ backdoor collection discovery evasion persistence ransomware spyware stealer trojan

SmokeLoader

Suspicious use of NtCreateUserProcessOtherParentProcess

Phobos

Rhadamanthys

Lumma Stealer

SystemBC

Detect rhadamanthys stealer shellcode

Renames multiple (317) files with added filename extension

Deletes shadow copies

Modifies boot configuration data using bcdedit

Modifies Windows Firewall

Downloads MZ/PE file

Deletes backup catalog

Drops startup file

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Executes dropped EXE

Checks installed software on the system

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

Drops file in Program Files directory

Program crash

Unsigned PE

Checks SCSI registry key(s)

outlook_win_path

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious behavior: GetForegroundWindowSpam

Interacts with shadow copies

outlook_office_path

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Uses Volume Shadow Copy service COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-15 03:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-15 03:06

Reported

2023-07-15 03:09

Platform

win10v2004-20230703-en

Max time kernel

150s

Max time network

154s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detect rhadamanthys stealer shellcode

Description Indicator Process Target
N/A N/A N/A N/A (7 hits; no indicator detail recorded for any of them)

Lumma Stealer

stealer lumma

Phobos

ransomware phobos

Rhadamanthys

stealer rhadamanthys

SmokeLoader

trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 3116 created 3156 N/A C:\Users\Admin\AppData\Local\Temp\DA7.exe C:\Windows\Explorer.EXE

SystemBC

trojan systembc

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (317) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\p8[{jcb007.exe C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\p8[{jcb007 = "C:\\Users\\Admin\\AppData\\Local\\p8[{jcb007.exe" C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\p8[{jcb007 = "C:\\Users\\Admin\\AppData\\Local\\p8[{jcb007.exe" C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
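The two Run values and the Startup-folder copy above are this sample's persistence. A detail worth checking before cleanup: both Run values launch C:\Users\Admin\AppData\Local\p8[{jcb007.exe, the process that wrote them runs from C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe, and the Startup copy is a third path under Roaming, so a responder has at least three on-disk copies to collect, not one. The script below is an added example and not part of the sandbox report: it parses the three rows (constructed input, copied from the tables), normalizes the sandbox's \REGISTRY\MACHINE and \REGISTRY\USER\<SID> notation to HKLM and HKU, strips the \??\ prefix and the doubled backslashes printed inside string values, and reports each location, what it launches, and whether that file is the writer itself.

```python
import re

# Constructed input: the three persistence rows from this report's
# "Adds Run key to start application" and "Drops startup file" tables.
PERSISTENCE_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\p8[{jcb007 = "C:\\Users\\Admin\\AppData\\Local\\p8[{jcb007.exe" C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\p8[{jcb007 = "C:\\Users\\Admin\\AppData\\Local\\p8[{jcb007.exe" C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\p8[{jcb007.exe C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
"""

# "Set value (<type>) <key>\<value name> = "<data>" <writing process> N/A"
SET_VALUE_RE = re.compile(
    r'^Set value \((?P<vtype>\w+)\) (?P<key>\\REGISTRY\\\S+)\\(?P<name>[^\\\s]+) = "(?P<data>.*)" (?P<proc>\S+) N/A$'
)
FILE_CREATED_RE = re.compile(r"^File created (?P<path>.+?) (?P<proc>\S+) N/A$")
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?$", re.I)
STARTUP_DIR_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+$", re.I)


def normalize_key(key):
    """\\REGISTRY\\MACHINE -> HKLM, \\REGISTRY\\USER\\<SID> -> HKU\\<SID> (the rest is unchanged)."""
    if key.upper().startswith(r"\REGISTRY\MACHINE"):
        return "HKLM" + key[len(r"\REGISTRY\MACHINE"):]
    if key.upper().startswith(r"\REGISTRY\USER"):
        return "HKU" + key[len(r"\REGISTRY\USER"):]
    return key


def normalize_path(path):
    """Drop the NT '\\??\\' prefix and collapse the doubled backslashes the sandbox prints in string data."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.replace("\\\\", "\\")


def _finding(location, launches, writer):
    return {
        "location": location,
        "launches": launches,
        "writer": writer,
        # False means the autostart points at a different copy than the one that wrote it.
        "same_file_as_writer": launches.lower() == writer.lower(),
    }


def parse_persistence(text):
    """Return one finding per Run value or Startup-folder drop found in the rows."""
    findings = []
    for line in text.strip().splitlines():
        line = line.strip()
        m = SET_VALUE_RE.match(line)
        if m and RUN_KEY_RE.search(m["key"]):
            location = normalize_key(m["key"]) + "\\" + m["name"]
            findings.append(_finding(location, normalize_path(m["data"]), m["proc"]))
            continue
        m = FILE_CREATED_RE.match(line)
        if m and STARTUP_DIR_RE.search(m["path"]):
            findings.append(_finding("Startup folder", normalize_path(m["path"]), m["proc"]))
    return findings


def collect_paths(findings):
    """Every distinct on-disk copy a responder should acquire: launch targets plus the writers."""
    return {f["launches"].lower() for f in findings} | {f["writer"].lower() for f in findings}


if __name__ == "__main__":
    found = parse_persistence(PERSISTENCE_ROWS)
    for f in found:
        print(f"{f['location']}\n    launches {f['launches']}\n    same file as writer: {f['same_file_as_writer']}")
    print("copies to collect:", *sorted(collect_paths(found)), sep="\n  ")
```

Run as a script it prints the three autostart locations and the three distinct paths to collect; none of the autostarts points at the file that wrote it, which is the mismatch described above.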

Checks installed software on the system

discovery

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-3195054982-4292022746-1467505928-1000\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3195054982-4292022746-1467505928-1000\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 228 set thread context of 760 N/A C:\Users\Admin\AppData\Local\Microsoft\9B).exe C:\Users\Admin\AppData\Local\Microsoft\9B).exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\System\Ole DB\es-ES\msdasqlr.dll.mui C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_OEM_Perp-pl.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-pl.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\fr-FR\msdaremr.dll.mui C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-threaddump.xml.id[63449BD6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-pl.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-pl.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\vccorlib140.dll.id[63449BD6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vreg\dcf.x-none.msi.16.x-none.vreg.dat C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa.id[63449BD6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\jre\lib\tzdb.dat.id[63449BD6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\help.gif.id[63449BD6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ul-phn.xrm-ms.id[63449BD6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_F_COL.HXK.id[63449BD6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PPSLAX.DLL.id[63449BD6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\rsod\officemui.msi.16.en-us.tree.dat C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-core.xml C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File created C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-private-l1-1-0.dll.id[63449BD6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-ppd.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-ppd.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ONPPTAddin.dll.id[63449BD6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\sscicons.exe.id[63449BD6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\WidescreenPresentation.potx C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-convert-l1-1-0.dll C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\cldrdata.jar.id[63449BD6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Grace-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\CSS7DATA000C.DLL.id[63449BD6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\pl\msipc.dll.mui.id[63449BD6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Unlock.png C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\jre\lib\javafx.properties.id[63449BD6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.components.ui.zh_CN_5.5.0.165303.jar.id[63449BD6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL097.XML.id[63449BD6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\System\msvcp140_1.dll C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0.dll C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\dropins\README.TXT C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.alert_5.5.0.165303.jar.id[63449BD6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-ul-phn.xrm-ms.id[63449BD6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected][63449BD6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\ja-JP\msadcer.dll.mui C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp.zh_CN_5.5.0.165303.jar.id[63449BD6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.lucene.analysis_3.5.0.v20120725-1805.jar C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-ul-oob.xrm-ms.id[63449BD6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms.id[63449BD6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub2019_eula.txt C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN090.XML.id[63449BD6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvStreamingManager.dll C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Grace-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-ppd.xrm-ms.id[63449BD6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_SubTrial-pl.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\SpreadsheetCompare.HxS.id[63449BD6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.theme.nl_zh_4.4.0.v20140623020002.jar.id[63449BD6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Bibliography\Author2XML.XSL.id[63449BD6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005 C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-100.png.id[63449BD6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBCN6.CHM C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-conio-l1-1-0.dll C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-ppd.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-ul-phn.xrm-ms.id[63449BD6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINSHELL.DLL.id[63449BD6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\MSIPCEvents.man C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
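The file rows above show the Phobos-family naming scheme this sample applies to what it encrypts: the original name followed by `.id[<8 hex characters>-<4 digits>].[<contact>].<extension>`, here with ID 63449BD6-3483 and the extension .8base, while the contact address in the second bracket pair survives on this page only as the scrubbed text `[email protected]`. The script below is an added example, not code from the sandbox report: it parses a handful of these rows (constructed input, copied from the table) and separates encrypted outputs ("File created" with the marker) from originals the process merely opened for modification, collecting the ID and extension a responder would put into a hunt. One row of the table (the `...\assets\[email protected][63449BD6-3483]...` path) lost its `.id[` boundary to the same scrubbing; the parser returns it as unparsed instead of guessing.

```python
import re
from collections import Counter

# Constructed input: rows copied from this report's "Drops file in Program Files
# directory" table. The contact inside the second bracket pair is printed as
# "[email protected]" on the page (scrubbed), so it is treated as opaque text.
FILE_ROWS = r"""
File opened for modification C:\Program Files\Common Files\System\Ole DB\es-ES\msdasqlr.dll.mui C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\jre\lib\tzdb.dat.id[63449BD6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PPSLAX.DLL.id[63449BD6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File created C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-private-l1-1-0.dll.id[63449BD6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected][63449BD6-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
"""

# "File <action> <path with spaces> <process path without spaces> N/A"
ROW_RE = re.compile(r"^File (?P<action>created|opened for modification) (?P<path>.+?) (?P<proc>\S+) N/A$")

# Phobos-family marker: <original>.id[<8 hex>-<4 digits>].[<contact>].<ext>
MARKER_RE = re.compile(
    r"^(?P<original>.+)\.id\[(?P<victim_id>[0-9A-Fa-f]{8}-\d{4})\]\.\[(?P<contact>.+?)\]\.(?P<ext>[A-Za-z0-9]+)$"
)


def parse_file_rows(text):
    """One (action, path, process) tuple per file row; other lines are skipped."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((m["action"], m["path"], m["proc"]))
    return rows


def parse_phobos_name(path):
    """Split an encrypted name into original/victim_id/contact/ext, or None when the
    marker is absent (including names whose '.id[' boundary was destroyed by scrubbing)."""
    m = MARKER_RE.match(path)
    return m.groupdict() if m else None


def summarize(rows):
    """Encrypted outputs vs. originals opened for modification, plus the IDs and
    extensions seen and any created path whose name could not be parsed."""
    result = {"encrypted": 0, "opened": 0, "victim_ids": set(), "extensions": Counter(), "unparsed": []}
    for action, path, _proc in rows:
        if action == "opened for modification":
            result["opened"] += 1  # the original, read before its encrypted twin is created
            continue
        parts = parse_phobos_name(path)
        if parts is None:
            result["unparsed"].append(path)
            continue
        result["encrypted"] += 1
        result["victim_ids"].add(parts["victim_id"].upper())
        result["extensions"][parts["ext"].lower()] += 1
    return result


if __name__ == "__main__":
    s = summarize(parse_file_rows(FILE_ROWS))
    print(f"encrypted outputs: {s['encrypted']}, originals opened: {s['opened']}")
    print("victim IDs:", sorted(s["victim_ids"]), "extensions:", dict(s["extensions"]))
    for p in s["unparsed"]:
        print("unparsed:", p)
```

The same marker regex works on a file listing taken from an affected host, which is the quicker way to size an incident than the sandbox's rename count.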

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5bbcdfba8af427d876d09a5aae8fbfae449d8a596cfbdfdda0bb3afdea7f6cde.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\9B).exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\9B).exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5bbcdfba8af427d876d09a5aae8fbfae449d8a596cfbdfdda0bb3afdea7f6cde.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5bbcdfba8af427d876d09a5aae8fbfae449d8a596cfbdfdda0bb3afdea7f6cde.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\9B).exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\certreq.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\certreq.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
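The "Deletes shadow copies", "Modifies boot configuration data using bcdedit", "Deletes backup catalog", "Modifies Windows Firewall" and "Interacts with shadow copies" signatures above name the tools (vssadmin.exe, WMIC.exe, bcdedit.exe, wbadmin.exe, netsh.exe) but print N/A for their command lines. The detection below is an added example and not part of the sandbox report: it runs process-creation rules over a constructed, Sysmon-shaped event list. The PIDs, images and parent links are the ones this report shows in its WriteProcessMemory table; the command lines are assumptions, written to match the recovery-inhibition commands publicly documented for Phobos, because the report does not capture them. The rules map to ATT&CK T1490 (Inhibit System Recovery) and T1562.004 (Impair Defenses: Disable or Modify System Firewall), and a verdict is raised only when several distinct recovery-inhibition tools run under one ancestor, which is what separates this chain from an administrator running a single vssadmin command.

```python
import re
from collections import defaultdict

# Constructed input (Sysmon-like). PIDs, images and parent links come from this
# report; command lines are ASSUMED typical Phobos commands, not captured output.
# The report's second bcdedit row and its wbadmin row carry no PID and are omitted.
EVENTS = [
    {"pid": 4828, "ppid": None, "image": r"C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe", "cmdline": ""},
    {"pid": 4244, "ppid": 4828, "image": r"C:\Windows\system32\cmd.exe", "cmdline": ""},
    {"pid": 1664, "ppid": 4828, "image": r"C:\Windows\system32\cmd.exe", "cmdline": ""},
    {"pid": 4896, "ppid": 4244, "image": r"C:\Windows\system32\vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"pid": 2836, "ppid": 4244, "image": r"C:\Windows\System32\Wbem\WMIC.exe", "cmdline": "wmic shadowcopy delete"},
    {"pid": 1508, "ppid": 4244, "image": r"C:\Windows\system32\bcdedit.exe", "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 1564, "ppid": 1664, "image": r"C:\Windows\system32\netsh.exe", "cmdline": "netsh advfirewall set currentprofile state off"},
    {"pid": 3424, "ppid": 1664, "image": r"C:\Windows\system32\netsh.exe", "cmdline": "netsh firewall set opmode mode=disable"},
    # Control case: an administrator listing shadow copies must not fire.
    {"pid": 7000, "ppid": 999, "image": r"C:\Windows\system32\vssadmin.exe", "cmdline": "vssadmin list shadows"},
]

# (image basename, command-line pattern, ATT&CK technique, short description)
RULES = [
    ("vssadmin.exe", r"\bdelete\s+shadows\b", "T1490", "vssadmin delete shadows"),
    ("wmic.exe", r"\bshadowcopy\s+delete\b", "T1490", "wmic shadowcopy delete"),
    ("bcdedit.exe", r"\brecoveryenabled\s+no\b", "T1490", "bcdedit recoveryenabled no"),
    ("bcdedit.exe", r"\bbootstatuspolicy\s+ignoreallfailures\b", "T1490", "bcdedit bootstatuspolicy ignoreallfailures"),
    ("wbadmin.exe", r"\bdelete\s+catalog\b", "T1490", "wbadmin delete catalog"),
    ("netsh.exe", r"\badvfirewall\s+set\s+\w+\s+state\s+off\b", "T1562.004", "netsh advfirewall state off"),
    ("netsh.exe", r"\bfirewall\s+set\s+opmode\s+mode=disable\b", "T1562.004", "netsh firewall opmode disable"),
]


def match_event(ev):
    """(technique, description) hits for one process-creation event."""
    name = ev["image"].rsplit("\\", 1)[-1].lower()
    cmd = (ev["cmdline"] or "").lower()
    return [(tech, desc) for img, pat, tech, desc in RULES if img == name and re.search(pat, cmd)]


def root_of(pid, parents):
    """Walk ppid links up to the top-most process we hold an event for."""
    seen = set()
    while pid in parents and parents[pid] in parents and pid not in seen:
        seen.add(pid)
        pid = parents[pid]
    return pid


def correlate(events, min_distinct=3):
    """Group hits by their common ancestor; flag ancestors with several distinct
    recovery-inhibition tools, the pattern that a one-off admin command lacks."""
    parents = {ev["pid"]: ev["ppid"] for ev in events}
    by_root = defaultdict(list)
    for ev in events:
        for tech, desc in match_event(ev):
            by_root[root_of(ev["pid"], parents)].append((ev["pid"], tech, desc))
    verdicts = {}
    for root, hits in by_root.items():
        inhibit = {desc for _p, tech, desc in hits if tech == "T1490"}
        firewall = {desc for _p, tech, desc in hits if tech == "T1562.004"}
        verdicts[root] = {
            "hits": hits,
            "inhibit_recovery_tools": sorted(inhibit),
            "firewall_tamper": sorted(firewall),
            "ransomware_pattern": len(inhibit) >= min_distinct,
        }
    return verdicts


if __name__ == "__main__":
    for root, v in correlate(EVENTS).items():
        print(f"ancestor PID {root}: ransomware pattern = {v['ransomware_pattern']}")
        for pid, tech, desc in v["hits"]:
            print(f"  {pid} {tech} {desc}")
```

Against the constructed events the only flagged ancestor is PID 4828 (p8[{jcb007.exe), with three distinct T1490 tools and two firewall changes under it; the control event produces no hit at all.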

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5bbcdfba8af427d876d09a5aae8fbfae449d8a596cfbdfdda0bb3afdea7f6cde.exe N/A (2 hits)
N/A N/A C:\Windows\Explorer.EXE N/A (62 hits)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege; numeric privilege value left unresolved by the sandbox) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (SeTimeZonePrivilege; numeric privilege value left unresolved by the sandbox) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege; numeric privilege value left unresolved by the sandbox) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 (SeDelegateSessionUserImpersonatePrivilege; numeric privilege value left unresolved by the sandbox) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege; numeric privilege value left unresolved by the sandbox) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (SeTimeZonePrivilege; numeric privilege value left unresolved by the sandbox) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege; numeric privilege value left unresolved by the sandbox) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 (SeDelegateSessionUserImpersonatePrivilege; numeric privilege value left unresolved by the sandbox) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3156 wrote to memory of 3116 (3 calls) N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\DA7.exe
PID 3156 wrote to memory of 2244 (3 calls) N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\19AE.exe
PID 3156 wrote to memory of 956 (4 calls) N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3156 wrote to memory of 4388 (3 calls) N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3156 wrote to memory of 2272 (4 calls) N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3156 wrote to memory of 5028 (3 calls) N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3156 wrote to memory of 544 (4 calls) N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3156 wrote to memory of 64 (4 calls) N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3156 wrote to memory of 4840 (4 calls) N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3156 wrote to memory of 1872 (3 calls) N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3156 wrote to memory of 2784 (4 calls) N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3116 wrote to memory of 4068 (4 calls) N/A C:\Users\Admin\AppData\Local\Temp\DA7.exe C:\Windows\system32\certreq.exe
PID 228 wrote to memory of 760 (6 calls) N/A C:\Users\Admin\AppData\Local\Microsoft\9B).exe C:\Users\Admin\AppData\Local\Microsoft\9B).exe
PID 4828 wrote to memory of 4244 (2 calls) N/A C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe C:\Windows\system32\cmd.exe
PID 4828 wrote to memory of 1664 (2 calls) N/A C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe C:\Windows\system32\cmd.exe
PID 1664 wrote to memory of 1564 (2 calls) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4244 wrote to memory of 4896 (2 calls) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4244 wrote to memory of 2836 (2 calls) N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1664 wrote to memory of 3424 (2 calls) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4244 wrote to memory of 1508 (2 calls) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4244 wrote to memory of 1940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\system32\certreq.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\5bbcdfba8af427d876d09a5aae8fbfae449d8a596cfbdfdda0bb3afdea7f6cde.exe

"C:\Users\Admin\AppData\Local\Temp\5bbcdfba8af427d876d09a5aae8fbfae449d8a596cfbdfdda0bb3afdea7f6cde.exe"

C:\Users\Admin\AppData\Local\Temp\DA7.exe

C:\Users\Admin\AppData\Local\Temp\DA7.exe

C:\Users\Admin\AppData\Local\Temp\19AE.exe

C:\Users\Admin\AppData\Local\Temp\19AE.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\certreq.exe

"C:\Windows\system32\certreq.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3116 -ip 3116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 704

C:\Users\Admin\AppData\Local\Microsoft\9B).exe

"C:\Users\Admin\AppData\Local\Microsoft\9B).exe"

C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe

"C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe"

C:\Users\Admin\AppData\Local\Microsoft\$VK.exe

"C:\Users\Admin\AppData\Local\Microsoft\$VK.exe"

C:\Users\Admin\AppData\Local\Microsoft\9B).exe

"C:\Users\Admin\AppData\Local\Microsoft\9B).exe"

C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe

"C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4520 -ip 4520

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 460

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2244 -ip 2244

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 1228

C:\Users\Admin\AppData\Local\Temp\8B6F.exe

C:\Users\Admin\AppData\Local\Temp\8B6F.exe

C:\Users\Admin\AppData\Local\Temp\8E01.exe

C:\Users\Admin\AppData\Local\Temp\8E01.exe

C:\Users\Admin\AppData\Local\Temp\95C2.exe

C:\Users\Admin\AppData\Local\Temp\95C2.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1228 -ip 1228

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 164

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 254.178.238.8.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 76.214.17.2.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 stalagmijesarl.com udp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 31.153.50.194.in-addr.arpa udp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
US 8.8.8.8:53 admxlogs25.xyz udp
EE 46.36.218.224:80 admxlogs25.xyz tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
US 8.8.8.8:53 224.218.36.46.in-addr.arpa udp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
US 8.8.8.8:53 github.com udp
US 140.82.113.3:443 github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
US 8.8.8.8:53 3.113.82.140.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
N/A 194.50.153.31:80 stalagmijesarl.com tcp
US 8.8.8.8:53 gstatic-node.io udp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 8.8.8.8:53 admlogs195.xyz udp
EE 46.36.219.3:80 admlogs195.xyz tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 8.8.8.8:53 3.219.36.46.in-addr.arpa udp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
EE 46.36.219.3:80 admlogs195.xyz tcp
US 188.114.96.0:80 gstatic-node.io tcp
EE 46.36.219.3:80 admlogs195.xyz tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 188.114.96.0:80 gstatic-node.io tcp
US 8.8.8.8:53 serverxlogs21.xyz udp
DE 45.131.66.120:80 serverxlogs21.xyz tcp
US 8.8.8.8:53 120.66.131.45.in-addr.arpa udp
US 8.8.8.8:53 cexsad917.xyz udp
EE 46.36.218.224:80 cexsad917.xyz tcp
US 8.8.8.8:53 liiala0j.beget.tech udp
RU 5.101.152.100:80 liiala0j.beget.tech tcp
US 8.8.8.8:53 100.152.101.5.in-addr.arpa udp
DE 45.131.66.120:80 serverxlogs21.xyz tcp
US 185.244.48.81:80 185.244.48.81 tcp
US 8.8.8.8:53 81.48.244.185.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp

Files

memory/1212-134-0x00000000006E0000-0x00000000007E0000-memory.dmp

memory/1212-135-0x0000000000690000-0x0000000000699000-memory.dmp

memory/1212-136-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/1212-137-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/1212-141-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/3156-138-0x0000000000C10000-0x0000000000C26000-memory.dmp

memory/1212-142-0x0000000000690000-0x0000000000699000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DA7.exe

MD5 11715c27335a026129dfc1695ebc8888
SHA1 0ffaa4f65fbf2bc0750b972621f37c787b0231e2
SHA256 c4c5c296ff9dd8f2518960f5521747335c5a457e3cb0be2eee0bf8bcf8f64482
SHA512 f7743e16fa619a90cb2c216bc46e2f3b10973e2d3aeb81be27d284e52758cc6fd204dc0babef2bfd01e8bfdc12e70c35dd0f50472f06635f489d2db8060b1220

C:\Users\Admin\AppData\Local\Temp\DA7.exe

MD5 11715c27335a026129dfc1695ebc8888
SHA1 0ffaa4f65fbf2bc0750b972621f37c787b0231e2
SHA256 c4c5c296ff9dd8f2518960f5521747335c5a457e3cb0be2eee0bf8bcf8f64482
SHA512 f7743e16fa619a90cb2c216bc46e2f3b10973e2d3aeb81be27d284e52758cc6fd204dc0babef2bfd01e8bfdc12e70c35dd0f50472f06635f489d2db8060b1220

C:\Users\Admin\AppData\Local\Temp\19AE.exe

MD5 6d35d4cb11e99f8645441b0f1f96da3d
SHA1 3b6e12da0c1c37d38db867ab6330ace34461c56a
SHA256 9066d830ae21197499f19a044054b0ea96f5be17cbb246714e15f36f32312204
SHA512 01b5b75ce608f55f70c6471bb20f0a248116ef902f4bd602b5cf11fed747e0af9b811fbe74d393895672806f2b525900c6cef0ce889229d27032683a5e591aa4

C:\Users\Admin\AppData\Local\Temp\19AE.exe

MD5 6d35d4cb11e99f8645441b0f1f96da3d
SHA1 3b6e12da0c1c37d38db867ab6330ace34461c56a
SHA256 9066d830ae21197499f19a044054b0ea96f5be17cbb246714e15f36f32312204
SHA512 01b5b75ce608f55f70c6471bb20f0a248116ef902f4bd602b5cf11fed747e0af9b811fbe74d393895672806f2b525900c6cef0ce889229d27032683a5e591aa4

memory/956-160-0x0000000001020000-0x0000000001027000-memory.dmp

memory/956-161-0x0000000001010000-0x000000000101B000-memory.dmp

memory/956-162-0x0000000001010000-0x000000000101B000-memory.dmp

memory/4388-163-0x00000000003C0000-0x00000000003CF000-memory.dmp

memory/4388-164-0x00000000003D0000-0x00000000003D9000-memory.dmp

memory/4388-165-0x00000000003C0000-0x00000000003CF000-memory.dmp

memory/2272-166-0x0000000000FE0000-0x0000000000FE9000-memory.dmp

memory/2272-167-0x0000000000FF0000-0x0000000001000000-memory.dmp

memory/2272-168-0x0000000000FE0000-0x0000000000FE9000-memory.dmp

memory/5028-169-0x0000000000930000-0x000000000093C000-memory.dmp

memory/5028-170-0x0000000000940000-0x0000000000946000-memory.dmp

memory/5028-171-0x0000000000930000-0x000000000093C000-memory.dmp

memory/544-172-0x0000000000D30000-0x0000000000D57000-memory.dmp

memory/544-173-0x0000000000D60000-0x0000000000D82000-memory.dmp

memory/956-175-0x0000000001020000-0x0000000001027000-memory.dmp

memory/544-174-0x0000000000D30000-0x0000000000D57000-memory.dmp

memory/64-176-0x0000000000330000-0x0000000000339000-memory.dmp

memory/64-177-0x0000000000340000-0x0000000000345000-memory.dmp

memory/4840-178-0x0000000000D30000-0x0000000000D3B000-memory.dmp

memory/4388-179-0x00000000003D0000-0x00000000003D9000-memory.dmp

memory/4840-180-0x0000000000D40000-0x0000000000D46000-memory.dmp

memory/4840-181-0x0000000000D30000-0x0000000000D3B000-memory.dmp

memory/2272-183-0x0000000000FF0000-0x0000000001000000-memory.dmp

memory/1872-182-0x0000000000EF0000-0x0000000000EFD000-memory.dmp

memory/1872-184-0x0000000000F00000-0x0000000000F07000-memory.dmp

memory/1872-185-0x0000000000EF0000-0x0000000000EFD000-memory.dmp

memory/5028-186-0x0000000000940000-0x0000000000946000-memory.dmp

memory/3116-187-0x0000000000730000-0x0000000000830000-memory.dmp

memory/3116-189-0x0000000000400000-0x0000000000517000-memory.dmp

memory/3116-188-0x00000000021D0000-0x0000000002241000-memory.dmp

memory/2784-191-0x0000000000660000-0x000000000066B000-memory.dmp

memory/544-190-0x0000000000D60000-0x0000000000D82000-memory.dmp

memory/2784-192-0x0000000000670000-0x0000000000678000-memory.dmp

memory/2784-193-0x0000000000660000-0x000000000066B000-memory.dmp

memory/64-194-0x0000000000330000-0x0000000000339000-memory.dmp

memory/3116-195-0x00000000006C0000-0x00000000006C7000-memory.dmp

memory/3116-196-0x00000000024E0000-0x00000000028E0000-memory.dmp

memory/3116-197-0x00000000024E0000-0x00000000028E0000-memory.dmp

memory/3116-198-0x00000000024E0000-0x00000000028E0000-memory.dmp

memory/4840-199-0x0000000000D40000-0x0000000000D46000-memory.dmp

memory/3116-200-0x00000000024E0000-0x00000000028E0000-memory.dmp

memory/1872-201-0x0000000000F00000-0x0000000000F07000-memory.dmp

memory/2244-202-0x0000000000530000-0x0000000000630000-memory.dmp

memory/2244-204-0x0000000002110000-0x0000000002165000-memory.dmp

memory/2244-203-0x0000000000400000-0x0000000000502000-memory.dmp

memory/3116-205-0x0000000000730000-0x0000000000830000-memory.dmp

memory/3116-206-0x0000000000400000-0x0000000000517000-memory.dmp

memory/4068-207-0x000001965E320000-0x000001965E323000-memory.dmp

memory/2784-208-0x0000000000670000-0x0000000000678000-memory.dmp

memory/3116-210-0x0000000003220000-0x0000000003256000-memory.dmp

memory/3116-216-0x0000000003220000-0x0000000003256000-memory.dmp

memory/3116-217-0x00000000024E0000-0x00000000028E0000-memory.dmp

memory/3116-218-0x00000000024E0000-0x00000000028E0000-memory.dmp

memory/3116-220-0x0000000000400000-0x0000000000517000-memory.dmp

memory/3116-221-0x00000000024E0000-0x00000000028E0000-memory.dmp

memory/2244-222-0x0000000000400000-0x0000000000502000-memory.dmp

memory/2244-223-0x0000000000530000-0x0000000000630000-memory.dmp

memory/4068-225-0x000001965E320000-0x000001965E323000-memory.dmp

memory/4068-226-0x000001965E5C0000-0x000001965E5C7000-memory.dmp

memory/4068-227-0x00007FF4AF3F0000-0x00007FF4AF51D000-memory.dmp

memory/4068-228-0x00007FF4AF3F0000-0x00007FF4AF51D000-memory.dmp

memory/4068-229-0x00007FF4AF3F0000-0x00007FF4AF51D000-memory.dmp

memory/4068-230-0x00007FF4AF3F0000-0x00007FF4AF51D000-memory.dmp

memory/4068-232-0x00007FF4AF3F0000-0x00007FF4AF51D000-memory.dmp

memory/4068-231-0x00007FF4AF3F0000-0x00007FF4AF51D000-memory.dmp

memory/4068-234-0x00007FF4AF3F0000-0x00007FF4AF51D000-memory.dmp

memory/4068-235-0x00007FF4AF3F0000-0x00007FF4AF51D000-memory.dmp

memory/4068-236-0x00007FF4AF3F0000-0x00007FF4AF51D000-memory.dmp

memory/4068-237-0x00007FFB00F70000-0x00007FFB01165000-memory.dmp

memory/4068-238-0x00007FF4AF3F0000-0x00007FF4AF51D000-memory.dmp

memory/4068-239-0x00007FF4AF3F0000-0x00007FF4AF51D000-memory.dmp

memory/4068-240-0x00007FF4AF3F0000-0x00007FF4AF51D000-memory.dmp

memory/4068-241-0x00007FF4AF3F0000-0x00007FF4AF51D000-memory.dmp

memory/4068-243-0x00007FF4AF3F0000-0x00007FF4AF51D000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\9B).exe

MD5 7d39a3778ad4a5d5e6c7e78fc9e05a00
SHA1 2b030e3180efb06721404fa0de1fbe4998618225
SHA256 21a3bdc28c80ad2f590418c95fa8ff8c21f2e8b80166c7dea43ddc70c16bfaf9
SHA512 1a0693245d226de50eacd2c8ae0081cea3c20e8b9f6f0f0dff69468aba294c402fba321920129346528bc1d5512e6db31f551f049b95177add129dae6148cc2e

C:\Users\Admin\AppData\Local\Microsoft\9B).exe

MD5 7d39a3778ad4a5d5e6c7e78fc9e05a00
SHA1 2b030e3180efb06721404fa0de1fbe4998618225
SHA256 21a3bdc28c80ad2f590418c95fa8ff8c21f2e8b80166c7dea43ddc70c16bfaf9
SHA512 1a0693245d226de50eacd2c8ae0081cea3c20e8b9f6f0f0dff69468aba294c402fba321920129346528bc1d5512e6db31f551f049b95177add129dae6148cc2e

memory/4068-249-0x00007FFB00F70000-0x00007FFB01165000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe

MD5 7166d39e9c1cb17e1728d316531242b1
SHA1 d05810943685bcd70999ff0926215f5d6fe2637a
SHA256 8879a7a950a3916f5438685f994ee829a20e4c60021db73060cd078e4a72b5a7
SHA512 b377a2605a34a0fe98a1c49db7d3898e12850944c323b7a4d19c1f5e2081e688624127de529e961da530b7439813495cc254957cb2e16ffea999d943f0fc4214

C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe

MD5 7166d39e9c1cb17e1728d316531242b1
SHA1 d05810943685bcd70999ff0926215f5d6fe2637a
SHA256 8879a7a950a3916f5438685f994ee829a20e4c60021db73060cd078e4a72b5a7
SHA512 b377a2605a34a0fe98a1c49db7d3898e12850944c323b7a4d19c1f5e2081e688624127de529e961da530b7439813495cc254957cb2e16ffea999d943f0fc4214

C:\Users\Admin\AppData\Local\Microsoft\$VK.exe

MD5 16bab536f93bbf833bca053e355402ee
SHA1 8b7ccbef0fcb0edab800b6ddc0c9d302b0a03374
SHA256 b8c302a27f96d81723dae52638784519772a968b84533a793e69aab74ef08ba4
SHA512 c7f9b1f0a6034e22b61febcab103482dc613f861a987e53569a2526aba56826fd06f98fe357506fd4f2806abc7f84c3d86e2e046cdfac3539eea6e67ff9c603f

C:\Users\Admin\AppData\Local\Microsoft\$VK.exe

MD5 16bab536f93bbf833bca053e355402ee
SHA1 8b7ccbef0fcb0edab800b6ddc0c9d302b0a03374
SHA256 b8c302a27f96d81723dae52638784519772a968b84533a793e69aab74ef08ba4
SHA512 c7f9b1f0a6034e22b61febcab103482dc613f861a987e53569a2526aba56826fd06f98fe357506fd4f2806abc7f84c3d86e2e046cdfac3539eea6e67ff9c603f

memory/4068-258-0x000001965E5C0000-0x000001965E5C5000-memory.dmp

memory/4068-259-0x00007FFB00F70000-0x00007FFB01165000-memory.dmp

memory/228-261-0x00000000005C0000-0x00000000006C0000-memory.dmp

memory/228-262-0x00000000020F0000-0x00000000020F9000-memory.dmp

memory/760-263-0x0000000000400000-0x0000000000409000-memory.dmp

memory/760-265-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\9B).exe

MD5 7d39a3778ad4a5d5e6c7e78fc9e05a00
SHA1 2b030e3180efb06721404fa0de1fbe4998618225
SHA256 21a3bdc28c80ad2f590418c95fa8ff8c21f2e8b80166c7dea43ddc70c16bfaf9
SHA512 1a0693245d226de50eacd2c8ae0081cea3c20e8b9f6f0f0dff69468aba294c402fba321920129346528bc1d5512e6db31f551f049b95177add129dae6148cc2e

memory/4828-267-0x0000000000530000-0x000000000053F000-memory.dmp

memory/4828-268-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/4828-266-0x0000000000540000-0x0000000000640000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\p8[{jcb007.exe

MD5 7166d39e9c1cb17e1728d316531242b1
SHA1 d05810943685bcd70999ff0926215f5d6fe2637a
SHA256 8879a7a950a3916f5438685f994ee829a20e4c60021db73060cd078e4a72b5a7
SHA512 b377a2605a34a0fe98a1c49db7d3898e12850944c323b7a4d19c1f5e2081e688624127de529e961da530b7439813495cc254957cb2e16ffea999d943f0fc4214

memory/3052-271-0x00000000005D0000-0x00000000006D0000-memory.dmp

memory/3052-272-0x0000000000580000-0x0000000000585000-memory.dmp

memory/3052-273-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/3156-276-0x0000000007FD0000-0x0000000007FE6000-memory.dmp

memory/760-277-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[63449BD6-3483].[[email protected]].8base

MD5 78cfd4772d616d3693de3b210961d17f
SHA1 3ca8352bcb7d30713aa84a5956198f616c3281d2
SHA256 6bf2544950a63ee05c645467a8af59b9be55f59517b68cb732aaf337951fedb8
SHA512 6abbf02043c8db7924bf44856310b888c08b5b13bf16e87483e97cd9c65c40b6c89a0bce5074a525694a1c45248c14dabf8bb0fc7ae70d8c430b606132a88bd4

memory/4828-574-0x0000000000540000-0x0000000000640000-memory.dmp

memory/4828-817-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/3052-859-0x00000000005D0000-0x00000000006D0000-memory.dmp

memory/4828-1855-0x0000000000400000-0x00000000004E3000-memory.dmp

memory/4520-2425-0x0000000000670000-0x0000000000770000-memory.dmp

memory/4520-2436-0x0000000000530000-0x000000000053F000-memory.dmp

memory/2244-4000-0x0000000000400000-0x0000000000502000-memory.dmp

memory/4828-4027-0x0000000000400000-0x00000000004E3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8B6F.exe

MD5 7166d39e9c1cb17e1728d316531242b1
SHA1 d05810943685bcd70999ff0926215f5d6fe2637a
SHA256 8879a7a950a3916f5438685f994ee829a20e4c60021db73060cd078e4a72b5a7
SHA512 b377a2605a34a0fe98a1c49db7d3898e12850944c323b7a4d19c1f5e2081e688624127de529e961da530b7439813495cc254957cb2e16ffea999d943f0fc4214

C:\Users\Admin\AppData\Local\Temp\8B6F.exe

MD5 7166d39e9c1cb17e1728d316531242b1
SHA1 d05810943685bcd70999ff0926215f5d6fe2637a
SHA256 8879a7a950a3916f5438685f994ee829a20e4c60021db73060cd078e4a72b5a7
SHA512 b377a2605a34a0fe98a1c49db7d3898e12850944c323b7a4d19c1f5e2081e688624127de529e961da530b7439813495cc254957cb2e16ffea999d943f0fc4214

C:\Users\Admin\AppData\Local\Temp\8B6F.exe

MD5 7166d39e9c1cb17e1728d316531242b1
SHA1 d05810943685bcd70999ff0926215f5d6fe2637a
SHA256 8879a7a950a3916f5438685f994ee829a20e4c60021db73060cd078e4a72b5a7
SHA512 b377a2605a34a0fe98a1c49db7d3898e12850944c323b7a4d19c1f5e2081e688624127de529e961da530b7439813495cc254957cb2e16ffea999d943f0fc4214

C:\Users\Admin\AppData\Local\Temp\8E01.exe

MD5 16bab536f93bbf833bca053e355402ee
SHA1 8b7ccbef0fcb0edab800b6ddc0c9d302b0a03374
SHA256 b8c302a27f96d81723dae52638784519772a968b84533a793e69aab74ef08ba4
SHA512 c7f9b1f0a6034e22b61febcab103482dc613f861a987e53569a2526aba56826fd06f98fe357506fd4f2806abc7f84c3d86e2e046cdfac3539eea6e67ff9c603f

C:\Users\Admin\AppData\Local\Temp\8E01.exe

MD5 16bab536f93bbf833bca053e355402ee
SHA1 8b7ccbef0fcb0edab800b6ddc0c9d302b0a03374
SHA256 b8c302a27f96d81723dae52638784519772a968b84533a793e69aab74ef08ba4
SHA512 c7f9b1f0a6034e22b61febcab103482dc613f861a987e53569a2526aba56826fd06f98fe357506fd4f2806abc7f84c3d86e2e046cdfac3539eea6e67ff9c603f

memory/4828-5697-0x0000000000400000-0x00000000004E3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\95C2.exe

MD5 4a9777a2bf4fa6e8945a0b48dfac8108
SHA1 36777152e87eb30a58e4b22430888ee0b065864e
SHA256 67e2316b799a36c92f468f339002f1b3e1c2a984c1fbff5a73f0659a13209ad8
SHA512 ddc703fbcf4909e65395a5911404c08991c03d234295d4e24484d92648e6b2e8a99fdafd8851b45e29d77c0e8aba0a4b0fc0c709ebbdee9939712fcc476a897a

C:\Users\Admin\AppData\Local\Temp\95C2.exe

MD5 4a9777a2bf4fa6e8945a0b48dfac8108
SHA1 36777152e87eb30a58e4b22430888ee0b065864e
SHA256 67e2316b799a36c92f468f339002f1b3e1c2a984c1fbff5a73f0659a13209ad8
SHA512 ddc703fbcf4909e65395a5911404c08991c03d234295d4e24484d92648e6b2e8a99fdafd8851b45e29d77c0e8aba0a4b0fc0c709ebbdee9939712fcc476a897a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ob0k9snf.default-release\cookies.sqlite.id[63449BD6-3483].[[email protected]].8base

MD5 aa80792c0b4eb2e6ba4c7e6211786c47
SHA1 aef9f11f45fa1a235b6f62b18551e2ad3cbadd9e
SHA256 c05df34a54e7ca3a9510b5e3849bf42746aeb4f5f45ef065e2faa8f1c3805966
SHA512 d6ce8d982b0d00ceae3f6075a0bb8a71f935cdc191e4cfa9cf9896cd6e47442b3c61a711501867fa30b64ece4c89862630819bef54b1e9132e5dad99e68e9bf7

C:\ProgramData\JKJECBAA

MD5 da6f6947237f7f9902d3b9ee78c045c0
SHA1 492a79734456f81be28b4875feb107420a840a46
SHA256 603604a1810fac25ae925cbddbc1c0bf212a7fbbfefa95fec40e09bff96f70c6
SHA512 fd76772b420b13eee0c783ff042eec6145237f6a186c7a843c837781bfbffa772fafb9eef24e1b9202f4b95d93b7865c25a2dc51b98a87a716bc2679c8db6ab0

C:\ProgramData\AAAAECGH

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571