Malware Analysis Report

2024-09-11 01:53

Sample ID 230822-kxtbsacf9z
Target f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6
SHA256 f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6
Tags
medusalocker evasion ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6

Threat Level: Known bad

The file f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6 was found to be: Known bad.

Malicious Activity Summary

medusalocker evasion ransomware spyware stealer trojan

MedusaLocker

MedusaLocker payload

Medusalocker family

UAC bypass

Deletes shadow copies

Renames multiple (292) files with added filename extension

Renames multiple (212) files with added filename extension

Executes dropped EXE

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Enumerates connected drives

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

System policy modification

Interacts with shadow copies

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Abuse Elevation Control Mechanism
T1548
Bypass User Account Control
T1548.002
Defense Evasion
TA0005
Abuse Elevation Control Mechanism
T1548
Bypass User Account Control
T1548.002
Impair Defenses
T1562
Disable or Modify Tools
T1562.001
Modify Registry
T1112
Indicator Removal
T1070
File Deletion
T1070.004
Credential Access
TA0006
Unsecured Credentials
T1552
Credentials In Files
T1552.001
Discovery
TA0007
Query Registry
T1012
Peripheral Device Discovery
T1120
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Data from Local System
T1005
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Inhibit System Recovery
T1490
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2023-08-22 08:59

Signatures

MedusaLocker payload

Description Indicator Process Target
N/A N/A N/A N/A

Medusalocker family

medusalocker

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-22 08:59

Reported

2023-08-22 09:01

Platform

win7-20230712-en

Max time kernel

128s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe"

Signatures

MedusaLocker

ransomware medusalocker

MedusaLocker payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A

Deletes shadow copies

ransomware

Renames multiple (292) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svhost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-377084978-2088738870-2818360375-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1672 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1672 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1672 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1672 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1672 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1672 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1672 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1672 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1672 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1672 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1672 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1672 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1672 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1672 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1672 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1672 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1672 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1672 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1672 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1672 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1672 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1672 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1672 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1672 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1932 wrote to memory of 700 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\svhost.exe
PID 1932 wrote to memory of 700 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\svhost.exe
PID 1932 wrote to memory of 700 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\svhost.exe
PID 1932 wrote to memory of 700 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\svhost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe

"C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe"

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\taskeng.exe

taskeng.exe {8CCA3037-236A-4B2C-9E86-632F4EAB3BEE} S-1-5-21-377084978-2088738870-2818360375-1000:DSWJWADP\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\svhost.exe

C:\Users\Admin\AppData\Roaming\svhost.exe

Network

N/A

Files

\Device\HarddiskVolume1\Boot\!-Recovery_Instructions-!.html

MD5 99467eb98de371babdbe9cee761cf284
SHA1 ec87fc4de92d7040423519ffef1a7c09be99a634
SHA256 801df5118773e0c596cba8e32104395f379a360f2269aada1ececcc1ee798d08
SHA512 84c57cb75c23f38cf249756730c556b1ddb5851942f1007c41bef4fa9810121111c04b804d5a83f5703601c4c8efffa48f591fb9e0f1b648d17b6276772997c5

C:\Users\Default\NTUSER.DAT.LOG2

MD5 bf28a2aa65489f10d7ef27c3d1639cb1
SHA1 afa3dc07647b5dbcbf55f49c844fe032757a4f40
SHA256 66146d18939d4ec6cc65a8ee0f295a71ea956adad90111ede169a8d73aa48257
SHA512 e12b1475d9c0dbec15955e3a01882d76f96f7d3cace8b03cb54f3cf5b2c221ad24c6073c745c6a4f15d7dcf9708e40efba70c7bef8ebf6449447ad3be174a488

C:\Users\Admin\AppData\Roaming\svhost.exe

MD5 bb442cfc088a89e0c353ed20fb8cbf8b
SHA1 1477ae595f2fb3cf7ffdee788b748db253236d0c
SHA256 f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6
SHA512 ea2b42aa7e9aab775cf607ba0e5034edde3b07a1d913109337cd32bff4f45f6d054e434ccbccdc5a0dbf6901db7431d279c11f8dd8b1b56af1f84dfc3006f5e4

C:\Users\Admin\AppData\Roaming\svhost.exe

MD5 bb442cfc088a89e0c353ed20fb8cbf8b
SHA1 1477ae595f2fb3cf7ffdee788b748db253236d0c
SHA256 f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6
SHA512 ea2b42aa7e9aab775cf607ba0e5034edde3b07a1d913109337cd32bff4f45f6d054e434ccbccdc5a0dbf6901db7431d279c11f8dd8b1b56af1f84dfc3006f5e4

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-22 08:59

Reported

2023-08-22 09:01

Platform

win10v2004-20230703-en

Max time kernel

141s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe"

Signatures

MedusaLocker

ransomware medusalocker

MedusaLocker payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A

Renames multiple (212) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svhost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-3011986978-2180659500-3669311805-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4080 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 4080 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 4080 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 4080 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 4080 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 4080 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 4080 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 4080 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 4080 wrote to memory of 3796 N/A C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe C:\Windows\SysWOW64\Wbem\wmic.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe

"C:\Users\Admin\AppData\Local\Temp\f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6.exe"

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Users\Admin\AppData\Roaming\svhost.exe

C:\Users\Admin\AppData\Roaming\svhost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 254.22.238.8.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 126.138.241.8.in-addr.arpa udp
US 8.8.8.8:53 233.141.123.20.in-addr.arpa udp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp

Files

\Device\HarddiskVolume1\Boot\!-Recovery_Instructions-!.html

MD5 02eca0ee7c4020c9f5ea9cf83b7b2497
SHA1 c7ef78a88b7fb08b98cce40737a16c602c4518b2
SHA256 72a1ceb5411c3c0f7c508f3c48442f899e5ada65166207ba79cfbb9bb121c217
SHA512 deda04a62c1b473a0ab99ecbc7ba1a3d99e3dd3df6ceadfab8ee939b982a489f7cd3fec915b99c3227f0411c3ac2d71339c2100aa946c0077d751872495eacab

C:\Users\Default\ntuser.dat.LOG2

MD5 3ce3caec9f015e6bbc450d82983101e9
SHA1 da80ff8f91b1a3d9e39ccef3313b5243845872af
SHA256 a40f589d7365cead930f8176b30ef34aab8879a3ecd38b5ce7d3e017ea74736b
SHA512 da71741b1793086fc83413ae8e90176bc0ea52bc9bf65d79eb37043872b59c59119cee22fa1090ddad69b4fafce75417b0f571fb6251b8f9c76b2de4d5be29f2

C:\Users\Admin\AppData\Roaming\svhost.exe

MD5 bb442cfc088a89e0c353ed20fb8cbf8b
SHA1 1477ae595f2fb3cf7ffdee788b748db253236d0c
SHA256 f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6
SHA512 ea2b42aa7e9aab775cf607ba0e5034edde3b07a1d913109337cd32bff4f45f6d054e434ccbccdc5a0dbf6901db7431d279c11f8dd8b1b56af1f84dfc3006f5e4

C:\Users\Admin\AppData\Roaming\svhost.exe

MD5 bb442cfc088a89e0c353ed20fb8cbf8b
SHA1 1477ae595f2fb3cf7ffdee788b748db253236d0c
SHA256 f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6
SHA512 ea2b42aa7e9aab775cf607ba0e5034edde3b07a1d913109337cd32bff4f45f6d054e434ccbccdc5a0dbf6901db7431d279c11f8dd8b1b56af1f84dfc3006f5e4