Malware Analysis Report

2024-10-16 05:11

Sample ID 230927-khkq4ahc8x
Target SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe
SHA256 65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636
Tags ammyyadmin flawedammyy phobos rhadamanthys smokeloader backdoor bootkit collection evasion persistence ransomware rat spyware stealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 65fcd66d75c64db0f8b7819431d77f83a421e9fd210ff6bdf74c47e7a4c39636

Threat Level: Known bad

The file SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe was found to be: Known bad.

Malicious Activity Summary

SmokeLoader

Detect rhadamanthys stealer shellcode

AmmyyAdmin payload

FlawedAmmyy RAT

Phobos

Ammyy Admin

Suspicious use of NtCreateUserProcessOtherParentProcess

Rhadamanthys

Renames multiple (312) files with added filename extension

Modifies boot configuration data using bcdedit

Deletes shadow copies

Renames multiple (346) files with added filename extension

Downloads MZ/PE file

Deletes backup catalog

Modifies Windows Firewall

Drops startup file

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Deletes itself

Adds Run key to start application

Writes to the Master Boot Record (MBR)

Drops desktop.ini file(s)

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Checks processor information in registry

outlook_office_path

Suspicious behavior: MapViewOfSection

Uses Volume Shadow Copy service COM API

Interacts with shadow copies

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

outlook_win_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-09-27 08:36

Signatures

Unsigned PE

Analysis: behavioral2

Detonation Overview

Submitted 2023-09-27 08:36
Reported 2023-09-27 08:38
Platform win10v2004-20230915-en
Max time kernel 97s
Max time network 133s

Command Line

C:\Windows\Explorer.EXE

Signatures

Ammyy Admin

rat ammyyadmin

AmmyyAdmin payload

Detect rhadamanthys stealer shellcode

FlawedAmmyy RAT

trojan flawedammyy

Phobos

ransomware phobos

Rhadamanthys

stealer rhadamanthys

SmokeLoader

trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 3092 created 3132 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe | C:\Windows\Explorer.EXE

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A

Renames multiple (346) files with added filename extension

ransomware

Deletes backup catalog

ransomware

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\35EB.tmp\svchost.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\pES[YI.exe | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\rundll32.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pES[YI = "C:\\Users\\Admin\\AppData\\Local\\pES[YI.exe" | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pES[YI = "C:\\Users\\Admin\\AppData\\Local\\pES[YI.exe" | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\$Recycle.Bin\S-1-5-21-1141987721-3945596982-3297311814-1000\desktop.ini | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-1141987721-3945596982-3297311814-1000\desktop.ini | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File opened for modification | C:\Program Files\desktop.ini | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence

Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\35EB.tmp\svchost.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hi.pak.id[7660D832-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\+NewSQLServerConnection.odc | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\demux\libreal_plugin.dll | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\DirectionalDot.png | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-96_altform-unplated_contrast-black.png | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\WideTile.scale-125.png | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVScripting.dll.id[7660D832-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_Subscription-ppd.xrm-ms.id[7660D832-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-72_altform-unplated_contrast-black.png | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sampler_zh_CN.jar.id[7660D832-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\ONBttnWD.dll.id[7660D832-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\FileAssociation\FileAssociation.targetsize-24.png | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\splashscreen.dll | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailSplashLogo.scale-400.png | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.1813.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSmallTile.contrast-white_scale-125.png | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square310x310\PaintLargeTile.scale-400.png | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-256_altform-unplated_contrast-white_devicefamily-colorfulunplated.png | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-64_altform-unplated_contrast-black.png | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\modules\dkjson.luac | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ul-oob.xrm-ms.id[7660D832-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\as90.xsl | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File created | C:\Program Files\Microsoft Office\root\rsod\excelmui.msi.16.en-us.tree.dat.id[7660D832-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailMediumTile.scale-125.png | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\ffjcext.zip | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\PersonaSpy.js | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEWDAT.DLL.id[7660D832-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-96_altform-unplated_contrast-white.png | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-36_contrast-black.png | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.resources_3.9.1.v20140825-1431.jar.id[7660D832-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hu-hu.dll | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_zh_CN.jar | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-keymap_zh_CN.jar.id[7660D832-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-ul-oob.xrm-ms.id[7660D832-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ul-oob.xrm-ms.id[7660D832-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\SplashWideTile.scale-200_contrast-black.png | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ul-phn.xrm-ms.id[7660D832-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_filter\libsepia_plugin.dll | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-100_contrast-white.png | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-localization-l1-2-0.dll | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial1-ul-oob.xrm-ms.id[7660D832-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-60_altform-unplated.png | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File created | C:\Program Files\Java\jdk1.8.0_66\jre\bin\dt_shmem.dll.id[7660D832-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-common.jar.id[7660D832-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-locale-l1-1-0.dll | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\tinytile.targetsize-256_altform-unplated_contrast-black.png | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-64_altform-unplated_contrast-white.png | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-snaptracer.xml | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\1033\BCSRuntimeRes.dll.id[7660D832-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Fonts\private\BOOKOSB.TTF | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-200_8wekyb3d8bbwe\resources.pri | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\tzmappings | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-options.jar | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Grace-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\PREVIEW.GIF.id[7660D832-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Xml.Linq.Resources.dll | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-30.png | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File created | C:\Program Files\7-Zip\Lang\nb.txt.id[7660D832-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Fonts\private\LEELAWAD.TTF | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Microsoft\X6(A({C.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Microsoft\X6(A({C.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\vds.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | C:\Windows\System32\vds.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\vds.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\F356.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\F356.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\F356.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Microsoft\X6(A({C.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\System32\vds.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\certreq.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\certreq.exe | N/A

Interacts with shadow copies

ransomware

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe | N/A
N/A | N/A | C:\Windows\system32\certreq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\X6(A({C.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Microsoft\X6(A({C.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\EC4F.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\F356.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ED0C.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5760.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\35EB.tmp\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4892 wrote to memory of 3092 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe
PID 3092 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe C:\Windows\system32\certreq.exe
PID 2324 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe
PID 3772 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Microsoft\X6(A({C.exe C:\Users\Admin\AppData\Local\Microsoft\X6(A({C.exe
PID 3772 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Microsoft\X6(A({C.exe C:\Users\Admin\AppData\Local\Microsoft\X6(A({C.exe
PID 3380 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe
PID 3380 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe
PID 2812 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe C:\Windows\system32\cmd.exe
PID 2812 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe C:\Windows\system32\cmd.exe
PID 2392 wrote to memory of 4676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3692 wrote to memory of 804 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2392 wrote to memory of 1380 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3692 wrote to memory of 4820 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3692 wrote to memory of 4936 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3692 wrote to memory of 2132 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 3692 wrote to memory of 2412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 3132 wrote to memory of 872 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\EC4F.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe"

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe

C:\Windows\system32\certreq.exe

"C:\Windows\system32\certreq.exe"

C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe

"C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe"

C:\Users\Admin\AppData\Local\Microsoft\X6(A({C.exe

"C:\Users\Admin\AppData\Local\Microsoft\X6(A({C.exe"

C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe

C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe

C:\Users\Admin\AppData\Local\Microsoft\X6(A({C.exe

C:\Users\Admin\AppData\Local\Microsoft\X6(A({C.exe

C:\Users\Admin\AppData\Local\Microsoft\X6(A({C.exe

C:\Users\Admin\AppData\Local\Microsoft\X6(A({C.exe

C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe

"C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe"

C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe

C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe

C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe

C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Users\Admin\AppData\Local\Temp\EC4F.exe

C:\Users\Admin\AppData\Local\Temp\EC4F.exe

C:\Users\Admin\AppData\Local\Temp\ED0C.exe

C:\Users\Admin\AppData\Local\Temp\ED0C.exe

C:\Users\Admin\AppData\Local\Temp\EC4F.exe

C:\Users\Admin\AppData\Local\Temp\EC4F.exe

C:\Users\Admin\AppData\Local\Temp\EC4F.exe

C:\Users\Admin\AppData\Local\Temp\EC4F.exe

C:\Users\Admin\AppData\Local\Temp\F356.exe

C:\Users\Admin\AppData\Local\Temp\F356.exe

C:\Users\Admin\AppData\Local\Temp\F356.exe

C:\Users\Admin\AppData\Local\Temp\F356.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\ED0C.exe

"C:\Users\Admin\AppData\Local\Temp\ED0C.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Local\Temp\35EB.tmp\svchost.exe

C:\Users\Admin\AppData\Local\Temp\35EB.tmp\svchost.exe -debug

C:\Windows\SYSTEM32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\35EB.tmp\aa_nts.dll",run

C:\Users\Admin\AppData\Local\Temp\5760.exe

C:\Users\Admin\AppData\Local\Temp\5760.exe

C:\Users\Admin\AppData\Local\Temp\5760.exe

C:\Users\Admin\AppData\Local\Temp\5760.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==

The -enc argument is base64-encoded UTF-16LE; it decodes to Set-MpPreference -ExclusionPath C:\ , which adds a Microsoft Defender exclusion covering the whole C: drive.

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 amxt25.xyz udp
DE 45.131.66.61:80 amxt25.xyz tcp
US 8.8.8.8:53 61.66.131.45.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 254.211.247.8.in-addr.arpa udp
US 8.8.8.8:53 servermlogs27.xyz udp
DE 45.131.66.120:80 servermlogs27.xyz tcp
US 8.8.8.8:53 gentexlog238.xyz udp
DE 185.234.72.182:80 gentexlog238.xyz tcp
US 8.8.8.8:53 120.66.131.45.in-addr.arpa udp
US 8.8.8.8:53 182.72.234.185.in-addr.arpa udp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
DE 144.76.136.153:80 transfer.sh tcp
US 8.8.8.8:53 rl.ammyy.com udp
NL 188.42.129.148:80 rl.ammyy.com tcp
DE 136.243.104.242:443 tcp
US 8.8.8.8:53 148.129.42.188.in-addr.arpa udp
US 8.8.8.8:53 242.104.243.136.in-addr.arpa udp
US 8.8.8.8:53 www.ammyy.com udp
DE 136.243.18.118:80 www.ammyy.com tcp
DE 136.243.18.118:443 www.ammyy.com tcp
US 8.8.8.8:53 118.18.243.136.in-addr.arpa udp
US 8.8.8.8:53 siliconstarfge.com udp
MO 180.94.156.61:80 siliconstarfge.com tcp
US 8.8.8.8:53 61.156.94.180.in-addr.arpa udp
US 8.8.8.8:53 9.175.53.84.in-addr.arpa udp
US 8.8.8.8:53 147.174.42.23.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\pES[YI.exe

MD5 614d1cd9e8513df074caa93ac0aeeb2e
SHA1 5a4fb3bac3521d7cb9a403dc9239a9cf1db9cd89
SHA256 3d805293a70df3a5e1e392ee05ed7b88eda054ee97072eac5590baecfc44cb74
SHA512 11f191ce52d4c3997433a4a0bcdd7d80f0da2940fb2ed87b0ed304ca39c81fc646bf56917c65be75c484db5f57c8e89754361125477d7bbde9ec8b2bfb30e289

C:\Users\Admin\AppData\Local\Microsoft\X6(A({C.exe

MD5 2931ff8f30f41984e58e2bb3d4c82000
SHA1 c71353633077fadacbe07ed6e2939262f89f9ad3
SHA256 ab0af2ff7ab695e35c31343278ef0bde960dc88554f015034eb16cad94d6a9b7
SHA512 0a807c28c1b81c348c35c379dca1185e366993288a45c176c5619cf324acca655abf81dc42683404de2f0cdc2c8781db681964188d6037a30d64ac78f45067f0

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\pES[YI.exe.log

MD5 4a911455784f74e368a4c2c7876d76f4
SHA1 a1700a0849ffb4f26671eb76da2489946b821c34
SHA256 264098e15b5b33d425f3b76e45b7976b58f917048125041135f7e60d8151108c
SHA512 4617591400409e1930195795a55e20d5f063042bb3e9fd1955099066e507b6ac8a1e3ae54cc42418e2639149b31bf7e58cd5743670d9030a15e29f14d813815d

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id[7660D832-3483].[[email protected]].8base

MD5 882601a28cc18c925d93e77f13491b54
SHA1 255324fd392e1efecdeaea6444e2bbb3b51bc39e
SHA256 c916dd961cfc3d5247651e248d5e323abdac10a0f29880b1823ce4b622fe53a0
SHA512 bd242c56b54f1be1974386797ecb4de846a4200fbf946930a14d38870c0d9e6b0dc6640e14c68ae02928d43328505bbdf8abd6ea03f582240a1fcb0b61e5600c

C:\Users\Admin\AppData\Local\Temp\EC4F.exe

MD5 614d1cd9e8513df074caa93ac0aeeb2e
SHA1 5a4fb3bac3521d7cb9a403dc9239a9cf1db9cd89
SHA256 3d805293a70df3a5e1e392ee05ed7b88eda054ee97072eac5590baecfc44cb74
SHA512 11f191ce52d4c3997433a4a0bcdd7d80f0da2940fb2ed87b0ed304ca39c81fc646bf56917c65be75c484db5f57c8e89754361125477d7bbde9ec8b2bfb30e289

C:\Users\Admin\AppData\Local\Temp\ED0C.exe

MD5 20bb118569b859e64feaaf30227e04b8
SHA1 3fb2c608529575ad4b06770e130eb9d2d0750ed7
SHA256 c1d2e8b7b961e48a1ee4877d3f527f038697e0dfcda69b8cd470900b73e1e674
SHA512 567906d7b98058ec24c1455d5167ee13127ce6739350f1f38954c01e46f96ba0851d6c88ef49a192edb53c5f759ab8663c7ac9fcc795c35db98165d11259587c

C:\Users\Admin\AppData\Local\Temp\F356.exe

MD5 a539a3b01f640912b3e70b0624d6e779
SHA1 d21349894faf0b19e292d2fe779fd25a05d347c2
SHA256 fe89c1419eb7fc7222dc3f2e6554dd4418d02d264d41853d82deb4f37173bfec
SHA512 2b6950363159d4a5748c6cd06f027512c8fcd9492a3dee78220747fc7562d54249d7a99d5f6c22e9e9fbb269fb25f8c74606252d3646d2bf13a885db8f041a26

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\F356.exe.log

MD5 4a911455784f74e368a4c2c7876d76f4
SHA1 a1700a0849ffb4f26671eb76da2489946b821c34
SHA256 264098e15b5b33d425f3b76e45b7976b58f917048125041135f7e60d8151108c
SHA512 4617591400409e1930195795a55e20d5f063042bb3e9fd1955099066e507b6ac8a1e3ae54cc42418e2639149b31bf7e58cd5743670d9030a15e29f14d813815d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x00o19f5.default-release\cookies.sqlite.id[7660D832-3483].[[email protected]].8base

MD5 a6cbd4f2473ea413fcb5d112d4e4df82
SHA1 848bfd0ff65898a8d4e8504078063bf75af45aa4
SHA256 5f8b54efde3931807a21850f5490a21d581a18a212d69018d3aab2e8d3671c3a
SHA512 4eeecfc743f2422fcd95e4923d21a9f3f0ae4809929971fba5b7700ad67f944d65070a09753a31fe0f3202c1f28600e485de1d3bc9903ecbc1c73a45764a3863

C:\Users\Admin\AppData\Local\Temp\35EB.tmp\svchost.exe

MD5 90aadf2247149996ae443e2c82af3730
SHA1 050b7eba825412b24e3f02d76d7da5ae97e10502
SHA256 ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a
SHA512 eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

C:\Users\Admin\AppData\Roaming\ushggau

MD5 a539a3b01f640912b3e70b0624d6e779
SHA1 d21349894faf0b19e292d2fe779fd25a05d347c2
SHA256 fe89c1419eb7fc7222dc3f2e6554dd4418d02d264d41853d82deb4f37173bfec
SHA512 2b6950363159d4a5748c6cd06f027512c8fcd9492a3dee78220747fc7562d54249d7a99d5f6c22e9e9fbb269fb25f8c74606252d3646d2bf13a885db8f041a26

C:\Users\Admin\AppData\Local\Temp\35EB.tmp\aa_nts.dll

MD5 480a66902e6e7cdafaa6711e8697ff8c
SHA1 6ac730962e7c1dba9e2ecc5733a506544f3c8d11
SHA256 7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5
SHA512 7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

C:\Users\Admin\AppData\Local\Temp\35EB.tmp\aa_nts.msg

MD5 3f05819f995b4dafa1b5d55ce8d1f411
SHA1 404449b79a16bfc4f64f2fd55cd73d5d27a85d71
SHA256 7e0bf0cbd06a087500a9c3b50254df3a8a2c2980921ab6a62ab1121941c80fc0
SHA512 34abb7df8b3a68e1649ff0d2762576a4d4e65da548e74b1aa65c2b82c1b89f90d053ecddac67c614ca6084dc5b2cb552949250fb70f49b536f1bcb0057717026

C:\Users\Admin\AppData\Local\Temp\5760.exe

MD5 b198acab3a32e992031632f2b99bf083
SHA1 3750f70adfd21117a123cc498002050bbe9ec37c
SHA256 97cab0037b5553b6703dcee9f9230ec7807c32348dc258ecc7dbadefb2a1e9e2
SHA512 30752cbbac2eb6448a53941e5f1717302a589c579815b9e1cf75f2f09189b828fb63c21b8d89c223ee10b479ec3c85899bc0237e5f5e3ce8ec77f48e8c683721

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\5760.exe.log

MD5 9f5d0107d96d176b1ffcd5c7e7a42dc9
SHA1 de83788e2f18629555c42a3e6fada12f70457141
SHA256 d0630b8466cebaaf92533826f6547b6f36a3c480848dc38d650acd52b522a097
SHA512 86cfaa3327b59a976ddd4a5915f3fe8c938481344fcbd10e7533b4c5003673d078756e62435940471658a03504c3bc30603204d6a133727a3f36c96d08714c61

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-27 08:36

Reported

2023-09-27 08:38

Platform

win7-20230831-en

Max time kernel

150s

Max time network

122s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detect rhadamanthys stealer shellcode

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Phobos

ransomware phobos

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2628 created 1280 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe C:\Windows\Explorer.EXE

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (312) files with added filename extension

ransomware

Deletes backup catalog

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies Windows Firewall

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\certreq.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[A8F4A2BE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\ot{G7.exe C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ot{G7 = "C:\\Users\\Admin\\AppData\\Local\\ot{G7.exe" C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows\CurrentVersion\Run\ot{G7 = "C:\\Users\\Admin\\AppData\\Local\\ot{G7.exe" C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OCC48JZO\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\9ZA6L5EC\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\S14V3QJ7\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HFUNQS4P\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-607259312-1573743425-2763420908-1000\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-607259312-1573743425-2763420908-1000\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\FZ6PR11S\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\NETWORK.ELM C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00218_.WMF C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonDown_On.png C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File created C:\Program Files\Microsoft Games\FreeCell\de-DE\FreeCell.exe.mui.id[A8F4A2BE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Updater.api.id[A8F4A2BE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01168_.WMF C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185798.WMF C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javafx-iio.dll C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\eventlog_provider.dll.id[A8F4A2BE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Vincennes.id[A8F4A2BE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\control\libnetsync_plugin.dll.id[A8F4A2BE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGACCBAR.DPV C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\SIDEBARVERTBB.DPV.id[A8F4A2BE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\clock.html C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\ShapeCollector.exe.mui C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kamchatka.id[A8F4A2BE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.commons.logging_1.1.1.v201101211721.jar.id[A8F4A2BE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.lnk C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif.id[A8F4A2BE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200279.WMF.id[A8F4A2BE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME55.CSS C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\COMBOBOX.JPG C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\La_Paz.id[A8F4A2BE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\misc\liblogger_plugin.dll.id[A8F4A2BE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00045_.WMF.id[A8F4A2BE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\js\common.js C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\libdvbsub_plugin.dll.id[A8F4A2BE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libfluidsynth_plugin.dll C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\setup.ini.id[A8F4A2BE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01563_.WMF C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME28.CSS C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\1033\EssentialMergeLetter.dotx.id[A8F4A2BE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\init.js C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.service.exsd.id[A8F4A2BE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql.nl_ja_4.4.0.v20140623020002.jar.id[A8F4A2BE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File created C:\Program Files\Microsoft Office\Office14\ONLNTCOMLIB.DLL.id[A8F4A2BE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\VDK10.RSD C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\PREVIEW.GIF.id[A8F4A2BE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Blue_Gradient.jpg C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105292.WMF.id[A8F4A2BE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_up.png C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File created C:\Program Files\Java\jre7\lib\jfr.jar.id[A8F4A2BE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\feature.xml.id[A8F4A2BE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.xml.id[A8F4A2BE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0174635.WMF C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115839.GIF C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_right.gif.id[A8F4A2BE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\zipfs.jar.id[A8F4A2BE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00234_.WMF C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART14.BDR.id[A8F4A2BE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FORM.JS.id[A8F4A2BE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\mlib_image.dll C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Aqtobe.id[A8F4A2BE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PRRTINST.WMF C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\RSSFeeds.html C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\vi.pak C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00197_.WMF.id[A8F4A2BE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay.css C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLPROXY.DLL C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\OUTDR_01.MID C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_splitter\libclone_plugin.dll.id[A8F4A2BE-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\certreq.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\certreq.exe N/A

Interacts with shadow copies

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe N/A
N/A N/A C:\Windows\system32\certreq.exe N/A
N/A N/A C:\Windows\system32\certreq.exe N/A
N/A N/A C:\Windows\system32\certreq.exe N/A
N/A N/A C:\Windows\system32\certreq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\2rYyz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\2rYyz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\2rYyz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\2rYyz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\2rYyz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\2rYyz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\2rYyz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\2rYyz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\2rYyz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\2rYyz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\2rYyz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\2rYyz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\2rYyz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\2rYyz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\2rYyz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\2rYyz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\2rYyz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\2rYyz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\2rYyz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\2rYyz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Microsoft\2rYyz.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege; LUID the sandbox did not resolve to a name) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (SeTimeZonePrivilege; LUID the sandbox did not resolve to a name) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege; LUID the sandbox did not resolve to a name) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 900 wrote to memory of 2628 (9 writes) N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe
PID 2628 wrote to memory of 2772 (6 writes) N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe C:\Windows\system32\certreq.exe
PID 1540 wrote to memory of 2964 (11 writes) N/A C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe
PID 2820 wrote to memory of 2920 (4 writes) N/A C:\Users\Admin\AppData\Local\Microsoft\2rYyz.exe C:\Users\Admin\AppData\Local\Microsoft\2rYyz.exe
PID 2820 wrote to memory of 2724 (4 writes) N/A C:\Users\Admin\AppData\Local\Microsoft\2rYyz.exe C:\Users\Admin\AppData\Local\Microsoft\2rYyz.exe
PID 2820 wrote to memory of 2876 (4 writes) N/A C:\Users\Admin\AppData\Local\Microsoft\2rYyz.exe C:\Users\Admin\AppData\Local\Microsoft\2rYyz.exe
PID 2820 wrote to memory of 1596 (4 writes) N/A C:\Users\Admin\AppData\Local\Microsoft\2rYyz.exe C:\Users\Admin\AppData\Local\Microsoft\2rYyz.exe
PID 2820 wrote to memory of 2716 (4 writes) N/A C:\Users\Admin\AppData\Local\Microsoft\2rYyz.exe C:\Users\Admin\AppData\Local\Microsoft\2rYyz.exe
PID 2820 wrote to memory of 2928 (4 writes) N/A C:\Users\Admin\AppData\Local\Microsoft\2rYyz.exe C:\Users\Admin\AppData\Local\Microsoft\2rYyz.exe
PID 2820 wrote to memory of 2888 (4 writes) N/A C:\Users\Admin\AppData\Local\Microsoft\2rYyz.exe C:\Users\Admin\AppData\Local\Microsoft\2rYyz.exe
PID 2820 wrote to memory of 3008 (4 writes) N/A C:\Users\Admin\AppData\Local\Microsoft\2rYyz.exe C:\Users\Admin\AppData\Local\Microsoft\2rYyz.exe
PID 2820 wrote to memory of 2932 (4 writes) N/A C:\Users\Admin\AppData\Local\Microsoft\2rYyz.exe C:\Users\Admin\AppData\Local\Microsoft\2rYyz.exe
PID 2820 wrote to memory of 2916 (2 writes) N/A C:\Users\Admin\AppData\Local\Microsoft\2rYyz.exe C:\Users\Admin\AppData\Local\Microsoft\2rYyz.exe
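The privilege table and the WriteProcessMemory table above carry two signals that are worth separating. The long runs of privileges enabled by WMIC.exe, vssvc.exe and wbengine.exe are those Windows binaries adjusting their own tokens at start-up and would appear in a clean run as well; the signal in the token table is SeDebugPrivilege being enabled by the sample and by the two executables it drops under the user's AppData\Local\Microsoft folder (ot{G7.exe and 2rYyz.exe). The memory-write rows then give the injection chain: each of those three binaries writes into a second instance of its own image (900 into 2628, 1540 into 2964, 2820 into ten children), and the unpacked instance of the sample writes into certreq.exe (2628 into 2772), a signed Microsoft binary, which is the process the outlook_office_path and outlook_win_path signatures later show opening the Outlook profile keys. The Python below is an added example, not part of the sandbox's output: it parses the report's own two row formats (a representative subset of the rows above, embedded inline), flags untrusted images that enabled SeDebugPrivilege, labels each write as self-injection or injection into a Windows binary, and reconstructs the PID chains. Treating everything under C:\Windows\ as trusted is a deliberate simplification for the example.

```python
import re
from collections import defaultdict

# Representative rows copied from the report's token and WriteProcessMemory tables
# (constructed subset for the example; the report repeats one row per write call).
SAMPLE_ROWS = r"""
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Microsoft\2rYyz.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
PID 900 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe
PID 2628 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe C:\Windows\system32\certreq.exe
PID 1540 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe
PID 2820 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Microsoft\2rYyz.exe C:\Users\Admin\AppData\Local\Microsoft\2rYyz.exe
PID 2820 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Microsoft\2rYyz.exe C:\Users\Admin\AppData\Local\Microsoft\2rYyz.exe
"""

TOKEN_RE = re.compile(r"^Token:\s+(\S+)\s+N/A\s+(\S+)\s+N/A$")
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)\s+N/A\s+(\S+)\s+(\S+)$")


def is_windows_image(path):
    """Simplification for the example: anything under C:\\Windows\\ counts as a trusted image."""
    return path.lower().startswith("c:\\windows\\")


def parse_rows(text):
    """Return ({image: {privileges}}, [(src_pid, dst_pid, src_image, dst_image)])."""
    privileges = defaultdict(set)
    writes, seen = [], set()
    for line in text.splitlines():
        line = line.strip()
        m = TOKEN_RE.match(line)
        if m:
            privileges[m.group(2)].add(m.group(1))
            continue
        m = WRITE_RE.match(line)
        if m:
            rec = (int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
            if rec not in seen:  # collapse the repeated per-call rows into one edge
                seen.add(rec)
                writes.append(rec)
    return privileges, writes


def untrusted_debug_images(privileges):
    """Images outside C:\\Windows\\ that enabled SeDebugPrivilege: the real signal in the token table."""
    return sorted(img for img, privs in privileges.items()
                  if "SeDebugPrivilege" in privs and not is_windows_image(img))


def classify_writes(writes):
    """Label each cross-process write by the relationship between writer and target image."""
    labels = []
    for src_pid, dst_pid, src_img, dst_img in writes:
        if src_img.lower() == dst_img.lower():
            kind = "self-injection"  # parent writing into a second instance of its own image
        elif is_windows_image(dst_img) and not is_windows_image(src_img):
            kind = "injection-into-windows-binary"
        else:
            kind = "cross-process-write"
        labels.append((src_pid, dst_pid, kind))
    return labels


def injection_chains(writes):
    """Follow writer -> target edges from every root PID down to the leaves (e.g. 900 -> 2628 -> 2772)."""
    children = defaultdict(list)
    targets = set()
    for src_pid, dst_pid, _, _ in writes:
        children[src_pid].append(dst_pid)
        targets.add(dst_pid)
    chains = []

    def walk(pid, path):
        if pid not in children:
            chains.append(path)
            return
        for child in children[pid]:
            walk(child, path + [child])

    for root in sorted(p for p in children if p not in targets):
        walk(root, [root])
    return chains


if __name__ == "__main__":
    privs, writes = parse_rows(SAMPLE_ROWS)
    for img in untrusted_debug_images(privs):
        print("SeDebugPrivilege enabled by untrusted image:", img)
    for src, dst, kind in classify_writes(writes):
        print(f"{src} -> {dst}: {kind}")
    for chain in injection_chains(writes):
        print("chain:", " -> ".join(map(str, chain)))
```

On the rows above this yields three untrusted SeDebugPrivilege images, one injection into a Windows binary (2628 into certreq.exe) and the chains 900 -> 2628 -> 2772, 1540 -> 2964 and 2820 -> each of its children; the same parser runs unchanged over the full tables if they are pasted into SAMPLE_ROWS.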

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\system32\certreq.exe N/A

Processes

Process Command line
C:\Windows\Explorer.EXE C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe"
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.2387.19648.17401.exe
C:\Windows\system32\certreq.exe "C:\Windows\system32\certreq.exe"
C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe "C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe"
C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe
C:\Users\Admin\AppData\Local\Microsoft\2rYyz.exe "C:\Users\Admin\AppData\Local\Microsoft\2rYyz.exe"
C:\Users\Admin\AppData\Local\Microsoft\2rYyz.exe C:\Users\Admin\AppData\Local\Microsoft\2rYyz.exe
C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe "C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe"
C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe
C:\Users\Admin\AppData\Local\Microsoft\2rYyz.exe C:\Users\Admin\AppData\Local\Microsoft\2rYyz.exe (9 further instances with this command line)
C:\Windows\system32\cmd.exe "C:\Windows\system32\cmd.exe"
C:\Windows\system32\cmd.exe "C:\Windows\system32\cmd.exe"
C:\Windows\system32\vssadmin.exe vssadmin delete shadows /all /quiet
C:\Windows\system32\netsh.exe netsh advfirewall set currentprofile state off
C:\Windows\system32\vssvc.exe C:\Windows\system32\vssvc.exe
C:\Windows\system32\netsh.exe netsh firewall set opmode mode=disable
C:\Windows\System32\Wbem\WMIC.exe wmic shadowcopy delete
C:\Windows\system32\bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe bcdedit /set {default} recoveryenabled no
C:\Windows\system32\wbadmin.exe wbadmin delete catalog -quiet
C:\Windows\system32\wbengine.exe "C:\Windows\system32\wbengine.exe"
C:\Windows\System32\vdsldr.exe C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\vds.exe C:\Windows\System32\vds.exe
C:\Windows\SysWOW64\mshta.exe "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"
C:\Windows\SysWOW64\mshta.exe "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"
C:\Windows\SysWOW64\mshta.exe "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"
C:\Windows\SysWOW64\mshta.exe "C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"
C:\Windows\system32\cmd.exe "C:\Windows\system32\cmd.exe"
C:\Windows\system32\vssadmin.exe vssadmin delete shadows /all /quiet
C:\Windows\System32\Wbem\WMIC.exe wmic shadowcopy delete
C:\Windows\system32\bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe bcdedit /set {default} recoveryenabled no
C:\Windows\system32\wbadmin.exe wbadmin delete catalog -quiet
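The command lines in the process list are the recovery-inhibition and firewall-tampering sequence Phobos runs from cmd.exe, and the report records it twice under separate cmd.exe instances: shadow copies are deleted two ways (vssadmin and WMI), Windows recovery and boot-failure handling are switched off with bcdedit, the backup catalog is deleted with wbadmin, and the host firewall is disabled through both the advfirewall context and the legacy firewall context so that one of the two works on any Windows version. vssvc.exe, wbengine.exe, vdsldr.exe and vds.exe in the same list are the service-side processes those commands start and are not suspicious on their own. The mshta.exe launches display the info.hta ransom note from the user's desktop, the public desktop and each drive root. The Python below is an added example, not from the report or the sandbox: it matches command lines against ATT&CK-mapped patterns (T1490 Inhibit System Recovery, T1562.004 Disable or Modify System Firewall, T1218.005 Mshta) and only returns the ransomware verdict when several distinct recovery-inhibition commands co-occur, because an administrator running vssadmin delete shadows on its own would otherwise trip the same rule. The sample list is the report's own command lines plus two benign ones, embedded inline.

```python
import re
from collections import Counter

# Command lines copied from the process list above, plus benign ones (constructed sample).
SAMPLE_COMMAND_LINES = [
    r'"C:\Windows\system32\cmd.exe"',
    "vssadmin delete shadows /all /quiet",
    "netsh advfirewall set currentprofile state off",
    "netsh firewall set opmode mode=disable",
    "wmic shadowcopy delete",
    "bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    "bcdedit /set {default} recoveryenabled no",
    "wbadmin delete catalog -quiet",
    r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"',
    r'"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"',
    r'"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"',
    r'"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"',
    r"C:\Windows\System32\vdsldr.exe -Embedding",
]

# (ATT&CK technique, description, pattern). Patterns tolerate an .exe suffix and extra arguments.
RULES = [
    ("T1490", "vssadmin deletes shadow copies",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("T1490", "WMI deletes shadow copies",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I)),
    ("T1490", "bcdedit turns off Windows recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("T1490", "bcdedit ignores boot failures",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("T1490", "wbadmin deletes the backup catalog",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I)),
    ("T1562.004", "netsh disables the firewall (advfirewall context)",
     re.compile(r"\bnetsh(\.exe)?\b.*\badvfirewall\s+set\s+\w+\s+state\s+off\b", re.I)),
    ("T1562.004", "netsh disables the firewall (legacy firewall context)",
     re.compile(r"\bnetsh(\.exe)?\b.*\bfirewall\s+set\s+opmode\b.*\bdisable\b", re.I)),
]

# mshta is handled separately because the verdict depends on where the .hta lives.
MSHTA_RE = re.compile(r'mshta(\.exe)?"?\s+"?([a-z]:\\[^"]*\.hta)"?', re.I)
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")


def evaluate(command_lines):
    """Return (technique, description, command line) for every rule that fires."""
    hits = []
    for cmd in command_lines:
        for technique, description, pattern in RULES:
            if pattern.search(cmd):
                hits.append((technique, description, cmd))
        m = MSHTA_RE.search(cmd)
        if m and not m.group(2).lower().startswith(TRUSTED_PREFIXES):
            hits.append(("T1218.005", "mshta runs an .hta outside Windows/Program Files", cmd))
    return hits


def technique_counts(hits):
    return dict(Counter(technique for technique, _, _ in hits))


def recovery_inhibited(hits, minimum_distinct=2):
    """Ransomware verdict: several different T1490 commands, not a single vssadmin call."""
    distinct = {description for technique, description, _ in hits if technique == "T1490"}
    return len(distinct) >= minimum_distinct


if __name__ == "__main__":
    hits = evaluate(SAMPLE_COMMAND_LINES)
    for technique, description, cmd in hits:
        print(f"{technique:10} {description:55} {cmd}")
    print("technique counts:", technique_counts(hits))
    print("recovery inhibited:", recovery_inhibited(hits))
```

In a real pipeline the command lines would come from process-creation telemetry and the co-occurrence window would be bounded by parent process or time; here the whole list is treated as one window, which matches how the sandbox presents it.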

Network

Country Destination Domain Proto
US 8.8.8.8:53 amxt25.xyz udp
DE 45.131.66.61:80 amxt25.xyz tcp (3 connections)

Files

memory/900-0-0x0000000000AD0000-0x0000000000CB6000-memory.dmp

memory/900-1-0x0000000074950000-0x000000007503E000-memory.dmp

memory/900-2-0x0000000000630000-0x00000000006A8000-memory.dmp

memory/900-3-0x0000000004D20000-0x0000000004D60000-memory.dmp

memory/900-4-0x0000000002250000-0x00000000022B8000-memory.dmp

memory/900-5-0x00000000022C0000-0x000000000230C000-memory.dmp

memory/2628-6-0x0000000000400000-0x0000000000473000-memory.dmp

memory/2628-7-0x0000000000400000-0x0000000000473000-memory.dmp

memory/2628-8-0x0000000000400000-0x0000000000473000-memory.dmp

memory/2628-10-0x0000000000400000-0x0000000000473000-memory.dmp

memory/2628-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2628-14-0x0000000000400000-0x0000000000473000-memory.dmp

memory/900-17-0x0000000074950000-0x000000007503E000-memory.dmp

memory/2628-16-0x0000000000400000-0x0000000000473000-memory.dmp

memory/2628-18-0x0000000000180000-0x0000000000187000-memory.dmp

memory/2628-19-0x00000000020C0000-0x00000000024C0000-memory.dmp

memory/2628-20-0x00000000020C0000-0x00000000024C0000-memory.dmp

memory/2628-21-0x00000000020C0000-0x00000000024C0000-memory.dmp

memory/2628-22-0x00000000020C0000-0x00000000024C0000-memory.dmp

memory/2772-23-0x00000000000E0000-0x00000000000E3000-memory.dmp

memory/2772-24-0x00000000000E0000-0x00000000000E3000-memory.dmp

memory/2628-25-0x00000000003C0000-0x00000000003F6000-memory.dmp

memory/2628-31-0x00000000003C0000-0x00000000003F6000-memory.dmp

memory/2628-32-0x00000000020C0000-0x00000000024C0000-memory.dmp

memory/2628-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2772-35-0x00000000002A0000-0x00000000002A7000-memory.dmp

memory/2772-36-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

memory/2772-37-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

memory/2772-38-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

memory/2772-39-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

memory/2772-41-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

memory/2772-43-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

memory/2772-44-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

memory/2772-45-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

memory/2772-46-0x0000000077750000-0x00000000778F9000-memory.dmp

memory/2772-47-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

memory/2772-48-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

memory/2772-49-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

memory/2772-50-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\ot{G7.exe (recorded 5 times during the detonation, always with the hashes below)

MD5 614d1cd9e8513df074caa93ac0aeeb2e
SHA1 5a4fb3bac3521d7cb9a403dc9239a9cf1db9cd89
SHA256 3d805293a70df3a5e1e392ee05ed7b88eda054ee97072eac5590baecfc44cb74
SHA512 11f191ce52d4c3997433a4a0bcdd7d80f0da2940fb2ed87b0ed304ca39c81fc646bf56917c65be75c484db5f57c8e89754361125477d7bbde9ec8b2bfb30e289

memory/1540-55-0x0000000000050000-0x0000000000098000-memory.dmp

memory/1540-58-0x00000000747D0000-0x0000000074EBE000-memory.dmp

memory/1540-57-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2772-54-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp

memory/1540-60-0x0000000000680000-0x00000000006B4000-memory.dmp

memory/1540-59-0x0000000001E70000-0x0000000001EB0000-memory.dmp

memory/2964-63-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2964-69-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2964-73-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2964-71-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2964-75-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2772-83-0x0000000077750000-0x00000000778F9000-memory.dmp

memory/2820-82-0x00000000003E0000-0x0000000000424000-memory.dmp

memory/2820-85-0x00000000747D0000-0x0000000074EBE000-memory.dmp

memory/2820-87-0x00000000049C0000-0x0000000004A00000-memory.dmp

memory/2964-88-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2820-86-0x0000000000430000-0x0000000000462000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\2rYyz.exe (recorded 12 times during the detonation, always with the hashes below)

MD5 2931ff8f30f41984e58e2bb3d4c82000
SHA1 c71353633077fadacbe07ed6e2939262f89f9ad3
SHA256 ab0af2ff7ab695e35c31343278ef0bde960dc88554f015034eb16cad94d6a9b7
SHA512 0a807c28c1b81c348c35c379dca1185e366993288a45c176c5619cf324acca655abf81dc42683404de2f0cdc2c8781db681964188d6037a30d64ac78f45067f0

memory/2820-99-0x00000000747D0000-0x0000000074EBE000-memory.dmp

memory/592-101-0x00000000747D0000-0x0000000074EBE000-memory.dmp

memory/592-102-0x00000000045C0000-0x0000000004600000-memory.dmp

memory/2820-84-0x0000000000260000-0x00000000002A4000-memory.dmp

memory/2964-81-0x0000000000400000-0x0000000000413000-memory.dmp

memory/1540-78-0x00000000747D0000-0x0000000074EBE000-memory.dmp

memory/2964-67-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2964-65-0x0000000000400000-0x0000000000413000-memory.dmp

memory/2964-61-0x0000000000400000-0x0000000000413000-memory.dmp

memory/592-120-0x00000000747D0000-0x0000000074EBE000-memory.dmp

memory/996-122-0x0000000000401000-0x000000000040A000-memory.dmp

memory/2772-123-0x00000000002A0000-0x00000000002A2000-memory.dmp

memory/2772-124-0x0000000077750000-0x00000000778F9000-memory.dmp

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab.id[A8F4A2BE-3483].[[email protected]].8base

MD5 2a22233409a4d4336d629f11408d44c0
SHA1 01fefacadc46178e0dd202d73ac5b1729a8234c6
SHA256 f902b1e11e728e9c4876952d7c4782e6597b4d036337e26f713fa811786bc6dc
SHA512 f1836e9cd1e914924986b5647d1bbd73e51e755c6f84e1710115268b114a942222a17bd83832e88f705e3b498ef0968deedca83bae9d6bf36e82db5b048638c1

memory/2964-361-0x0000000000400000-0x0000000000413000-memory.dmp

C:\info.hta (recorded twice during the detonation, always with the hashes below)

MD5 c5f9ec542a8671eb0e364c618de61a3e
SHA1 4a9085549050f3d411c53f87bc8a216dc0cf47a5
SHA256 e7ed417cafc275ca36eed25baab91fb431d7c6598fff5f9fdd7ad3259610159f
SHA512 19eef45225ceea8efe733b004becf8ebcf82fcc9388040d9cbd0c7588a6982ff08dccf2d68d9b345f51a1303398e3a74217209da5c5de3c9c35ff031537116fa

F:\info.hta

MD5 c5f9ec542a8671eb0e364c618de61a3e
SHA1 4a9085549050f3d411c53f87bc8a216dc0cf47a5
SHA256 e7ed417cafc275ca36eed25baab91fb431d7c6598fff5f9fdd7ad3259610159f
SHA512 19eef45225ceea8efe733b004becf8ebcf82fcc9388040d9cbd0c7588a6982ff08dccf2d68d9b345f51a1303398e3a74217209da5c5de3c9c35ff031537116fa

C:\Users\Admin\Desktop\info.hta

MD5 c5f9ec542a8671eb0e364c618de61a3e
SHA1 4a9085549050f3d411c53f87bc8a216dc0cf47a5
SHA256 e7ed417cafc275ca36eed25baab91fb431d7c6598fff5f9fdd7ad3259610159f
SHA512 19eef45225ceea8efe733b004becf8ebcf82fcc9388040d9cbd0c7588a6982ff08dccf2d68d9b345f51a1303398e3a74217209da5c5de3c9c35ff031537116fa

C:\users\public\desktop\info.hta

MD5 c5f9ec542a8671eb0e364c618de61a3e
SHA1 4a9085549050f3d411c53f87bc8a216dc0cf47a5
SHA256 e7ed417cafc275ca36eed25baab91fb431d7c6598fff5f9fdd7ad3259610159f
SHA512 19eef45225ceea8efe733b004becf8ebcf82fcc9388040d9cbd0c7588a6982ff08dccf2d68d9b345f51a1303398e3a74217209da5c5de3c9c35ff031537116fa
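The encrypted-file entry in this list shows the naming scheme that the "Renames multiple files with added filename extension" signatures in the summary refer to: the original name is kept and .id[<8 hex characters>-<4 character tag>].[<contact address>].8base is appended, where the first bracket carries the victim identifier and the second the operator's contact address (in the captured path the address was masked and appears as a placeholder, so nothing should be read into it). The ransom note info.hta is written to the user's desktop, the public desktop and the root of every drive, which is where the mshta.exe launches in the process list pick it up. The Python below is an added example, not sandbox output: it parses that naming scheme, groups encrypted files by victim id and extension so a burst of renames can be alerted on, and locates the notes. The paths are a constructed sample: the one from the report plus hypothetical files carrying the hypothetical contact address ops@example.invalid.

```python
import re
from collections import Counter

# Phobos-style name seen in the report: <original>.id[<8 hex>-<4 char tag>].[<contact>].<extension>
ENCRYPTED_RE = re.compile(
    r"^(?P<original>.+?)\.id\[(?P<victim>[0-9A-Fa-f]{8})-(?P<tag>[0-9A-Fa-f]{4})\]"
    r"\.\[(?P<contact>.+?)\]\.(?P<ext>[A-Za-z0-9]+)$"
)
NOTE_NAME = "info.hta"

# Constructed sample: the first path is the one from the report (its contact address was masked
# at capture time); the other encrypted names and the address ops@example.invalid are hypothetical.
SAMPLE_PATHS = [
    r"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab.id[A8F4A2BE-3483].[[email protected]].8base",
    r"C:\Users\Admin\Documents\budget.xlsx.id[A8F4A2BE-3483].[ops@example.invalid].8base",
    r"C:\Users\Admin\Documents\notes.txt.id[A8F4A2BE-3483].[ops@example.invalid].8base",
    r"C:\Users\Admin\Pictures\holiday.jpg.id[A8F4A2BE-3483].[ops@example.invalid].8base",
    r"C:\Users\Admin\Documents\readme.txt",
    r"C:\Users\Admin\Desktop\info.hta",
    r"C:\users\public\desktop\info.hta",
    r"C:\info.hta",
    r"F:\info.hta",
]


def file_name(path):
    return path.rsplit("\\", 1)[-1]


def parse_encrypted_name(path):
    """Split an encrypted file name into its parts, or return None for an untouched file."""
    m = ENCRYPTED_RE.match(file_name(path))
    return m.groupdict() if m else None


def rename_burst(paths, threshold):
    """Count encrypted files per (victim id, extension) and keep the groups at or above threshold.
    The victim id is constant for one infection, so the count is the blast radius of that run."""
    counts = Counter()
    for p in paths:
        info = parse_encrypted_name(p)
        if info:
            counts[(info["victim"].upper(), info["ext"].lower())] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def ransom_note_locations(paths):
    return sorted(p for p in paths if file_name(p).lower() == NOTE_NAME)


def is_drive_root_or_desktop(path):
    """The note drop locations observed in the report: a drive root or a Desktop folder."""
    folder = path.lower().rsplit("\\", 1)[0] + "\\"
    return re.fullmatch(r"[a-z]:\\", folder) is not None or folder.endswith("\\desktop\\")


if __name__ == "__main__":
    for key, n in rename_burst(SAMPLE_PATHS, threshold=3).items():
        print(f"victim id {key[0]}: {n} files renamed to .{key[1]}")
    for note in ransom_note_locations(SAMPLE_PATHS):
        where = "expected location" if is_drive_root_or_desktop(note) else "unusual location"
        print("ransom note:", note, f"({where})")
```

The threshold is a parameter because the right value depends on the telemetry window; the report's own counts (312 and 346 renamed files in the two detonations) are far above anything a user does by hand in the same period.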