Analysis Overview
SHA256
ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6
Threat Level: Known bad
The file e6f506f57365deb1b24b84eafbd9271f was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
Detect rhadamanthys stealer shellcode
Phobos
Ammyy Admin
SmokeLoader
Rhadamanthys
AmmyyAdmin payload
Deletes shadow copies
Downloads MZ/PE file
Modifies Windows Firewall
Deletes itself
Executes dropped EXE
Drops startup file
Accesses Microsoft Outlook profiles
Adds Run key to start application
Drops desktop.ini file(s)
Suspicious use of SetThreadContext
Drops file in Program Files directory
Unsigned PE
Suspicious behavior: MapViewOfSection
Uses Volume Shadow Copy service COM API
outlook_win_path
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
Suspicious use of AdjustPrivilegeToken
Interacts with shadow copies
Checks SCSI registry key(s)
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of UnmapMainImage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-13 03:53
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-13 03:53
Reported
2023-10-18 03:22
Platform
win7-20230831-en
Max time kernel
122s
Max time network
127s
Command Line
Signatures
Detect rhadamanthys stealer shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2600 created 1200 | N/A | C:\Users\Admin\AppData\Local\Temp\e6f506f57365deb1b24b84eafbd9271f.exe | C:\Windows\Explorer.EXE |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\certreq.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2800 set thread context of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\e6f506f57365deb1b24b84eafbd9271f.exe | C:\Users\Admin\AppData\Local\Temp\e6f506f57365deb1b24b84eafbd9271f.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\certreq.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\certreq.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e6f506f57365deb1b24b84eafbd9271f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e6f506f57365deb1b24b84eafbd9271f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e6f506f57365deb1b24b84eafbd9271f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e6f506f57365deb1b24b84eafbd9271f.exe | N/A |
| N/A | N/A | C:\Windows\system32\certreq.exe | N/A |
| N/A | N/A | C:\Windows\system32\certreq.exe | N/A |
| N/A | N/A | C:\Windows\system32\certreq.exe | N/A |
| N/A | N/A | C:\Windows\system32\certreq.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e6f506f57365deb1b24b84eafbd9271f.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\e6f506f57365deb1b24b84eafbd9271f.exe
"C:\Users\Admin\AppData\Local\Temp\e6f506f57365deb1b24b84eafbd9271f.exe"
C:\Users\Admin\AppData\Local\Temp\e6f506f57365deb1b24b84eafbd9271f.exe
C:\Users\Admin\AppData\Local\Temp\e6f506f57365deb1b24b84eafbd9271f.exe
C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | amxt25.xyz | udp |
| DE | 45.131.66.61:80 | amxt25.xyz | tcp |
| DE | 45.131.66.61:80 | amxt25.xyz | tcp |
| DE | 45.131.66.61:80 | amxt25.xyz | tcp |
| DE | 45.131.66.61:80 | amxt25.xyz | tcp |
Files
memory/2800-0-0x0000000000E80000-0x0000000000EFC000-memory.dmp
memory/2800-1-0x00000000743B0000-0x0000000074A9E000-memory.dmp
memory/2800-2-0x0000000000DF0000-0x0000000000E68000-memory.dmp
memory/2800-3-0x0000000004910000-0x0000000004950000-memory.dmp
memory/2800-4-0x00000000046B0000-0x0000000004718000-memory.dmp
memory/2800-5-0x0000000000510000-0x000000000055C000-memory.dmp
memory/2600-6-0x0000000000400000-0x0000000000473000-memory.dmp
memory/2600-7-0x0000000000400000-0x0000000000473000-memory.dmp
memory/2600-8-0x0000000000400000-0x0000000000473000-memory.dmp
memory/2600-10-0x0000000000400000-0x0000000000473000-memory.dmp
memory/2600-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2600-14-0x0000000000400000-0x0000000000473000-memory.dmp
memory/2600-16-0x0000000000400000-0x0000000000473000-memory.dmp
memory/2800-17-0x00000000743B0000-0x0000000074A9E000-memory.dmp
memory/2600-18-0x0000000000140000-0x0000000000147000-memory.dmp
memory/2600-19-0x0000000002300000-0x0000000002700000-memory.dmp
memory/2600-20-0x0000000002300000-0x0000000002700000-memory.dmp
memory/2600-21-0x0000000002300000-0x0000000002700000-memory.dmp
memory/2600-22-0x0000000002300000-0x0000000002700000-memory.dmp
memory/2600-23-0x0000000002300000-0x0000000002700000-memory.dmp
memory/2520-24-0x0000000000060000-0x0000000000063000-memory.dmp
memory/2600-25-0x0000000000230000-0x0000000000266000-memory.dmp
memory/2520-31-0x0000000000060000-0x0000000000063000-memory.dmp
memory/2600-32-0x0000000000230000-0x0000000000266000-memory.dmp
memory/2600-33-0x0000000002300000-0x0000000002700000-memory.dmp
memory/2600-34-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2520-36-0x00000000001A0000-0x00000000001A7000-memory.dmp
memory/2520-38-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp
memory/2520-37-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp
memory/2520-39-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp
memory/2520-40-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp
memory/2520-42-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp
memory/2520-44-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp
memory/2520-45-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp
memory/2520-46-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp
memory/2520-47-0x00000000771B0000-0x0000000077359000-memory.dmp
memory/2520-48-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp
memory/2520-49-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp
memory/2520-50-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp
memory/2520-51-0x00000000771B0000-0x0000000077359000-memory.dmp
memory/2520-52-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp
memory/2520-53-0x000007FFFFE80000-0x000007FFFFFAF000-memory.dmp
memory/2520-54-0x00000000001A0000-0x00000000001A2000-memory.dmp
memory/2520-55-0x00000000771B0000-0x0000000077359000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-13 03:53
Reported
2023-10-18 03:22
Platform
win10v2004-20230915-en
Max time kernel
151s
Max time network
158s
Command Line
Signatures
Ammyy Admin
AmmyyAdmin payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detect rhadamanthys stealer shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Phobos
Rhadamanthys
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 3360 created 3180 | N/A | C:\Users\Admin\AppData\Local\Temp\e6f506f57365deb1b24b84eafbd9271f.exe | C:\Windows\Explorer.EXE |
Deletes shadow copies
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\certreq.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\FC4D.exe | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
Executes dropped EXE
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FC4D = "C:\\Users\\Admin\\AppData\\Local\\FC4D.exe" | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FC4D = "C:\\Users\\Admin\\AppData\\Local\\FC4D.exe" | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-919254492-3979293997-764407192-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-919254492-3979293997-764407192-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File opened for modification | C:\Program Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1576 set thread context of 3360 | N/A | C:\Users\Admin\AppData\Local\Temp\e6f506f57365deb1b24b84eafbd9271f.exe | C:\Users\Admin\AppData\Local\Temp\e6f506f57365deb1b24b84eafbd9271f.exe |
| PID 1624 set thread context of 3232 | N/A | C:\Users\Admin\AppData\Local\Microsoft\-%7_Yf`Ls3.exe | C:\Users\Admin\AppData\Local\Microsoft\-%7_Yf`Ls3.exe |
| PID 1000 set thread context of 4828 | N/A | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | C:\Users\Admin\AppData\Local\Temp\FC4D.exe |
| PID 3692 set thread context of 4640 | N/A | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | C:\Users\Admin\AppData\Local\Temp\FC4D.exe |
| PID 2384 set thread context of 4420 | N/A | C:\Users\Admin\AppData\Local\Temp\FD57.exe | C:\Users\Admin\AppData\Local\Temp\FD57.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\7-Zip\Lang\uk.txt | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-conio-l1-1-0.dll.id[BA1C0A8A-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ja-JP\ShapeCollector.exe.mui | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\ado\msadox.dll | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ru.pak.id[BA1C0A8A-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File created | C:\Program Files\7-Zip\Lang\bn.txt.id[BA1C0A8A-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File created | C:\Program Files\7-Zip\Lang\it.txt.id[BA1C0A8A-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_heb.xml | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrome.7z.id[BA1C0A8A-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[BA1C0A8A-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\it-IT\sqloledb.rll.mui | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-heap-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\fr-FR\wab32res.dll.mui | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\bg.pak | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\bg.pak.id[BA1C0A8A-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\cs.pak | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\external_extensions.json | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File created | C:\Program Files\7-Zip\7-zip.dll.id[BA1C0A8A-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File created | C:\Program Files\7-Zip\7z.sfx.id[BA1C0A8A-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zCon.sfx | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages.man.id[BA1C0A8A-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVCatalog.dll | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\az.txt | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\vccorlib140.dll | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipTsf.dll.mui | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fi-fi.dll | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-tw.dll | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.tr-tr.dll.id[BA1C0A8A-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ar-SA\tipresx.dll.mui | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fr-CA\tipresx.dll.mui | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\it-IT\ShapeCollector.exe.mui | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ku.txt | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.he-il.dll | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\msxactps.dll | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\sq.txt | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.he-il.dll.id[BA1C0A8A-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\ado\adovbs.inc | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\fr-FR\msdaremr.dll.mui | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ms.pak | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\vi.txt | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-locale-l1-1-0.dll.id[BA1C0A8A-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\ucrtbase.dll | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipscht.xml | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File created | C:\Program Files\7-Zip\Lang\mk.txt.id[BA1C0A8A-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ba.txt | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File created | C:\Program Files\7-Zip\Lang\si.txt.id[BA1C0A8A-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\it-IT\InputPersonalization.exe.mui | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\es-ES\msaddsr.dll.mui | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File created | C:\Program Files\7-Zip\Lang\sq.txt.id[BA1C0A8A-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nl-nl.dll | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File created | C:\Program Files\7-Zip\Lang\nl.txt.id[BA1C0A8A-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0.dll.id[BA1C0A8A-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\sr-spc.txt | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\Ole DB\sqloledb.rll | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\eo.txt | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File created | C:\Program Files\7-Zip\Lang\ta.txt.id[BA1C0A8A-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\tt.txt | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\gu.txt | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ms.txt | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ug.txt | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.de-de.dll.id[BA1C0A8A-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Services\verisign.bmp | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Microsoft\-%7_Yf`Ls3.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Microsoft\-%7_Yf`Ls3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Microsoft\-%7_Yf`Ls3.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\certreq.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\certreq.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e6f506f57365deb1b24b84eafbd9271f.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Microsoft\J3F$.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Microsoft\-%7_Yf`Ls3.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\FD57.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\FC4D.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\e6f506f57365deb1b24b84eafbd9271f.exe
"C:\Users\Admin\AppData\Local\Temp\e6f506f57365deb1b24b84eafbd9271f.exe"
C:\Users\Admin\AppData\Local\Temp\e6f506f57365deb1b24b84eafbd9271f.exe
C:\Users\Admin\AppData\Local\Temp\e6f506f57365deb1b24b84eafbd9271f.exe
C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
C:\Users\Admin\AppData\Local\Microsoft\J3F$.exe
"C:\Users\Admin\AppData\Local\Microsoft\J3F$.exe"
C:\Users\Admin\AppData\Local\Microsoft\J3F$.exe
C:\Users\Admin\AppData\Local\Microsoft\J3F$.exe
C:\Users\Admin\AppData\Local\Microsoft\-%7_Yf`Ls3.exe
"C:\Users\Admin\AppData\Local\Microsoft\-%7_Yf`Ls3.exe"
C:\Users\Admin\AppData\Local\Microsoft\J3F$.exe
C:\Users\Admin\AppData\Local\Microsoft\J3F$.exe
C:\Users\Admin\AppData\Local\Microsoft\J3F$.exe
C:\Users\Admin\AppData\Local\Microsoft\J3F$.exe
C:\Users\Admin\AppData\Local\Microsoft\J3F$.exe
C:\Users\Admin\AppData\Local\Microsoft\J3F$.exe
C:\Users\Admin\AppData\Local\Microsoft\J3F$.exe
C:\Users\Admin\AppData\Local\Microsoft\J3F$.exe
C:\Users\Admin\AppData\Local\Microsoft\J3F$.exe
C:\Users\Admin\AppData\Local\Microsoft\J3F$.exe
C:\Users\Admin\AppData\Local\Microsoft\J3F$.exe
C:\Users\Admin\AppData\Local\Microsoft\J3F$.exe
C:\Users\Admin\AppData\Local\Microsoft\J3F$.exe
C:\Users\Admin\AppData\Local\Microsoft\J3F$.exe
C:\Users\Admin\AppData\Local\Microsoft\J3F$.exe
C:\Users\Admin\AppData\Local\Microsoft\J3F$.exe
C:\Users\Admin\AppData\Local\Microsoft\J3F$.exe
C:\Users\Admin\AppData\Local\Microsoft\J3F$.exe
C:\Users\Admin\AppData\Local\Microsoft\-%7_Yf`Ls3.exe
C:\Users\Admin\AppData\Local\Microsoft\-%7_Yf`Ls3.exe
C:\Users\Admin\AppData\Local\Temp\FC4D.exe
C:\Users\Admin\AppData\Local\Temp\FC4D.exe
C:\Users\Admin\AppData\Local\Temp\FD57.exe
C:\Users\Admin\AppData\Local\Temp\FD57.exe
C:\Users\Admin\AppData\Local\Temp\FC4D.exe
C:\Users\Admin\AppData\Local\Temp\FC4D.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Local\Temp\FC4D.exe
"C:\Users\Admin\AppData\Local\Temp\FC4D.exe"
C:\Users\Admin\AppData\Local\Temp\FC4D.exe
C:\Users\Admin\AppData\Local\Temp\FC4D.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Local\Temp\FD57.exe
"C:\Users\Admin\AppData\Local\Temp\FD57.exe"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Local\Temp\FD57.exe
"C:\Users\Admin\AppData\Local\Temp\FD57.exe"
C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Local\Temp\3ACD.tmp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\3ACD.tmp\svchost.exe -debug
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | amxt25.xyz | udp |
| DE | 45.131.66.61:80 | amxt25.xyz | tcp |
| US | 8.8.8.8:53 | 61.66.131.45.in-addr.arpa | udp |
| DE | 45.131.66.61:80 | amxt25.xyz | tcp |
| DE | 45.131.66.61:80 | amxt25.xyz | tcp |
| DE | 45.131.66.61:80 | amxt25.xyz | tcp |
| US | 8.8.8.8:53 | servermlogs27.xyz | udp |
| DE | 45.131.66.120:80 | servermlogs27.xyz | tcp |
| US | 8.8.8.8:53 | zamned17.xyz | udp |
| DE | 5.182.207.92:80 | zamned17.xyz | tcp |
| US | 8.8.8.8:53 | 120.66.131.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.207.182.5.in-addr.arpa | udp |
| DE | 45.131.66.120:80 | servermlogs27.xyz | tcp |
| DE | 45.131.66.120:80 | servermlogs27.xyz | tcp |
| US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp |
Files
memory/1576-0-0x0000000074480000-0x0000000074C30000-memory.dmp
memory/1576-1-0x0000000000430000-0x00000000004AC000-memory.dmp
memory/1576-2-0x00000000053D0000-0x0000000005974000-memory.dmp
memory/1576-3-0x0000000004E90000-0x0000000004F08000-memory.dmp
memory/1576-4-0x0000000004FE0000-0x0000000004FF0000-memory.dmp
memory/1576-5-0x0000000074480000-0x0000000074C30000-memory.dmp
memory/1576-6-0x0000000004FE0000-0x0000000004FF0000-memory.dmp
memory/1576-7-0x0000000004F10000-0x0000000004F78000-memory.dmp
memory/1576-8-0x0000000004F90000-0x0000000004FDC000-memory.dmp
memory/3360-9-0x0000000000400000-0x0000000000473000-memory.dmp
memory/3360-12-0x0000000000400000-0x0000000000473000-memory.dmp
memory/3360-13-0x0000000000400000-0x0000000000473000-memory.dmp
memory/1576-14-0x0000000074480000-0x0000000074C30000-memory.dmp
memory/3360-15-0x0000000001560000-0x0000000001567000-memory.dmp
memory/3360-16-0x00000000032F0000-0x00000000036F0000-memory.dmp
memory/3360-17-0x00000000032F0000-0x00000000036F0000-memory.dmp
memory/3360-18-0x00000000032F0000-0x00000000036F0000-memory.dmp
memory/3360-19-0x00000000032F0000-0x00000000036F0000-memory.dmp
memory/3360-20-0x0000000000400000-0x0000000000473000-memory.dmp
memory/3360-21-0x00000000032F0000-0x00000000036F0000-memory.dmp
memory/3360-22-0x00000000032F0000-0x00000000036F0000-memory.dmp
memory/4484-23-0x000001D6896A0000-0x000001D6896A3000-memory.dmp
memory/3360-24-0x0000000004070000-0x00000000040A6000-memory.dmp
memory/3360-31-0x00000000032F0000-0x00000000036F0000-memory.dmp
memory/3360-30-0x0000000004070000-0x00000000040A6000-memory.dmp
memory/3360-32-0x0000000000400000-0x0000000000473000-memory.dmp
memory/3360-33-0x00000000032F0000-0x00000000036F0000-memory.dmp
memory/4484-34-0x000001D6896A0000-0x000001D6896A3000-memory.dmp
memory/4484-35-0x000001D68B750000-0x000001D68B757000-memory.dmp
memory/4484-36-0x00007FF46BE20000-0x00007FF46BF4F000-memory.dmp
memory/4484-37-0x00007FF46BE20000-0x00007FF46BF4F000-memory.dmp
memory/4484-38-0x00007FF46BE20000-0x00007FF46BF4F000-memory.dmp
memory/4484-39-0x00007FF46BE20000-0x00007FF46BF4F000-memory.dmp
memory/4484-40-0x00007FF46BE20000-0x00007FF46BF4F000-memory.dmp
memory/4484-42-0x00007FF46BE20000-0x00007FF46BF4F000-memory.dmp
memory/4484-44-0x00007FF46BE20000-0x00007FF46BF4F000-memory.dmp
memory/4484-45-0x00007FF46BE20000-0x00007FF46BF4F000-memory.dmp
memory/4484-46-0x00007FF46BE20000-0x00007FF46BF4F000-memory.dmp
memory/4484-47-0x00007FFBF7F90000-0x00007FFBF8185000-memory.dmp
memory/4484-48-0x00007FF46BE20000-0x00007FF46BF4F000-memory.dmp
memory/4484-49-0x00007FF46BE20000-0x00007FF46BF4F000-memory.dmp
memory/4484-50-0x00007FF46BE20000-0x00007FF46BF4F000-memory.dmp
memory/4484-51-0x00007FF46BE20000-0x00007FF46BF4F000-memory.dmp
memory/4484-52-0x00007FF46BE20000-0x00007FF46BF4F000-memory.dmp
memory/4484-53-0x00007FFBF7F90000-0x00007FFBF8185000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\J3F$.exe
| MD5 | 2544c951135bba7846e943cf22a7eb59 |
| SHA1 | 099bf354174088d2c0cf68638bb441be60d7775f |
| SHA256 | 14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9 |
| SHA512 | e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff |
C:\Users\Admin\AppData\Local\Microsoft\J3F$.exe
| MD5 | 2544c951135bba7846e943cf22a7eb59 |
| SHA1 | 099bf354174088d2c0cf68638bb441be60d7775f |
| SHA256 | 14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9 |
| SHA512 | e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff |
memory/5060-57-0x0000000000860000-0x00000000008A0000-memory.dmp
memory/5060-58-0x0000000074480000-0x0000000074C30000-memory.dmp
memory/5060-60-0x0000000002CE0000-0x0000000002D1E000-memory.dmp
memory/5060-62-0x0000000005130000-0x000000000515C000-memory.dmp
memory/5060-61-0x0000000002D30000-0x0000000002D40000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\J3F$.exe
| MD5 | 2544c951135bba7846e943cf22a7eb59 |
| SHA1 | 099bf354174088d2c0cf68638bb441be60d7775f |
| SHA256 | 14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9 |
| SHA512 | e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff |
C:\Users\Admin\AppData\Local\Microsoft\J3F$.exe
| MD5 | 2544c951135bba7846e943cf22a7eb59 |
| SHA1 | 099bf354174088d2c0cf68638bb441be60d7775f |
| SHA256 | 14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9 |
| SHA512 | e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff |
C:\Users\Admin\AppData\Local\Microsoft\-%7_Yf`Ls3.exe
| MD5 | 4a97cfd7be5c68006c2e09dd71343ecd |
| SHA1 | db5d13f2768a73eb8f72fe08575c9911b49abfc5 |
| SHA256 | 5a7d72de3bb021b832bc1de6cd53e0b1202950b95d16bb6d197302d7714eb24e |
| SHA512 | a7143c491ccb8506d257d45aeadc7bb37b3965c8f325d0e0275d333e9827caecb766391e0cfdc4d9674804b35bcfc554cf6f41672d139e8d5af42b4e3dc569e9 |
C:\Users\Admin\AppData\Local\Microsoft\J3F$.exe
| MD5 | 2544c951135bba7846e943cf22a7eb59 |
| SHA1 | 099bf354174088d2c0cf68638bb441be60d7775f |
| SHA256 | 14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9 |
| SHA512 | e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff |
C:\Users\Admin\AppData\Local\Microsoft\J3F$.exe
| MD5 | 2544c951135bba7846e943cf22a7eb59 |
| SHA1 | 099bf354174088d2c0cf68638bb441be60d7775f |
| SHA256 | 14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9 |
| SHA512 | e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff |
C:\Users\Admin\AppData\Local\Microsoft\J3F$.exe
| MD5 | 2544c951135bba7846e943cf22a7eb59 |
| SHA1 | 099bf354174088d2c0cf68638bb441be60d7775f |
| SHA256 | 14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9 |
| SHA512 | e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff |
C:\Users\Admin\AppData\Local\Microsoft\J3F$.exe
| MD5 | 2544c951135bba7846e943cf22a7eb59 |
| SHA1 | 099bf354174088d2c0cf68638bb441be60d7775f |
| SHA256 | 14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9 |
| SHA512 | e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff |
memory/1624-76-0x0000000000FD0000-0x0000000001038000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\J3F$.exe
| MD5 | 2544c951135bba7846e943cf22a7eb59 |
| SHA1 | 099bf354174088d2c0cf68638bb441be60d7775f |
| SHA256 | 14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9 |
| SHA512 | e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff |
memory/1624-77-0x0000000074480000-0x0000000074C30000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\J3F$.exe
| MD5 | 2544c951135bba7846e943cf22a7eb59 |
| SHA1 | 099bf354174088d2c0cf68638bb441be60d7775f |
| SHA256 | 14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9 |
| SHA512 | e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff |
C:\Users\Admin\AppData\Local\Microsoft\J3F$.exe
| MD5 | 2544c951135bba7846e943cf22a7eb59 |
| SHA1 | 099bf354174088d2c0cf68638bb441be60d7775f |
| SHA256 | 14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9 |
| SHA512 | e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff |
C:\Users\Admin\AppData\Local\Microsoft\-%7_Yf`Ls3.exe
| MD5 | 4a97cfd7be5c68006c2e09dd71343ecd |
| SHA1 | db5d13f2768a73eb8f72fe08575c9911b49abfc5 |
| SHA256 | 5a7d72de3bb021b832bc1de6cd53e0b1202950b95d16bb6d197302d7714eb24e |
| SHA512 | a7143c491ccb8506d257d45aeadc7bb37b3965c8f325d0e0275d333e9827caecb766391e0cfdc4d9674804b35bcfc554cf6f41672d139e8d5af42b4e3dc569e9 |
C:\Users\Admin\AppData\Local\Microsoft\J3F$.exe
| MD5 | 2544c951135bba7846e943cf22a7eb59 |
| SHA1 | 099bf354174088d2c0cf68638bb441be60d7775f |
| SHA256 | 14eed4f96b35da8dec987d582a64b691a3be3f0f3e6a0ccab47ba4b5717969a9 |
| SHA512 | e4a44e1b0969dce3cd2181ca77ed4dce6efa2a5510ac8136309402391a2d09c2cbf78c8261a895edcdca5dcb9c28c437f63ff02d2ddea0b7a2bd49e9d1ca2bff |
memory/1624-78-0x0000000005850000-0x0000000005894000-memory.dmp
memory/5060-79-0x0000000074480000-0x0000000074C30000-memory.dmp
memory/1624-81-0x00000000058C0000-0x00000000058F2000-memory.dmp
memory/1624-80-0x0000000005950000-0x0000000005960000-memory.dmp
memory/3232-82-0x0000000000400000-0x000000000040B000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\-%7_Yf`Ls3.exe
| MD5 | 4a97cfd7be5c68006c2e09dd71343ecd |
| SHA1 | db5d13f2768a73eb8f72fe08575c9911b49abfc5 |
| SHA256 | 5a7d72de3bb021b832bc1de6cd53e0b1202950b95d16bb6d197302d7714eb24e |
| SHA512 | a7143c491ccb8506d257d45aeadc7bb37b3965c8f325d0e0275d333e9827caecb766391e0cfdc4d9674804b35bcfc554cf6f41672d139e8d5af42b4e3dc569e9 |
memory/3232-85-0x0000000000400000-0x000000000040B000-memory.dmp
memory/1624-86-0x0000000074480000-0x0000000074C30000-memory.dmp
memory/3180-87-0x0000000002D30000-0x0000000002D46000-memory.dmp
memory/3232-89-0x0000000000400000-0x000000000040B000-memory.dmp
memory/4484-91-0x000001D68B750000-0x000001D68B755000-memory.dmp
memory/4484-92-0x00007FFBF7F90000-0x00007FFBF8185000-memory.dmp
memory/3180-93-0x0000000002DD0000-0x0000000002DE0000-memory.dmp
memory/3180-95-0x0000000002DD0000-0x0000000002DE0000-memory.dmp
memory/3180-94-0x0000000002DD0000-0x0000000002DE0000-memory.dmp
memory/3180-96-0x0000000002DD0000-0x0000000002DE0000-memory.dmp
memory/3180-98-0x0000000002DD0000-0x0000000002DE0000-memory.dmp
memory/3180-97-0x0000000002D60000-0x0000000002D62000-memory.dmp
memory/3180-100-0x0000000002DD0000-0x0000000002DE0000-memory.dmp
memory/3180-102-0x0000000002DD0000-0x0000000002DE0000-memory.dmp
memory/3180-104-0x0000000002DD0000-0x0000000002DE0000-memory.dmp
memory/3180-99-0x0000000002DD0000-0x0000000002DE0000-memory.dmp
memory/3180-105-0x0000000002DD0000-0x0000000002DE0000-memory.dmp
memory/3180-106-0x0000000002D70000-0x0000000002D80000-memory.dmp
memory/3180-107-0x0000000002DD0000-0x0000000002DE0000-memory.dmp
memory/3180-108-0x0000000002DD0000-0x0000000002DE0000-memory.dmp
memory/3180-109-0x0000000002D70000-0x0000000002D80000-memory.dmp
memory/3180-112-0x0000000002DD0000-0x0000000002DE0000-memory.dmp
memory/3180-111-0x0000000002DD0000-0x0000000002DE0000-memory.dmp
memory/3180-114-0x0000000002DD0000-0x0000000002DE0000-memory.dmp
memory/3180-113-0x0000000002DD0000-0x0000000002DE0000-memory.dmp
memory/3180-110-0x0000000002DD0000-0x0000000002DE0000-memory.dmp
memory/3180-116-0x0000000002DD0000-0x0000000002DE0000-memory.dmp
memory/3180-117-0x0000000002D60000-0x0000000002D62000-memory.dmp
memory/3180-115-0x0000000002DD0000-0x0000000002DE0000-memory.dmp
memory/3180-118-0x0000000002DD0000-0x0000000002DE0000-memory.dmp
memory/3180-121-0x0000000002DD0000-0x0000000002DE0000-memory.dmp
memory/3180-122-0x0000000002DD0000-0x0000000002DE0000-memory.dmp
memory/3180-123-0x0000000002DD0000-0x0000000002DE0000-memory.dmp
memory/3180-124-0x0000000002DD0000-0x0000000002DE0000-memory.dmp
memory/3180-126-0x0000000002DD0000-0x0000000002DE0000-memory.dmp
memory/3180-120-0x0000000002DD0000-0x0000000002DE0000-memory.dmp
memory/3180-119-0x0000000002DD0000-0x0000000002DE0000-memory.dmp
memory/3180-127-0x0000000002DD0000-0x0000000002DE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FC4D.exe
| MD5 | dc78f4828dbb4c0da15f789d059d700c |
| SHA1 | c9375db9533f60612b9d4bc19965fb797e88bf6b |
| SHA256 | 8f2da1f44d85506d69b1a4573f9bb9a62a61591d284638469af67fb2591c160e |
| SHA512 | 6455549a5d58a222352c89665f0f1a2606c680cf40a4e94049dd11328239080e1b32f0ec9ef779fa8c7ba55c7774743a74d3fc263783ae7628b7905a330e7b15 |
C:\Users\Admin\AppData\Local\Temp\FC4D.exe
| MD5 | dc78f4828dbb4c0da15f789d059d700c |
| SHA1 | c9375db9533f60612b9d4bc19965fb797e88bf6b |
| SHA256 | 8f2da1f44d85506d69b1a4573f9bb9a62a61591d284638469af67fb2591c160e |
| SHA512 | 6455549a5d58a222352c89665f0f1a2606c680cf40a4e94049dd11328239080e1b32f0ec9ef779fa8c7ba55c7774743a74d3fc263783ae7628b7905a330e7b15 |
memory/1000-138-0x0000000000AC0000-0x0000000000B0E000-memory.dmp
memory/1000-139-0x0000000074480000-0x0000000074C30000-memory.dmp
memory/1000-141-0x0000000002D50000-0x0000000002D96000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FD57.exe
| MD5 | 20bb118569b859e64feaaf30227e04b8 |
| SHA1 | 3fb2c608529575ad4b06770e130eb9d2d0750ed7 |
| SHA256 | c1d2e8b7b961e48a1ee4877d3f527f038697e0dfcda69b8cd470900b73e1e674 |
| SHA512 | 567906d7b98058ec24c1455d5167ee13127ce6739350f1f38954c01e46f96ba0851d6c88ef49a192edb53c5f759ab8663c7ac9fcc795c35db98165d11259587c |
C:\Users\Admin\AppData\Local\Temp\FD57.exe
| MD5 | 20bb118569b859e64feaaf30227e04b8 |
| SHA1 | 3fb2c608529575ad4b06770e130eb9d2d0750ed7 |
| SHA256 | c1d2e8b7b961e48a1ee4877d3f527f038697e0dfcda69b8cd470900b73e1e674 |
| SHA512 | 567906d7b98058ec24c1455d5167ee13127ce6739350f1f38954c01e46f96ba0851d6c88ef49a192edb53c5f759ab8663c7ac9fcc795c35db98165d11259587c |
memory/1000-145-0x0000000005390000-0x00000000053C4000-memory.dmp
memory/2384-146-0x0000000074480000-0x0000000074C30000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FC4D.exe
| MD5 | dc78f4828dbb4c0da15f789d059d700c |
| SHA1 | c9375db9533f60612b9d4bc19965fb797e88bf6b |
| SHA256 | 8f2da1f44d85506d69b1a4573f9bb9a62a61591d284638469af67fb2591c160e |
| SHA512 | 6455549a5d58a222352c89665f0f1a2606c680cf40a4e94049dd11328239080e1b32f0ec9ef779fa8c7ba55c7774743a74d3fc263783ae7628b7905a330e7b15 |
memory/4828-148-0x0000000000400000-0x0000000000413000-memory.dmp
memory/4828-155-0x0000000000400000-0x0000000000413000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FC4D.exe
| MD5 | dc78f4828dbb4c0da15f789d059d700c |
| SHA1 | c9375db9533f60612b9d4bc19965fb797e88bf6b |
| SHA256 | 8f2da1f44d85506d69b1a4573f9bb9a62a61591d284638469af67fb2591c160e |
| SHA512 | 6455549a5d58a222352c89665f0f1a2606c680cf40a4e94049dd11328239080e1b32f0ec9ef779fa8c7ba55c7774743a74d3fc263783ae7628b7905a330e7b15 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FC4D.exe.log
| MD5 | 4a911455784f74e368a4c2c7876d76f4 |
| SHA1 | a1700a0849ffb4f26671eb76da2489946b821c34 |
| SHA256 | 264098e15b5b33d425f3b76e45b7976b58f917048125041135f7e60d8151108c |
| SHA512 | 4617591400409e1930195795a55e20d5f063042bb3e9fd1955099066e507b6ac8a1e3ae54cc42418e2639149b31bf7e58cd5743670d9030a15e29f14d813815d |
memory/3680-165-0x0000000000110000-0x000000000017B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FC4D.exe
| MD5 | dc78f4828dbb4c0da15f789d059d700c |
| SHA1 | c9375db9533f60612b9d4bc19965fb797e88bf6b |
| SHA256 | 8f2da1f44d85506d69b1a4573f9bb9a62a61591d284638469af67fb2591c160e |
| SHA512 | 6455549a5d58a222352c89665f0f1a2606c680cf40a4e94049dd11328239080e1b32f0ec9ef779fa8c7ba55c7774743a74d3fc263783ae7628b7905a330e7b15 |
memory/3812-196-0x00000000003C0000-0x00000000003CC000-memory.dmp
memory/3768-204-0x0000000000B30000-0x0000000000B3B000-memory.dmp
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\FC4D.exe
| MD5 | dc78f4828dbb4c0da15f789d059d700c |
| SHA1 | c9375db9533f60612b9d4bc19965fb797e88bf6b |
| SHA256 | 8f2da1f44d85506d69b1a4573f9bb9a62a61591d284638469af67fb2591c160e |
| SHA512 | 6455549a5d58a222352c89665f0f1a2606c680cf40a4e94049dd11328239080e1b32f0ec9ef779fa8c7ba55c7774743a74d3fc263783ae7628b7905a330e7b15 |
C:\Users\Admin\AppData\Local\Temp\FD57.exe
| MD5 | 20bb118569b859e64feaaf30227e04b8 |
| SHA1 | 3fb2c608529575ad4b06770e130eb9d2d0750ed7 |
| SHA256 | c1d2e8b7b961e48a1ee4877d3f527f038697e0dfcda69b8cd470900b73e1e674 |
| SHA512 | 567906d7b98058ec24c1455d5167ee13127ce6739350f1f38954c01e46f96ba0851d6c88ef49a192edb53c5f759ab8663c7ac9fcc795c35db98165d11259587c |
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[BA1C0A8A-3483].[[email protected]].8base
| MD5 | fa76ba670f86600da6fab06f46238640 |
| SHA1 | ebfacd2c603edd7f7eeff92a014f3c8812d5e976 |
| SHA256 | 2339fe3c788244e241c02929e9dfadaa8dbeaabb08342dc91a2558b9e19fb346 |
| SHA512 | 7a3ea301158d6b74dfc79620a861f72642660b96403374ed5e1aa08fc641aaab1c6398b4322feaff897995a5cd8e23a63db299dc94e9ad8b47bcadd30d6ce3f1 |
C:\Users\Admin\AppData\Local\Temp\3ACD.tmp\svchost.exe
| MD5 | 90aadf2247149996ae443e2c82af3730 |
| SHA1 | 050b7eba825412b24e3f02d76d7da5ae97e10502 |
| SHA256 | ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a |
| SHA512 | eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be |
C:\Users\Admin\AppData\Local\Temp\FD57.exe
| MD5 | 20bb118569b859e64feaaf30227e04b8 |
| SHA1 | 3fb2c608529575ad4b06770e130eb9d2d0750ed7 |
| SHA256 | c1d2e8b7b961e48a1ee4877d3f527f038697e0dfcda69b8cd470900b73e1e674 |
| SHA512 | 567906d7b98058ec24c1455d5167ee13127ce6739350f1f38954c01e46f96ba0851d6c88ef49a192edb53c5f759ab8663c7ac9fcc795c35db98165d11259587c |