Analysis Overview
SHA256
de5512870659824110a206fb3f960bb8dd913c981fc0eb87cf2f49159436d78b
Threat Level: Likely malicious
The file erdre gdps.7z was found to be: Likely malicious.
Malicious Activity Summary
Modifies Installed Components in the registry
Executes dropped EXE
Enumerates connected drives
Checks installed software on the system
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Modifies data under HKEY_USERS
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-18 10:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-18 10:17
Reported
2024-06-18 10:20
Platform
win10-20240404-en
Max time kernel
134s
Max time network
135s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\erdre gdps\readme"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.17.178.52.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-18 10:17
Reported
2024-06-18 10:20
Platform
win10v2004-20240508-en
Max time kernel
94s
Max time network
95s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\erdre gdps\readme"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.249.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 224.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-18 10:17
Reported
2024-06-18 10:19
Platform
win10-20240404-en
Max time kernel
99s
Max time network
101s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-L499T.tmp\erdre GDPS install.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\erdre GDPS\erdresem`s GDPS.exe | N/A |
Checks installed software on the system
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-L499T.tmp\erdre GDPS install.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-L499T.tmp\erdre GDPS install.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-L499T.tmp\erdre GDPS install.tmp | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe
"C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe"
C:\Users\Admin\AppData\Local\Temp\is-L499T.tmp\erdre GDPS install.tmp
"C:\Users\Admin\AppData\Local\Temp\is-L499T.tmp\erdre GDPS install.tmp" /SL5="$60230,775972,730112,C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe"
C:\Users\Admin\AppData\Local\Programs\erdre GDPS\erdresem`s GDPS.exe
"C:\Users\Admin\AppData\Local\Programs\erdre GDPS\erdresem`s GDPS.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\38CE.tmp\38CF.tmp\38D0.bat "C:\Users\Admin\AppData\Local\Programs\erdre GDPS\erdresem`s GDPS.exe""
C:\Windows\system32\chcp.com
chcp 1251
C:\Windows\system32\taskkill.exe
Taskkill /f /im explorer.exe
C:\Windows\system32\shutdown.exe
shutdown /r
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3af0055 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 253.15.104.51.in-addr.arpa | udp |
Files
memory/4672-0-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/4672-2-0x0000000000401000-0x00000000004A9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-L499T.tmp\erdre GDPS install.tmp
| MD5 | fe9bea77f231fb8526ce2a8a2ccd58dc |
| SHA1 | 0c502b1e730e1274e90e08b35cb5f62430db3862 |
| SHA256 | 0b91ffec7e9c97010e43860f019ce22f5378efda2b4d9761240290c907a92eb7 |
| SHA512 | c6cda66ce548c060ba89760edb6790133da38f41c9ab19563ffabd6debab463d71efa1041905acc950e415a2180e95eef63670b1ec81ccd35ea3aae01c3a3855 |
memory/4856-6-0x0000000000400000-0x00000000006F3000-memory.dmp
memory/4672-7-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/4856-8-0x0000000000400000-0x00000000006F3000-memory.dmp
memory/4672-10-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/4856-11-0x0000000000400000-0x00000000006F3000-memory.dmp
memory/4856-27-0x0000000000400000-0x00000000006F3000-memory.dmp
memory/4856-30-0x0000000000400000-0x00000000006F3000-memory.dmp
memory/4672-31-0x0000000000400000-0x00000000004C0000-memory.dmp
C:\Users\Admin\AppData\Local\Programs\erdre GDPS\erdresem`s GDPS.exe
| MD5 | 1f2cec484d93617fa81ecff025ebd981 |
| SHA1 | 2a0e9083aa48236edd47a140380b800dc56579c1 |
| SHA256 | 2aac7fa52b946aaad1e84bf0175a7568d89472e88eda1dc725081288ba2271d8 |
| SHA512 | 57c1b3aa98a0facad57e285d6552de42450df04d8c97a4cb4374bc05df80c9e63a5809a6f2c5735e77c470b2fde438d76b423326819b4c931bec6ea08501e562 |
C:\Users\Admin\AppData\Local\Temp\38CE.tmp\38CF.tmp\38D0.bat
| MD5 | d46f641fd04723e353e062eff5679ef6 |
| SHA1 | 319637221e4edaf0d59836285d065e58542afbdb |
| SHA256 | 94c2dac57889d420b04efcc085787c1e82468c1d6a283545f6b73f8989dacb74 |
| SHA512 | 9d166240aa9eb2c0197da3154914f86dd83a7188093a98f13adf8fce60d137bb77355f1f7e182a309fda14897ed76cab7e6beed2a1bc542e4729e38142dc734b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-18 10:17
Reported
2024-06-18 10:20
Platform
win10v2004-20240508-en
Max time kernel
118s
Max time network
151s
Command Line
Signatures
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-37KFB.tmp\erdre GDPS install.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Programs\erdre GDPS\erdresem`s GDPS.exe | N/A |
Checks installed software on the system
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Windows\system32\mspaint.exe | N/A |
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4124900551-4068476067-3491212533-1000\{1BE36BE8-5602-4CA8-BA76-2826415B6AC3} | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-37KFB.tmp\erdre GDPS install.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-37KFB.tmp\erdre GDPS install.tmp | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-37KFB.tmp\erdre GDPS install.tmp | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe
"C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe"
C:\Users\Admin\AppData\Local\Temp\is-37KFB.tmp\erdre GDPS install.tmp
"C:\Users\Admin\AppData\Local\Temp\is-37KFB.tmp\erdre GDPS install.tmp" /SL5="$C0066,775972,730112,C:\Users\Admin\AppData\Local\Temp\erdre gdps\erdre GDPS install.exe"
C:\Users\Admin\AppData\Local\Programs\erdre GDPS\erdresem`s GDPS.exe
"C:\Users\Admin\AppData\Local\Programs\erdre GDPS\erdresem`s GDPS.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\CEF3.tmp\CEF4.tmp\CEF5.bat "C:\Users\Admin\AppData\Local\Programs\erdre GDPS\erdresem`s GDPS.exe""
C:\Windows\system32\chcp.com
chcp 1251
C:\Windows\system32\taskkill.exe
Taskkill /f /im explorer.exe
C:\Windows\explorer.exe
explorer
C:\Windows\system32\taskkill.exe
taskkill /f /IM explorer.exe
C:\Windows\system32\calc.exe
calc
C:\Windows\system32\calc.exe
calc
C:\Windows\system32\calc.exe
calc
C:\Windows\explorer.exe
explorer
C:\Windows\system32\calc.exe
calc
C:\Windows\system32\calc.exe
calc
C:\Windows\system32\calc.exe
calc
C:\Windows\system32\calc.exe
calc
C:\Windows\system32\calc.exe
calc
C:\Windows\system32\calc.exe
calc
C:\Windows\system32\calc.exe
calc
C:\Windows\system32\calc.exe
calc
C:\Windows\system32\mspaint.exe
mspaint
C:\Windows\explorer.exe
explorer
C:\Windows\explorer.exe
explorer
C:\Windows\explorer.exe
explorer
C:\Windows\explorer.exe
explorer
C:\Windows\explorer.exe
explorer
C:\Windows\explorer.exe
explorer
C:\Windows\explorer.exe
explorer
C:\Windows\explorer.exe
explorer
C:\Windows\explorer.exe
explorer
C:\Windows\explorer.exe
explorer
C:\Windows\explorer.exe
explorer
C:\Windows\explorer.exe
explorer
C:\Windows\explorer.exe
explorer
C:\Windows\explorer.exe
explorer
C:\Windows\explorer.exe
explorer
C:\Windows\system32\charmap.exe
charmap
C:\Windows\system32\charmap.exe
charmap
C:\Windows\system32\charmap.exe
charmap
C:\Windows\system32\charmap.exe
charmap
C:\Windows\system32\charmap.exe
charmap
C:\Windows\system32\charmap.exe
charmap
C:\Windows\system32\charmap.exe
charmap
C:\Windows\system32\charmap.exe
charmap
C:\Windows\system32\charmap.exe
charmap
C:\Windows\system32\charmap.exe
charmap
C:\Windows\system32\charmap.exe
charmap
C:\Windows\system32\charmap.exe
charmap
C:\Windows\system32\charmap.exe
charmap
C:\Windows\system32\charmap.exe
charmap
C:\Windows\system32\charmap.exe
charmap
C:\Windows\system32\charmap.exe
charmap
C:\Windows\system32\charmap.exe
charmap
C:\Windows\system32\charmap.exe
charmap
C:\Windows\system32\charmap.exe
charmap
C:\Windows\system32\charmap.exe
charmap
C:\Windows\system32\charmap.exe
charmap
C:\Windows\system32\charmap.exe
charmap
C:\Windows\system32\charmap.exe
charmap
C:\Windows\system32\charmap.exe
charmap
C:\Windows\system32\charmap.exe
charmap
C:\Windows\system32\charmap.exe
charmap
C:\Windows\system32\charmap.exe
charmap
C:\Windows\system32\charmap.exe
charmap
C:\Windows\system32\charmap.exe
charmap
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\explorer.exe
explorer.exe
Network
Files
memory/2952-0-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/2952-2-0x0000000000401000-0x00000000004A9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-37KFB.tmp\erdre GDPS install.tmp
| MD5 | fe9bea77f231fb8526ce2a8a2ccd58dc |
| SHA1 | 0c502b1e730e1274e90e08b35cb5f62430db3862 |
| SHA256 | 0b91ffec7e9c97010e43860f019ce22f5378efda2b4d9761240290c907a92eb7 |
| SHA512 | c6cda66ce548c060ba89760edb6790133da38f41c9ab19563ffabd6debab463d71efa1041905acc950e415a2180e95eef63670b1ec81ccd35ea3aae01c3a3855 |
memory/5064-6-0x0000000000400000-0x00000000006F3000-memory.dmp
memory/2952-8-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/5064-9-0x0000000000400000-0x00000000006F3000-memory.dmp
memory/5064-25-0x0000000000400000-0x00000000006F3000-memory.dmp
C:\Users\Admin\AppData\Local\Programs\erdre GDPS\erdresem`s GDPS.exe
| MD5 | 1f2cec484d93617fa81ecff025ebd981 |
| SHA1 | 2a0e9083aa48236edd47a140380b800dc56579c1 |
| SHA256 | 2aac7fa52b946aaad1e84bf0175a7568d89472e88eda1dc725081288ba2271d8 |
| SHA512 | 57c1b3aa98a0facad57e285d6552de42450df04d8c97a4cb4374bc05df80c9e63a5809a6f2c5735e77c470b2fde438d76b423326819b4c931bec6ea08501e562 |
memory/5064-43-0x0000000000400000-0x00000000006F3000-memory.dmp
memory/2952-45-0x0000000000400000-0x00000000004C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CEF3.tmp\CEF4.tmp\CEF5.bat
| MD5 | d46f641fd04723e353e062eff5679ef6 |
| SHA1 | 319637221e4edaf0d59836285d065e58542afbdb |
| SHA256 | 94c2dac57889d420b04efcc085787c1e82468c1d6a283545f6b73f8989dacb74 |
| SHA512 | 9d166240aa9eb2c0197da3154914f86dd83a7188093a98f13adf8fce60d137bb77355f1f7e182a309fda14897ed76cab7e6beed2a1bc542e4729e38142dc734b |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133631796143401822.txt
| MD5 | 0255165ad57beec49a17586c484a729c |
| SHA1 | e60fc94b72aa3eb2e2a653fa5e18cbf8e4cb1ff6 |
| SHA256 | 68220a47bb7243356c3cc316d40153a0cf5c0cde2cd4dde96cb494a5bab395cd |
| SHA512 | 1f5ebbabd3d9b66553d07d5ba4e8802d51b22190f288c9679a57f7c87de1b4845d25ac540a561bc1140668ad018d41820d4520817600130b617b0b654232c1b7 |