Malware Analysis Report

2024-08-06 14:44

Sample ID: 240627-sn6vhsxcmf
Target: 167cc413faac757b6a7e57133ceedd0e_JaffaCakes118
SHA256: 32a820b30108102245b1c458b9237893e80a644fe1113dca3d4b2132a93f5db3
Tags: nanocore evasion keylogger persistence privilege_escalation spyware stealer trojan
Score: 10/10


Analysis Overview

Threat Level: Known bad

The file 167cc413faac757b6a7e57133ceedd0e_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

NanoCore

Enumerates connected drives

Adds Run key to start application

Checks whether UAC is enabled

Checks computer location settings

Suspicious use of SetThreadContext

Loads dropped DLL

Drops file in Program Files directory

Executes dropped EXE

Drops file in Windows directory

Event Triggered Execution: Installer Packages

Enumerates physical storage devices

Program crash

Suspicious behavior: MapViewOfSection

Modifies data under HKEY_USERS

Uses Volume Shadow Copy service COM API

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-27 15:17

Signatures: N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-27 15:17

Reported: 2024-06-27 15:19

Platform: win7-20240220-en

Max time kernel: 150s

Max time network: 144s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\167cc413faac757b6a7e57133ceedd0e_JaffaCakes118.msi

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Windows\Installer\MSI3C28.tmp N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\WDLropUtil = "C:\\Users\\Admin\\WDLropUtil.exe" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TCP Subsystem = "C:\\Program Files (x86)\\TCP Subsystem\\tcpss.exe" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\TCP Subsystem\tcpss.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File opened for modification C:\Program Files (x86)\TCP Subsystem\tcpss.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\f763b4c.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f763b4f.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI3BF7.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f763b4f.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\f763b4c.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI3C28.tmp C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2468 wrote to memory of 1452 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI3C28.tmp
PID 1452 wrote to memory of 768 N/A C:\Windows\Installer\MSI3C28.tmp C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe
PID 768 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 1552 wrote to memory of 1636 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 768 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 1896 wrote to memory of 340 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 768 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 768 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe
PID 2336 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 1264 wrote to memory of 1060 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\schtasks.exe
PID 704 wrote to memory of 1620 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2336 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2328 wrote to memory of 2104 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1264 wrote to memory of 2356 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\schtasks.exe
PID 2336 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\167cc413faac757b6a7e57133ceedd0e_JaffaCakes118.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005AC" "00000000000003C8"

C:\Windows\Installer\MSI3C28.tmp

"C:\Windows\Installer\MSI3C28.tmp"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tfotbjir\tfotbjir.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3E86.tmp" "c:\Users\Admin\AppData\Local\Temp\tfotbjir\CSC2A8EB007886F4CC0B29075731CDA75E2.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3ccqb1ea\3ccqb1ea.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3F13.tmp" "c:\Users\Admin\AppData\Local\Temp\3ccqb1ea\CSC28ADD20F114243D88D7A56282C9E4258.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe

"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rje3ry5q\rje3ry5q.cmdline"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "TCP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC1D9.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC1F8.tmp" "c:\Users\Admin\AppData\Local\Temp\rje3ry5q\CSC6212267F3E894A2CB8C32F175495BE.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dzmbox2o\dzmbox2o.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC284.tmp" "c:\Users\Admin\AppData\Local\Temp\dzmbox2o\CSCDE454407FAC347EFA2FE6263165E1BE7.TMP"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "TCP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC2F2.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe

"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 544

Network

Country Destination Domain Proto
US 8.8.8.8:53 manifest.duckdns.org udp
NG 197.210.54.237:61970 manifest.duckdns.org tcp
US 8.8.8.8:53 manifest.duckdns.org udp
NG 197.210.54.237:61970 manifest.duckdns.org tcp
US 8.8.8.8:53 manifest.duckdns.org udp
NG 197.210.54.237:61970 manifest.duckdns.org tcp
US 8.8.8.8:53 manifest.duckdns.org udp
NG 197.210.54.237:61970 manifest.duckdns.org tcp
US 8.8.8.8:53 manifest.duckdns.org udp
NG 197.210.54.237:61970 manifest.duckdns.org tcp
US 8.8.8.8:53 manifest.duckdns.org udp
NG 197.210.54.237:61970 manifest.duckdns.org tcp

Files

C:\Windows\Installer\MSI3C28.tmp

MD5 7997a52983aa768553d9e039f011e9a8
SHA1 9b2955a38238fdc5c5511dbb8c578c63a9e19495
SHA256 1ea29b91f3647b1cf4822cff87a2e5a7030f2ad92c88013381a6eb4a4088f4c0
SHA512 2682afb87b6f860395d286df4ba4a519586b8c4a5fdaa5495ceb964eb2c2c35a7f08896a8c6d28ec691e87b2084c43afc5a7062f9369fbafcbec6c4881d3d083

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe

MD5 ac692fdb7dc25fdea0c0a82819b9ca05
SHA1 2b94177f0144e34dbd39b847e6bc3305ba7fe080
SHA256 afdceace49e12768aa2500489c6102293a1f6e7cb9c844610a655fa741ce0cdb
SHA512 04303b051c722d28d8e382acf62997766478cde0ef36473c85ba71c648001a4960f08417e3493d10fb582be5c6293be851eed459c063d6b36561defdc307e2ba

memory/768-23-0x0000000001290000-0x00000000012B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5

MD5 b73c6439a2302db41bb7737de87b8835
SHA1 a3f1fb5fc06083f5e0adfe7e26ddb094883b7d6b
SHA256 2f28247f05c070b5dd9c869b152e7b4084254d7b162a193a9a43b5c8b2419c1f
SHA512 68e3f65502cbc32d4d2c1e699e9ca07a3493e554cecf058e632f82874ecec61a63367de56ad693db94ec069e076a44701ce3068deb8748b739c0d6dbcaa70991

\??\c:\Users\Admin\AppData\Local\Temp\tfotbjir\tfotbjir.cmdline

MD5 6636a9d89510980dc39f569b20e2c31f
SHA1 4df4e32b1c300cd2ced3bf78079b609320a37e5a
SHA256 9b8fae8d9d15056ee2d4998598ced5015a65e7ab49d3a33a64b0b5d5c923ffe5
SHA512 4b629c21c7ca6492f7c7a9e210e28c820d1feb0f95d496a435fe3142a6b17e631d42c3fa904929a8a3c65258aab1e5c59fbaa2b2b6c1b7ded4af635e1340bbc9

\??\c:\Users\Admin\AppData\Local\Temp\tfotbjir\tfotbjir.0.cs

MD5 b5d745ad124400fe21ea0c07e7d0e8bc
SHA1 4e8cb83eb077c46240e9c0c372a3404763c6c132
SHA256 a75d60a3aba62d7137461fd31761cba8d6f6c7f8db75cf9d491d1a53c254e95e
SHA512 a9c96c2f56c8f4134cafd2bbc8599e57e7fc1c469afd151ce861e28667c27c6e89e0f35606c2fd6ea64c192f549bdabdc4fc20d7059179d935b94dd94f800e8b

\??\c:\Users\Admin\AppData\Local\Temp\tfotbjir\CSC2A8EB007886F4CC0B29075731CDA75E2.TMP

MD5 db87782e895cd82cdc24175299fff756
SHA1 67e3edb45a7f5dd3e0094ae569846e6ee65ab8fd
SHA256 683da3abc12d803970f3ded9ac0f7f7c54ec7fbd3c7c82296e497b9108f3a179
SHA512 66d7bd60fbbae0337f4c474702280d15de0fc0e9f130df46c8bb86a8b682c16170a220f2cedadc5d451a863be9de173788364e8905657a1471e2afaec8676b52

C:\Users\Admin\AppData\Local\Temp\RES3E86.tmp

MD5 639a0352bb86776e2fe927bc28860a68
SHA1 a46f06e3b7e3c98f0672f1617b9064983919f043
SHA256 b54b0c17c4caf83004d101395a9adf30c9e1067dcc579f55031ad8fdfe53ffc0
SHA512 e579d68187039202a2391e3fb4e5a42a032d577ded17e1cd4472c5931e57dec238643f9b763a95dedcc427857e4ed2b3834625fe79f6afad32b5436f24182eb9

C:\Users\Admin\AppData\Local\Temp\tfotbjir\tfotbjir.dll

MD5 23e80110ba883fd0acfc2f706c216388
SHA1 9c4032b9ab3b8347931ae5236aa5a24daf682ee2
SHA256 c93192360deefcb18ecf7c0246e109ff1ca9662b4394b9f131bcfe91f6ff149a
SHA512 b64da09fcc1b1a8f5bfee7e7eddff977875f302a776df909ddeb911d34376a385d6b42f86f51e6251f6173e931041198601b40b893d5a0612fd19786a781f8ec

memory/768-37-0x0000000000940000-0x00000000009E4000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\3ccqb1ea\3ccqb1ea.cmdline

MD5 ed4fcac88c13828307e5a5a7d470c221
SHA1 e9da0176b6c158d63e00ee09de1f7e614a0c8e37
SHA256 77a0e08592f9fefbf6f5e62b83073dfdccd12a28719a63ae0deb024d6ab8f2d9
SHA512 dd3b9f6508c5f669b7a5d313631a6530f320fcf67c7adfcee3056ee8ae6cbe9d43385557ca454453315835d296ef12ba1a0c2e5d24e929f9069fe794b1d52855

\??\c:\Users\Admin\AppData\Local\Temp\3ccqb1ea\CSC28ADD20F114243D88D7A56282C9E4258.TMP

MD5 2c3d4ee93d95073e227eea419ee2637f
SHA1 420bb20ff5a0af396c28250563462d3e894ae795
SHA256 cfe40698224866b71ad5a869431b480f27209a3bb548202011a240afbe5ce1c3
SHA512 0842bed4c880a924a48c6e8fc33d15fd07cd1f3f695e448670aab71b785fbde9a2691c3edd17c1931a086313be9bc0fe9a9f67b90c8673db682fa563741c93bd

C:\Users\Admin\AppData\Local\Temp\RES3F13.tmp

MD5 a8fdafd9115969805b0acffda3eb6593
SHA1 52f9448a7853759b473a664676bec4c5b71ce8c4
SHA256 bef9f45371d81f46eccfc020547c85a1407c9da648f82f504f01c2fedaf7dabc
SHA512 a7802d510903b1bc4d537332127786ef9beef14996b3bd82227c5aa5a62afdfd2626d98207846370bbb261eb27721df84560ff63aa4486b955e1cd74f8f3c289

C:\Users\Admin\AppData\Local\Temp\3ccqb1ea\3ccqb1ea.dll

MD5 854ee7e7aaa8698f36a216806bc04ca4
SHA1 31c3c0be81436b6bcedea29ea5602c0055118051
SHA256 7e23d07a6474d6cfbb6a5685f2dd44e0a2d61fdd7ea1a1c9f349ce02a8f5602c
SHA512 34b3a3da6d4268771c23d4ab63fd38ed4d916ce4030a1f1e2df6aa6db589dfe0cf0364717305120c2da8ed7e0bfd21d704ba33106fbe9d497a17858f806d72e5

memory/768-51-0x0000000000CF0000-0x0000000000D94000-memory.dmp

memory/768-53-0x00000000009E0000-0x0000000000A22000-memory.dmp

memory/1264-57-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1264-59-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1264-58-0x0000000000400000-0x0000000000438000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\rje3ry5q\rje3ry5q.cmdline

MD5 983af9b59193e486329ec722bde0e040
SHA1 4617a51ba213dd9b2551f3a383d555cda8ac2362
SHA256 465c49b5ee7cd2dcd1f9fb0fbb3887a172ab1e16025823054c682b813708c66a
SHA512 e06a869ccc9159476b78505c88ec4097daf0c9342aeeff5a8d8d29326afcf71a970de919cd3cfd049c6ce8a614afa6a29456692c291439f326c478fe6047fea5

C:\Users\Admin\AppData\Local\Temp\rje3ry5q\rje3ry5q.dll

MD5 bdffef07a18efb3e823a07ff2d9aa059
SHA1 b45d813c206ab421667efb3487387c9e2a2fe1fa
SHA256 b7aa834d86476c35ec8c5a10f5436c72c05593e3c4382fda0d6d8e4745c8d2dd
SHA512 6c9121a6ea2b49775c4c077c83af94093a322da27579c5c282f7b71eb51b8e90e3f2567db8bf396ea7e89dad78222217c125009f3b9abbba0021d27b4b58b0b4

memory/2336-77-0x0000000000B40000-0x0000000000BE4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RESC1F8.tmp

MD5 2205da7b6ea8ee1b778595d2d5ab8193
SHA1 5a3a68b93d5bcfaca9aeeef50b298a51eaf61b25
SHA256 128dcc56c464bf2af20abf0e9ad3b78d7fab54607c59cc07e0cd525733f0ea5b
SHA512 74d47ef7e4abc718db5383b3495c3b6031b739b70515a7c5143274843785070d2b76ee2a8fabd19407755f9c31c996a8a8dbaaa5f2d356f627105dfe3c016331

\??\c:\Users\Admin\AppData\Local\Temp\rje3ry5q\CSC6212267F3E894A2CB8C32F175495BE.TMP

MD5 bbbfc0c7cfb2a35078e9fb488da66763
SHA1 85a630981c7462f25c27435d7fcd023a16549dc2
SHA256 db971468e03b47d3f1a210824fa4f12109e9f64815a17bb44360a9eff4d5a42f
SHA512 324af00d603a795ce71a6db02961d6e490cbf298f9f63b6c4b55247ba4c23c68974e4e8a44005c7efb6992419258e687779227729debf011fbe3e7d3d71a64ad

C:\Users\Admin\AppData\Local\Temp\tmpC1D9.tmp

MD5 48ef7fa9033389ad7929d7a6b9d10298
SHA1 9db6cb7325c8bdf66a15f7b5f34703709a45aeb6
SHA256 0c1b5f67eeb276d1d4205b138ce32bc6149924e02281a2db8e4623a700e88f15
SHA512 ac8bd104ecbacc9bccce9e087f67e5b18072d59367ccd31d4e66132b6baaea520cba5b9b59464483d86abf74826b382c402f12e9a586c99bda8c78a0de33944e

\??\c:\Users\Admin\AppData\Local\Temp\dzmbox2o\dzmbox2o.cmdline

MD5 58c47230a4e55a4c823a08d159b6baa9
SHA1 f27eaf76518513417ed145a3f87939d610fdf580
SHA256 ef2d3be7549cceb3b9c5058d2779a428c8b8aec1641da8be3a2df4fc88894375
SHA512 5721784d9c8a7008cd6b36e4ba68a82cc029eeb6c0b2cf94ee41c3837aaa0a1e3a1abcda1221a3fe85c686e49962eca00af55e56f0f779fa97223af61ebc67a3

memory/2336-94-0x00000000003C0000-0x0000000000402000-memory.dmp

memory/2336-92-0x0000000000C30000-0x0000000000CD4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dzmbox2o\dzmbox2o.dll

MD5 f58992a3e62df69180849eeab6fdfc67
SHA1 205a342d25b7a9ccd05bca235b56fab598e6fb1c
SHA256 4e67d65da09e3eb168f4d3c3e9d09bb47acfda97a5183e68cbdf23f10319bf8c
SHA512 a2f63d28d56ecfe587af0fe3649ef3d376ffb685789314f9f3dada2fc3d61de9b4cde423aac79e6f5910817c75a23b44b4e65c2b3c7c67021bc09a98a699a563

C:\Users\Admin\AppData\Local\Temp\RESC284.tmp

MD5 d9df7d277a854099892ee95063185aa0
SHA1 34dc0820c1f932b41ae0567eef4f9cd2cd26745e
SHA256 6fd1ae8cca2f1cd7553d88c1788331e689d800b17cc2559e86a86a6e3aa79e24
SHA512 1dfce99fce8c07f098a12a95920c8614bb2e29080152a8c1587793fe39701f7d39e08c507a7530289021831d25bd904c40495cea49246a51a0398c0d891795a4

\??\c:\Users\Admin\AppData\Local\Temp\dzmbox2o\CSCDE454407FAC347EFA2FE6263165E1BE7.TMP

MD5 92732d290af70c29cdf086e1a6cbb9c3
SHA1 9ec199bfc03557c44198adeb5b2dcdc4a450ca34
SHA256 3e2b041b83dc5ab47f390007ea1eb222ba9f0ec44be9cc6a6867357761f2d9be
SHA512 b39633a440edd5bc4f3cdcc30f40f8ea5cf53e8abb4be36188ffe814dd84c3c7bf4a58094f95af468961f0ac39f44f2835c725b9c58c953d8f0bdbc238c85246

C:\Users\Admin\AppData\Local\Temp\tmpC2F2.tmp

MD5 4b7ef560289c0f62d0baf6f14f48a57a
SHA1 8331acb90dde588aa3196919f6e847f398fd06d1
SHA256 062844155306130d6fafc4fe10ac9e5ddd2ed462532b729c50cdc979c0d83207
SHA512 ecaa27c4b703d95f9f9b37d8c339982970482e7dab968c2010e0aa644bbfa31973111aafb827565af30c423d1d14e4ff997ec149614e713ff7ef3456894d02d8

memory/1264-98-0x00000000007E0000-0x00000000007EA000-memory.dmp

memory/1264-99-0x00000000007F0000-0x000000000080E000-memory.dmp

memory/1264-100-0x0000000000810000-0x000000000081A000-memory.dmp

C:\Config.Msi\f763b50.rbs

MD5 e7a7a7d9cdf437084af0b9154f8e212d
SHA1 1ef50ae276874a597330e7ca670cf2c1a6aa798a
SHA256 852e5cacd8a2e769eedb0389423842576723b191279394c345cbd7304aef1e31
SHA512 5608a9bbc6e566cac1635c51009378a919ccb6fccf9b2d068a6aacdb33956019e589c03a532aacabbc84fe65d571924e4ca2d053bed1af0a4d616d81c86dc362

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-27 15:17

Reported

2024-06-27 15:20

Platform

win10v2004-20240226-en

Max time kernel

153s

Max time network

157s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\167cc413faac757b6a7e57133ceedd0e_JaffaCakes118.msi

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WDLropUtil = "C:\\Users\\Admin\\WDLropUtil.exe" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Windows\Installer\MSI8D82.tmp N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WDLropUtil = "C:\\Users\\Admin\\WDLropUtil.exe" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Subsystem = "C:\\Program Files (x86)\\SMTP Subsystem\\smtpss.exe" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3852 set thread context of 2932 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\SMTP Subsystem\smtpss.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
File created C:\Program Files (x86)\SMTP Subsystem\smtpss.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI8D82.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5986ab.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e5986ab.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{29EF7317-DCA1-4159-97B2-C883AD400AC6} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8BAC.tmp C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (binary value not preserved in this copy of the report) C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4084 wrote to memory of 1968 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 4084 wrote to memory of 1968 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 4084 wrote to memory of 892 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI8D82.tmp
PID 4084 wrote to memory of 892 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI8D82.tmp
PID 4084 wrote to memory of 892 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI8D82.tmp
PID 892 wrote to memory of 3852 N/A C:\Windows\Installer\MSI8D82.tmp C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe
PID 892 wrote to memory of 3852 N/A C:\Windows\Installer\MSI8D82.tmp C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe
PID 892 wrote to memory of 3852 N/A C:\Windows\Installer\MSI8D82.tmp C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe
PID 3852 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 3852 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 3852 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 3460 wrote to memory of 4008 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3460 wrote to memory of 4008 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3460 wrote to memory of 4008 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3852 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 3852 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 3852 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 4464 wrote to memory of 4412 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4464 wrote to memory of 4412 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4464 wrote to memory of 4412 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3852 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3852 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3852 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3852 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3852 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3852 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3852 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3852 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe
PID 3852 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe
PID 3852 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe
PID 4232 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 4232 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 4232 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2932 wrote to memory of 3184 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\schtasks.exe
PID 2932 wrote to memory of 3184 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\schtasks.exe
PID 2932 wrote to memory of 3184 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\schtasks.exe
PID 2348 wrote to memory of 376 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2348 wrote to memory of 376 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2348 wrote to memory of 376 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4232 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 4232 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 4232 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2932 wrote to memory of 3324 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\schtasks.exe
PID 2932 wrote to memory of 3324 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\schtasks.exe
PID 2932 wrote to memory of 3324 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\SysWOW64\schtasks.exe
PID 4056 wrote to memory of 5104 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4056 wrote to memory of 5104 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 4056 wrote to memory of 5104 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\167cc413faac757b6a7e57133ceedd0e_JaffaCakes118.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4148 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\Installer\MSI8D82.tmp

"C:\Windows\Installer\MSI8D82.tmp"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pgdau5lr\pgdau5lr.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9C27.tmp" "c:\Users\Admin\AppData\Local\Temp\pgdau5lr\CSC41AD57B7170A4068A884627ACF34D3CA.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g3uu3iea\g3uu3iea.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9EA7.tmp" "c:\Users\Admin\AppData\Local\Temp\g3uu3iea\CSCA61695FBB97D4E4A97155E7A71A9822F.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe

"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gssgse2b\gssgse2b.cmdline"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "SMTP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp2FDB.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES30B6.tmp" "c:\Users\Admin\AppData\Local\Temp\gssgse2b\CSC230F842BDF4E462890DE50E86E17ABE0.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\euza5w00\euza5w00.cmdline"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "SMTP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp31B1.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES327B.tmp" "c:\Users\Admin\AppData\Local\Temp\euza5w00\CSC21AC80ACE5BA4AD1BCA796329BBBFD4.TMP"

Network

Country Destination Domain Proto
GB 142.250.187.234:443 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 167.57.26.184.in-addr.arpa udp
US 8.8.8.8:53 92.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 manifest.duckdns.org udp
NG 197.210.54.237:61970 manifest.duckdns.org tcp

Files

C:\Windows\Installer\MSI8D82.tmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5.exe

memory/3852-23-0x0000000000510000-0x0000000000532000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xTMUmRNSplXXLMhgma5

\??\c:\Users\Admin\AppData\Local\Temp\pgdau5lr\pgdau5lr.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\pgdau5lr\pgdau5lr.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\pgdau5lr\CSC41AD57B7170A4068A884627ACF34D3CA.TMP

C:\Users\Admin\AppData\Local\Temp\RES9C27.tmp

C:\Users\Admin\AppData\Local\Temp\pgdau5lr\pgdau5lr.dll

memory/3852-37-0x0000000004E00000-0x0000000004EA4000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\g3uu3iea\g3uu3iea.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\g3uu3iea\CSCA61695FBB97D4E4A97155E7A71A9822F.TMP

C:\Users\Admin\AppData\Local\Temp\RES9EA7.tmp

C:\Users\Admin\AppData\Local\Temp\g3uu3iea\g3uu3iea.dll

memory/3852-51-0x0000000004EA0000-0x0000000004F44000-memory.dmp

memory/3852-53-0x0000000004F40000-0x0000000004F82000-memory.dmp

\??\Volume{d2bbef64-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{424f01d8-38b7-4964-9359-de78fed1d63a}_OnDiskSnapshotProp

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

memory/2932-58-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2932-59-0x0000000005E30000-0x00000000063D4000-memory.dmp

memory/2932-60-0x00000000057B0000-0x0000000005842000-memory.dmp

memory/2932-61-0x0000000005920000-0x00000000059BC000-memory.dmp

memory/2932-62-0x0000000005860000-0x000000000586A000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\gssgse2b\gssgse2b.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\gssgse2b\CSC230F842BDF4E462890DE50E86E17ABE0.TMP

C:\Users\Admin\AppData\Local\Temp\RES30B6.tmp

C:\Users\Admin\AppData\Local\Temp\gssgse2b\gssgse2b.dll

memory/4232-79-0x0000000004850000-0x00000000048F4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp2FDB.tmp

\??\c:\Users\Admin\AppData\Local\Temp\euza5w00\euza5w00.cmdline

C:\Users\Admin\AppData\Local\Temp\tmp31B1.tmp

memory/2932-92-0x00000000058F0000-0x00000000058FA000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\euza5w00\CSC21AC80ACE5BA4AD1BCA796329BBBFD4.TMP

C:\Users\Admin\AppData\Local\Temp\RES327B.tmp

memory/2932-97-0x0000000005900000-0x000000000591E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\euza5w00\euza5w00.dll

memory/4232-99-0x00000000048F0000-0x0000000004994000-memory.dmp

memory/2932-101-0x0000000005E20000-0x0000000005E2A000-memory.dmp