Analysis Overview
SHA256
60e55ca2aeeeacc6428a1e9c1b43742009a8f50807bbebee0d1527ba155268b8
Threat Level: Known bad
The file LisectAVT_2403002B_153.exe was found to be: Known bad.
Malicious Activity Summary
Gandcrab
Renames multiple (285) files with added filename extension
Renames multiple (269) files with added filename extension
Deletes shadow copies
Credentials from Password Stores: Windows Credential Manager
Loads dropped DLL
ASPack v2.12-2.42
Checks computer location settings
Drops startup file
Executes dropped EXE
Enumerates connected drives
Sets desktop wallpaper using registry
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Checks processor information in registry
Uses Volume Shadow Copy service COM API
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-25 00:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-25 00:58
Reported
2024-07-25 01:01
Platform
win7-20240708-en
Max time kernel
143s
Max time network
144s
Command Line
Signatures
Gandcrab
Deletes shadow copies
Renames multiple (285) files with added filename extension
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Credentials from Password Stores: Windows Credential Manager
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\WIMFZFOBXY-DECRYPT.txt | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\1256e3851256e469311.lock | C:\Windows\SysWOW64\wermgr.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_153.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_153.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\wermgr.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp" | C:\Windows\SysWOW64\wermgr.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files\Java\jre7\bin\klist.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\servertool.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\RequestSearch.dotm | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXE | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\UseSet.tiff | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\MSASCui.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\sidebar.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File created | C:\Program Files (x86)\WIMFZFOBXY-DECRYPT.txt | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\misc.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\sidebar.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\InstallRestart.vsw | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\jp2launcher.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Windows Mail\WinMail.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\pack200.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\DenyUnlock.xhtml | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\EnableSave.hta | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Windows Mail\wab.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\1256e3851256e469311.lock | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Hearts\Hearts.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\SCANPST.EXE | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Mail\wabmig.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_153.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wermgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\wermgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\wermgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\wermgr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_153.exe
"C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_153.exe"
C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe
C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe
C:\Windows\SysWOW64\wermgr.exe
"C:\Windows\System32\wermgr.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\0017094c.bat" "
C:\Windows\SysWOW64\wbem\wmic.exe
"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-25 00:58
Reported
2024-07-25 01:01
Platform
win10v2004-20240709-en
Max time kernel
6s
Max time network
153s
Command Line
Signatures
Gandcrab
Deletes shadow copies
Renames multiple (269) files with added filename extension
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
Credentials from Password Stores: Windows Credential Manager
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\LKLXS-DECRYPT.txt | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\2a33eaf12a33ed1d311.lock | C:\Windows\SysWOW64\wermgr.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\wermgr.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\RegisterWrite.WTV | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\XLICONS.EXE | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Windows Photo Viewer\ImagingDevices.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\misc.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File created | C:\Program Files (x86)\LKLXS-DECRYPT.txt | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\PilotshubApp.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBackgroundHost.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\DisableRegister.pptx | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.MicrosoftSolitaireCollection.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\codecpacks.VP9.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Mail\wabmig.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\RenameFormat.mp4 | C:\Windows\SysWOW64\wermgr.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wermgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_153.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\wermgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\wermgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\wermgr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wermgr.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_153.exe
"C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002B_153.exe"
C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe
C:\Users\Admin\AppData\Local\Temp\MGTDPP.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\70db0da5.bat" "
C:\Windows\SysWOW64\wermgr.exe
"C:\Windows\System32\wermgr.exe"
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\SysWOW64\wbem\wmic.exe
"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
| Country | Destination | Domain | Proto |
Files
memory/1628-928-0x0000000000400000-0x0000000000428000-memory.dmp
memory/1628-936-0x0000000000400000-0x0000000000428000-memory.dmp