Malware Analysis Report

2024-12-07 09:57

Sample ID 241114-gd6afsymem
Target Ransomware.TeslaCrypt.zip
SHA256 3b246faa7e4b2a8550aa619f4da893db83721aacf62b46e5863644a5249aa87e
Tags
defense_evasion discovery persistence ransomware spyware stealer execution impact
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3b246faa7e4b2a8550aa619f4da893db83721aacf62b46e5863644a5249aa87e

Threat Level: Known bad

The file Ransomware.TeslaCrypt.zip was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery persistence ransomware spyware stealer execution impact

Renames multiple (6004) files with added filename extension

Renames multiple (735) files with added filename extension

Deletes shadow copies

Renames multiple (374) files with added filename extension

Renames multiple (359) files with added filename extension

Renames multiple (4011) files with added filename extension

Drops file in Drivers directory

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Deletes itself

Reads user/profile data of web browsers

Enumerates connected drives

Adds Run key to start application

Looks up external IP address via web service

Indicator Removal: File Deletion

Drops file in System32 directory

Sets desktop wallpaper using registry

Suspicious use of SetThreadContext

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Uses Volume Shadow Copy service COM API

Interacts with shadow copies

Suspicious use of SetWindowsHookEx

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Enumerates system info in registry

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Modifies Control Panel

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-14 05:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-14 05:42

Reported

2024-11-14 05:44

Platform

win10ltsc2021-20241023-en

Max time kernel

82s

Max time network

88s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe"

Signatures

Renames multiple (6004) files with added filename extension

ransomware

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crypto13 = "C:\\Users\\Admin\\AppData\\Roaming\\hugufdp.exe" C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A

Indicator Removal: File Deletion

defense_evasion

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\es-ES\PSDSCxMachine.strings.psd1 C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TrustedPlatformModule\TrustedPlatformModule.psd1 C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\Licenses\neutral\_Default\EnterpriseS\license.rtf C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BranchCache\BranchCache.psd1 C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\ISE\ise.psd1 C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_PackageResource\de-DE\PackageProvider.psd1 C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ProcessResource\en-US\MSFT_ProcessResource.strings.psd1 C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ProcessResource\uk-UA\MSFT_ProcessResource.strings.psd1 C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetQos\NetQos.psd1 C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ScriptResource\de-DE\MSFT_ScriptResourceStrings.psd1 C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\DefaultAccountTile.png C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\es-ES\lpeula.rtf C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\it-IT\lpeula.rtf C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\ja-JP\Licenses\Volume\EnterpriseS\license.rtf C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\fr-FR\Microsoft.PowerShell.ODataUtilsStrings.psd1 C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetNat\NetNat.psd1 C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_UserResource\it-IT\MSFT_UserResource.strings.psd1 C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\DesktopSpotlightToastIcon_Light.png C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\ja-JP\Licenses\OEM\EnterpriseS\license.rtf C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AssignedAccess\it-IT\AssignedAccessMsg.psd1 C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Storage\Storage.psd1 C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_c60443fdc3285a98\MPDW-constraints.js C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_GroupResource\uk-UA\MSFT_GroupResource.strings.psd1 C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_PackageResource\ja-JP\PackageProvider.psd1 C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ServiceResource\de-DE\MSFT_ServiceResource.strings.psd1 C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\Licenses\neutral\Volume\EnterpriseS\license.rtf C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\MailContactsCalendarSync\LiveDomainList.txt C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\SecurityAndMaintenance_Alert.png C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\uk-UA\lipeula.rtf C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\fr-FR\BitLocker.psd1 C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_GroupResource\de-DE\MSFT_GroupResource.strings.psd1 C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\fr-FR\Licenses\OEM\EnterpriseS\license.rtf C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\IntegratedServicesRegionPolicySet.json C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\en-US\Microsoft.PowerShell.ODataUtilsStrings.psd1 C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\ja-JP\TestDtc.psd1 C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCClassResources\WindowsPackageCab\WindowsPackageCab.psd1 C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsUpdate\WindowsUpdate.psd1 C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RoleResource\en-US\MSFT_RoleResourceStrings.psd1 C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\@EnrollmentToastIcon.png C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\default.help.txt C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PrintManagement\PrintManagement.psd1 C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\de-DE\BitLocker.psd1 C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\MsDtc.psd1 C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\es-ES\RunAsHelper.strings.psd1 C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\@AppHelpToast.png C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\System32\LogFiles\WMI\Diagtrack-Listener.etl.001 C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\Licenses\neutral\OEM\EnterpriseS\license.rtf C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RegistryResource\uk-UA\MSFT_RegistryResource.strings.psd1 C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\fr-FR\PSDesiredStateConfiguration.Resource.psd1 C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\WebDownloadManager.psd1 C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\de-DE\lpeula.rtf C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\Licenses\neutral\OEM\EnterpriseS\de-license.rtf C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Security\Microsoft.PowerShell.Security.psd1 C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ArchiveResource\es-ES\ArchiveProvider.psd1 C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RegistryResource\it-IT\MSFT_RegistryResource.strings.psd1 C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ScriptResource\uk-UA\MSFT_ScriptResourceStrings.psd1 C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\it-IT\Licenses\Volume\EnterpriseS\license.rtf C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\System32\LogFiles\WMI\CloudExperienceHostOobe.etl.001 C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ArchiveResource\fr-FR\ArchiveProvider.psd1 C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_EnvironmentResource\fr-FR\MSFT_EnvironmentResource.strings.psd1 C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WindowsOptionalFeature\es-ES\MSFT_WindowsOptionalFeature.strings.psd1 C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\de-DE\Licenses\_Default\EnterpriseS\license.rtf C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\AppvClient.psd1 C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\HELP_TO_DECRYPT_YOUR_FILES.bmp" C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\km.pak C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ca.pak C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\gu.pak C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\es-419.pak C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ne.txt C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\HintBarEllipses.16.White.png C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files\Windows NT\TableTextService\TableTextServiceDaYi.txt C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\server\Xusage.txt C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-100.png C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-140.png C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-180.png C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\en-US.pak.DATA C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\fa.pak.DATA C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\PlatformCapabilities\CommonCapabilities.json C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\en-US\PackageManagementDscUtilities.strings.psd1 C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-80.png C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\VisualElements\SmallLogoCanary.png.DATA C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\ja-JP\MSFT_PackageManagement.strings.psd1 C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\security\blacklisted.certs C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-moreimages.png C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\it.pak.DATA C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\AugLoop\third-party-notices.txt C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-140.png C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\ur.pak C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\SmallLogo.png C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-180.png C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelFluent.White.png C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\fr-FR\MSFT_PackageManagement.strings.psd1 C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_100_percent.pak C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ku-ckb.txt C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-140.png C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-80.png C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-80.png C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-100.png C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.NETCore.App.runtimeconfig.json C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ja.pak C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\ja-JP\MSFT_PackageManagementSource.strings.psd1 C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jmc.txt C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\images\Audio-48.png C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_BeforeEach_AfterEach.help.txt C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\resources.pak.DATA C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\hi.pak C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\LogoCanary.png C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\mecontrol.png C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1 C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.WindowsDesktop.App.deps.json C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\PlatformCapabilities\WordCapabilities.json C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\de-DE\MSFT_PackageManagementSource.strings.psd1 C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\gl.txt C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\sw.txt C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\notice.txt C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\ca-Es-VALENCIA.pak C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\hu.pak C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\es.pak.DATA C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\en-US\MSFT_PackageManagement.strings.psd1 C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\es-419.pak C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-100.png C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\de.pak.DATA C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.WindowsDesktop.App.deps.json C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\security\blacklisted.certs C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_should.help.txt C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-l..erprisegn.resources_31bf3856ad364e35_10.0.19041.4529_en-us_8a581914d7661aed\f\license.rtf C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.3636_none_3473be4cdeacc98a\f\divider.css C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..erymanager.appxmain_31bf3856ad364e35_10.0.19041.4355_none_20749689b588f6b3\Splashscreen.scale-100.png C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-fileexplorer.appxmain_31bf3856ad364e35_10.0.19041.546_none_476476bb5c3a0bbc\SquareTile44x44.scale-400.png C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-s..ast-black.searchapp_31bf3856ad364e35_10.0.19041.1_none_e479c512c8bfeb66\AppListIcon.targetsize-20_altform-unplated.png C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-ui-shell-component_31bf3856ad364e35_10.0.19041.4355_none_c25ba12abfc23968\RequestedDownloadsLargeCloudIcon.contrast-white_scale-400.png C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-ecapp.appxmain_31bf3856ad364e35_10.0.19041.4474_none_71c1b099416624ca\f\cursordot.png C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-s..ets.icons.searchapp_31bf3856ad364e35_10.0.19041.3996_none_8d465235315175e4\f\smalltile.scale-150.png C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SystemResources\Windows.SystemToast.Calling\Images\DropAccept.scale-100.png C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_hyperv-vmchipset_31bf3856ad364e35_10.0.19041.4355_none_49f7f1fb41e2907c\VmChipset Third-Party Notices.txt C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-ui-shellcommon-core_31bf3856ad364e35_10.0.19041.1_none_91b1f58702057373\DefaultSystemNotification.scale-125.png C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_systemresource-wind..-ui-accountscontrol_31bf3856ad364e35_10.0.19041.1_none_8805ef3af31f4b8c\Outlook.Theme-Dark_Scale-125.png C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_ppi-ppiskype-c-a_31bf3856ad364e35_10.0.19041.3636_none_e69f3bd188919f86\f\available_oof2x1.scale-180.png C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\WindowsBackup\Assets\StoreLogo.scale-400.png C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.423_none_9de80b9d881a1ebd\instructionPointerGlyph.png C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\js\autopilotwhitegloveresult-page.js C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..ntrolpanel.appxmain_31bf3856ad364e35_10.0.19041.4474_none_8f6f71a24c482e0d\System.png C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-ui-shellcommon-core_31bf3856ad364e35_10.0.19041.1_none_91b1f58702057373\WiFiNetworkManagerWarningToast.scale-400.png C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\Formatter\workerMessaging.js C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-w..aincompat.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_aa50e6949c4270bb.manifest C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-apprep-chxapp.appxmain_31bf3856ad364e35_10.0.19041.3636_none_ac810a70c7943041\f\templatestyle.css C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.4474_none_7769e00c02e06184\f\app.js C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\x86_microsoft-windows-l..essionaln.resources_31bf3856ad364e35_10.0.19041.4529_fr-ca_706fc2143064e6f0\f\license.rtf C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.AsyncTextService_8wekyb3d8bbwe\Assets\Square44x44Logo.png C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_de-de_93077b1bb6202083\CL_LocalizationData.psd1 C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-x..jectdialog.appxmain_31bf3856ad364e35_10.0.19041.423_none_d93ee361fbbc8f0a\SquareTile310x150.scale-200.png C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-s..in.assets.searchapp_31bf3856ad364e35_10.0.19041.3636_none_0ec6635ad8612aaf\f\smallicon.targetsize-16.png C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\header\Images\foreground.png C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..er.appxmain.ratings_31bf3856ad364e35_10.0.19041.1_none_ff46bbc9afee54c5\RatingStars49.contrast-white_scale-200.png C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-ui-shell-component_31bf3856ad364e35_10.0.19041.4355_none_c25ba12abfc23968\f\tabletmode.scale-100.png C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\js\oobeprovisioningentry-vm.js C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.3636_none_3473be4cdeacc98a\console.png C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.423_none_9de80b9d881a1ebd\addXHRBreakpoint.png C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-m..nt-browser.appxmain_31bf3856ad364e35_10.0.19041.4355_none_70ae1507b206e5a7\f\splashscreen.contrast-white_scale-100.png C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\VisualProfiler\js\CpuUsage\Grid.css C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\unifiedEnrollmentProvisioningProgressPage.js C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.423_none_9de80b9d881a1ebd\StateMachine.js C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\Assets\Square44x44Logo.targetsize-64.png C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SystemResources\Windows.UI.Shell\Images\RequestedDownloadsLargeCloudIcon.scale-150.png C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..er.appxmain.ratings_31bf3856ad364e35_10.0.19041.1_none_ff46bbc9afee54c5\RatingStars38.contrast-black_scale-200.png C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\wow64_microsoft-windows-s..tore-main.resources_31bf3856ad364e35_10.0.19041.4529_nb-no_ba31a636ad7073a3.manifest C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-a..g-whatsnew.appxmain_31bf3856ad364e35_10.0.19041.4355_none_ee89351905ec7ddf\f\newforyoubadgelogo.scale-100_contrast-black.png C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.19041.4529_ar-sa_7f51b48ac5d79fc0\f\license.rtf C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\wow64_windowssearchengine_31bf3856ad364e35_7.0.19041.4355_none_f69176c636ff34b8\f\search.protocolhandler.mapi2.dll C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.3636_none_3473be4cdeacc98a\htmlMode.js C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-ui-shellcommon-core_31bf3856ad364e35_10.0.19041.1_none_91b1f58702057373\CellularToast.scale-125_contrast-white.png C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-edp-task_31bf3856ad364e35_10.0.19041.1023_none_67d9ae9ccb89c9b7\@bitlockertoastimage.png C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.4474_none_08f8dfcf0c193741\NarratorUWPSquare44x44Logo.targetsize-60_contrast-black.png C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\DiagTrack\Settings\utc.tracing.json C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.19041.4529_th-th_9e177be6c44cece3\f\license.rtf C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-i..edia-base.resources_31bf3856ad364e35_10.0.19041.3636_ro-ro_5cab57ff22d2bb12\f\vofflps.rtf C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.19041.4474_none_fb628aaf7e87b8df\n\cbs\screenclipping\assets\storelogo.png C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.4474_none_7769e00c02e06184\r\ssprerror-page.js C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft.powershell.archive.resources_31bf3856ad364e35_10.0.19041.1_en-us_c64fb0a26d1f3fed\ArchiveResources.psd1 C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.4474_none_7769e00c02e06184\f\discovery.js C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\cache\Local\Desktop\17.js C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\settings-desktop.css C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-l..essionaln.resources_31bf3856ad364e35_10.0.19041.4529_lv-lv_6a52eae10ae28d05\f\license.rtf C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-l..terprises.resources_31bf3856ad364e35_10.0.19041.4529_tr-tr_05a82ecb196d30f1\f\license.rtf C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.3636_none_3473be4cdeacc98a\f\snapshottileview.css C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\Assets\Square150x150Logo.scale-125.png C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-l..terprises.resources_31bf3856ad364e35_10.0.19041.1_it-it_039386304bc8adc1\license.rtf C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.4474_none_7769e00c02e06184\f\localngc.js C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.4474_none_7769e00c02e06184\f\provisionedapplications.svg C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\Desktop\TileWallpaper = "0" C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\Desktop\WallpaperStyle = "0" C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2484 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe C:\Users\Admin\AppData\Roaming\hugufdp.exe
PID 2484 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe C:\Users\Admin\AppData\Roaming\hugufdp.exe
PID 2484 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe C:\Users\Admin\AppData\Roaming\hugufdp.exe
PID 2484 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Local\Temp\3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe C:\Windows\SysWOW64\cmd.exe
PID 2484 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Local\Temp\3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe C:\Windows\SysWOW64\cmd.exe
PID 2484 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Local\Temp\3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe C:\Windows\SysWOW64\cmd.exe
PID 4320 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4320 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3156 wrote to memory of 3744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3156 wrote to memory of 3744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4320 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4320 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2744 wrote to memory of 5116 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2744 wrote to memory of 5116 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4320 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4320 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1784 wrote to memory of 2672 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1784 wrote to memory of 2672 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4320 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4320 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2340 wrote to memory of 320 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2340 wrote to memory of 320 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4320 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4320 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1664 wrote to memory of 3648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1664 wrote to memory of 3648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4320 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4320 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2216 wrote to memory of 2800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2216 wrote to memory of 2800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4320 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4320 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3528 wrote to memory of 2500 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3528 wrote to memory of 2500 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4320 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4320 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4704 wrote to memory of 1364 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4704 wrote to memory of 1364 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4320 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4320 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5044 wrote to memory of 2120 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5044 wrote to memory of 2120 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4320 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4320 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1668 wrote to memory of 2076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1668 wrote to memory of 2076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4320 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4320 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3792 wrote to memory of 3324 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3792 wrote to memory of 3324 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4320 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4320 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2116 wrote to memory of 636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2116 wrote to memory of 636 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4320 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4320 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Roaming\hugufdp.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 3128 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2900 wrote to memory of 3128 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe

"C:\Users\Admin\AppData\Local\Temp\3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe"

C:\Users\Admin\AppData\Roaming\hugufdp.exe

C:\Users\Admin\AppData\Roaming\hugufdp.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\3372C1~1.EXE >> NUL

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\log.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffc499546f8,0x7ffc49954708,0x7ffc49954718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\log.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffc499546f8,0x7ffc49954708,0x7ffc49954718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\log.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffc499546f8,0x7ffc49954708,0x7ffc49954718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\log.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffc499546f8,0x7ffc49954708,0x7ffc49954718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\log.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffc499546f8,0x7ffc49954708,0x7ffc49954718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\log.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffc499546f8,0x7ffc49954708,0x7ffc49954718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\log.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x124,0x134,0x7ffc499546f8,0x7ffc49954708,0x7ffc49954718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\log.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffc499546f8,0x7ffc49954708,0x7ffc49954718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\log.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffc499546f8,0x7ffc49954708,0x7ffc49954718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\log.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffc499546f8,0x7ffc49954708,0x7ffc49954718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\log.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x134,0x138,0x13c,0x110,0x140,0x7ffc499546f8,0x7ffc49954708,0x7ffc49954718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\log.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x134,0x138,0x13c,0x110,0x140,0x7ffc499546f8,0x7ffc49954708,0x7ffc49954718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\log.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x134,0x138,0x13c,0x110,0x140,0x7ffc499546f8,0x7ffc49954708,0x7ffc49954718

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 7tno4hib47vlep5o.tor2web.org udp
AU 103.198.0.111:443 7tno4hib47vlep5o.tor2web.org tcp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 nw-umwatson.events.data.microsoft.com udp
US 20.42.73.29:443 nw-umwatson.events.data.microsoft.com tcp
US 8.8.8.8:53 29.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 nw-umwatson.events.data.microsoft.com udp
US 20.42.65.92:443 nw-umwatson.events.data.microsoft.com tcp
US 8.8.8.8:53 92.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 nw-umwatson.events.data.microsoft.com udp
US 52.168.117.173:443 nw-umwatson.events.data.microsoft.com tcp
US 8.8.8.8:53 173.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 7tno4hib47vlep5o.tor2web.blutmagie.de udp
US 8.8.8.8:53 7tno4hib47vlep5o.tor2web.fi udp
US 8.8.8.8:53 nw-umwatson.events.data.microsoft.com udp
US 52.168.117.173:443 nw-umwatson.events.data.microsoft.com tcp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
IE 20.223.35.26:443 fd.api.iris.microsoft.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 52.168.117.173:443 nw-umwatson.events.data.microsoft.com tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 nw-umwatson.events.data.microsoft.com udp
US 52.168.117.173:443 nw-umwatson.events.data.microsoft.com tcp
US 8.8.8.8:53 nw-umwatson.events.data.microsoft.com udp
US 52.182.143.212:443 nw-umwatson.events.data.microsoft.com tcp
US 8.8.8.8:53 212.143.182.52.in-addr.arpa udp
AU 103.198.0.111:443 7tno4hib47vlep5o.tor2web.org tcp
US 8.8.8.8:53 nw-umwatson.events.data.microsoft.com udp
US 20.42.73.29:443 nw-umwatson.events.data.microsoft.com tcp
US 8.8.8.8:53 nw-umwatson.events.data.microsoft.com udp
US 20.42.73.29:443 nw-umwatson.events.data.microsoft.com tcp
US 8.8.8.8:53 nw-umwatson.events.data.microsoft.com udp
US 20.42.73.29:443 nw-umwatson.events.data.microsoft.com tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 nw-umwatson.events.data.microsoft.com udp
US 52.168.117.173:443 nw-umwatson.events.data.microsoft.com tcp
US 8.8.8.8:53 7tno4hib47vlep5o.tor2web.blutmagie.de udp
US 8.8.8.8:53 7tno4hib47vlep5o.tor2web.fi udp
US 8.8.8.8:53 nw-umwatson.events.data.microsoft.com udp
US 20.42.65.92:443 nw-umwatson.events.data.microsoft.com tcp
US 8.8.8.8:53 nw-umwatson.events.data.microsoft.com udp
US 52.182.143.212:443 nw-umwatson.events.data.microsoft.com tcp

Files

C:\Users\Admin\AppData\Roaming\hugufdp.exe

MD5 209a288c68207d57e0ce6e60ebf60729
SHA1 e654d39cd13414b5151e8cf0d8f5b166dddd45cb
SHA256 3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370
SHA512 ce4a7e42738154183fc53702f0841dfd4ad1eb0567b13cc1ff0909f1d330e9cd2fb994375efc6f02e7eddaaae1f465ff93458412143266afdaff1c6bf6477fc3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 557df060b24d910f788843324c70707a
SHA1 e5d15be40f23484b3d9b77c19658adcb6e1da45c
SHA256 83cb7d7b4f4a9b084202fef8723df5c5b78f2af1a60e5a4c25a8ed407b5bf53b
SHA512 78df1a48eed7d2d297aa87b41540d64a94f5aa356b9fc5c97b32ab4d58a8bc3ba02ce829aed27d693f7ab01d31d5f2052c3ebf0129f27dd164416ea65edc911c

C:\Users\Admin\AppData\Roaming\log.html

MD5 d1da269f6089fb8a33e891dd15966708
SHA1 198c37fd751e5d7aac1860a30ea4bf269fe24de1
SHA256 451c181202291292a224adc66adfa5dd9e298ae1e022826f8739acc6c3403a7a
SHA512 6d1332396728a58b279775d4be211337a85ac139a12d77e43b16865c93104279c5cb463678827f73c6cf1ccc9ea889958d37a0316bb09e6d1651ebca7fe6df48

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\9f321210-0b78-4f7b-ae89-bdf8a11cad6a.dmp

MD5 33bde62ccb4724d94bad95e3d2cfa24e
SHA1 167cdf7a2c6ca6d2419a7b9d397a0cf86f9f5144
SHA256 70364a7b30fb152bbd3130d9d40d7389609bb887952d466c2b86bc0b78abd9c9
SHA512 89f48b5ecc564933b2724bd9532f49f422fc56022a5b7e24534878aad898dac7db16e4b7778200e4ee80a87aa85baab553edf6e43347c9f6cdbcf18be139b39d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4424d24f244b5af02f89eadba4a83e4f
SHA1 e43738ab165c3782f6b2e4ead0ab16d14315b011
SHA256 cee7d013dc26d0a9ab6e280ddb8be0a7becc4facee6e4486fb02181fc517f70a
SHA512 1d566516d154ae3519ee6b494aa2b9314008488312be5057d4b6489739b8423fc6d8042cb9cf9fdaa95c95e4740aee98eb92f92fc7edbaee0e21cb0d813594cf

C:\Users\Admin\AppData\Local\Temp\edge_shutdown_crash.txt

MD5 06d49632c9dc9bcb62aeaef99612ba6b
SHA1 e91fe173f59b063d620a934ce1a010f2b114c1f3
SHA256 e79e418e48623569d75e2a7b09ae88ed9b77b126a445b9ff9dc6989a08efa079
SHA512 849b2f3f63322343fddc5a3c8da8f07e4034ee4d5eb210a5ad9db9e33b6aec18dea81836a87f9226a4636c6c77893b0bd3408f6d1fe225bb0907c556a8111355

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\watson_metadata

MD5 ab847bf74ee214f81fcbae6fefffacf9
SHA1 9772415aaa0aa4260ef91ec1149e44100f5da5e0
SHA256 293f0e556deaf954b075a953bef41a94edc05e06dfde582d48386761d7ce479d
SHA512 c53beebe29ce2d8c0b138a4abf9854ffccdb8b8911fad33741af1524f1b0377ae8f39079189d947fc699083fee859d7e11d05b7828cabb0676f4c14dbeb2c3b7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

MD5 5d2e849cab09cd480200090cbd781d14
SHA1 64e0699263e6a1fcb1178466bd1cc522412fc478
SHA256 363df0025c4ee6d18089f5aa3d13c0532f0dd7c3b2969a41d4c14ff81983a286
SHA512 6ac5d36c2669d2eeeff322daa1bc5275c3c363423d4b37b963cf681dfa5b83a6b0db5b3e0bb4a5b0f63827cb44ea7561f431b8f48ce7983e06309fc6ee3d5932

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\f687667e-f740-4ad9-a27e-e80722d8b234.dmp

MD5 3b03be560f6156dcb523e4ce12f2e328
SHA1 c6dfe97efdf171d6ac06f17b143f1b629466bc8e
SHA256 a13f33eb361f78df57f31e00b7912436b3b82da67ca3046617c716aa1a144867
SHA512 8b7a3a9a4d11c8c5caef9de377d0c4875529cf6dee264b43e396cea7cdd8dc2208c6471e45a2908b42606804a38925330fea7f8f983d24fd4bf43837224b0491

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 dce5a280b7baea6c5ad7c5687fd832d0
SHA1 330efdb805fc09b39cd5e810f138b41f3e80442e
SHA256 f9bb71dd089d3a1cbf9d788aab2e74f9adde8f537060d8d0275df4fd0be704df
SHA512 fb1305cd3b5e54f0ab6004d1d4438227b6dd16bab7f02e6d682aad0586c1a284045edd3fe36e36412eea8c2593b6f754d1d9668b5bc16d0bc08951f2eef8b692

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\watson_metadata

MD5 7cee8cb5654ad4c9012bf54d9fc3548b
SHA1 fc8f6acbc601a22538acff84652cde8d2a1d6540
SHA256 ab369fcec161ecbaa36bbdd6c2ab821cbd1fa926f2e353d5fc7cd6b2f008e369
SHA512 dbf2b971cd00ac70662556dc74bf24a6aaaa3dedc36b4bd2787d6ce10b1a8264f289bfd4c412702cbb97c57e2b2a6ce0e4cf7ce32eb20d37c49da31eae55fcd8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\438983ec-99da-4de4-8e96-b7248b61bb0b.dmp

MD5 c9996841eb7d19743041dc2ae9c216a6
SHA1 4c4db11c8f58c369242f82d9c8dab67c6c49597e
SHA256 d7ea57a40704d13d4cf0e6103b534a9e7c87f09e76a96320a116149452a1fb86
SHA512 8d102289c71c069d00c26c01865c76cdf76ac243d9beedc86f4e7a7f6fbb7aaa00dec306d5cf7e6180993971a1f813e8d1d5797750778c96990adf547455a144

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 8bbff5aa56f2e299f93c4ff645e2aa23
SHA1 e17b560791c7589a2220bd9a233620673e725d97
SHA256 ecc519f4034aa54ca05009fbadf4a341e2f764b68d7adfd2a6e46cb42ace355e
SHA512 eff93f24c698aec30d7824ba3092097180deeeeccc7b7ca38ba7302bbcf62fe8b56dc266f7ffca25b39ed15d82a44e7bd59cde9ca7c00765b2e99d620f9ce0ff

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

MD5 7c344a3861d5de5a08a5ba9ea1e7e277
SHA1 07510269bba5ba22d57e32a57f76a3c7bc04072a
SHA256 16058766934ada97fcc4e47abe0c59eaadadab9f8f0d51a7f05e2f5613842ac9
SHA512 533d3f0e37f5b91272186cd6a1b43cc6df70683b72d0f145576b7c33ed5aad266b563c79867df69ea5a6ce1672f724dd276a49ebaaa7862cfa45e1a1db0a2a30

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

MD5 7e325a9103a86619fc36ef45b1b2bfaa
SHA1 3ebd538319fdcf94757ed209659235238445538d
SHA256 7b7360d2554f2a0bb13f2ea253591b1170c4719befabf5fe47fe439af728c3dc
SHA512 65b88958fb58930656bff7f362af806ea2d88f52e4298978201e56ff71552b48d3b722df4bc5f55bdefeda27798963468ac209d27fe031598c80693184b03508

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\0ae8dd79-0409-4de2-9886-4e05e59c0263.dmp

MD5 fa7b195fa56ba7f3b4a0b7321bf4f52c
SHA1 dc63cbe9eac7c93a57617ba79c90835a154bb068
SHA256 ba829193975d6c1e56c3daae098fff24fd926c495b07d05a10cce24e53f05d60
SHA512 cfd92cf43bc6f5f845f450e615d283763d7320a6cf44afeaddda906e83086bdc6151dbf58ad47ff70aa864f96efd05a8b97286878647a5b449c759d034db988f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\watson_metadata

MD5 cee57a0d3753bbeb443e3e35c725154d
SHA1 8ab55d109c14c8a44823bb3f4db9bcb1b9e6db9c
SHA256 c13677a79d5c5245fc391d92417dd365fc0d8fac431e149a242d4765a06c068a
SHA512 2d0c6e6565a0f0388f1e236b53b59f05c5471166489221f1208b11ceb5f7b8d76f3b2676df2f22a0a61e00c57eb4c392724db26f3a50b50771b7f309667024f2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0f01b5d89d3550be168ea638ce2a2106
SHA1 c17f488cdbcf6431d3141b384b71691fc7994f39
SHA256 eb3197ef76bb138392e4c54ab5a6e7ba388384321f9d9a610dc6d5b172cce23e
SHA512 8839d1aae301822dbda04595c32040ca897da535ab2fe60d6031bf694a942446735915e4674ea00e6c837c5e892c3caecc24214ea80c2283d07d782f3880aca9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\watson_metadata

MD5 ce0fc13582312be30d7a6694c4bfd392
SHA1 e9f31058ca4be56ba1e527db4a46da4f1b62d7ce
SHA256 af6c60736772c4095f80d9d458854c3427e20994cc7404ce0385181a86d9d338
SHA512 a1e4b70cb9d86e35e2d51e03310317bf709ea3abed333ec65078e7b74e058a4b747f67c0f6e3a3f5fbd661e98a288462ddab57ebcb9220e404fd2a0e1bd9c344

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\035da337-7174-47bf-8467-fadb30004996.dmp

MD5 451415e7e01821e418674cc2ea97a596
SHA1 1ffb4c85b636ea7b8ba7d248b478c2e990c8ae33
SHA256 3c5937ae88121d1c01412aca6072b7939b4d273b1d4d76661faa002cedc36717
SHA512 d978b135a5fe1ac828c31c09c4b19841a366c7540422ddc0440a9deeba33df5fda9c4472acb1fe6e0ea3f11ec5a0aa47c6ff35a25450c17381e7bac712cc96ad

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 924ae9e1a5a82fe9ccea5c17f7ee24ba
SHA1 43dea81c44330cc0bca1985ac7d89fba182a2fcb
SHA256 5e823a6db56be01defb09a266958daad4142ce271a6bca7b731cb1a35f5a4c32
SHA512 aa41def2329c574ed1363341fb3cc1d58060e542bd01ae26e6c757f7d5d9f4ecd4d3f82ec70c714ddf0c098b81cec793076d5f2c2d91c4aeac2e53ef0eb0adee

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

MD5 6a58824a795abfa4c8c5969e6d230704
SHA1 9fccb18cfc39e0c4056a21156461fe971e602094
SHA256 83f53ef5eb3d588597e3f222ebcaaab91f751782b9da5c0935befc076e6c16ad
SHA512 5c22cf68baad582475afb1b7603d3001969c686681594a9264ea041867d967349c62e8b207465c70a60cf45ab4e53e694e9eb98f6bbfd5d94bc0042617a7d5fb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\watson_metadata

MD5 a472a86729cd9c55cdd42175aca7272b
SHA1 d623cbe2d1d9fbaeb9e2321116b27507eb043b86
SHA256 32c1fa61a99f8ca4957915691754602a1e7134502f13e9731ba586e1e94300cd
SHA512 33f860ea3f9c3ee7dd812b58bc28a127ed3ade90416a311705000876744d876e05bc61973d7a0bcd20a35a092183b45fb31ff4f74700a5007f7c3976903ff9d2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\7d295bb3-d17a-489c-9c02-f69a018a6ce3.dmp

MD5 ffbd05c3da6ae348b96c9fa3eae5e5be
SHA1 9610edf832a87bf22822022e599095146b74ca99
SHA256 d516332f6d20dfa70bdcea0b7090cd9afd31d8f486019282d6939a7727d70687
SHA512 fa5b18b47e3f3a556dc8b120d0c7dc7f14389878a52f2b808c82b108d5d0679c0a4ed0b68c36b503e2bc90afb591870154aaa11ccfcf1219f43900bd839cb091

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

MD5 9ae6f15398b6ba8cb1b528e453067f7a
SHA1 c1dc55907cd1f6c21d38101d9b1965a14c961645
SHA256 a9e6de278e351f872a5291953544774a47e8ccc79bd1bef636585661c3fe053d
SHA512 a097df68a328faa8de9ef802baf1cf24d139468d14af87bd3e7bb0650731a24a96d6d5bc9bb056788d14ed1a5b43c14c224af84a0f17bf6d4c4e6018fe0e28fc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 bfc98260f9aef8a483c65785fb94705d
SHA1 d72e78f46342ec78c45989e6b6cd399fcb15e125
SHA256 7c28e43f83376f9f3354d8c52f23c58213e3b7db501a033e3f4da0caa29cb2e6
SHA512 fdebbfc058ac812ab8db5f0894880d205888414bd1f80f24392ac0d3a840702f004ad47ee522a9f4d34dbc02adaddb45095e8d28cfe4785e1a5775b15fc1f393

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\watson_metadata

MD5 620080d2437eb3201789e7962247d89a
SHA1 e5ba1f81a5567f5169dcb9d62e14284e2956dd02
SHA256 84f579f40f1a5b443236145d7dffba62a94645f36b2096a31726a5b4f7338e96
SHA512 790ab9c9ab696cd732b8570395f698b04c2eeb5dbda729a2e200e9a1fac17c6fec805f3b6a678bd92c4b65f87b757567564a535db2dd38984f5cfac275de55a9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

MD5 0219a8ed6f2aea2f640b8e68490f21b4
SHA1 9fc849ae38e2c9b7f89f6364a01e5ef9cc471299
SHA256 1b9fc8ce610ca19581b5538f2266c30d8b01b1d0c5a7ca02ab82c3b4921b9365
SHA512 d81f01601b3ac3c6fa766f7eee2d195988bc868eaf88ee26f1220c8654b239e644d3991d5f3e8605d2024f65d8e3406daa0f3183cb876a4734c869fc2c9e5996

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\484d5056-bf18-40b6-bdf6-da04e6142756.dmp

MD5 d5b9a3d9e19a4d3b69394e3e343fe8c3
SHA1 1a35e931efc6c5a51ac33f31702348768eda489f
SHA256 dd14d7d2ade72e291fb3229b21a96b2eafadc091b5d61e647d7a1dd8dfecdc51
SHA512 746ac38ac3e8f2ac936d97fead0167b4e79c01f5955e4b855c2bd2912ba0b4c6a02c089c84b38b77a933213a38a128b4df6eea066e751c5948cfb598c8e53f2a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4ad7327aba9ef27157e727ab4fa2d26c
SHA1 01aadd85db08b3f48f5e32a76f531d5c2f865506
SHA256 b06ecef6acd7d05a1fc5b4aacc6b8f3ca54e822c74fb3f5deb81bbd399230890
SHA512 9c2cf62359f96cedb6ac1683f6e8c10356ec9b6fbfc46d38b60ea1ace82d7493e301b779d63524cd8245134d2b1fff2a6d4c0e674401bcd9ad4cf5bf4ebe6afd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\watson_metadata

MD5 ecba53dffe3425383c7c3478e9426e51
SHA1 9a2782062f1a405050a07a89efcfbd5a2e2e1908
SHA256 ad690033c62605107c5ef5e7d7a20e73684c6d537bd70b0b9dbb0e32b20db103
SHA512 55464564a3c240a7ab303df8fc8f999264ec5460ec9f17f90ab949cc3cb181130eaa1af5099960c836ce4edf081560f174f72aebe5f2081677155e4fe55af476

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\f9d41a58-fff9-494f-8b09-6f5f70b05f61.dmp

MD5 71f9654fea0e8f1bd23586a918e94f89
SHA1 f5b6f274b17ab97477e96e0a4241e3bcec1cb573
SHA256 873756031dcd3f7b5e04e23a5ecd9f692e30972a1f6ce25511d4e62c47620530
SHA512 77d3f8cd1a9c67f57aa5adff8aa1223b0108905a3c669a4580093b69fb3222dce32908bca16b8e528c7aaa59045e71d84ab32eccc0710dd159a78d9484d029d4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 e8511948589f48b440602db6d8fadacb
SHA1 ac63a2da4d1aa3a5170905596946f322a03a043a
SHA256 e33ea0ac9728e9ce874a6fbe6ae7dad4d5a7bfdda3e5d3723f21220f6e3caa15
SHA512 909c66561d6ed154b5bba9639efc14411495544b53aea202069fff91adae86f412a887d963f891de23b296025e0f9f58e0f4e2cfe657640c7c0c9717004251c8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

MD5 f138d10a912b31a51837761117c11fd4
SHA1 1c271ffcc3f487df63f8f8820a4b2a66c07ab8f3
SHA256 104b3a91ced55bb2055822aafab043432c281c93f1ba10ef5e8545e833422570
SHA512 022b49b5345af4db35721fbc2d89e85e8e3bf2712caa7bedb965c6f0d1ec10a887d95eb6e72e3286cee7f49c05e7b5d797519f9db5e107a51a34133c93620794

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\7e3914da-e0ef-4320-9bb4-8e68e9602b49.dmp

MD5 3c54b95dfaa9af00bca21f33200b5f1b
SHA1 07f57bf6fad746d7f8f45c828e8d509cdc16663b
SHA256 a1c9665ad1e512988f260f9fc20fbbf6f5a71e039d79f6e5399c26e044ab4381
SHA512 2f624f589e5bd90f543bda927df436acc8dcee02f51ad1ef450308524866e234b09a5467a08f56d9dadbc05ab36371a49da8524cf0ff1e402e2f99356df489bf

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 a0195f883f19c1bd522fb82e1149fc49
SHA1 675c9eef7fb809447ccfa39ddfe63faee5e39fa9
SHA256 6f064e90c549d71aacb5af1d949ef5f11d8b21bce5fa3d698910a0a1d5998079
SHA512 b5fd75ab870f1d5e26eb1e7822b8be382e0411fbbcdf7af7ed4357b3404d3943ef1992f33eae12e8d665b7a8ce69afc89f0bdaf0de4ba1a389415b6c67f898a7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

MD5 f89d15c4f7fc9c6655d39bc766873d36
SHA1 1ddb60f6fb3b5b0772f341ca13a13b369f2492f4
SHA256 5bebd90447baf407de5be817059a4cb67725739110b1d91aa958b23d648fc1e0
SHA512 8242067a94b631d4b4f42e31fb710b4b649770cf8bfcb9724609b07f83f48b9e2789350a3edcd5a1d35503cdb48818361ae01db1e106a898c63255f27f55ace6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\watson_metadata

MD5 d0a5de8ae0db394a37f55fdaa4185008
SHA1 5c4a13f255c76ba4c41502dbba609f6bcac920da
SHA256 e3de23df00db9364a53c3b1fde2cd40de7020a809b923d3e726d4dad105fbe0a
SHA512 582489f97cb2729b17ceb3cfae356dbf3081a1237a2b08f8d4a131300ec61d80c767da14d53358242a5efd6a34bc1dc0753bdcb1f22852a2b4980b5daac534d2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\5e60c884-6d94-44ea-b170-ce57f64e0f5e.dmp

MD5 9beb773a40b8bc535e88bcdd77b374a1
SHA1 def70cb36875e8344d06332fd86d4f48927a4a65
SHA256 8c2046a2c2f3982ef87b30295ac55e63c94371e788edd7db5065b7d60b65b9ac
SHA512 4153f1bd4157cdb6138a79c35fa4214ab0131b1e8061dc3bf33922ef43f767607f28338dcbc7679d4029dce9fde61c687dea5b1dc6760b9bca6c762646642201

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 6c2d2b13aecc0640ff6699a10e2cec61
SHA1 5407afdce74f6abce3c4cd4a27c7faebe601f6ba
SHA256 cdb48d4205f2cf822d571bd98cbb1fb5dd2039d3ef096291084ee3149f476af2
SHA512 532f94c85c64bb43ae610741d81115f7032269ce89dfca5494712e32f20104c91b608ff68c016f8f08020da8b12f147e8c93923325e51ba0ba8ac224155a1d47

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

MD5 ec1f4771a0eec2b2b834397f7358ce73
SHA1 2f83497265c56715aa95e968ba7435c6dc2ed5b5
SHA256 2ee652b89a202ecc112b47fc37b6fec63c02d572c520dc9ee1f1ebc5a6ffd5de
SHA512 e39e68d6fcb69c13b38977a335c70f406550f1b8d931cce9cf9d86096305270499bf2d0908c853ef845e496bbe364ff88b3718a4ca18eab0f99a9c361765e728

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\e1b193b8-c9fd-4277-9203-d9a34c05bfb3.dmp

MD5 4f61f19f8a883dafeae453aada613081
SHA1 0b3754e1b4878718931ef79d1cd6ce139d04e832
SHA256 c1381baed7604478e3e86f9311177ea85fdcb7eba7bba421be53c2fc19560796
SHA512 dd0829f7d53e7ddacd896c836fd4197ff954204b73290968345c13876acc821a74ee09a114083b2094d822dd8f34dbabca54a86c61fc9b1884000863d22599e5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 9daf8f31562dc4723ede842708baf493
SHA1 fca28c2c2795dc75bdd5e96edd986ea7019142dd
SHA256 03b3a427481866f403ce992275d3e46ad0da6c52bf40ed214f8bc27456722535
SHA512 818fcf8229fb4a8aec4b7f00e8c009e2bf9df7cd3b0b5ddb21b4343e3ccb2a90e7fbecf1c991b950e495e842472846c67797507d29d5cdffce771648a004765b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\6a063607-17f7-4d99-917e-1336841dce5d.dmp

MD5 f4d49ae8b82edd11bcd7248c8d6c6f27
SHA1 47be6c6ffae9b98ad9e9c5eba47b89245c33958d
SHA256 74aed285e2aa039c66659443ea337b7b36d67e429c11a6594a2ed2fa31ad77b0
SHA512 4cb31f771c372ee2984c12de1951035380efa4cf271ea6eff502206e42e8702e5db12ec016c3989a8e5419d96adc531cb40996605641c2d5eb1c8d71eb66ee40

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 c53099cfb6d41b43830ac5300d32c2a5
SHA1 e748e98368da7bc04b850c64d4afff29d2b68ffc
SHA256 ac3cd6465b051ed18d4aa297b95001405fffeb4b88d8a166da8a9e9e11634f0f
SHA512 423cedf9c728daf71dd5381a090a96b8d443128d406acf89c3ba49d7ac8d4a8feab3221a1ad33ddb881021c70f30f0382813bbc3e9f981c9cf8b83a5051b0dc4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\2fdd3fe7-c2d8-434d-b3f9-872405af98bc.dmp

MD5 03792c5ef3af01ba0ae49db6bdfe30fd
SHA1 653784eae32a67ed15e5ff8e739b6d710945be1f
SHA256 c788ba7eec0136857526119a685d7cfd73a23f208048d0223d426790c4c1fa8e
SHA512 2f918915faacf9edecfeddc40d5eb01bfac58c57ba03b08748076ce769277806602c0f6e789cec7e6c7d56eeb19de2077f2997c22614907b6e2c17df7f80533e

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-14 05:42

Reported

2024-11-14 05:44

Platform

win10ltsc2021-20241023-en

Max time kernel

101s

Max time network

102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe

"C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe"

C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe

C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

memory/4928-0-0x0000000000400000-0x0000000000447000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-14 05:42

Reported

2024-11-14 05:44

Platform

win7-20241010-en

Max time kernel

79s

Max time network

80s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (735) files with added filename extension

ransomware

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\crypto13 = "C:\\Users\\Admin\\AppData\\Roaming\\kifyvva.exe" C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A

Indicator Removal: File Deletion

defense_evasion

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Reserved_Words.help.txt C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Break.help.txt C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Parsing.help.txt C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_environment_variables.help.txt C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_While.help.txt C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp004.inf_amd64_neutral_53f688945cfc24cc\Amd64\hpzpaw72.vdf C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_CommonParameters.help.txt C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\ja-JP\Licenses\eval\StarterE\license.rtf C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\license.rtf C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\ja-JP\Licenses\eval\EnterpriseN\license.rtf C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_regular_expressions.help.txt C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_try_catch_finally.help.txt C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_If.help.txt C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_WMI_Cmdlets.help.txt C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\en-US\Licenses\_Default\HomeBasicN\license.rtf C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\it-IT\Licenses\_Default\Enterprise\license.rtf C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\es-ES\Licenses\OEM\StarterE\license.rtf C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\es-ES\Licenses\_Default\Starter\license.rtf C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Language_Keywords.help.txt C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\default.help.txt C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\es-ES\Licenses\_Default\EnterpriseE\license.rtf C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\wdi\perftrack\HealthCenterInstrumentation.ptxml C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_operators.help.txt C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_locations.help.txt C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_CommonParameters.help.txt C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hp6000at.vdf C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_PSSnapins.help.txt C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_scopes.help.txt C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Command_Syntax.help.txt C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\en-US\Licenses\eval\StarterN\license.rtf C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\fr-FR\Licenses\_Default\HomePremiumN\license.rtf C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\it-IT\Licenses\OEM\ProfessionalE\license.rtf C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_logical_operators.help.txt C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Quoting_Rules.help.txt C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\ja-JP\Licenses\_Default\UltimateN\license.rtf C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\wdi\perftrack\AltTab.ptxml C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\it-IT\Licenses\eval\HomeBasic\license.rtf C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\it-IT\Licenses\eval\Professional\license.rtf C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\ja-JP\Licenses\eval\HomePremium\license.rtf C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_debuggers.help.txt C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\es-ES\Licenses\eval\ProfessionalN\license.rtf C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\fr-FR\Licenses\OEM\HomePremiumE\license.rtf C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\fr-FR\Licenses\eval\ProfessionalN\license.rtf C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_format.ps1xml.help.txt C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\ja-JP\Licenses\eval\UltimateN\license.rtf C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_remote_FAQ.help.txt C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_wildcards.help.txt C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\en-US\lpeula.rtf C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\es-ES\Licenses\OEM\ProfessionalE\license.rtf C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Core_Commands.help.txt C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_functions_advanced_parameters.help.txt C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\ImportAllModules.psd1 C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Windows_PowerShell_2.0.help.txt C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_hash_tables.help.txt C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\de-DE\Licenses\eval\StarterE\license.rtf C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\fr-FR\Licenses\eval\EnterpriseN\license.rtf C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\WCN\ja-JP\Add_a_device_or_computer_to_a_network_usb.rtf C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Assignment_Operators.help.txt C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_pssession_details.help.txt C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp004.inf_amd64_neutral_53f688945cfc24cc\Amd64\hpb8500t.vdf C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\es-ES\Licenses\eval\UltimateE\license.rtf C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_scopes.help.txt C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Switch.help.txt C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Assignment_Operators.help.txt C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\HELP_TO_DECRYPT_YOUR_FILES.bmp" C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationUp_SelectionSubpicture.png C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ja.pak C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\drag.png C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-crescent_partly-cloudy.png C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierBackground.jpg C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsHomePageStyle.css C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\BriefcaseIcon.jpg C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\library.js C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\highDpiImageSwap.js C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\vi.txt C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-highlight.png C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\clock.js C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\css\settings.css C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\localizedSettings.css C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\localizedSettings.css C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Adobe.css C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DissolveAnother.png C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720_480shadow.png C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\css\localizedSettings.css C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_content-background.png C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\6.png C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe Root Certificate.cer C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\6.png C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\uk.pak C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\settings.css C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\js\cpu.js C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Lime.css C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_m.png C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotsdarkoverlay.png C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_ButtonGraphic.png C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport.png C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.theme.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\month.png C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\combo-hover-left.png C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\picturePuzzle.js C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\localizedSettings.css C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\settings.js C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macTSFrame.png C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\base-undocked-3.png C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\RSSFeeds.js C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\gradient.png C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_hail.png C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Blue_Gradient.jpg C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passportcover.png C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\clock.css C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\tile16.png C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.jpg C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\es-419.pak C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Maroon.css C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\flyoutBack.png C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-full_partly-cloudy.png C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push.png C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\weather.js C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\203x8subpicture.png C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToNotesBackground.wmv C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsScenesBackground_PAL.wmv C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\flight_recorder.png C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\css\settings.css C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\localizedStrings.js C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\corner.png C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\css\clock.css C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\timeZones.js C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_top_right.png C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\diagnostics\system\Power\fr-FR\RS_ResetIdleSleepsetting.psd1 C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-l..ultimaten.resources_31bf3856ad364e35_6.1.7601.17514_it-it_7a6c0813b0185bfc\license.rtf C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_methods.help.txt C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-wmpnss-service_31bf3856ad364e35_6.1.7601.17514_none_61acd141e5332baf\wmpnss_bw32.jpg C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-cpu_31bf3856ad364e35_6.1.7600.16385_none_a79a90daaf5bbeef\dialdot.png C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7601.17514_de-de_cc67729ee12fc75e\license.rtf C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_Variables.help.txt C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-l..essionale.resources_31bf3856ad364e35_6.1.7601.17514_it-it_02c858bf03c4047d\license.rtf C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_pipelines.help.txt C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_join.help.txt C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-e..rtingcore.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a56cb41c8b19254a\erofflps.txt C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\ehome\fr-FR\playReady_eula_oem.txt C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..iagnostic.resources_31bf3856ad364e35_6.1.7601.17514_es-es_c820003a29e54552\RS_PhishingFilter.psd1 C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1d72a0e2bb459532\about_logical_operators.help.txt C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_WS-Management_Cmdlets.help.txt C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-l..essionaln.resources_31bf3856ad364e35_6.1.7600.16385_de-de_18379b6ee50e8ead\license.rtf C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-l..essionale.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_789a038687e73e79\license.rtf C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_join.help.txt C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-l..ultimaten.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8ff8d5f6972fa091\license.rtf C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_remote_requirements.help.txt C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-g..zlegadget.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_d4f8a2f961a0e7e4\picturePuzzle.css C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-g..howgadget-insidebar_31bf3856ad364e35_6.1.7600.16385_none_a8d08d1343d8b261\slideshow_glass_frame.png C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-l..omebasicn.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ab03602b9d6cb924\license.rtf C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\diagnostics\system\Performance\fr-FR\CL_LocalizationData.psd1 C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\Web\Wallpaper\Architecture\img17.jpg C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-g..howgadget.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c9675951dd42e377\slideShow.css C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..iagnostic.resources_31bf3856ad364e35_6.1.7601.17514_de-de_a7b16680ef4ac882\RS_Resetpagesyncpolicy.psd1 C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_Signing.help.txt C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\diagnostics\system\PCW\es-ES\CL_LocalizationData.psd1 C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\diagnostics\system\Power\en-US\RS_AdjustScreenBrightness.psd1 C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-g..picturepuzzlegadget_31bf3856ad364e35_6.1.7600.16385_none_ce76f352fa54bd75\settings_box_divider_left.png C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\Backup\amd64_microsoft-windows-f..itmap-ms_sans_serif_31bf3856ad364e35_6.1.7600.16385_none_ac9f9e10add68c8b_ssee874.fon_594d8854 C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-w..ar-wizard.resources_31bf3856ad364e35_6.1.7600.16385_it-it_708779e3dcd5055c\Add_a_device_or_computer_to_a_network_usb.rtf C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-l..terprisen.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_906b5430848de670\license.rtf C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_requires.help.txt C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..iagnostic.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_83099b6ac05ef396\CL_LocalizationData.psd1 C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_data_sections.help.txt C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\about_Session_Configurations.help.txt C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\diagnostics\system\Power\en-US\RS_ResetIdleDiskTimeout.psd1 C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-w..coreinstrumentation_31bf3856ad364e35_6.1.7600.16385_none_519a5bdf88429b34\WpdCoreInstrumentation.ptxml C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_remote_troubleshooting.help.txt C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-l..-lpksetup.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_a1125f8395160405\lpeula.rtf C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-calendar_31bf3856ad364e35_6.1.7600.16385_none_6a1946701e0df451\calendar_double_bkg.png C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_3342e6899aa0557f\diner_dot.png C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_3342e6899aa0557f\trad_m.png C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..disc-style-vignette_31bf3856ad364e35_6.1.7600.16385_none_cc1304de922cc585\NavigationRight_SelectionSubpicture.png C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\default.help.txt C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-wmpnss-service_31bf3856ad364e35_6.1.7601.17514_none_61acd141e5332baf\wmpnss_color32.jpg C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\Manifests\x86_microsoft-windows-r..sisengine.resources_31bf3856ad364e35_6.1.7600.16385_it-it_e21b444aa158f1f7.manifest C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-g..ets-slideshowgadget_31bf3856ad364e35_6.1.7600.16385_none_253e8c58002c48e1\play_hov.png C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-gadgets-cpu.resources_31bf3856ad364e35_6.1.7600.16385_de-de_a479cd0719d5814b\cpu.js C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-gadgets-rssfeedsgadget_31bf3856ad364e35_6.1.7600.16385_none_ab6782291b0ca7be\rss_headline_glow_floating.png C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-l..ultimaten.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e73ca319a82aa327\license.rtf C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7601.17514_en-us_7cb9d6b0c095b208\license.rtf C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.17514_none_75d78dc0bb37c026\White_Chocolate.jpg C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\docked_black_moon-last-quarter.png C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_de-de_2867d8179890f1a8\currency.css C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-l..essionaln.resources_31bf3856ad364e35_6.1.7600.16385_it-it_4dd33a919e1787f7\license.rtf C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-l..homebasic.resources_31bf3856ad364e35_6.1.7601.17514_it-it_cb41e15d1e0fe8c0\license.rtf C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_f35f9773adf74c06\Garden.jpg C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..c-style-performance_31bf3856ad364e35_6.1.7600.16385_none_1d8aecb671a2bda5\redmenu.png C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_command_precedence.help.txt C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_Switch.help.txt C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_Foreach.help.txt C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\vssadmin.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\WallpaperStyle = "0" C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\TileWallpaper = "0" C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90b9be135836db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4C827E11-A24B-11EF-9D46-D6B302822781} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b13190000000002000000000010660000000100002000000046928c5b24df8e6df6a8646658311650827767bb200db8b554229dbb52be1284000000000e8000000002000020000000dcf841d3d9192f9793d48e0eeff60d48df6786477dd03cbb8ddf49b5752893d920000000d80aabd13c79f87ac8e6c5201449032373f58e53ca4dc5cd00646e87474f5236400000000bb292eee62d830a114105a654ee28cf38e573428e4a94be2125b00814ebbb369f907a935ada022ded8903605e2e42073f7ae7668ea96199f41634bead67bd36 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b131900000000020000000000106600000001000020000000039bd7dd4e1e161e7f27aef6d30b1a669e94796cabb210ae2a5b38b8a66477cb000000000e8000000002000020000000efac838b8e82c00028701fb7d2848f0806d139cf83e0eb59853d14d8631a44b490000000c6c422902e418b324c1ad070eb1a8e7ee1d83c092d4105fa27e52ac18684026c81d15576bf70c15eab10e7a257d6d645a96b12253564092a113df221863bd35e3313149d652c91af8d6cc9b2d0425b798923ad2e9e96f6997cae62eab3a10471212baa646b05a933be1277bd2cfe1a5faffe6ea897ad6d89c6ffb25bfd2f04dcd415d20d68512a2343742e86c69463f9400000002abfe29bd9c71570ed518691042775f7f038f1be6c74b052c3209a9d725dfd473f5e5c3bcdb31cbe12a3af463ff204b3ddec5867f7b1b5601ec2c89e2f5d4f83 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437724845" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2576 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe C:\Users\Admin\AppData\Roaming\kifyvva.exe
PID 2576 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe C:\Users\Admin\AppData\Roaming\kifyvva.exe
PID 2576 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe C:\Users\Admin\AppData\Roaming\kifyvva.exe
PID 2576 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe C:\Users\Admin\AppData\Roaming\kifyvva.exe
PID 2576 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe C:\Windows\SysWOW64\cmd.exe
PID 2568 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2568 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2568 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2568 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2568 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2568 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2568 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2568 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Roaming\kifyvva.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2256 wrote to memory of 1876 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2256 wrote to memory of 1876 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2256 wrote to memory of 1876 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2256 wrote to memory of 1876 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2256 wrote to memory of 2972 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2256 wrote to memory of 2972 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2256 wrote to memory of 2972 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2256 wrote to memory of 2972 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2256 wrote to memory of 2524 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2256 wrote to memory of 2524 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2256 wrote to memory of 2524 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2256 wrote to memory of 2524 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2256 wrote to memory of 2260 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2256 wrote to memory of 2260 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2256 wrote to memory of 2260 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2256 wrote to memory of 2260 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2256 wrote to memory of 1172 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2256 wrote to memory of 1172 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2256 wrote to memory of 1172 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2256 wrote to memory of 1172 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2256 wrote to memory of 940 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2256 wrote to memory of 940 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2256 wrote to memory of 940 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2256 wrote to memory of 940 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2256 wrote to memory of 2800 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2256 wrote to memory of 2800 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2256 wrote to memory of 2800 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2256 wrote to memory of 2800 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2256 wrote to memory of 2416 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2256 wrote to memory of 2416 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2256 wrote to memory of 2416 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2256 wrote to memory of 2416 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2256 wrote to memory of 3012 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2256 wrote to memory of 3012 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2256 wrote to memory of 3012 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2256 wrote to memory of 3012 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe

"C:\Users\Admin\AppData\Local\Temp\3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe"

C:\Users\Admin\AppData\Roaming\kifyvva.exe

C:\Users\Admin\AppData\Roaming\kifyvva.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\3372C1~1.EXE >> NUL

C:\Windows\SysWOW64\vssadmin.exe

vssadmin delete shadows /all

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Roaming\log.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2256 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2256 CREDAT:275463 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2256 CREDAT:275472 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2256 CREDAT:472075 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2256 CREDAT:3552279 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2256 CREDAT:3159056 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2256 CREDAT:3159076 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2256 CREDAT:996382 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2256 CREDAT:2831395 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 7tno4hib47vlep5o.tor2web.org udp
AU 103.198.0.111:443 7tno4hib47vlep5o.tor2web.org tcp
US 8.8.8.8:53 7tno4hib47vlep5o.tor2web.blutmagie.de udp
US 8.8.8.8:53 7tno4hib47vlep5o.tor2web.fi udp
AU 103.198.0.111:443 7tno4hib47vlep5o.tor2web.org tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

\Users\Admin\AppData\Roaming\kifyvva.exe

MD5 209a288c68207d57e0ce6e60ebf60729
SHA1 e654d39cd13414b5151e8cf0d8f5b166dddd45cb
SHA256 3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370
SHA512 ce4a7e42738154183fc53702f0841dfd4ad1eb0567b13cc1ff0909f1d330e9cd2fb994375efc6f02e7eddaaae1f465ff93458412143266afdaff1c6bf6477fc3

C:\Users\Admin\AppData\Roaming\log.html

MD5 c5dec7cba3faf35f20af2330cc7363ef
SHA1 d8dc879ece2815b7fc88b50ee985c557f232ef6f
SHA256 21c06ccbfc7c9384adb210c41ad198873551e2579280272bdacf7ccdf29d3371
SHA512 507abd729fe93baefa85753ae817eaabe6178e6c032a3b4650ecc9963fe0856ce0013aecf685735bff93ad964df54de5da03782fdbdb5f7837c7c04da9ecfb23

C:\Users\Admin\AppData\Roaming\log.html

MD5 415d5e8d2195ac80b8717205ba32f687
SHA1 2981fd9e353b1ca5adbf3b30c596e06682b728eb
SHA256 d828551b3944600d9f79b98f870313bdd8cf74fbbf390d9b3ddc35cb4181eca7
SHA512 ceaf9ae082b0cb83c59374b8f5ca5d6f30e3e4fdbb14fe70e10528b8e613ac010ec4fe9fde165b68dd61e5f568e260f1b08c11b23f46919fdd5c63862351b4bb

C:\Users\Admin\AppData\Local\Temp\CabCBD9.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarCD15.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0819cfa3fb4f3455d1c0578061b73fa2
SHA1 47edfcf0a21ba7ebb3956e30a2750894b0d1f9c7
SHA256 c59801e3ae61d1087c3d212820dbc38353be8f09e2f619e3dd7fefe1c8b9bf24
SHA512 fdb65f559b12e430e4c608d4cd26bffc593042173c253f45994664a68e98cf9779a7aad8f5b4f1c47ad099e8e891c59125b9388f338ae814ac010efae3bb3775

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 60ccd0b5dc0fbb6de5715b3e41965ac5
SHA1 dc84adb6b70c112a2edc68732c44b3232251265f
SHA256 e64c946d29e93d22c02f26e44383c73c0693253c1ace95f7ad8e35fb1cd739ab
SHA512 aede0b065c289a4a8c3ea6b7a2dbe2fa1412c54b44311846cedb4cafb3bc21770d96186b8d6fbaa4159db84870792737cd81075b10c941c7ba8c19e1f576e24e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 020dc77ce9f10056917f2f7de2cd3c20
SHA1 5bf59b9970d3918ee92aa1a21098afa41d3f14f8
SHA256 fee718ce4e8bc56e7375d5353fb0ff6ae3f5c2ff77f4bde77fc4bf9aaf656511
SHA512 7bc876a4a0fc107fc061be66ed6616b058ea250f48498426626a5d148d06801f22d55c6720ebd936da3093d606a2e1189d4aa8b63f1a4ea8dbaa373af2c16cef

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 827d971cd9cf1e4e5f7bc02391cb9c63
SHA1 5f0fbbfe4e6c01a4059135b16c44161544805b06
SHA256 a65464ee6e9c2fe7f72e85793d8102e50cc626eb8b381922ad036ac30e64159f
SHA512 267d3ff4ab5c545a27052cdc835916987b4a501f61374427923f23686cd5d7155954ead4ab33973dfce78a9de6748ef86aa5417b8b0278c908707428c5291527

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e74ee57d09ff480d63632fdbede3bf38
SHA1 2620fc49a37ac66e69c16fab97ac336924aaa31c
SHA256 e05c28efab9e1671c01aab9b6fe9ce84881e26bfcc4582d509231fbb3652e242
SHA512 c42603503da572a92d187f720e20d2724fd0752da53d5492f8ca0cb74db1104a83a5889b5c6fce416f4d53795be7797eed669b4345171ff6691c0f0b555a1eb4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1966f40573392927f8a4ba8aefc042cd
SHA1 3a0a148871161aa8124d788a259207903582b9b1
SHA256 eb237694bc5fbd3b33494da18b7db98e0098ac3c050e57a827176117e05d75de
SHA512 8c2d78718a3380b4b59a7a2407b58d6d8e908d4db01b082baf44ac486b510d78eba6a496adbc83278f46048078bde44a233c9ba1b80c8682b54d9036aeffa673

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fb26b916eb3a3c0eebb0cbf72ee313a1
SHA1 b8ae9810563b80bc680f5e43eb690543bab5986f
SHA256 fe42de7890daf4e40db1e92428bc7e1ca3345725a73764e76a94642f94399bf0
SHA512 e29f5da168296905347e02cf34aaf8edefb2f08b47c63d1063ea28359a57b24b3abf7d4931df21efc0442ae0d690b46f75cf0d3a931d2d0d4d587933400b5a2c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 32f7b5ad8f0c474ef00671bb2c9bb241
SHA1 3fb9b6be5845f315807903a8595aba45b791591b
SHA256 ee6888672be8fa1376f8b7020a455448a63510032aeb377d0fc0c5409fac04f6
SHA512 007fcbd066b7e06c08d923832f91819485130cf9e2918cd27c5e36f35365a7a60875e459f1fc1a655035c846f5298f79ec37f9c9b4cd02bcb276a7117e431bfd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 49811d3f0b0605d98479f5d1e561b039
SHA1 7cfe7320c5633629c80112037d56442500db15a8
SHA256 69c84aef7bb20c3bfcebfc98da93059da49af1967c87079d7415132676b7a9ba
SHA512 d9c37a1198344d98f07ee2f24435314c6b4af8d38ac09c865d0be786566605b474d049bcdcbc141217ed08d167d3fe4cf26a7f35637bb483eb0f338cc7c206f9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d2b58f8226a902fb7ed1586fec36a9c0
SHA1 e383172ca82130b3dd10bf2c632c3657ba911a97
SHA256 2b5ea2c12653ae7fb742b55381de1fdabc765940a89518943f4fe07998985812
SHA512 58d5e4321c65c79341a00298ebe679c051e9c52789025a4b75eebff2469510171ec8f1e2423936df8d8a0ecd8bd5974b33ed25d81f36f980499440f6c9e57088

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6f8a67e3d2da1e54941ecff70a72c97b
SHA1 f7fc5d6070907047188e2e88bc4009a2ff268b22
SHA256 4c0513e76178ae48cb2dfd49fef4596985665f6975957e58ec30353ceaa9204d
SHA512 530dd158e77a9d46d45d17b6dd593ea4f96ec5513a5ffc31ed28a85f2115747dcbbfae5088e248d831ce834de5743c6f56c4106344202931d75940048f4efe03

C:\Users\Admin\AppData\Roaming\log.html

MD5 a0013763f961d6b0426111aa6a5b05d0
SHA1 e93c2126663767885c1b11415af7bd48c82f8f00
SHA256 5297a69814f67723342e3c51915e76761dd10cbea620ee0ddc2801d096313393
SHA512 1ad26a2813469a41df7f429579051bccd26dea7fb636cb1e442d525804aa01ab09661b37dba13226302089a00572711c8b2e91b5abd5db3dbe0197511923806e

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\dnserror[1]

MD5 73c70b34b5f8f158d38a94b9d7766515
SHA1 e9eaa065bd6585a1b176e13615fd7e6ef96230a9
SHA256 3ebd34328a4386b4eba1f3d5f1252e7bd13744a6918720735020b4689c13fcf4
SHA512 927dcd4a8cfdeb0f970cb4ee3f059168b37e1e4e04733ed3356f77ca0448d2145e1abdd4f7ce1c6ca23c1e3676056894625b17987cc56c84c78e73f60e08fc0d

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NT668XG4\NewErrorPageTemplate[1]

MD5 cdf81e591d9cbfb47a7f97a2bcdb70b9
SHA1 8f12010dfaacdecad77b70a3e781c707cf328496
SHA256 204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd
SHA512 977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BCOPU31\errorPageStrings[1]

MD5 e3e4a98353f119b80b323302f26b78fa
SHA1 20ee35a370cdd3a8a7d04b506410300fd0a6a864
SHA256 9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66
SHA512 d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8P9TO0C6\httpErrorPagesScripts[1]

MD5 3f57b781cb3ef114dd0b665151571b7b
SHA1 ce6a63f996df3a1cccb81720e21204b825e0238c
SHA256 46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad
SHA512 8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

C:\Users\Admin\AppData\Roaming\log.html

MD5 aff820b331f335a8fe146f4e29b1b773
SHA1 c75c4323d3458b416ad7e57c1d09e159dccb1560
SHA256 acbd94697846d032afa51fede69cb73ac3e0f9636640df505a228a32f13a871a
SHA512 84f6d24282ac13a6fff908a81345a664b019edf08e34fca41bfade5bbd36bd243b1fd6e143dded6c4007a66ed141c1b071b297c116ebba8a86cd4ef2ae0d3b7f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 297a0836fef44ee60054b15adc56e048
SHA1 5f7521727bb1bd685c748558f8f138c837e19f31
SHA256 bf7bd9f02e34d453c4c414b84fab15d4e3df370ee40f5cf8a37d94f2587afd25
SHA512 c4be7f3ad71f502e4c106025046c9aad26b78e4ccab9490d83a4210f2c66fcdf12e88d793a8904c8e734c098aa7f62219d191aaca794ed60672b0252e809b494

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9615d7b41ba44757263b0a8d8881234e
SHA1 474c6a1b98bc161c1b4c273ecde828906d4992d6
SHA256 ab94531baff4171658b97340ad509843510fcca6602ee10a2237d05dab8a44c2
SHA512 dd54ca8563f45e54bf89372e693fd656b01d66148229e321f81e5a4758a6a08f5cc9a2eea2b844186a887ead1aff7593fc392322c267173744a5b8d297f0f09a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4ebf34eaa8b58b5ab9bc494a693179da
SHA1 7e44251e2482041876fe631418ab25f602e2bfb9
SHA256 625aef39792e0262adbee5eca606e2cd4d92a50ad27e55fc159b68d2175337de
SHA512 972ea60ceca1a76327540e70a36e745f8b623f048975de058bdb7a1274644eccb71c5ac9e52b45db17fc24180380100e7f5ea3da096dd6b90572817cf3d05de9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 859a0cff4275e41014e045006a944dd5
SHA1 60bb60b4c8fb6d966b281f452b88060d0ad61cac
SHA256 0df4c044fe016b58e9d41f947a2472ed7b54ab8944066ccd9369ba9161175c49
SHA512 7802785dcc428bc75b99dc4d3cf7bb7e28ee4ffbdaa9c262fe8f5e948ac0923c0b8e6b33b48b9e1a8398f787368b2593520bbd1e2e759a937fd9ae76e63eed42

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2d387795ff4709b0db99c9c0cf6e39df
SHA1 19a9b3e7504447daff4bddc9ca15be56e158c1e6
SHA256 a77630a905afb58d145cd8d82e09aad5234d3875d591ffe60f1fd64a0d1c03e5
SHA512 a1e3d5e4c3dd87d2d78ea43728558ab474cd2e0c9c8bf7988f99db4064ee293a9e725b6b9e5faa8f8105249da9ed110b24ec68c834b9b573fd5f7caaec6db1ce

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 934e62347a4174d71e1fb6983264da70
SHA1 3bcc8c2739c4bf55d0b6ec395991ae7f9320a4b5
SHA256 ac0c73f28079b5bdce6abaec2718136767d65b22f629023c2965ae7b693c9cf6
SHA512 42c8a35ca69e399db3563ce0a67066fa170edfff101617a39e82059de86ada10f8679d501d90bca57e197deeb764104c216ceeaab5a8585abd970419a2ad24db

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 803a82b6c7dd89fc63c1ee57b7aabc51
SHA1 7ae5fcd772d9abd80c51ddd42d511577d835a85d
SHA256 cd9d155508135b4c1c5f542a6884d29c64cf3c4267b1fa34d7b84311ab6ab0d6
SHA512 3d6c4fcbe944ff68f2126008c22ac234ab304be1d6d1aa160bcd10390d96a50034bd100eec594d90e79aa77227c65596585047486eb8827eaae2ea6907eac7b6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9fb0f59d0ef9ba51078cce2a0023f963
SHA1 ed2d23d28d21fa0acd02324a06f4cc8802f0a49b
SHA256 b565acf191579a324a03ece53c484f2a86565df26e96df49ff65a8454e6079b3
SHA512 f3602daa9723d1723e98ce009189982cf404a19a514983193fe0fd17411d043e593736e0dae6c59708ee3cc43a2d54828a44dd0b566a5aa22a7f883dc85968f0

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-14 05:42

Reported

2024-11-14 05:44

Platform

win11-20241023-en

Max time kernel

91s

Max time network

82s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe"

Signatures

Renames multiple (4011) files with added filename extension

ransomware

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Run\crypto13 = "C:\\Users\\Admin\\AppData\\Roaming\\ysljjud.exe" C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A

Indicator Removal: File Deletion

defense_evasion

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\default.help.txt C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RegistryResource\es-ES\MSFT_RegistryResource.strings.psd1 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\es-ES\lipeula.rtf C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\fr-FR\Licenses\OEM\Professional\license.rtf C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppLocker\AppLocker.psd1 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AssignedAccess\fr-FR\AssignedAccessMsg.psd1 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetLbfo\NetLbfo.psd1 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ProcessResource\ja-JP\MSFT_ProcessResource.strings.psd1 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_GroupResource\it-IT\MSFT_GroupResource.strings.psd1 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WindowsOptionalFeature\fr-FR\MSFT_WindowsOptionalFeature.strings.psd1 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\ServiceSet\ServiceSet.psd1 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AssignedAccess\de-DE\AssignedAccessMsg.psd1 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\ja-JP\TestDtc.psd1 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\de-DE\PSDesiredStateConfiguration.Resource.psd1 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_EnvironmentResource\en-US\MSFT_EnvironmentResource.strings.psd1 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_EnvironmentResource\ja-JP\MSFT_EnvironmentResource.strings.psd1 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SecureBoot\SecureBoot.psd1 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\@VpnToastIcon.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\iSCSI\iSCSI.psd1 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetEventPacketCapture\NetEventPacketCapture.psd1 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_GroupResource\uk-UA\MSFT_GroupResource.strings.psd1 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\fr-FR\lpeula.rtf C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\it-IT\Microsoft.PowerShell.ODataUtilsStrings.psd1 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetAdapter\NetAdapter.psd1 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\GroupSet\GroupSet.psd1 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RegistryResource\uk-UA\MSFT_RegistryResource.strings.psd1 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\Licenses\neutral\_Default\Professional\de-license.rtf C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.xls C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\ISE\ise.psd1 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\en-US\Licenses\OEM\Professional\license.rtf C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\default.help.txt C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AssignedAccess\es-ES\AssignedAccessMsg.psd1 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\it-IT\TestDtc.psd1 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetTCPIP\NetTCPIP.psd1 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\fr-FR\RunAsHelper.strings.psd1 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\de-DE\Licenses\OEM\Professional\license.rtf C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\en-US\Licenses\Volume\Professional\license.rtf C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\en-US\lpeula.rtf C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\fr-FR\Licenses\Volume\Professional\license.rtf C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetSwitchTeam\NetSwitchTeam.psd1 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\System32\LogFiles\WMI\Diagtrack-Listener.etl.001 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RegistryResource\en-US\MSFT_RegistryResource.strings.psd1 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\default.help.txt C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_UserResource\fr-FR\MSFT_UserResource.strings.psd1 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AssignedAccess\uk-UA\AssignedAccessMsg.psd1 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\EventTracingManagement\EventTracingManagement.psd1 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Security\Microsoft.PowerShell.Security.psd1 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetNat\NetNat.psd1 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCClassResources\WindowsPackageCab\ja-JP\WindowsPackageCab.Strings.psd1 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RoleResource\de-DE\MSFT_RoleResourceStrings.psd1 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\en-US\Licenses\_Default\Professional\license.rtf C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AssignedAccess\it-IT\AssignedAccessMsg.psd1 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\ja-JP\BitLocker.psd1 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_EnvironmentResource\de-DE\MSFT_EnvironmentResource.strings.psd1 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_EnvironmentResource\es-ES\MSFT_EnvironmentResource.strings.psd1 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\WebDownloadManager.psd1 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\de-DE\ArchiveResources.psd1 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_GroupResource\en-US\MSFT_GroupResource.strings.psd1 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\VMDirectStorage\VMDirectStorage.psd1 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SysWOW64\uk-UA\lipeula.rtf C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\HELP_TO_DECRYPT_YOUR_FILES.bmp" C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\WeatherAppList.targetsize-32_altform-lightunplated_contrast-black.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Assets\contrast-white\GetHelpLargeTile.scale-200_contrast-white.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\Square44x44Logo.scale-200_contrast-white.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\lib\motion\FluentMotion.js C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib\selection\Selection.types.js C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\Configuration\card_expiration_terms_dict.txt C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PaintAppList.targetsize-48.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\1851_24x24x32.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\Locales\devtools\es.pak C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\components\DocumentCard\DocumentCard.base.js C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\lib-amd\FluentTheme.js C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\NewsAppList.targetsize-30_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_x64__8wekyb3d8bbwe\Win10\contrast-black\MicrosoftSolitaireAppList.targetsize-36_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-16_contrast-white.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_4.0.2.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Icons\StickyNotesSmallTile.scale-100_contrast-white.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\PeopleLargeTile.scale-100.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\Nav.js C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\export.svg C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pt-br\ui-strings.js C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ScreenSketch_11.2104.2.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\SnipSketchLargeTile.scale-125.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_2.2106.2807.0_x64__8wekyb3d8bbwe\Assets\Store\Wide310x150Logo.scale-400.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_10.2.41172.0_x64__8wekyb3d8bbwe\Assets\TipsAppList.targetsize-30_altform-lightunplated_contrast-white.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-48.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\PeopleAppList.targetsize-16_altform-lightunplated.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-amd\object.js C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\sl.txt C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\AugLoop\bundle.js C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-80_contrast-white.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-96_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailBadge.scale-150.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_x64__8wekyb3d8bbwe\Assets\AppTiles\MapsAppList.targetsize-36.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreStoreLogo.scale-200.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\DatePicker.js C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_2.2106.2807.0_x64__8wekyb3d8bbwe\Assets\Store\SplashScreen.scale-200_contrast-white.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-36_contrast-white.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\AppCS\Assets\FirstTimeUse.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\Assets\FeedbackHubAppList.targetsize-36_altform-lightunplated.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-80_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected] C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-256_altform-unplated.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_12008.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreSplashScreen.scale-200_altform-colorful_theme-dark.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-80_contrast-black.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarSmallTile.scale-125.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreAppList.targetsize-30.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\ResiliencyLinks\Locales\en-US.pak.DATA C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\ResiliencyLinks\Locales\devtools\ru.pak.DATA C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-80_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsMedTile.scale-200_contrast-black.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GamesXboxHubSplashScreen.scale-100.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ar-ae\ui-strings.js C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fullscreen-press.svg C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\GetHelpStoreLogo.scale-100_contrast-black.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-48_contrast-black.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxA-GoogleCloudCache.scale-150.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-black\OrientationControlCone.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\merge-styles\lib-amd\concatStyleSetsWithProps.js C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\theme-2x.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-96_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2104.12721.0_neutral_split.scale-125_8wekyb3d8bbwe\Images\splashscreen.scale-125_altform-colorful_theme-dark.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-200_contrast-white.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\FeedbackHubStoreLogo.scale-100.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreAppList.targetsize-64_altform-unplated.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\ResiliencyLinks\Locales\kok.pak.DATA C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.22000.176_none_fded9bd0d2f09976\hololensDiagnostics-vm.js C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.22000.120_none_8faca973dc064b74\NarratorWideTile.scale-400_contrast-white.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..iagnostic.resources_31bf3856ad364e35_10.0.22000.1_es-es_81eb1cc7d8be7772\RS_ResetDisplayIdleTimeout.psd1 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.493_none_81cdab704eaad423\Assets\GetStartedAppList.targetsize-24_altform-unplated.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft.packagema..agesource.resources_31bf3856ad364e35_10.0.22000.1_uk-ua_e2e108395fff8956\MSFT_PackageManagementSource.strings.psd1 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-p..iagnostic.resources_31bf3856ad364e35_10.0.22000.120_pl-pl_26899efcc7265be0\f\RS_Balanced.psd1 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft.security...gement.policyengine_31bf3856ad364e35_10.0.22000.1_none_8dcd4f75280fb792\AppLocker.psd1 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-l..oem-coren.resources_31bf3856ad364e35_10.0.22000.493_pl-pl_290c927de5ea0ea6\f\license.rtf C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.493_none_81cdab704eaad423\f\StartMenu\Assets\FileIcons\32\sysfile.svg C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..nt-browser.appxmain_31bf3856ad364e35_10.0.22000.120_none_f759261c81fa2ed8\SplashScreen.contrast-white_scale-400.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.22000.493_sk-sk_d77d8e32816e6c92\f\license.rtf C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\js\autopilot\devicesetupcategoryviewmodel.js C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorWideTile.scale-400_contrast-black.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\FileExplorerExtensions\Assets\images\contrast-standard\theme-light\windows.recyclebin.empty.svg C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-u..monotificationuxexe_31bf3856ad364e35_10.0.22000.282_none_618940d4a376d501\RestartTonight_80_contrast-white.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.493_none_81cdab704eaad423\r\webapps\guidedsetup\network\area-content\kn-IN\area-content.local.json C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-t..torserver.resources_31bf3856ad364e35_10.0.22000.1_en-us_10b767ef1f47f334.manifest C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Images\security_watermark.jpg C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-l..ume-coren.resources_31bf3856ad364e35_10.0.22000.493_en-us_0300e1106fa1c9f2\f\license.rtf C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\js\localAccount.js C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\Assets\SquareTile71x71.scale-100.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Assets\contrast-white\GetStartedLargeTile.scale-400_contrast-white.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Cortana.UI\Assets\Icons\AppListIcon.targetsize-80.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.22000.176_none_fded9bd0d2f09976\retailDemoShared.js C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-onecore-ras-base-vpn_31bf3856ad364e35_10.0.22000.1_none_72a0f22ae2efe1c9\@VpnToastIcon.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.493_none_81cdab704eaad423\f\Cortana.UI\Assets\Icons\SmallTile.scale-400.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\Assets\Splashscreen.scale-100.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\js\oobeautopilotactivation-vm.js C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\PrintDialog\Assets\splashscreen.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorAppList.targetsize-36_contrast-black.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorWideTile.scale-400.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-i..ntrolpanel.appxmain_31bf3856ad364e35_10.0.22000.469_none_160103e31c4d8d88\logo.targetsize-60.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.22000.120_none_bb415867ae85d51c\CssUtilities.js C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_systemresource-wind..-ui-accountscontrol_31bf3856ad364e35_10.0.22000.1_none_28587f5d588ad881\Generic.Theme-Light_Scale-400.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.493_none_81cdab704eaad423\f\Cortana.UI\Assets\dismiss.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.318_none_82292a5c4e657627\n\FileExplorerExtensions\Assets\images\contrast-standard\theme-light\windows.searchclosetab.svg C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.22000.176_none_fded9bd0d2f09976\activity-sync-consent.svg C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-p..riencehost.appxmain_31bf3856ad364e35_10.0.22000.120_none_dd24c7cd1fc6d4b1\PeopleLogo.targetsize-16_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..nt-browser.appxmain_31bf3856ad364e35_10.0.22000.120_none_f759261c81fa2ed8\Square44x44Logo.contrast-black_scale-100.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.318_none_82292a5c4e657627\r\Public\wsxpacks\Account\assets\__\lib-localization\dist\resources\az-Latn-AZ.json C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft.powershel..resources.resources_31bf3856ad364e35_10.0.22000.1_it-it_6f0ece72b17b880a\MSFT_ServiceResource.strings.psd1 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\contrast-black\AppListIcon.targetsize-256_altform-unplated.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.22000.176_none_fded9bd0d2f09976\oobelanguage-vm.js C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-ui-shell-component_31bf3856ad364e35_10.0.22000.1_none_a3e51f070f511641\RequestedDownloadsCloudIcon.contrast-white_scale-150.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.318_none_82292a5c4e657627\FileExplorerExtensions\Assets\images\contrast-standard\theme-light\windows.newfolder.svg C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\WinSxS\Manifests\amd64_system.runtime.serialization.json_b03f5f7f11d50a3a_4.0.15806.0_none_f74ad672311b8041.manifest C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft-windows-mccs-syncutil_31bf3856ad364e35_10.0.22000.1_none_271f7818dc552a47\LiveDomainList.txt C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\diagnostics\system\Power\fr-FR\RS_Balanced.psd1 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.318_none_82292a5c4e657627\css\oobe-light.css C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.318_none_82292a5c4e657627\Public\wsxpacks\Account\assets\__\lib-localization\dist\resources\sr-Latn-RS.json C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.493_none_81cdab704eaad423\Cortana.UI\Assets\Icons\AppListIcon.scale-100.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\memoryAnalyzer\images\status_heap_increase.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.22000.120_none_bb415867ae85d51c\MessageOverlayControl.css C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.22000.176_none_fded9bd0d2f09976\f\resources.js C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.22000.176_none_fded9bd0d2f09976\localNgc.js C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.318_none_82292a5c4e657627\FileExplorerExtensions\Assets\images\contrast-standard\theme-dark\windows.unpinfromstartscreen.svg C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-p..iagnostic.resources_31bf3856ad364e35_10.0.22000.120_ru-ru_70626ad0aa00edcc\f\RS_Balanced.psd1 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Ratings\RatingStars42.contrast-white_scale-200.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-t..honyinteractiveuser_31bf3856ad364e35_10.0.22000.1_none_1e7f12b35c10d87a\TextReply.scale-150.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\WinSxS\wow64_microsoft.powershell.dsc.resources_31bf3856ad364e35_10.0.22000.1_de-de_7bb95fa12dc9f6c5\PSDesiredStateConfiguration.Resource.psd1 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\Cursors\link.svg C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\diagnostics\system\IEBrowseWeb\es-ES\RS_RestoreIEconnection.psd1 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-k..iagnostic.resources_31bf3856ad364e35_10.0.22000.1_es-es_1e98d7dbbca7bad2\CL_LocalizationData.psd1 C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.22000.120_none_bb415867ae85d51c\serviceworkericon.png C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Control Panel\Desktop\WallpaperStyle = "0" C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Control Panel\Desktop\TileWallpaper = "0" C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5072 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe C:\Users\Admin\AppData\Roaming\ysljjud.exe
PID 5072 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe C:\Users\Admin\AppData\Roaming\ysljjud.exe
PID 5072 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe C:\Users\Admin\AppData\Roaming\ysljjud.exe
PID 5072 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe C:\Windows\SysWOW64\cmd.exe
PID 5072 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe C:\Windows\SysWOW64\cmd.exe
PID 5072 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe C:\Windows\SysWOW64\cmd.exe
PID 3652 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3652 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Roaming\ysljjud.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4688 wrote to memory of 2108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4688 wrote to memory of 2108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4688 wrote to memory of 4104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4688 wrote to memory of 4104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4688 wrote to memory of 4104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4688 wrote to memory of 4104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4688 wrote to memory of 4104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4688 wrote to memory of 4104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4688 wrote to memory of 4104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4688 wrote to memory of 4104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4688 wrote to memory of 4104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4688 wrote to memory of 4104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4688 wrote to memory of 4104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4688 wrote to memory of 4104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4688 wrote to memory of 4104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4688 wrote to memory of 4104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4688 wrote to memory of 4104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4688 wrote to memory of 4104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4688 wrote to memory of 4104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4688 wrote to memory of 4104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4688 wrote to memory of 4104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4688 wrote to memory of 4104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4688 wrote to memory of 4104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4688 wrote to memory of 4104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4688 wrote to memory of 4104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4688 wrote to memory of 4104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4688 wrote to memory of 4104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4688 wrote to memory of 4104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4688 wrote to memory of 4104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4688 wrote to memory of 4104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4688 wrote to memory of 4104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4688 wrote to memory of 4104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4688 wrote to memory of 4104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4688 wrote to memory of 4104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4688 wrote to memory of 4104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4688 wrote to memory of 4104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4688 wrote to memory of 4104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4688 wrote to memory of 4104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4688 wrote to memory of 4104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4688 wrote to memory of 4104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4688 wrote to memory of 4104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4688 wrote to memory of 4104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4688 wrote to memory of 3672 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4688 wrote to memory of 3672 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4688 wrote to memory of 2692 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4688 wrote to memory of 2692 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4688 wrote to memory of 2692 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4688 wrote to memory of 2692 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4688 wrote to memory of 2692 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4688 wrote to memory of 2692 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4688 wrote to memory of 2692 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4688 wrote to memory of 2692 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4688 wrote to memory of 2692 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4688 wrote to memory of 2692 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4688 wrote to memory of 2692 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4688 wrote to memory of 2692 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe

"C:\Users\Admin\AppData\Local\Temp\3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe"

C:\Users\Admin\AppData\Roaming\ysljjud.exe

C:\Users\Admin\AppData\Roaming\ysljjud.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\3372C1~1.EXE >> NUL

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\log.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffab87c3cb8,0x7ffab87c3cc8,0x7ffab87c3cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,10699202771409224673,4997843485074418560,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,10699202771409224673,4997843485074418560,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1932,10699202771409224673,4997843485074418560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10699202771409224673,4997843485074418560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3136 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10699202771409224673,4997843485074418560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3144 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10699202771409224673,4997843485074418560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3784 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\log.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffab87c3cb8,0x7ffab87c3cc8,0x7ffab87c3cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10699202771409224673,4997843485074418560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1932,10699202771409224673,4997843485074418560,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3904 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1932,10699202771409224673,4997843485074418560,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5568 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\log.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffab87c3cb8,0x7ffab87c3cc8,0x7ffab87c3cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10699202771409224673,4997843485074418560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10699202771409224673,4997843485074418560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10699202771409224673,4997843485074418560,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10699202771409224673,4997843485074418560,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\log.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffab87c3cb8,0x7ffab87c3cc8,0x7ffab87c3cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10699202771409224673,4997843485074418560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\log.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffab87c3cb8,0x7ffab87c3cc8,0x7ffab87c3cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10699202771409224673,4997843485074418560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\log.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffab87c3cb8,0x7ffab87c3cc8,0x7ffab87c3cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10699202771409224673,4997843485074418560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 7tno4hib47vlep5o.tor2web.org udp
AU 103.198.0.111:443 7tno4hib47vlep5o.tor2web.org tcp
GB 51.140.242.104:443 nav.smartscreen.microsoft.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.242.140.51.in-addr.arpa udp
US 8.8.8.8:53 203.197.79.204.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
AU 103.198.0.111:443 7tno4hib47vlep5o.tor2web.org tcp
N/A 52.111.227.14:443 tcp

Files

C:\Users\Admin\AppData\Roaming\ysljjud.exe

MD5 209a288c68207d57e0ce6e60ebf60729
SHA1 e654d39cd13414b5151e8cf0d8f5b166dddd45cb
SHA256 3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370
SHA512 ce4a7e42738154183fc53702f0841dfd4ad1eb0567b13cc1ff0909f1d330e9cd2fb994375efc6f02e7eddaaae1f465ff93458412143266afdaff1c6bf6477fc3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 7bed1eca5620a49f52232fd55246d09a
SHA1 e429d9d401099a1917a6fb31ab2cf65fcee22030
SHA256 49c484f08c5e22ee6bec6d23681b26b0426ee37b54020f823a2908ab7d0d805e
SHA512 afc8f0b5b95d593f863ad32186d1af4ca333710bcfba86416800e79528616e7b15f8813a20c2cfa9d13688c151bf8c85db454a9eb5c956d6e49db84b4b222ee8

\??\pipe\LOCAL\crashpad_4688_PASGRGAINHOKCQXV

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 5431d6602455a6db6e087223dd47f600
SHA1 27255756dfecd4e0afe4f1185e7708a3d07dea6e
SHA256 7502d9453168c86631fb40ec90567bf80404615d387afc7ec2beb7a075bcc763
SHA512 868f6dcf32ef80459f3ea122b0d2c79191193b5885c86934a97bfec7e64250e10c23e4d00f34c6c2387a04a15f3f266af96e571bbe37077fb374d6d30f35b829

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 324d3a5e9b6ca20f0d648da739cac6dd
SHA1 a220328f6c759922b327de62495422cb230112e7
SHA256 41bd5a57fb310879724daa61b0ccbb7fbbbf1123f35e67b9a4018c6539b64070
SHA512 53d6cc8a22589ddf65a09516541801a2263bba7c5127024e3d12d32ef0f35cfcd3399e238c262c39a44a678dd202343b6942932099d9957c97d0bc606d7cc1ac

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 6a0e555f481402da2ea170967e86dedb
SHA1 354450cde633e8ced8f2c24ee0a20f8e2c498164
SHA256 5afe4da6cb737b8b801808ad1db07b954d7b14a4e6704e9907a368b73ce31586
SHA512 85ce75a7474c8139f42381192a2f32d7ca1d5dc3a30a1e4d26a79b5f934048a5f4ec912d0b3b0ba8775453cb198a30d7680643ad1bce8d20c6a8ace69e3d8d2e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 1a2e3e0c08197b14173ed434408cac25
SHA1 2bcd0fea7ff30a47d90b98d52bc2d88d56033e2d
SHA256 9d4dee4f2db8e5f1fd656edf4cfe1ff9d924b5c338ef215df661600dd90d4ec6
SHA512 9c2dbe33808cf54e0c5c3a231842497d8545ff1925906a524d1101dcce7b6541388d40cbcea4325f7ef01aba2eeea01b3b8d3240af737015eee016bd59bc3ccb

C:\Users\Admin\AppData\Roaming\log.html

MD5 d98c17cfbf569ddbced6c9f7d0c6c934
SHA1 0894197ca41a71fa1802965cfb6135088a22e878
SHA256 0b95871daa7a4f6501ab6898e35344bba32bc54596578ca83b988ed90db12d71
SHA512 4a9d307eccd6d9cdfa29c792237e9e399692f44bd2782f95b5d7eb020516dbe92337725bca070f65c905a5ccb9ba2baa29d332cada6e60a55b29ee283a70e6ce

C:\Users\Admin\AppData\Roaming\log.html

MD5 f5b185e17f68b1548785e3eaa701ba2c
SHA1 d9488a71ea2d313e24566ec6124c52d4c30d70dd
SHA256 9935cb1963a5176d565de059566170d98c3d0d60bbf7f26d0e31e30fea83376e
SHA512 21657feafe384ce18105dbb896a11fe0aba528f351fbaee98c7ec3b037d739e66bc214f04e15b26dff799baa1231065147d71ba20e4162a0a9c990a061cee99a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 505608fd610f0056ca3303029e539bc5
SHA1 77f197f20fb48915b6d512ffd70acf199ca8ca19
SHA256 a72aba95d99e0d776360dffd6049dddf16b70cdd99cf630549c02b29b374e500
SHA512 c06e568877aaddfd371a5549284dc9cdd285fe5016e26a64bd94752cdfe482f70af5e8a9411f9cb7741d86f2efab3e87c25946a6f0c93ffeff8c71bd49ed97cc

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-14 05:42

Reported

2024-11-14 05:44

Platform

win7-20240903-en

Max time kernel

98s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (374) files with added filename extension

ransomware

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msconfig = "C:\\Users\\Admin\\AppData\\Roaming\\qrsjojt.exe" C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A

Indicator Removal: File Deletion

defense_evasion

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\HELP_RESTORE_FILES.bmp" C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\VideoLAN\VLC\locale\fi\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\zh_TW\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File created C:\Program Files\Windows Media Player\ja-JP\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_Buttongraphic.png C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport.png C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\mai\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File created C:\Program Files\Windows Media Player\en-US\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\es-ES\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\nn.txt C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-backglow.png C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\stream_out\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_left_mousedown.png C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\icon.png C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ta\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\hy\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_SelectionSubpicture.png C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\en-GB.pak C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\sw\LC_MESSAGES\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File created C:\Program Files\Windows Journal\Templates\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\mk.txt C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Push\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\pause_rest.png C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\icon.png C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_SelectionSubpicture.png C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Notes_btn-back-static.png C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ie\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_divider_left.png C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\is\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_18_b81900_40x40.png C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File opened for modification C:\Program Files\Windows NT\TableTextService\TableTextServiceSimplifiedShuangPin.txt C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_settings.png C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\flyout.css C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\tk.txt C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\bn.pak C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File created C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\ja-JP\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\search_background.png C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Perf_Scenes_Subpicture1.png C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Etc\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\tile_drop_shadow.png C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\settings.css C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_rainy.png C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\cs.txt C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File created C:\Program Files\Common Files\System\msadc\fr-FR\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.json C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\highDpiImageSwap.js C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\vignettemask25.png C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-next-over-select.png C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_filter\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\month.png C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\pa-in.txt C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\System32\vssadmin.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\WallpaperStyle = "0" C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\TileWallpaper = "0" C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4AE715C1-A24B-11EF-82CE-E62D5E492327} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437724841" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 802835115836db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4AE6EEB1-A24B-11EF-82CE-E62D5E492327} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8d48fc8adfa6b4a805f1a4a681aaa6f000000000200000000001066000000010000200000004ed098a4f307457754e5b451d9bfd3a48aaf61f9528fe0eb4e3b3a59e7810c86000000000e80000000020000200000008efbad15f050c229d82c2be91c5e8831c251072c6fd934fde1341298fa0c4cf7900000006308eee959cdbbc4e7b87001571857db2afdfb8440e89a214a4c664f47f66f6300b920d517dea3bc157fed09440da911b49af64ac1a230b28a4e1fa774d12e57eb1357f5de3bb0194a341254c242b3b621a9af04533f30ecec681be54bec5a68fb8077cdc1736b63f33cc13f2b6a29154e6e20ebabb16335aa96a6b1dbb5433f740326cbcf7d9f36132e78943e3874fa40000000699cf8dbc5ea3ed07b20ddd656d9d4fe71c7235bda5ab0e0bbdee7ff0fb1d1f86e2fa69c4c92b626ab35d18fcaf72be2aba89c1f26f0a862b342dfabc5289028 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2948 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe
PID 2948 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe
PID 2948 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe
PID 2948 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe
PID 2948 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe
PID 2948 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe
PID 2948 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe
PID 2948 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe
PID 2948 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe
PID 2948 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe
PID 2340 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe C:\Users\Admin\AppData\Roaming\qrsjojt.exe
PID 2340 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe C:\Users\Admin\AppData\Roaming\qrsjojt.exe
PID 2340 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe C:\Users\Admin\AppData\Roaming\qrsjojt.exe
PID 2340 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe C:\Users\Admin\AppData\Roaming\qrsjojt.exe
PID 2340 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe C:\Windows\SysWOW64\cmd.exe
PID 2340 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe C:\Windows\SysWOW64\cmd.exe
PID 2340 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe C:\Windows\SysWOW64\cmd.exe
PID 2340 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe C:\Windows\SysWOW64\cmd.exe
PID 1936 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe C:\Users\Admin\AppData\Roaming\qrsjojt.exe
PID 1936 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe C:\Users\Admin\AppData\Roaming\qrsjojt.exe
PID 1936 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe C:\Users\Admin\AppData\Roaming\qrsjojt.exe
PID 1936 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe C:\Users\Admin\AppData\Roaming\qrsjojt.exe
PID 1936 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe C:\Users\Admin\AppData\Roaming\qrsjojt.exe
PID 1936 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe C:\Users\Admin\AppData\Roaming\qrsjojt.exe
PID 1936 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe C:\Users\Admin\AppData\Roaming\qrsjojt.exe
PID 1936 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe C:\Users\Admin\AppData\Roaming\qrsjojt.exe
PID 1936 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe C:\Users\Admin\AppData\Roaming\qrsjojt.exe
PID 1936 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe C:\Users\Admin\AppData\Roaming\qrsjojt.exe
PID 2444 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe C:\Windows\System32\vssadmin.exe
PID 2444 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe C:\Windows\System32\vssadmin.exe
PID 2444 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe C:\Windows\System32\vssadmin.exe
PID 2444 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe C:\Windows\System32\vssadmin.exe
PID 2444 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2444 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2444 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2444 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2444 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2444 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2444 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2444 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Roaming\qrsjojt.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2176 wrote to memory of 1632 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2176 wrote to memory of 1632 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2176 wrote to memory of 1632 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2176 wrote to memory of 1632 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3060 wrote to memory of 2492 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3060 wrote to memory of 2492 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3060 wrote to memory of 2492 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3060 wrote to memory of 2492 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2176 wrote to memory of 3008 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2176 wrote to memory of 3008 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2176 wrote to memory of 3008 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2176 wrote to memory of 3008 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2176 wrote to memory of 320 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2176 wrote to memory of 320 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2176 wrote to memory of 320 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2176 wrote to memory of 320 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2176 wrote to memory of 2380 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2176 wrote to memory of 2380 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2176 wrote to memory of 2380 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2176 wrote to memory of 2380 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2176 wrote to memory of 2436 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2176 wrote to memory of 2436 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2176 wrote to memory of 2436 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2176 wrote to memory of 2436 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe

"C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe"

C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe

C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe

C:\Users\Admin\AppData\Roaming\qrsjojt.exe

C:\Users\Admin\AppData\Roaming\qrsjojt.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\51B4EF~1.EXE >> NUL

C:\Users\Admin\AppData\Roaming\qrsjojt.exe

C:\Users\Admin\AppData\Roaming\qrsjojt.exe

C:\Windows\System32\vssadmin.exe

"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://3kxwjihmkgibht2s.wh47f2as19.com/?enc=1B2RDmn3WiZzFzzVsdLFGReKjkkFRnt467

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Roaming\log.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2176 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3060 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2176 CREDAT:472081 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2176 CREDAT:275469 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2176 CREDAT:2962450 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2176 CREDAT:2831374 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2176 CREDAT:2831389 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2176 CREDAT:2700307 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2176 CREDAT:1717289 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2176 CREDAT:668719 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2176 CREDAT:3945510 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2176 CREDAT:603202 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2176 CREDAT:1586227 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:80 ipinfo.io tcp
US 8.8.8.8:53 epmhyca5ol6plmx3.wh47f2as19.com udp
US 8.8.8.8:53 7tno4hib47vlep5o.7hwr34n18.com udp
US 8.8.8.8:53 epmhyca5ol6plmx3.tor2web.blutmagie.de udp
US 8.8.8.8:53 epmhyca5ol6plmx3.tor2web.fi udp
US 8.8.8.8:53 3kxwjihmkgibht2s.wh47f2as19.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2340-0-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2340-6-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2340-15-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2340-16-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2948-13-0x0000000000400000-0x0000000000447000-memory.dmp

memory/2340-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2340-8-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2340-4-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2340-12-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2340-3-0x0000000000400000-0x0000000000472000-memory.dmp

\Users\Admin\AppData\Roaming\qrsjojt.exe

MD5 6e080aa085293bb9fbdcc9015337d309
SHA1 51b4ef5dc9d26b7a26e214cee90598631e2eaa67
SHA256 9b462800f1bef019d7ec00098682d3ea7fc60e6721555f616399228e4e3ad122
SHA512 4e173fb5287c7ea8ff116099ec1a0599b37f743f8b798368319b5960af38e742124223dfd209457665b701e9efc6e76071fa2513322b232ac50ddad21fcebe77

memory/2444-43-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2340-40-0x0000000000400000-0x0000000000472000-memory.dmp

memory/1936-38-0x0000000000400000-0x0000000000447000-memory.dmp

memory/2444-45-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2444-48-0x0000000000400000-0x0000000000472000-memory.dmp

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\HELP_RESTORE_FILES.txt

MD5 aec5f353e6bf1286760bde75fce6acab
SHA1 8e26bc1186c62cb087d334df33443a36277b35c8
SHA256 f2a67661ea703a50d6aa22ee97840c0010021eae421cd0091d84c1b07c278974
SHA512 a5fbee00aa59c30ddc0292d01915992fccc67459e44d2a6b24ca4a44caa750009419b671bae3be3dc711f13196275ed1ccd268e1add1e6950ecb92a23f7d5c9d

memory/2444-68-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2444-1047-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2444-2231-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2444-2238-0x0000000000400000-0x0000000000472000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4AE715C1-A24B-11EF-82CE-E62D5E492327}.dat

MD5 381f3fa30a9b11c8859aa4e88a17effb
SHA1 65186354cd8faa6312230f235a40cafff6b08592
SHA256 90d24fd503d9c966148727de28669efbc69bec850abed60551b2d9e5467552ce
SHA512 885250d3152f9462b62a30e9bf06479595ec483b905f5c4a351f049696a3d65dcaa353458c1c28c683e6a82fa77f7829bfb794d4340a52aa22c271ca0a96fc91

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4AE6EEB1-A24B-11EF-82CE-E62D5E492327}.dat

MD5 4c43ef2a5eb90a18f5ae59d013325853
SHA1 660ca8b2c0f6405eeebab496f8e48701b0bb3380
SHA256 3960ae96665058698cb51d4cc64bd0634d03d1b57866ca13db6685a8d0524f56
SHA512 3133784b34331d4e14f2227566a9224f32ea62a597d7021d3ff804989816a4c91b051a9d0ee4b527fbc7c40924b169b2454b119e91301e6a5eb2cc462a591cdd

C:\Users\Admin\AppData\Roaming\log.html

MD5 f0e5a3ad02582f9f372efe4313b57565
SHA1 d9800018148ca08dcec13fef369bc2b319787bb5
SHA256 bcd58e99af523e9c708a90e652954fe51d3b0d46bd80adab86087938b6cf06d1
SHA512 370bc7bdcbceeb46c30e4a63e1ab852bbbc787d69e41a502adf37378d63a63b225c997bd99845dfaa36db55fd762fcae0b514e532a5dc2879a8d6615c0165daa

C:\Users\Admin\AppData\Local\Temp\CabE257.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarE305.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9c0c87c1b26f83448eab258e18201207
SHA1 59df6fa055148220ff547f91d390540411c97a25
SHA256 90a9259c97577e1667267b69a2f2cc6f07e282c26fdb0ad406f3a7d11365c62c
SHA512 e4e99e59e2af25f5a990f50d56ae301c40004a48802150b9734afb9712f46224691273f1927e53b8b63164edf73f426d7380270102130dcaab74faa6dadf6b83

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 47c236b7c690ae88357a5719751709ed
SHA1 48cf0ac57205775c8666d3c1ecf793a0106ed709
SHA256 f1fb6f9639c5600a13e9ae01c60655f620cfe4084db3ef18bca834915532fc64
SHA512 3b80161f7a0ede100de48bd31be9b1e2737368b7f3a09c707fdf2676ad1d2cd15a7244b401a6245257306118a2ed42295f57b0db457cb26b2dbb1e179b7b75fa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a6ac50918b42f039d5ff8f11b341e0eb
SHA1 c62331694bb33f90058074d16bbd76ba29f86de0
SHA256 eba01181248d4385a6c6684133177d2e3baa46380a65c789f13b9f040b30cd0b
SHA512 8db30a8d696ff829517059a8f559369db4efe93adcf2e90bf61e88243496964289e44c0ffd469f7f4df73b895de49a53434299f7bcd6945e26ca35fcda5a319a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c0e6b66dc9d3fdeb9ff8134610b9a8a1
SHA1 a3d2c1d027ecb647e90fe2b01768424ac90fa4c6
SHA256 b7daa8c2c910c47a59289a8f67bec805240c00c6150be0929e8ef83ee6786dae
SHA512 c74f128d21d3025f924af0c0a888351e19744a475c2e34c28e38ce0b676fbd7c3b95670b940e65bc36a3c2fa717578d55fe097a73ccb12cdcb6f4461d8fe4258

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7e6913139894f33beedf59530c5d2a3a
SHA1 58590d421b03f22b58963afa7d33c0fcb8ec4e8b
SHA256 68ed69552fdb6932cf2ca75df94052aec90cc5679db72bb15fe0c546b85b6f24
SHA512 2e3c4094d89e18e0d8612bc94a0c9939cee7eef70e4e09da243fb17b6f78eacd419297e8adebff6f105dd344db4ab49aa7b721a70a8512630013285a35aa777d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a171881409e8960d30ae3290b36e778f
SHA1 e3ae77337a14f58819616dd51ce2a5949c728eda
SHA256 8c8fed962d424080a4b08c69000c202e6790bc058742e448a4cc5461a5b024ee
SHA512 231b11e2fdcdcbdde003b20d6931d73bb3196811cb62b4274dfd2f0a6560ec284055453c5d399ffe3f1d2786b6f660caf078752bf5907c390f8245155157b33a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6c514a2974d9c4732bc3561d72948e50
SHA1 c8f63a61c96fc2678bf0db2618b611eedcfc756d
SHA256 0f8100ad6dc41cbffeb07a4ccbd94708facf780fb6b6906b7bc4bf9cbfa546a3
SHA512 329d9c468ddfe2ada1d567ac49d695f03f7329859b545519963a531055aa2d4031224d8bef7820a1fc09083f1e51caec7fe8e2425be52582b9ec8fbb35b3ccd6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 62caeb802b0047fca18482dcf19d12a8
SHA1 987278e855471532c0d9124f417d0450753f3325
SHA256 933a5fea474ce587afd57edbb617dddf03b1b7d1d58cb7b4486386c79d6282e9
SHA512 9c29ce53b394b31672c63641aebad418d3e603448720ba16d0dd8451461123ddc24093b4a5613575c786c416a1788c88e05016535985ff9f68e35e52cfb4caf3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 82c4ba6440f41e134d77fab8ea813f0a
SHA1 17d0b6feef40014cc17594f2a53eb2ebefee8ea8
SHA256 d236fc05bdc0421b179c48a0fdbd966f5c5cd85a35fa08bebf193b7a2ff4c91a
SHA512 ae1f569a0b376f5493f3fef051ef6fbed4ce070a09d3795a2089d928c48600394b85c9f612fac46854432f057e142e10c4f6d00f4a14264c20c3651bcb11e8b4

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BQQODH7V\dnserror[1]

MD5 73c70b34b5f8f158d38a94b9d7766515
SHA1 e9eaa065bd6585a1b176e13615fd7e6ef96230a9
SHA256 3ebd34328a4386b4eba1f3d5f1252e7bd13744a6918720735020b4689c13fcf4
SHA512 927dcd4a8cfdeb0f970cb4ee3f059168b37e1e4e04733ed3356f77ca0448d2145e1abdd4f7ce1c6ca23c1e3676056894625b17987cc56c84c78e73f60e08fc0d

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8UFEBH5\errorPageStrings[1]

MD5 e3e4a98353f119b80b323302f26b78fa
SHA1 20ee35a370cdd3a8a7d04b506410300fd0a6a864
SHA256 9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66
SHA512 d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROLMKJ86\NewErrorPageTemplate[1]

MD5 cdf81e591d9cbfb47a7f97a2bcdb70b9
SHA1 8f12010dfaacdecad77b70a3e781c707cf328496
SHA256 204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd
SHA512 977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q4648X1K\httpErrorPagesScripts[1]

MD5 3f57b781cb3ef114dd0b665151571b7b
SHA1 ce6a63f996df3a1cccb81720e21204b825e0238c
SHA256 46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad
SHA512 8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms

MD5 2ec25b12b5873fb93e944449612a76d4
SHA1 74d604a697764610402f2f9dbf788e6731a82a78
SHA256 c112313f3b95f0c4f2029e328cdc559330622328e4b8b13a4bce28464e5d71a5
SHA512 862c1e4d38395b99672380693ce9893574ecac81539ac280540ec60811644d65159d647efd43a33317c2cadd1ef7c85fa099bb2b98c1d0a6708b1089d5b73798

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0756dcd826a650336c4c35c5b1078270
SHA1 fb8fed82949d5c3f3e08deec253abaad89f7d51d
SHA256 50d4d46ee0e765ae5cb0344bf36f7709f24711103ca6b3c707451220161029db
SHA512 d43ee58ec0f04d73d50238b62c320de719dcb43b4f99868ef2e48eecc2656e842cab85b68b96d269aeb8c530f7fde4e41f5c86da570fee943b539480bb63b8da

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1c41eb9ea4cfb589ab4f26a0bd8cb199
SHA1 b55a5b184e4234d14f1f4372e3f5730e4b4434bd
SHA256 7d4e94b7cca221f0330bf66d84312c8878682aee9721988c0c1b5a01389cfc60
SHA512 ee3f0121bb4a8bccd616301806c738f5edb05326ec97191d0f5755f496ed57471b95219fd3db78061b49c07633f7c467bb2369894a6cd83a44b05a44fbea33a9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ccf2ebac74e24a0d8f52d61f91366d8d
SHA1 44ab4361f613c59aaaa45fb9886a0aa781bc1a6c
SHA256 aea2adfe626241407de348f0e20e28fbe51e9e8f94db42515984b82c21995d1c
SHA512 5e0efa8c645dc336cc4cc0282744980420d46369c23b4112573082fde596c76221049dbc151eeeaba3ffee9d3537a0fec91e96e3e713a6e66f36d2dd31572763

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3a497f009d8533928d3ae3ba65f5d350
SHA1 42db5b91f687b6be269c5225859787bf9da9dd02
SHA256 b5cbeb76da3c2992a3d1e22615420b703289b329908fcbae094f2575a5d038bf
SHA512 453ecaeddb6291a3de4242093bd68040df2d2dfc6455d07463c46a1674f9863e54f93328979d49ebed5cbf2f3ca4f7546269bba440670412d9e2ee873a5a27bd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 413ca4498a03a62df49d7c242fe86679
SHA1 e231f278326fa4c2335f6535fd3c0feb595b11ea
SHA256 2dfd189104bfa6fc2f1f5896d4a7c04726f794e986f04f9c9ea318ee9aba1a19
SHA512 fe6d828b4efe0287bb58fbadefacc46f06c5ad2bcd463f4d99180698a645d0ff61631d3cee4246764192066a26c538ab0b2a9d03af383d8e291028e8a935d33e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3dfb70ad4f2c1e5c4521ccab45983df6
SHA1 8b7e5bae3ca301c37246ce6d4d4e1cb0773dd8bb
SHA256 85c5df91b63524b736dd48c89c54541adb54af48b42a7e9e2b2c9efef093accb
SHA512 8577f35ff6de8d2c01e30c30ef872b1959d4f338fa874d840343847fa3bf13590e6f9eebd6b6187dc3cd93718710a1f60a357349ce4331f1ec0b9fc0f5bf4f74

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2963259c6d428200b16d6a8124fa20f4
SHA1 4dcfeeb99fb1cfde63de96d3ad188a1c559584bd
SHA256 6bd21dfbc346b9c1dc077f60d4ebfe2537e8d32b3e6e60c04774a554a91fb031
SHA512 5c7563dc69b0dbfbe29e5dc329782722d42eb238eb5b1f533bb7922348fba185d3bbab4c56cbfef3c5cb67a66449135f252b5c67cb05f717693f1c55f7194010

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 51b6430a8b900cdae842b693c56c0fbe
SHA1 9b273feddf1d2bb420c255344afd5c37c438ed53
SHA256 a79efc7c93530abdb98d881b020853c984060c1cc57045fa152300f638de3c48
SHA512 c5655b38786554e760e7a4ea6f830c25a42ee0a7017553d6221c58d65ea76732b798934d2e4e334625da1ae9f645b3f68c9190e9360592a5aeae46fe35c81c37

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7c2e6530c9a4e7b0f6ddeb72d974c173
SHA1 2f5f6067898f794dcda0baee28105ac36b4ad57c
SHA256 90eab36fc4d227ee4d09917e666b78fdf58c5bcbebe1f6e8f2d991ac977e49d8
SHA512 68634fa3ccd51d7c914c083747999298f873a5c816ba97b5202462966251c692181fc003863288227811315e1f08afb1f0a8d7d4f57c5f18127e8e20d3509541

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 93f0806af719f1045f63962a8b27ea71
SHA1 18249a84ff36685bf5a76ffb9582cf7239c93597
SHA256 e01cd4ad324a2c869209bb8868e03072a981c870f4c3a84df0877585c893925b
SHA512 1e7e0956b88fabb090f2059e91b4f3b2ee3f7fa04c00050c99fce32524c645675a520696bd0a352c266bb1a5731df35d179e12dc58e0ece6bae3e23f6d5f505b

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-14 05:42

Reported

2024-11-14 05:44

Platform

win11-20241007-en

Max time kernel

91s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe

"C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe"

C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe

C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe

Network

Files

memory/5008-0-0x0000000000400000-0x0000000000447000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-14 05:42

Reported

2024-11-14 05:44

Platform

win7-20240903-en

Max time kernel

111s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (359) files with added filename extension

ransomware

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msconfig = "C:\\Users\\Admin\\AppData\\Roaming\\vtpvaio.exe" C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A

Indicator Removal: File Deletion

defense_evasion

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\HELP_RESTORE_FILES.bmp" C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\slideshow_glass_frame.png C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_100_eeeeee_1x100.png C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_cloudy.png C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_few-showers.png C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File created C:\Program Files\DVD Maker\ja-JP\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner.png C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\main_background.png C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_ButtonGraphic.png C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_content-background.png C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File created C:\Program Files\Java\jre7\lib\management\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File created C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\kaa.txt C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\navSubpicture.png C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\content-background.png C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\bn.pak C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoCanary.png C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File created C:\Program Files\Internet Explorer\it-IT\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_228ef1_256x240.png C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\css\cpu.css C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\it-IT\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_foggy.png C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\settings.js C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_ButtonGraphic.png C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ro.pak C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_snow.png C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\VSTO\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\203x8subpicture.png C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File created C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\it-IT\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\mux\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_hover.png C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_s.png C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_gtk.css C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\hu\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\wa\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\calendar.css C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7Handle.png C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\localizedSettings.css C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Notes_loop.wmv C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\am_ET\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\slideShow.css C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\settings.css C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_Buttongraphic.png C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Notes_PAL.wmv C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\whiteband.png C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-dock.png C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\System32\vssadmin.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\WallpaperStyle = "0" C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\TileWallpaper = "0" C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c03c22115836db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4AEBD0B1-A24B-11EF-A087-5EE01BAFE073} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc50000000000200000000001066000000010000200000005c4a7c21eb06f2cba6d202bf09ba244629d4e6ee983b9be9c27149045ab48ebf000000000e8000000002000020000000d02cc8d281bfa366ffdddd89e94f3e9d6ae2148420fa5ba0b5675cc3544a646520000000289ab29cee570ba7c5d86c222a672075fe45f9aa3bbb1937a78675da9af74b3b40000000b22a69e8ff1e62f2971376c948a9a00199c66facc48a0665d4dec939338cb378487ad48d11ab697a94a367491fa2778f89586b3cce8a39ec5d68d7ecf5b16928 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1732 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe
PID 1732 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe
PID 1732 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe
PID 1732 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe
PID 1732 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe
PID 1732 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe
PID 1732 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe
PID 1732 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe
PID 1732 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe
PID 1732 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe
PID 2540 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe C:\Users\Admin\AppData\Roaming\vtpvaio.exe
PID 2540 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe C:\Users\Admin\AppData\Roaming\vtpvaio.exe
PID 2540 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe C:\Users\Admin\AppData\Roaming\vtpvaio.exe
PID 2540 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe C:\Users\Admin\AppData\Roaming\vtpvaio.exe
PID 2540 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe C:\Windows\SysWOW64\cmd.exe
PID 2540 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe C:\Windows\SysWOW64\cmd.exe
PID 2540 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe C:\Windows\SysWOW64\cmd.exe
PID 2540 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe C:\Users\Admin\AppData\Roaming\vtpvaio.exe
PID 2332 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe C:\Users\Admin\AppData\Roaming\vtpvaio.exe
PID 2332 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe C:\Users\Admin\AppData\Roaming\vtpvaio.exe
PID 2332 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe C:\Users\Admin\AppData\Roaming\vtpvaio.exe
PID 2332 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe C:\Users\Admin\AppData\Roaming\vtpvaio.exe
PID 2332 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe C:\Users\Admin\AppData\Roaming\vtpvaio.exe
PID 2332 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe C:\Users\Admin\AppData\Roaming\vtpvaio.exe
PID 2332 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe C:\Users\Admin\AppData\Roaming\vtpvaio.exe
PID 2332 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe C:\Users\Admin\AppData\Roaming\vtpvaio.exe
PID 2332 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe C:\Users\Admin\AppData\Roaming\vtpvaio.exe
PID 2492 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe C:\Windows\System32\vssadmin.exe
PID 2492 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe C:\Windows\System32\vssadmin.exe
PID 2492 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe C:\Windows\System32\vssadmin.exe
PID 2492 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe C:\Windows\System32\vssadmin.exe
PID 2492 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2492 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2492 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2492 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2492 wrote to memory of 204 N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2492 wrote to memory of 204 N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2492 wrote to memory of 204 N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2492 wrote to memory of 204 N/A C:\Users\Admin\AppData\Roaming\vtpvaio.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1880 wrote to memory of 2380 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1880 wrote to memory of 2380 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1880 wrote to memory of 2380 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1880 wrote to memory of 2380 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 204 wrote to memory of 1320 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 204 wrote to memory of 1320 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 204 wrote to memory of 1320 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 204 wrote to memory of 1320 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 204 wrote to memory of 1336 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 204 wrote to memory of 1336 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 204 wrote to memory of 1336 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 204 wrote to memory of 1336 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 204 wrote to memory of 1332 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 204 wrote to memory of 1332 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 204 wrote to memory of 1332 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 204 wrote to memory of 1332 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 204 wrote to memory of 2516 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 204 wrote to memory of 2516 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 204 wrote to memory of 2516 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 204 wrote to memory of 2516 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 204 wrote to memory of 1980 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 204 wrote to memory of 1980 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 204 wrote to memory of 1980 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 204 wrote to memory of 1980 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe

"C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe"

C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe

C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe

C:\Users\Admin\AppData\Roaming\vtpvaio.exe

C:\Users\Admin\AppData\Roaming\vtpvaio.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\E906FA~1.EXE >> NUL

C:\Users\Admin\AppData\Roaming\vtpvaio.exe

C:\Users\Admin\AppData\Roaming\vtpvaio.exe

C:\Windows\System32\vssadmin.exe

"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://3kxwjihmkgibht2s.wh47f2as19.com/?enc=1GHhpfZuUVY1VcG3nWAFyuuodC4NNprDPZ

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Roaming\log.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1880 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:204 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:204 CREDAT:209933 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:204 CREDAT:406534 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:204 CREDAT:1061910 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:204 CREDAT:1258514 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:204 CREDAT:1258524 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:204 CREDAT:1192984 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:204 CREDAT:1651745 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:204 CREDAT:1520690 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:204 CREDAT:1586220 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:204 CREDAT:3159095 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:204 CREDAT:3093552 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:80 ipinfo.io tcp
US 8.8.8.8:53 epmhyca5ol6plmx3.wh47f2as19.com udp
US 8.8.8.8:53 7tno4hib47vlep5o.7hwr34n18.com udp
US 8.8.8.8:53 epmhyca5ol6plmx3.tor2web.blutmagie.de udp
US 8.8.8.8:53 epmhyca5ol6plmx3.tor2web.fi udp
US 8.8.8.8:53 3kxwjihmkgibht2s.wh47f2as19.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2540-0-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2540-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2540-15-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2540-16-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2540-12-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2540-9-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2540-6-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2540-4-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2540-2-0x0000000000400000-0x0000000000472000-memory.dmp

memory/1732-13-0x0000000000400000-0x0000000000448000-memory.dmp

\Users\Admin\AppData\Roaming\vtpvaio.exe

MD5 6d3d62a4cff19b4f2cc7ce9027c33be8
SHA1 e906fa3d51e86a61741b3499145a114e9bfb7c56
SHA256 afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18
SHA512 973643639cb02491b86d5b264ee8118a67d8a83453307aea95de2f4c6aa55819d37730c41dc3338116ebe86f9a4f2bba7d9537ea744ae08b9755f05c15153fad

memory/2492-42-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2492-43-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2332-40-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2540-38-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2492-45-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2492-47-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2492-55-0x0000000000400000-0x0000000000472000-memory.dmp

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\HELP_RESTORE_FILES.txt

MD5 ea0e265370176a2125161480c14be201
SHA1 79f7aec6c393a191cdeac916b16ef9a774b1c61c
SHA256 892209dd40815239c9d4dc5fd19eb3d2848ee406bac9b87d000a16bd71e7a435
SHA512 0d294b6a4830d6f6f042c4f5ad3ee3fb3b9a1b2ca93412add673778d8e4c379973bbe765cd94016df287beff345af8add091d9c865b035b56a659dc7ff7e64ba

memory/2492-934-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2492-2201-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2492-2208-0x0000000000400000-0x0000000000472000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4AEBD0B1-A24B-11EF-A087-5EE01BAFE073}.dat

MD5 bd912ba5c213cdc9775bf38fa8b1f376
SHA1 1a707da2fb4cd2a185a126caa4ca71b006a985a3
SHA256 83231e763fd50d70fb0f325a0a7793828d77dde2f659310e9d976d3b4a33b771
SHA512 b31738886303913bf4f89bcabf4d0d8bdaf31c990f467f126fcbb50915601a0316880f00079332cfcbdaed6423c808030f61434a54fd5fab1841e6b20d50a882

C:\Users\Admin\AppData\Roaming\log.html

MD5 5b7ea1cf53dadb9f8b2829c94869f511
SHA1 618560f953e44738f4c36f5115b2fb8f031d27ba
SHA256 338c1aee60c5b1ab62dd4bd81f545e2b83505cb4e8ef302620396d958b7bf9f0
SHA512 d47cdbe154ccebd33550cfd0c40e6e4ed9aec9cfb24d895cdd7f9cc820fd98df580917d3af1dcd1d8e92123e2024a0499ea34416bad2a148e1d8ddc5e2d82a15

C:\Users\Admin\AppData\Local\Temp\CabD7FA.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarD8C8.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6233c222bfc366fee9b8bce54cc50f1e
SHA1 c0e66b1fa93180b0a3712e603d93e28a4112e895
SHA256 16d0ae88fb66046945a286f4c2717cace2828834e80a68c6413a6397ed2904c0
SHA512 13da666d141c421b23de47fad7d9c89c7a67d968ae7ffefab920a3ef80dde4cb47b7143dadfd49cb767e92037f51daa086e23dd988f1611777d4c7d47f96f8f6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 83313a8b770de362455482f5993c252b
SHA1 8578218ee4401a985c57ceefb379212050ffdf36
SHA256 8da97d2935d8aa0d37ad8f7081989a16f7a33439f164ef3c65ea8a4e2570e1a6
SHA512 ef2dab4ba9f62d6c3e0cbf3bb7145c7a465580f66ade6996a6812d789a1e1aff7654707585036da0dcf47f27064cb1f898816a2f6f5b85c92509df59a22c7ab7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8f25269dbe7792dd48f35097ccb953e8
SHA1 77d3f716240023c9ff1eb2a9fdbbe4ec8538dce8
SHA256 adee7e936318a8b8e83d8518198fc339c5bf068b25ae11d18cd68b4bb3d7050e
SHA512 15c1b97e7b3b68f4f7e521b826eca027948a9fa05aa4bd9e1929af77ae25886cd8d9be452be1c40a30c154ca42f5eb2ee35e1c0ba35eb9568be3d2adc0d85dcd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 236d8619c23f328772d647365b53904e
SHA1 7278c738849c14b788bfee71cf4904fce1c0168a
SHA256 2106e815ca3b1d9e3ce48e75775d7983c10708566fd5ba5364e230b94545d798
SHA512 cfc38dcb135d58dbec3f03eb15766b194f474dccb1e21248cd00a599025240cb4e366024104c3c6c0d81c79562360cc9af9493d3adbb2bc50165432f5b72b87c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 20c0b7ab310b014b06c4ff44c5128a3a
SHA1 c839e907749d1881c5028cecf2cc61c7830115ea
SHA256 b9803e5fa68c6515bf9fca9ff5b23f704043af90645ac76e029efabc8af55eea
SHA512 3ac705a69c7493e135604ef1cc050c7f6a3e6ae34be8c83be979301e6b5da984f0f870063d9f00fc5cedbdb3cbc08b8f16ae82015b8fe75706823101be03f9f2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 505c2435a20de56eae4824f736e00432
SHA1 357174b0b893dfb79d45ee39c1bbdfeb4601c7f9
SHA256 9fcf43ba5df03dde25820b7a529f56c39cb018a40613481f34b7ac69e866e87e
SHA512 46d170eb97042627294299a09350667a0c4175c3bb58afb5284f5f74849c8bdf125cb3675f9e047306e30349404c3651361c6a130f7ec54d413015634a162044

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 918e627b7e1c21a6f64cd36f378982a4
SHA1 cfdeb9c5c2ccdb8e416e0c658a7a92f72092209d
SHA256 217f57dda5dca2b86de596ad75f068c2596ca007e811923401e2bda7289f332f
SHA512 aa807c66d436c404a41870bcc5888f601f0e51f8869ffea55bd3c590d937ed738af43eef3a754833131b1b486de283b13e5ab612b75ebf40e072c8fcbddb8d6d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c5062016d9389e1c1b8a9828764d0f92
SHA1 326ec606cc86c39e6bba7855909f08c391c7e556
SHA256 aabbcb4a4368583078e89790e99c060448a401137c48bc575c065e2a5bd25ba3
SHA512 c6f99515cc7021fdfa211a1439d83086afba4158649a39cc8cb829a7f5c77cffb3e9bc655386c2462b3557296ee1f7ec611dc3c11e239ad7c274a5e485e4ebe6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a8c4ed6a472220e75ff582387bbf31e1
SHA1 f9a03fe73cf4e70aa307e6b6d297c5c941c11d7a
SHA256 933f5c3947883ae24bded09187fe3845669718b266a463f99f7da27c622123e6
SHA512 da7b3e3d1b146f5761dd79835370be16d18191173db0d0d11589b5df4983d40cc1de38bb953672aaf4998bc99d799cef1f8f01aee86c7f8b389540b42970c239

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7CNUR30T\dnserror[1]

MD5 73c70b34b5f8f158d38a94b9d7766515
SHA1 e9eaa065bd6585a1b176e13615fd7e6ef96230a9
SHA256 3ebd34328a4386b4eba1f3d5f1252e7bd13744a6918720735020b4689c13fcf4
SHA512 927dcd4a8cfdeb0f970cb4ee3f059168b37e1e4e04733ed3356f77ca0448d2145e1abdd4f7ce1c6ca23c1e3676056894625b17987cc56c84c78e73f60e08fc0d

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EOYL2MRI\errorPageStrings[1]

MD5 e3e4a98353f119b80b323302f26b78fa
SHA1 20ee35a370cdd3a8a7d04b506410300fd0a6a864
SHA256 9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66
SHA512 d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D6V88JEY\NewErrorPageTemplate[1]

MD5 cdf81e591d9cbfb47a7f97a2bcdb70b9
SHA1 8f12010dfaacdecad77b70a3e781c707cf328496
SHA256 204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd
SHA512 977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M4TQDAHL\httpErrorPagesScripts[2]

MD5 3f57b781cb3ef114dd0b665151571b7b
SHA1 ce6a63f996df3a1cccb81720e21204b825e0238c
SHA256 46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad
SHA512 8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms

MD5 4681df363fb8d5877272629c5ff09770
SHA1 44ae77eace4951702d9397327ce36563d64a87e6
SHA256 d4e30794915438ab9173684f1f3975f81ea94e1eaaffd79feb14a5f5d5e0d8c2
SHA512 ca43295924acbb7591165f33ea41eb0a32d6f7b3801d9955ecaa00fad7951ef473545c8ee77aa89c6df44d82a36493e284943aa386f675db7615bbe9a595cc15

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7ef53f646ad9eeff7e60df1a8fe38e61
SHA1 d7275cd4d5caf240463b6a648eb6441e80e5f882
SHA256 4ef7c77dd5c0e7d31df67a51f2d6b698683f9440b3e41339f6290fe3acf0789c
SHA512 e19814e789fdce084c616ce204806aa18cc694fc4bd035ad90798dfaa4f0de0c82d0c9b4aeb1443727771312de56371360dffee01d137a6b227d716c1004f197

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d2c464047875714ed6066e3f43e78c08
SHA1 4c14b8cf181c454816638f09836c3a48a2e99c40
SHA256 31b7b6f07bd4823115978d377a12893bbd90d440a14ac32681320c48cb9a48b5
SHA512 94effa4a1ea6c632f39fd3547a8a41b1dce4ec6ee7dbac4c1feadb10b0c068f9c88c38c9ff7b1d06f33937492d63c71fb0beefcf45744700bd2fcfb825fdd231

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 737192460782a76fc04a6bb4401fe6a1
SHA1 0bfe9d15707f7424cdb5988a45cf802f94e8e346
SHA256 b9eccb10bd5758f729a38691a45e8b7c9b002418239270c73120565a213e2549
SHA512 f603e8f9da9f192f794e33a569952cda99225341bf3b1276c7451f5665d765f38a008cc26ac0f37623ee36431491a91a00c9407e376e8a6c9afd7a2dc39a3baf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c2fc923e0a932f4b6b57a1633138c6bc
SHA1 70f8fdf906682fbb16a48f792f4f7ffffc10c6de
SHA256 8e269ee0b327e1ca49fcfe064367f3271ef9786755252a89244fa56bb8db3a2c
SHA512 52d0e5b362df165e8ce365dbe76771a577515f15198c776865449f7dd8846c85666f35824f2f2f98ed590e4a8e0b4b1e19dc7b3000f9bbe537fbf65d34565abf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 630c1b6df533148ab7f945c05d59f574
SHA1 86a79618c6b268fa459c7345783794eabb5c8ac0
SHA256 b4cafca9459bc16a09363bada59cd63ac9bea31c79d7e033d76d2f423986f253
SHA512 a80636f104bcbb0cdce3ea6f282958a87001515eaad02c57ec7b1a0080ddfa2eeffaee8ccf17fd2a69760d849d5705ed9c5a0234effa8efa03c599eea01a3a54

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4da49de4c52e7aa88566521ded586596
SHA1 b88dce76d33081af05cfe15d5644fc66589e45ec
SHA256 eb2a6f61883225e0f484d496da3ceed862cc0f8bc41f2d4b8ad2e88ae2274846
SHA512 ebac2d44e1035315e14f4c502bfbb1ac398a24ef845e293ff70d003fd9b3e817d0676f2aed3f75572025fee41f7dc01160a6dce1199f0b51edfb311bd3656759

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3f10a3878739772ccfd8a4c97efa1815
SHA1 9e3b0f7bcb3615f8b8eb915f5520ac861f615c85
SHA256 5fde88699edbc271a5f203c83ab1bca3d7d77b053c05104937a27980dfc27946
SHA512 64e6a21324856b9930de2970666fdf3ac7db8d30d8de027cc5fce47b7c4965a498636c37b1b9d2defccdda561577089e165bf20abd1ca2550d58240383f25d3c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 455badbf99168ffc1f417068b34a881b
SHA1 cb60c5c1ba9da48d0210ea210e3676e6eb656fa9
SHA256 8e3f5f7c532353cbf359c4df4075ecbcaa1b8294b2ab5b116763856fa13e77f0
SHA512 778ea44c4b88fc69e0c18388f54b4a407007fdd67589ae6895afd3b4378e475a05f1bc01ac57aeb11f06cc1766ed47f51fc97687627cbc4b1ea10f2d32754904

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 123b22e59e9ac59b52d3632cd047d2c6
SHA1 e0f3fa71342787058792dd7c9160e2635d0bfa9c
SHA256 ca76e3abfbcb2c87da18de22bc81ccf045d267f0b79a1c28f28612e4a9a276fa
SHA512 255196fe143c7a7e13a57122f2bdc09913237e9e0d4c7d1d00d36ff0efa007ccc86b4d7525edf4d80f27ff3c5aadef8360969ada20835af6179ca8e425702fbb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5bda05f21aac6a505c7f9cbd76545a65
SHA1 34faf083ae7d55a05081a4f2b839e21ddf1bef48
SHA256 15c2412285326ccc7be5887725e5ddfde53d94e453028a368395032ef4afecb4
SHA512 f28165df403dcda9b520e5029b7ac3928d6dced10e1a24796072e92dc71bb01da23089f06fb07a86abe12edc4fd6c7d738169c095fd472051fb7445195c3d8f2

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-14 05:42

Reported

2024-11-14 05:44

Platform

win10ltsc2021-20241023-en

Max time kernel

100s

Max time network

111s

Command Line

"C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\system32\mspaint.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe

"C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe"

C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe

C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe

C:\Windows\system32\mspaint.exe

"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\ExpandInitialize.wmf"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 checkappexec.microsoft.com udp
GB 172.165.69.228:443 checkappexec.microsoft.com tcp
US 8.8.8.8:53 228.69.165.172.in-addr.arpa udp
US 8.8.8.8:53 57.110.18.2.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 133.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

memory/5096-0-0x0000000000400000-0x0000000000448000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-14 05:42

Reported

2024-11-14 05:44

Platform

win11-20241007-en

Max time kernel

116s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe"

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\A: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\J: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\P: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\S: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\E: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\O: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\Q: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\W: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\K: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\N: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\R: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\U: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\Z: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\I: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\V: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\X: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\M: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\L: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\H: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\Y: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\T: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\B: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\G: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\unregmp2.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll C:\Windows\system32\svchost.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\unregmp2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\unregmp2.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\unregmp2.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe

"C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe"

C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe

C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding

C:\Windows\SysWOW64\unregmp2.exe

"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon

C:\Windows\system32\unregmp2.exe

"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

memory/1964-0-0x0000000000400000-0x0000000000448000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

MD5 7050d5ae8acfbe560fa11073fef8185d
SHA1 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256 cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512 a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 71ee2f4eb9e67942a01f9a0cebd7630a
SHA1 0fff9c44929276dbb68261ba1b7f9f07c9b37477
SHA256 b81de64dd2c12817227cf02ceb0d42dbe6beb2c2094d4784bc47db239178f217
SHA512 d3c9d1833bd659f500325b2f8820959c0d6347e4e92bf9c0e17306189eb6844ae466087d5e61ebddbe134c47ac81f4b0ff5d20322647afa2e846b7a1aee6f8b6

C:\Users\Admin\AppData\Local\Temp\wmsetup.log

MD5 0e2ab4aec194f43611ae87e9029303d5
SHA1 58e91eb77da219d8b76f54c85d887584ea819818
SHA256 766245d0ea8891180069ed422bc56abb4484365416da49c33f1dd8e6f3a9eba2
SHA512 7ba99c2da5b1e12749355d96800380daa9c32784bc67d509452d55b77320bfb52c21114a3c22443219a1cca906c0e817e97f04ea063fb0b10ac6a4b447348005

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 af6d269517872336192a7639faab8795
SHA1 0af4a4f3f49810dfe6b2bce94951e3409fcad0a4
SHA256 ce1d907a2a8bb76367c1e2439f2e82999beacdd3ca2badd5557b7cbe29cde8d5
SHA512 4d51042c621ccd198c1d6cfd1bf894a59664bffd7cdabe10a10585be91f89626005574bd82f47e3e64ac4e22c1c3691931f2a1176d03e6abe2cd3ea4f834af2b

memory/3736-33-0x0000000009980000-0x0000000009990000-memory.dmp

memory/3736-37-0x0000000009980000-0x0000000009990000-memory.dmp

memory/3736-38-0x0000000009980000-0x0000000009990000-memory.dmp

memory/3736-36-0x0000000009980000-0x0000000009990000-memory.dmp

memory/3736-35-0x0000000009980000-0x0000000009990000-memory.dmp

memory/3736-34-0x0000000009980000-0x0000000009990000-memory.dmp

memory/3736-39-0x0000000009980000-0x0000000009990000-memory.dmp

memory/3736-40-0x0000000009980000-0x0000000009990000-memory.dmp