Malware Analysis Report

2025-01-18 20:41

Sample ID 241129-cyvl8szkh1
Target ae4eb822f0b5c6114199e8174370639e_JaffaCakes118
SHA256 4289668e6b33c7b84946696081ee7867bc59346a9d10faf1ec95019e4efd54a9
Tags
modiloader xorist defense_evasion discovery persistence ransomware spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4289668e6b33c7b84946696081ee7867bc59346a9d10faf1ec95019e4efd54a9

Threat Level: Known bad

The file ae4eb822f0b5c6114199e8174370639e_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

modiloader xorist defense_evasion discovery persistence ransomware spyware stealer trojan upx

Xorist Ransomware

ModiLoader, DBatLoader

Xorist family

Detected Xorist Ransomware

Modiloader family

ModiLoader Second Stage

Renames multiple (370) files with added filename extension

Drops file in Drivers directory

Impair Defenses: Safe Mode Boot

Loads dropped DLL

Drops startup file

Reads user/profile data of web browsers

Executes dropped EXE

Adds Run key to start application

UPX packed file

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-29 02:29

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-29 02:29

Reported

2024-11-29 02:32

Platform

win7-20240903-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ae4eb822f0b5c6114199e8174370639e_JaffaCakes118.exe"

Signatures

Detected Xorist Ransomware

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

ModiLoader, DBatLoader

trojan modiloader

Modiloader family

modiloader

Xorist Ransomware

ransomware xorist

Xorist family

xorist

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Renames multiple (370) files with added filename extension

ransomware

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\drivers\ja-JP\qqaaovolhpp.gnf | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\es-ES\stntdueqfxi.zmh | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\UMDF\hjhootqyosh.ttm | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\it-IT\xuzlbkkwgow.upu | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\iakxzvkqori.bun | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\UMDF\iakxzvkqori.bun | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\ja-JP\wqjnvultisy.oml | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\ja-JP\jmaameuvncg.enp | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\UMDF\ja-JP\hjhootqyosh.ttm | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\it-IT\vhmnizepbpc.unl | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\UMDF\es-ES\vhmnizepbpc.unl | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\de-DE\qqaaovolhpp.gnf | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\jmaameuvncg.enp | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\UMDF\en-US\ksmxgccemii.pqf | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\UMDF\es-ES\qqaaovolhpp.gnf | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\UMDF\es-ES\yublzjgtlma.kry | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\en-US\qsrecbvxshy.dby | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\UMDF\fr-FR\hjhootqyosh.ttm | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\UMDF\en-US\stntdueqfxi.zmh | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\de-DE\npgntztpzkw.nxh | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\en-US\qqaaovolhpp.gnf | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\xuzlbkkwgow.upu | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\UMDF\es-ES\ksmxgccemii.pqf | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\UMDF\dkzcidnpqmb.rfr | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\UMDF\fr-FR\gzrpplvhngz.uzo | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\UMDF\es-ES\hjhootqyosh.ttm | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\de-DE\gzrpplvhngz.uzo | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\UMDF\it-IT\qqaaovolhpp.gnf | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\UMDF\en-US\jmaameuvncg.enp | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\fr-FR\ksmxgccemii.pqf | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\UMDF\it-IT\xuzlbkkwgow.upu | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\UMDF\ja-JP\xuzlbkkwgow.upu | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\UMDF\ja-JP\jmaameuvncg.enp | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\UMDF\yublzjgtlma.kry | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\UMDF\fr-FR\wqjnvultisy.oml | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\UMDF\it-IT\wqjnvultisy.oml | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\de-DE\iakxzvkqori.bun | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\en-US\cgmvyyxvkac.llu | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\es-ES\cgmvyyxvkac.llu | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\UMDF\cgmvyyxvkac.llu | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\stntdueqfxi.zmh | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\UMDF\fr-FR\iakxzvkqori.bun | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\UMDF\ja-JP\iakxzvkqori.bun | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\es-ES\jmaameuvncg.enp | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\UMDF\fr-FR\yublzjgtlma.kry | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\de-DE\hjhootqyosh.ttm | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\fr-FR\dkzcidnpqmb.rfr | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\UMDF\de-DE\qqaaovolhpp.gnf | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\UMDF\de-DE\jmaameuvncg.enp | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\en-US\yublzjgtlma.kry | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\UMDF\fr-FR\qsrecbvxshy.dby | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\ja-JP\npgntztpzkw.nxh | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\de-DE\xuzlbkkwgow.upu | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\UMDF\es-ES\cgmvyyxvkac.llu | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\es-ES\qqaaovolhpp.gnf | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\UMDF\chrjhobrqyn.djl | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\UMDF\it-IT\ksmxgccemii.pqf | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\UMDF\it-IT\jmaameuvncg.enp | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\fr-FR\yublzjgtlma.kry | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\it-IT\yublzjgtlma.kry | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\UMDF\de-DE\qsrecbvxshy.dby | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\UMDF\en-US\gzrpplvhngz.uzo | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\fr-FR\qqaaovolhpp.gnf | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\drivers\de-DE\stntdueqfxi.zmh | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\hjhootqyosh.ttm | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\chrjhobrqyn.djl | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\npgntztpzkw.nxh | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\npgntztpzkw.nxh | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qqaaovolhpp.gnf | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chrjhobrqyn.djl | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\stntdueqfxi.zmh | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\qsrecbvxshy.dby | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\xuzlbkkwgow.upu | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wqjnvultisy.oml | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\jmaameuvncg.enp | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\qqaaovolhpp.gnf | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\yublzjgtlma.kry | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qsrecbvxshy.dby | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gzrpplvhngz.uzo | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\cgmvyyxvkac.llu | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\wqjnvultisy.oml | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hjhootqyosh.ttm | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dkzcidnpqmb.rfr | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cxlewkyiuqx.alg | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\cxlewkyiuqx.alg | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\vhmnizepbpc.unl | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jmaameuvncg.enp | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yublzjgtlma.kry | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\iakxzvkqori.bun | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\gzrpplvhngz.uzo | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\stntdueqfxi.zmh | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\ksmxgccemii.pqf | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\dkzcidnpqmb.rfr | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xuzlbkkwgow.upu | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iakxzvkqori.bun | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vhmnizepbpc.unl | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cgmvyyxvkac.llu | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ksmxgccemii.pqf | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A

Impair Defenses: Safe Mode Boot

defense_evasion

Description | Indicator | Process | Target
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | C:\Users\Admin\AppData\Local\Temp\WinLocker.exe | N/A
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\WinLocker.exe | N/A
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\WinLocker.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinLocker.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinLocker.exe" | C:\Users\Admin\AppData\Local\Temp\WinLocker.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1UCJwP4w5X43a8a.exe" | C:\Users\Admin\AppData\Local\Temp\Shifrovka.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\en-US\Licenses\eval\Enterprise\vhmnizepbpc.unl | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\de-DE\Licenses\_Default\HomePremiumN\jmaameuvncg.enp | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\hcw85c64.inf_amd64_neutral_96b71557b416d04a\chrjhobrqyn.djl | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\prnep004.inf_amd64_neutral_63b22bfb6b93eaba\Amd64\npgntztpzkw.nxh | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\prnky003.inf_amd64_neutral_fe7ea176f20ab839\dkzcidnpqmb.rfr | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\sysprep\it-IT\gzrpplvhngz.uzo | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\usbprint.inf_amd64_neutral_54948be2bc4bcdd1\chrjhobrqyn.djl | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\npgntztpzkw.nxh | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_neutral_4b99fffee061ff26\dkzcidnpqmb.rfr | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\prnrc00c.inf_amd64_neutral_53a58f4fd7d88575\Amd64\stntdueqfxi.zmh | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\netnvma.inf_amd64_neutral_99bb33c9a5bedaea\ksmxgccemii.pqf | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\DriverStore\es-ES\dkzcidnpqmb.rfr | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\wbem\Repository\xuzlbkkwgow.upu | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\prnep00l.inf_amd64_neutral_f1fa021d2221e2c7\jmaameuvncg.enp | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\winrm\0409\jmaameuvncg.enp | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\prnxx002.inf_amd64_neutral_560fdd891b24f384\yublzjgtlma.kry | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\prnlx00a.inf_amd64_neutral_a89d2c01c0f43dfd\Amd64\qsrecbvxshy.dby | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\mdmmcd.inf_amd64_neutral_49212f5920298e45\dkzcidnpqmb.rfr | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\fr-FR\Licenses\eval\HomeBasic\dkzcidnpqmb.rfr | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\prnle003.inf_amd64_neutral_c61883abf66ddb39\xuzlbkkwgow.upu | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\fr-FR\Licenses\_Default\HomeBasicN\gzrpplvhngz.uzo | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\prnlx00z.inf_amd64_neutral_aea50acf04a2db1d\Amd64\jmaameuvncg.enp | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\stntdueqfxi.zmh | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\mdmiodat.inf_amd64_neutral_839e9ee1a8736613\ksmxgccemii.pqf | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\catroot\ksmxgccemii.pqf | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\prnrc00b.inf_amd64_neutral_3338d41663aad5fa\vhmnizepbpc.unl | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\prnin002.inf_amd64_neutral_977d40799168c216\ksmxgccemii.pqf | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\prnep00e.inf_amd64_neutral_edc631ff41a34218\dkzcidnpqmb.rfr | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\prnlx00c.inf_amd64_neutral_79ebe29715d2fa47\Amd64\vhmnizepbpc.unl | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\es-ES\Licenses\eval\EnterpriseE\qqaaovolhpp.gnf | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\migration\WSMT\rras\replacementmanifests\Microsoft-Windows-RasApi-MigPlugin\jmaameuvncg.enp | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\it-IT\Licenses\_Default\yublzjgtlma.kry | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\Dism\it-IT\qsrecbvxshy.dby | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\mdmdgitn.inf_amd64_neutral_09132735f1063a47\cgmvyyxvkac.llu | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\fr-FR\Licenses\OEM\UltimateE\cgmvyyxvkac.llu | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\fr-FR\Licenses\_Default\UltimateN\yublzjgtlma.kry | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\mdmmts.inf_amd64_neutral_b7f0a8d5f67c19e8\chrjhobrqyn.djl | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\it-IT\Licenses\OEM\HomePremiumE\qsrecbvxshy.dby | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\de-DE\Licenses\_Default\Ultimate\dkzcidnpqmb.rfr | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\net8185.inf_amd64_neutral_4ab014d645098f5f\iakxzvkqori.bun | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\winusb.inf_amd64_neutral_6cb50ae9f480775b\yublzjgtlma.kry | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\hcw72b64.inf_amd64_neutral_023772237d3a4ade\chrjhobrqyn.djl | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\mdmpn1.inf_amd64_neutral_e44cc033b67e7d04\chrjhobrqyn.djl | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\mdmoptn.inf_amd64_neutral_be2f30f68f2a5567\qsrecbvxshy.dby | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\mdmmod.inf_amd64_neutral_5766736c47b90fff\npgntztpzkw.nxh | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\cxfalcon_ibv64.inf_amd64_neutral_d065aec3fcf4ec4e\xuzlbkkwgow.upu | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\mdmntt1.inf_amd64_neutral_ecf5cff2236b273a\xuzlbkkwgow.upu | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\mdmcpv.inf_amd64_neutral_5667cca434e3a6b7\vhmnizepbpc.unl | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\es-ES\Licenses\_Default\UltimateN\yublzjgtlma.kry | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\mdmbw561.inf_amd64_neutral_fe42c0ff14d5562b\chrjhobrqyn.djl | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\sysprep\chrjhobrqyn.djl | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\prnbr004.inf_amd64_neutral_a78e168d6944619a\Amd64\stntdueqfxi.zmh | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\fr-FR\Licenses\eval\ProfessionalN\gzrpplvhngz.uzo | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\bthprint.inf_amd64_neutral_3c11362fa327f5a4\cgmvyyxvkac.llu | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\sbp2.inf_amd64_neutral_332943647e950ada\wqjnvultisy.oml | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\wialx003.inf_amd64_neutral_db618863f9347f9a\qqaaovolhpp.gnf | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\slmgr\0409\iakxzvkqori.bun | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\ja-JP\Licenses\eval\Starter\cgmvyyxvkac.llu | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\de-DE\Licenses\OEM\Professional\yublzjgtlma.kry | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\en-US\Licenses\eval\UltimateN\chrjhobrqyn.djl | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\bthpan.inf_amd64_neutral_024281c0e4e954e2\npgntztpzkw.nxh | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\SysWOW64\fr-FR\Licenses\OEM\ProfessionalN\ksmxgccemii.pqf | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\mdmtdkj6.inf_amd64_neutral_8087946c82068597\gzrpplvhngz.uzo | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\wsdprint.inf_amd64_neutral_f91980f20f3112ed\qqaaovolhpp.gnf | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A

UPX packed file

upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\cgmvyyxvkac.llu | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\qqaaovolhpp.gnf | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Program Files\DVD Maker\ja-JP\ksmxgccemii.pqf | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\cxlewkyiuqx.alg | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe | C:\Users\Admin\AppData\Local\Temp\Shifrovka.exe | N/A
File created | C:\Program Files\Windows NT\TableTextService\fr-FR\chrjhobrqyn.djl | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\db\stntdueqfxi.zmh | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\xuzlbkkwgow.upu | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\chrjhobrqyn.djl | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\qsrecbvxshy.dby | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\qsrecbvxshy.dby | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Program Files\Windows Mail\ja-JP\qsrecbvxshy.dby | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\xuzlbkkwgow.upu | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\iakxzvkqori.bun | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\npgntztpzkw.nxh | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\dkzcidnpqmb.rfr | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Program Files\MSBuild\Microsoft\qqaaovolhpp.gnf | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\ksmxgccemii.pqf | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\wqjnvultisy.oml | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\wqjnvultisy.oml | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\qqaaovolhpp.gnf | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Program Files (x86)\Common Files\stntdueqfxi.zmh | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\Help\1031\hjhootqyosh.ttm | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\yublzjgtlma.kry | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\TextConv\de-DE\gzrpplvhngz.uzo | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\de\npgntztpzkw.nxh | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Program Files\Windows NT\Accessories\ja-JP\hjhootqyosh.ttm | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\hjhootqyosh.ttm | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\ja-JP\iakxzvkqori.bun | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\vhmnizepbpc.unl | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\vhmnizepbpc.unl | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\jmaameuvncg.enp | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\xuzlbkkwgow.upu | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\stntdueqfxi.zmh | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\hjhootqyosh.ttm | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\qqaaovolhpp.gnf | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\ja-JP\yublzjgtlma.kry | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\chrjhobrqyn.djl | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\plugins\d3d9\jmaameuvncg.enp | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\npgntztpzkw.nxh | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\ksmxgccemii.pqf | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Program Files\Java\jre7\lib\jfr\dkzcidnpqmb.rfr | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Program Files\Java\jre7\lib\zi\iakxzvkqori.bun | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\cgmvyyxvkac.llu | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\qqaaovolhpp.gnf | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\qqaaovolhpp.gnf | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Program Files\DVD Maker\de-DE\npgntztpzkw.nxh | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\hjhootqyosh.ttm | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\ksmxgccemii.pqf | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\fr-FR\qqaaovolhpp.gnf | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\dkzcidnpqmb.rfr | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\gzrpplvhngz.uzo | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\stntdueqfxi.zmh | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\vhmnizepbpc.unl | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\chrjhobrqyn.djl | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\ksmxgccemii.pqf | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\cxlewkyiuqx.alg | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Program Files\Internet Explorer\it-IT\xuzlbkkwgow.upu | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\wqjnvultisy.oml | C:\Users\Admin\AppData\Local\Temp\Musor.exe | N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\gzrpplvhngz.uzo C:\Users\Admin\AppData\Local\Temp\Musor.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\sm\cgmvyyxvkac.llu C:\Users\Admin\AppData\Local\Temp\Musor.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\js\cgmvyyxvkac.llu C:\Users\Admin\AppData\Local\Temp\Musor.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\hjhootqyosh.ttm C:\Users\Admin\AppData\Local\Temp\Musor.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\iakxzvkqori.bun C:\Users\Admin\AppData\Local\Temp\Musor.exe N/A

Drops file in Windows directory

Description Indicator Process Target

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Shifrovka.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ae4eb822f0b5c6114199e8174370639e_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Udalenie.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WinLocker.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "LWUJZVQUGARVPFL" C:\Users\Admin\AppData\Local\Temp\Shifrovka.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LWUJZVQUGARVPFL C:\Users\Admin\AppData\Local\Temp\Shifrovka.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LWUJZVQUGARVPFL\shell\open\command C:\Users\Admin\AppData\Local\Temp\Shifrovka.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LWUJZVQUGARVPFL\shell\open C:\Users\Admin\AppData\Local\Temp\Shifrovka.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\LWUJZVQUGARVPFL\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1UCJwP4w5X43a8a.exe" C:\Users\Admin\AppData\Local\Temp\Shifrovka.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd C:\Users\Admin\AppData\Local\Temp\Shifrovka.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\LWUJZVQUGARVPFL\ = "CRYPTED!" C:\Users\Admin\AppData\Local\Temp\Shifrovka.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LWUJZVQUGARVPFL\DefaultIcon C:\Users\Admin\AppData\Local\Temp\Shifrovka.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\LWUJZVQUGARVPFL\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1UCJwP4w5X43a8a.exe,0" C:\Users\Admin\AppData\Local\Temp\Shifrovka.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\LWUJZVQUGARVPFL\shell C:\Users\Admin\AppData\Local\Temp\Shifrovka.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinLocker.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinLocker.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Shifrovka.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2704 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\ae4eb822f0b5c6114199e8174370639e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Musor.exe
PID 2704 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\ae4eb822f0b5c6114199e8174370639e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Udalenie.exe
PID 2704 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\ae4eb822f0b5c6114199e8174370639e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Shifrovka.exe
PID 2704 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\ae4eb822f0b5c6114199e8174370639e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\WinLocker.exe
PID 2704 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\Temp\ae4eb822f0b5c6114199e8174370639e_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\Stealer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ae4eb822f0b5c6114199e8174370639e_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ae4eb822f0b5c6114199e8174370639e_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\Musor.exe

"C:\Users\Admin\AppData\Local\Temp\Musor.exe"

C:\Users\Admin\AppData\Local\Temp\Udalenie.exe

"C:\Users\Admin\AppData\Local\Temp\Udalenie.exe"

C:\Users\Admin\AppData\Local\Temp\Shifrovka.exe

"C:\Users\Admin\AppData\Local\Temp\Shifrovka.exe"

C:\Users\Admin\AppData\Local\Temp\WinLocker.exe

"C:\Users\Admin\AppData\Local\Temp\WinLocker.exe"

C:\Users\Admin\AppData\Local\Temp\Stealer.exe

"C:\Users\Admin\AppData\Local\Temp\Stealer.exe"

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 server1.hostinger.ru udp

Files

C:\Users\Admin\AppData\Local\Temp\Musor.exe

\Users\Admin\AppData\Local\Temp\Shifrovka.exe

C:\Users\Admin\AppData\Local\Temp\Stealer.exe

C:\Users\Admin\AppData\Local\Temp\WinLocker.exe

C:\Users\Admin\AppData\Local\Temp\Udalenie.exe

C:\Users\xuzlbkkwgow.upu

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe


Analysis: behavioral2

Detonation Overview

Submitted

2024-11-29 02:29

Reported

2024-11-29 02:30

Platform

win10v2004-20241007-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A