Malware Analysis Report

2025-06-16 06:31

Sample ID 250515-jg1v9abk5s
Target encrypter-windows-gui-x86.zip
SHA256 acf624fd5f6c21c41c4b67b4cc55075df81ad0e5ff10cfce97a1298b1dada421
Tags discovery persistence ransomware
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 acf624fd5f6c21c41c4b67b4cc55075df81ad0e5ff10cfce97a1298b1dada421

Threat Level: Known bad

The file encrypter-windows-gui-x86.zip was found to be: Known bad.

Malicious Activity Summary

discovery persistence ransomware

Renames multiple (5855) files with added filename extension

Executes dropped EXE

Enumerates connected drives

Adds Run key to start application

Drops file in Program Files directory

Program crash

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-15 07:39

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-15 07:39

Reported

2025-05-15 07:48

Platform

win10v2004-20250502-en

Max time kernel

440s

Max time network

441s

Command Line

"C:\Users\Admin\AppData\Local\Temp\encrypter-windows-gui-x86.exe"

Signatures

Renames multiple (5855) files with added filename extension

ransomware

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E} = "\"C:\\ProgramData\\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\\szoulvdi.exe\" /V-" | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E} = "\"C:\\ProgramData\\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\\szoulvdi.exe\" /V-" | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\F: | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened (read-only) | \??\F: | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened (read-only) | \??\Z: | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\action_poster.jpg | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Light\Studio.png | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\tr-tr\README.TXT | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-36_contrast-black.png | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\29.jpg | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\StoreWideTile.scale-100.png | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Star.png | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\vlc.mo | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\root\README.TXT | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\RuntimeConfiguration.winmd | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\AppxSignature.p7x | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.contrast-black_targetsize-24.png | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\tr-tr\README.TXT | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\AppPackageLargeTile.scale-100_contrast-black.png | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\LinkedInboxWideTile.scale-200.png | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\XLSTART\README.TXT | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\README.TXT | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\MedTile.scale-100.png | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sv-se\README.TXT | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-il\README.TXT | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CASCADE\CASCADE.ELM | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\BadgeLogo.scale-100_contrast-black.png | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fi-fi\ui-strings.js | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedWideTile.scale-100_contrast-white.png | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\MoveToFolderToastQuickAction.scale-80.png | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-ul-oob.xrm-ms | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ul-oob.xrm-ms.{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}.edukr | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008 | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarWideTile.scale-200.png | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-ul-oob.xrm-ms.{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}.edukr | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\README.TXT | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ar-ae\README.TXT | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-60_altform-unplated.png | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_reminders_18.svg | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\de-de\ui-strings.js | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\models\en-US.PhoneNumber.model | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Store.Purchase\Controls\PSD2Control.xaml | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-200.png | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\sl-si\ui-strings.js | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\WideTile.scale-100.png | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-pl.xrm-ms | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\offlineStrings.js | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-36_altform-unplated_contrast-high.png | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-gb\README.TXT | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\TXP_TicketedEvent.png | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-96_altform-lightunplated.png | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\root\README.TXT | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\LICENSE.txt | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_2019.716.2316.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\legal\jdk\libpng.md | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-96.png | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Yahoo-Light.scale-100.png | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-ul-oob.xrm-ms | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\AppxManifest.xml | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\AppxSignature.p7x | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\README.TXT | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_nothumbnail_34.svg | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\encrypter-windows-gui-x86.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
N/A | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\encrypter-windows-gui-x86.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\encrypter-windows-gui-x86.exe

"C:\Users\Admin\AppData\Local\Temp\encrypter-windows-gui-x86.exe"

C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe

"C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe" /V-

C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe

C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe /V-

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4480 -ip 4480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 1524

Network

Country Destination Domain Proto
N/A 10.127.0.1:445 tcp
N/A 10.127.0.1:445 tcp
N/A 10.127.0.0:445 tcp
N/A 10.127.0.2:445 tcp
N/A 10.127.0.3:445 tcp
N/A 10.127.0.4:445 tcp
N/A 10.127.0.5:445 tcp
N/A 10.127.0.6:445 tcp
N/A 10.127.0.7:445 tcp
N/A 10.127.0.8:445 tcp
N/A 10.127.0.9:445 tcp
N/A 10.127.0.10:445 tcp
N/A 10.127.0.11:445 tcp
N/A 10.127.0.12:445 tcp
N/A 10.127.0.13:445 tcp
N/A 10.127.0.14:445 tcp
N/A 10.127.0.15:445 tcp
N/A 10.127.0.16:445 tcp
N/A 10.127.0.17:445 tcp
N/A 10.127.0.18:445 tcp
N/A 10.127.0.19:445 tcp
N/A 10.127.0.20:445 tcp
N/A 10.127.0.21:445 tcp
N/A 10.127.0.22:445 tcp
N/A 10.127.0.23:445 tcp
N/A 10.127.0.24:445 tcp
N/A 10.127.0.25:445 tcp
N/A 10.127.0.26:445 tcp
N/A 10.127.0.27:445 tcp
N/A 10.127.0.28:445 tcp
N/A 10.127.0.29:445 tcp
N/A 10.127.0.30:445 tcp
N/A 10.127.0.31:445 tcp
N/A 10.127.0.32:445 tcp
N/A 10.127.0.33:445 tcp
N/A 10.127.0.34:445 tcp
N/A 10.127.0.35:445 tcp
N/A 10.127.0.36:445 tcp
N/A 10.127.0.37:445 tcp
N/A 10.127.0.38:445 tcp
N/A 10.127.0.39:445 tcp
N/A 10.127.0.40:445 tcp
N/A 10.127.0.41:445 tcp
N/A 10.127.0.42:445 tcp
N/A 10.127.0.43:445 tcp
N/A 10.127.0.44:445 tcp
N/A 10.127.0.45:445 tcp
N/A 10.127.0.46:445 tcp
N/A 10.127.0.47:445 tcp
N/A 10.127.0.48:445 tcp
N/A 10.127.0.49:445 tcp
N/A 10.127.0.50:445 tcp
N/A 10.127.0.51:445 tcp
N/A 10.127.0.52:445 tcp
N/A 10.127.0.53:445 tcp
N/A 10.127.0.54:445 tcp
N/A 10.127.0.55:445 tcp
N/A 10.127.0.56:445 tcp
N/A 10.127.0.57:445 tcp
N/A 10.127.0.58:445 tcp
N/A 10.127.0.59:445 tcp
N/A 10.127.0.60:445 tcp
N/A 10.127.0.61:445 tcp
N/A 10.127.0.62:445 tcp
N/A 10.127.0.63:445 tcp
N/A 10.127.0.64:445 tcp
N/A 10.127.0.65:445 tcp
N/A 10.127.0.66:445 tcp
N/A 10.127.0.67:445 tcp
N/A 10.127.0.68:445 tcp
N/A 10.127.0.69:445 tcp
N/A 10.127.0.70:445 tcp
N/A 10.127.0.71:445 tcp
N/A 10.127.0.72:445 tcp
N/A 10.127.0.73:445 tcp
N/A 10.127.0.74:445 tcp
N/A 10.127.0.75:445 tcp
N/A 10.127.0.76:445 tcp
N/A 10.127.0.77:445 tcp
N/A 10.127.0.78:445 tcp
N/A 10.127.0.79:445 tcp
N/A 10.127.0.80:445 tcp
N/A 10.127.0.81:445 tcp
N/A 10.127.0.82:445 tcp
N/A 10.127.0.83:445 tcp
N/A 10.127.0.84:445 tcp
N/A 10.127.0.85:445 tcp
N/A 10.127.0.86:445 tcp
N/A 10.127.0.87:445 tcp
N/A 10.127.0.88:445 tcp
N/A 10.127.0.89:445 tcp
N/A 10.127.0.90:445 tcp
N/A 10.127.0.91:445 tcp
N/A 10.127.0.92:445 tcp
N/A 10.127.0.93:445 tcp
N/A 10.127.0.94:445 tcp
N/A 10.127.0.95:445 tcp
N/A 10.127.0.96:445 tcp
N/A 10.127.0.97:445 tcp
N/A 10.127.0.98:445 tcp
N/A 10.127.0.99:445 tcp
N/A 10.127.0.100:445 tcp
N/A 10.127.0.101:445 tcp
N/A 10.127.0.102:445 tcp
N/A 10.127.0.103:445 tcp
N/A 10.127.0.104:445 tcp
N/A 10.127.0.105:445 tcp
N/A 10.127.0.106:445 tcp
N/A 10.127.0.107:445 tcp
N/A 10.127.0.108:445 tcp
N/A 10.127.0.109:445 tcp
N/A 10.127.0.110:445 tcp
N/A 10.127.0.111:445 tcp
N/A 10.127.0.112:445 tcp
N/A 10.127.0.113:445 tcp
N/A 10.127.0.114:445 tcp
N/A 10.127.0.115:445 tcp
N/A 10.127.0.116:445 tcp
N/A 10.127.0.117:445 tcp
N/A 10.127.0.118:445 tcp
N/A 10.127.0.119:445 tcp
N/A 10.127.0.120:445 tcp
N/A 10.127.0.121:445 tcp
N/A 10.127.0.122:445 tcp
N/A 10.127.0.123:445 tcp
N/A 10.127.0.124:445 tcp
N/A 10.127.0.125:445 tcp
N/A 10.127.0.126:445 tcp
N/A 10.127.0.127:445 tcp
N/A 10.127.0.128:445 tcp
N/A 10.127.0.129:445 tcp
N/A 10.127.0.130:445 tcp
N/A 10.127.0.131:445 tcp
N/A 10.127.0.132:445 tcp
N/A 10.127.0.133:445 tcp
N/A 10.127.0.134:445 tcp
N/A 10.127.0.135:445 tcp
N/A 10.127.0.136:445 tcp
N/A 10.127.0.137:445 tcp
N/A 10.127.0.138:445 tcp
N/A 10.127.0.139:445 tcp
N/A 10.127.0.140:445 tcp
N/A 10.127.0.141:445 tcp
N/A 10.127.0.142:445 tcp
N/A 10.127.0.143:445 tcp
N/A 10.127.0.144:445 tcp
N/A 10.127.0.145:445 tcp
N/A 10.127.0.146:445 tcp
N/A 10.127.0.147:445 tcp
N/A 10.127.0.148:445 tcp
N/A 10.127.0.149:445 tcp
N/A 10.127.0.150:445 tcp
N/A 10.127.0.151:445 tcp
N/A 10.127.0.152:445 tcp
N/A 10.127.0.153:445 tcp
N/A 10.127.0.154:445 tcp
N/A 10.127.0.155:445 tcp
N/A 10.127.0.156:445 tcp
N/A 10.127.0.157:445 tcp
N/A 10.127.0.158:445 tcp
N/A 10.127.0.159:445 tcp
N/A 10.127.0.160:445 tcp
N/A 10.127.0.161:445 tcp
N/A 10.127.0.162:445 tcp
N/A 10.127.0.163:445 tcp
N/A 10.127.0.164:445 tcp
N/A 10.127.0.165:445 tcp
N/A 10.127.0.166:445 tcp
N/A 10.127.0.167:445 tcp
N/A 10.127.0.168:445 tcp
N/A 10.127.0.169:445 tcp
N/A 10.127.0.170:445 tcp
N/A 10.127.0.171:445 tcp
N/A 10.127.0.172:445 tcp
N/A 10.127.0.173:445 tcp
N/A 10.127.0.174:445 tcp
N/A 10.127.0.175:445 tcp
N/A 10.127.0.176:445 tcp
N/A 10.127.0.177:445 tcp
N/A 10.127.0.178:445 tcp
N/A 10.127.0.179:445 tcp
N/A 10.127.0.180:445 tcp
N/A 10.127.0.181:445 tcp
N/A 10.127.0.182:445 tcp
N/A 10.127.0.183:445 tcp
N/A 10.127.0.184:445 tcp
N/A 10.127.0.185:445 tcp
N/A 10.127.0.186:445 tcp
N/A 10.127.0.187:445 tcp
N/A 10.127.0.188:445 tcp
N/A 10.127.0.189:445 tcp
N/A 10.127.0.190:445 tcp
N/A 10.127.0.191:445 tcp
N/A 10.127.0.192:445 tcp
N/A 10.127.0.193:445 tcp
N/A 10.127.0.194:445 tcp
N/A 10.127.0.195:445 tcp
N/A 10.127.0.196:445 tcp
N/A 10.127.0.197:445 tcp
N/A 10.127.0.198:445 tcp
N/A 10.127.0.199:445 tcp
N/A 10.127.0.200:445 tcp
N/A 10.127.0.201:445 tcp
N/A 10.127.0.202:445 tcp
N/A 10.127.0.203:445 tcp
N/A 10.127.0.204:445 tcp
N/A 10.127.0.205:445 tcp
N/A 10.127.0.206:445 tcp
N/A 10.127.0.207:445 tcp
N/A 10.127.0.208:445 tcp
N/A 10.127.0.209:445 tcp
N/A 10.127.0.210:445 tcp
N/A 10.127.0.211:445 tcp
N/A 10.127.0.212:445 tcp
N/A 10.127.0.213:445 tcp
N/A 10.127.0.214:445 tcp
N/A 10.127.0.215:445 tcp
N/A 10.127.0.216:445 tcp
N/A 10.127.0.217:445 tcp
N/A 10.127.0.218:445 tcp
N/A 10.127.0.219:445 tcp
N/A 10.127.0.220:445 tcp
N/A 10.127.0.221:445 tcp
N/A 10.127.0.222:445 tcp
N/A 10.127.0.223:445 tcp
N/A 10.127.0.224:445 tcp
N/A 10.127.0.225:445 tcp
N/A 10.127.0.226:445 tcp
N/A 10.127.0.227:445 tcp
N/A 10.127.0.228:445 tcp
N/A 10.127.0.229:445 tcp

Files

C:\ProgramData\{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}\szoulvdi.exe

C:\Users\Admin\AppData\Local\Temp\default.tmp

C:\Program Files\README.TXT

\??\Z:\BOOTNXT.{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}.edukr

C:\Program Files\Java\jdk-1.8\jre\lib\ext\localedata.jar.{B0E86208-E6B0-B24A-914B-5F2CBAAA094E}.edukr
