Windows Analysis Report
Iir6rxs8r6.exe

Overview

General Information

Sample name: Iir6rxs8r6.exe
Renamed because the original name is a hash value.
Original sample name: 3518195c256aa940c607f8534c91b5a9cd453c7417810de3cd4d262e2906d24f.exe
Analysis ID: 1524355
MD5: 2b825ea77e240d2ab6b6695a602cb07c
SHA1: ae6eb3cce06f666934e03dd46269526e56aff3b1
SHA256: 3518195c256aa940c607f8534c91b5a9cd453c7417810de3cd4d262e2906d24f
Tags: exe, Rhysida, user-JAMESWT_MHT

Detection

Rhysida
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Rhysida Ransomware
AI detected suspicious sample
Changes the wallpaper picture
Found API chain indicative of debugger detection
Self deletion via cmd or bat file
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious Ping/Del Command Combination
Suspicious powershell command line found
Uses cmd line tools excessively to alter registry or file data
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Adds / modifies Windows certificates
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a Chrome extension
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Potentially Suspicious Desktop Background Change Via Registry
Stores files to the Windows start menu directory
Too many similar processes found
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses reg.exe to modify the Windows registry
Yara detected Keylogger Generic
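
Added example (not part of this report): several of the signatures above describe one behaviour, a loopback ping used as a sleep and then a del of the sample's own file (Self deletion via cmd or bat file, Uses ping.exe to sleep, Sigma: Suspicious Ping/Del Command Combination). The Python below shows that hunting logic over constructed process-creation records. Only the "ping 127.0.0.1 -n 2" child is taken from the report; the cmd.exe wrapper command line, the process IDs and the benign events are assumptions.

```python
"""Hunt for the ping-sleep / del self-deletion chain in process-creation events.

Added example, not part of the sandbox report. The records below are constructed
to resemble Sysmon Event ID 1 fields (pid, ppid, image, command line); only the
"ping 127.0.0.1 -n 2" child is taken from the report, the surrounding cmd.exe
command line and the benign events are assumptions.
"""
import re
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample events (assumption: a "/c ping ... & del" wrapper around the sample).
SAMPLE_EVENTS = [
    ProcEvent(1000, 900, r"C:\Users\user\Desktop\Iir6rxs8r6.exe",
              r"C:\Users\user\Desktop\Iir6rxs8r6.exe"),
    ProcEvent(1010, 1000, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c ping 127.0.0.1 -n 2 > nul & del /f /q "C:\Users\user\Desktop\Iir6rxs8r6.exe"'),
    ProcEvent(1011, 1010, r"C:\Windows\System32\PING.EXE", "ping 127.0.0.1 -n 2"),
    # Benign noise: a plain cmd and a real reachability ping to another host.
    ProcEvent(2000, 900, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c dir C:\Temp"),
    ProcEvent(2001, 900, r"C:\Windows\System32\PING.EXE", "ping -n 4 10.0.0.5"),
]

LOOPBACK_PING = re.compile(r"\bping(?:\.exe)?\b[^&|]*?\b(?:127\.0\.0\.1|localhost)\b", re.I)
PING_COUNT = re.compile(r"-n\s+(\d+)", re.I)
DEL_CMD = re.compile(r"\b(?:del|erase)\b", re.I)
SEPARATORS = re.compile(r"\s*(?:&&|\|\||&|\|)\s*")  # cmd.exe command separators


def is_ping_sleep(cmdline: str) -> bool:
    """A ping to loopback with -n greater than 1 is a delay loop, not a reachability check."""
    if not LOOPBACK_PING.search(cmdline):
        return False
    m = PING_COUNT.search(cmdline)
    return m is not None and int(m.group(1)) > 1


def is_ping_del_combo(cmdline: str) -> bool:
    """The Sigma-style 'ping/del' combination: sleep first, then delete a file."""
    return is_ping_sleep(cmdline) and DEL_CMD.search(cmdline) is not None


def del_target(cmdline: str):
    """Return the path passed to del/erase, or None. Splits on cmd operators first."""
    for segment in SEPARATORS.split(cmdline):
        if DEL_CMD.search(segment):
            tokens = shlex.split(segment, posix=False)  # non-POSIX mode keeps backslashes intact
            return tokens[-1].strip('"') if tokens else None
    return None


def find_self_deletion(events):
    """Flag cmd.exe processes whose command line combines a loopback ping sleep with del,
    confirmed by an actual PING.EXE child. Returns one dict per hit."""
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    hits = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe") or not is_ping_del_combo(e.cmdline):
            continue
        if not any(c.image.lower().endswith("\\ping.exe") for c in children.get(e.pid, [])):
            continue
        parent = by_pid.get(e.ppid)
        target = del_target(e.cmdline)
        hits.append({
            "cmd_pid": e.pid,
            "parent_image": parent.image if parent else None,
            "target": target,
            # Deleting the parent's own image is the self-deletion case from the report.
            "deletes_parent": bool(parent and target and target.lower() == parent.image.lower()),
        })
    return hits


if __name__ == "__main__":
    for hit in find_self_deletion(SAMPLE_EVENTS):
        print(hit)
```

The PING.EXE child requirement is what keeps this from firing on a command line that merely mentions ping; requiring the del target to equal the parent image (deletes_parent) separates self-deletion from ordinary cleanup scripts.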

Classification

AV Detection

Source: Iir6rxs8r6.exe ReversingLabs: Detection: 81%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Code function: 0_2_0043E021 CryptAcquireContextA,CryptAcquireContextA,CryptGenRandom,CryptAcquireContextA, 0_2_0043E021
Source: Iir6rxs8r6.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: \??\C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\* source: Iir6rxs8r6.exe, 00000000.00000003.1829035358.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdb.rhysida&O source: Iir6rxs8r6.exe, 00000000.00000002.3233096131.0000000004A50000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdbu source: Iir6rxs8r6.exe, 00000000.00000002.3229153631.0000000003D42000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb%m.h source: Iir6rxs8r6.exe, 00000000.00000002.3225224394.0000000003796000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb6 source: Iir6rxs8r6.exe, 00000000.00000002.3225603623.0000000003810000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*2tP source: Iir6rxs8r6.exe, 00000000.00000003.1828765583.000000000010A000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: emp/Symbols/winload_prod.pdb/01AB9056EA9380F@ source: Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2wekyb3d8bbwe\LocalCacher Data\Default\Extensions\nmmhkkq source: Iir6rxs8r6.exe, 00000000.00000003.1829035358.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdb.rhysidar, source: Iir6rxs8r6.exe, 00000000.00000002.3226682985.0000000003934000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb? source: Iir6rxs8r6.exe, 00000000.00000002.3229153631.0000000003D42000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdbq,+ source: Iir6rxs8r6.exe, 00000000.00000002.3227633984.0000000003B31000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb.rhysidaT source: Iir6rxs8r6.exe, 00000000.00000002.3230224009.0000000003EE6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdb source: Iir6rxs8r6.exe, 00000000.00000002.3231065025.0000000004044000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3229299015.0000000003DCA000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3227092348.00000000039E3000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3230644769.0000000003F98000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3227242449.0000000003A6A000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3224379439.00000000036BD000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3235038394.0000000004C5B000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3226196423.000000000388D000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3233775780.0000000004B07000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3230224009.0000000003EE6000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3234342821.0000000004BA7000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3225224394.0000000003796000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3229117500.0000000003D30000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3232582558.00000000041D5000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3229557865.0000000003E29000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3226649501.0000000003922000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3227994671.0000000003BE2000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3228706934.0000000003C77000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3233254008.0000000004A74000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3229153631.0000000003D42000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3225053931.000000000375A000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3231485189.0000000004106000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3225182842.0000000003784000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3227633984.0000000003B31000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3225603623.0000000003810000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: Iir6rxs8r6.exe, 00000000.00000003.1828765583.000000000010A000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000003.1829153779.000000000010D000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000003.1829035358.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\CriticalBreachDetected.pdfntdesk\AppDa@ source: Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: a\Application Data\Temp\Symbols\ntkrnlmp.pdb\CriticalBreachDetected.pdf31cation Dn source: Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: DaC:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\kies\pData\\Apps_{9a386491-5394-47a0-a408-e4e3a9d60139}\e6IT source: Iir6rxs8r6.exe, 00000000.00000003.1829035358.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/winload_prod.pdb/01AB9056EA9380F71644C4339E3FA1AC2s/fro source: Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb.rhysidaa source: Iir6rxs8r6.exe, 00000000.00000002.3226196423.000000000388D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdb source: Iir6rxs8r6.exe, 00000000.00000002.3225603623.0000000003810000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdb.rhysidaI source: Iir6rxs8r6.exe, 00000000.00000002.3229017243.0000000003D10000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb.rhysidaY source: Iir6rxs8r6.exe, 00000000.00000002.3231485189.0000000004106000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ation Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAS source: Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ad_prod.pdbe\AC\INetCookies\ESEFta\Appli source: Iir6rxs8r6.exe, 00000000.00000003.1866632282.00000000000FC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb6<k source: Iir6rxs8r6.exe, 00000000.00000002.3226649501.0000000003922000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdbM, source: Iir6rxs8r6.exe, 00000000.00000002.3227633984.0000000003B31000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdb.rhysidalVA source: Iir6rxs8r6.exe, 00000000.00000002.3234928870.0000000004C37000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: DaC:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\RX_INSTALL\_locales\zh_CN\alState\tory\ookies\a78ba80c-bc89-4102-a032-406d11845944}\f5r source: Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/ntkrnlmp.pdb/68A17FAF3012B7846079AEECDBE0A5831/ntkrnlmp.pdb.rhysidadf/Application Data/Application Da source: Iir6rxs8r6.exe, 00000000.00000003.1829035358.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: Iir6rxs8r6.exe, 00000000.00000003.1829035358.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ation Data\Temp\Symbols\ntkrnlmp.pdb\68A17FA7 source: Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb.rhysidag source: Iir6rxs8r6.exe, 00000000.00000002.3228706934.0000000003C77000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb.rhysidai,3 source: Iir6rxs8r6.exe, 00000000.00000002.3227633984.0000000003B31000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdb.rhysida source: Iir6rxs8r6.exe, 00000000.00000002.3227092348.00000000039E3000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3227203205.0000000003A48000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3227595840.0000000003B1F000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3226366114.00000000038BD000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3229709791.0000000003E6F000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3234379156.0000000004BC1000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3234928870.0000000004C37000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3231528985.0000000004118000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3233718568.0000000004AF5000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3228638643.0000000003C4D000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3233096131.0000000004A50000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3232386217.00000000041B3000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3230688687.0000000003FAA000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3226682985.0000000003934000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3230936905.000000000400D000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3228050105.0000000003BF4000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3229017243.0000000003D10000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3230257972.0000000003EF8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: Iir6rxs8r6.exe, 00000000.00000003.1828765583.000000000010A000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdb++ source: Iir6rxs8r6.exe, 00000000.00000002.3229557865.0000000003E29000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdbs source: Iir6rxs8r6.exe, 00000000.00000002.3226196423.000000000388D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdb.rhysidah source: Iir6rxs8r6.exe, 00000000.00000002.3227092348.00000000039E3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n Data/Temp/Symbols/winload_prod.pdb/01AB905 source: Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdbB source: Iir6rxs8r6.exe, 00000000.00000002.3230224009.0000000003EE6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb source: Iir6rxs8r6.exe, 00000000.00000002.3231065025.0000000004044000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3229299015.0000000003DCA000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3227092348.00000000039E3000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3230644769.0000000003F98000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3227242449.0000000003A6A000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3224379439.00000000036BD000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3235038394.0000000004C5B000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3226196423.000000000388D000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3233775780.0000000004B07000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3230224009.0000000003EE6000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3234342821.0000000004BA7000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3225224394.0000000003796000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3229117500.0000000003D30000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3232582558.00000000041D5000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3229557865.0000000003E29000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3226649501.0000000003922000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3227994671.0000000003BE2000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3228706934.0000000003C77000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3233254008.0000000004A74000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3229153631.0000000003D42000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3225053931.000000000375A000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3231485189.0000000004106000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3225182842.0000000003784000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3227633984.0000000003B31000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3225603623.0000000003810000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Symbols\winload_prod.pdb\01AB9056EA9380F7164b source: Iir6rxs8r6.exe, 00000000.00000003.1828765583.000000000010A000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/winload_prod.pdb/01AB9056EA9380F71644C4339E3FA1AC2AC2n source: Iir6rxs8r6.exe, 00000000.00000003.1828765583.000000000010A000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A58 source: Iir6rxs8r6.exe, 00000000.00000003.1828765583.000000000010A000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb} source: Iir6rxs8r6.exe, 00000000.00000002.3230644769.0000000003F98000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\* source: Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdbG source: Iir6rxs8r6.exe, 00000000.00000002.3234342821.0000000004BA7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Symbols\winload_prod.pdb\01AB9056EA9380F7164^ source: Iir6rxs8r6.exe, 00000000.00000003.1829035358.00000000000F6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ols/ntkrnlmp.pdbs32 source: Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdbN source: Iir6rxs8r6.exe, 00000000.00000002.3227092348.00000000039E3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ols/ntkrnlmp.pdbhDe source: Iir6rxs8r6.exe, 00000000.00000003.1829035358.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Symbols\winload_prod.pdb\01AB9056EA9380F7164 source: Iir6rxs8r6.exe, 00000000.00000003.1829035358.00000000000F6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb.rhysida[j source: Iir6rxs8r6.exe, 00000000.00000002.3233254008.0000000004A74000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831O source: Iir6rxs8r6.exe, 00000000.00000003.1829035358.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb.rhysida$ source: Iir6rxs8r6.exe, 00000000.00000002.3232582558.00000000041D5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdb;] source: Iir6rxs8r6.exe, 00000000.00000002.3231065025.0000000004044000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb3ta source: Iir6rxs8r6.exe, 00000000.00000003.1895165991.0000000000108000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb[ source: Iir6rxs8r6.exe, 00000000.00000002.3234342821.0000000004BA7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb^ source: Iir6rxs8r6.exe, 00000000.00000002.3225182842.0000000003784000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: DaC:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\pData\te\er\DOMStore\1/CriticalBreachDetected.pdftrass source: Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: Iir6rxs8r6.exe, 00000000.00000003.1829035358.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ation Data\Temp\Symbols\ntkrnlmp.pdb\68A17FA source: Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdbd source: Iir6rxs8r6.exe, 00000000.00000002.3225603623.0000000003810000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdbf source: Iir6rxs8r6.exe, 00000000.00000002.3224379439.00000000036BD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb.rhysida4 source: Iir6rxs8r6.exe, 00000000.00000002.3227092348.00000000039E3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdb%ss source: Iir6rxs8r6.exe, 00000000.00000002.3225053931.000000000375A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\w source: Iir6rxs8r6.exe, 00000000.00000003.1828765583.000000000010A000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\CriticalBreachDetected.pdfocal\Applica source: Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb.rhysida source: Iir6rxs8r6.exe, 00000000.00000002.3231065025.0000000004044000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3227092348.00000000039E3000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3230644769.0000000003F98000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3227242449.0000000003A6A000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3235038394.0000000004C5B000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3226196423.000000000388D000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3233775780.0000000004B07000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3230224009.0000000003EE6000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3234342821.0000000004BA7000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3229117500.0000000003D30000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3232582558.00000000041D5000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3229557865.0000000003E29000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3226649501.0000000003922000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3227994671.0000000003BE2000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3228706934.0000000003C77000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3233254008.0000000004A74000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3231485189.0000000004106000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3227633984.0000000003B31000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdbl source: Iir6rxs8r6.exe, 00000000.00000002.3225182842.0000000003784000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\*a/ source: Iir6rxs8r6.exe, 00000000.00000003.1895165991.0000000000108000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ad_prod.pdb.rhysida source: Iir6rxs8r6.exe, 00000000.00000003.1828765583.000000000010A000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File opened: C:\Users\All Users\Application Data\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5}\CriticalBreachDetected.pdf
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File opened: C:\Users\All Users\.curlrc.rhysida
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File opened: C:\Users\All Users\Application Data\CriticalBreachDetected.pdf
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File opened: C:\Users\All Users\Application Data\Adobe\ARM\CriticalBreachDetected.pdf
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File opened: C:\Users\All Users\Application Data\Adobe\CriticalBreachDetected.pdf
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File opened: C:\Users\All Users\Application Data\Adobe\ARM\Acrobat_23.006.20320\CriticalBreachDetected.pdf
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Code function: 4x nop then jmp 00430550h 0_2_0041DFD0
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Code function: 4x nop then lea r8, qword ptr [0000000000460600h] 0_2_00428AE0
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Code function: 4x nop then lea r8, qword ptr [0000000000461040h] 0_2_0042BA90
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Code function: 4x nop then lea r8, qword ptr [0000000000461660h] 0_2_0042CC50
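
Added example (not part of this report): the file-access entries above show the two on-disk artefacts an incident responder scopes by, files renamed with a .rhysida suffix (C:\Users\All Users\.curlrc.rhysida) and the CriticalBreachDetected.pdf note dropped into one directory after another, and the signature list records that the sample writes many high-entropy files. The Python below triages a directory tree for all three. build_sample_tree() constructs throwaway test files for the demonstration; the file names, sizes and the entropy threshold in it are assumptions, not values from the report.

```python
"""Triage a file tree for Rhysida-style encryption artefacts.

Added example, not part of the sandbox report. It looks for the three artefacts
the report records: files renamed with a .rhysida extension, the
CriticalBreachDetected.pdf ransom note, and files whose content is high-entropy.
build_sample_tree() constructs a throwaway directory for the demonstration; the
file names and sizes inside it are assumptions.
"""
import math
import os
import tempfile
from collections import Counter

RANSOM_EXT = ".rhysida"
RANSOM_NOTE = "criticalbreachdetected.pdf"
ENTROPY_THRESHOLD = 7.5      # bits per byte; random or encrypted data sits near 8.0
MIN_SIZE_FOR_ENTROPY = 256   # entropy of tiny files is noisy, so they are skipped
SAMPLE_BYTES = 1 << 20       # only the first MiB of large files is read


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_file(path: str) -> dict:
    """Name- and content-based indicators for one file."""
    name = os.path.basename(path).lower()
    size = os.path.getsize(path)
    entropy = None
    if size >= MIN_SIZE_FOR_ENTROPY:
        with open(path, "rb") as fh:
            entropy = shannon_entropy(fh.read(SAMPLE_BYTES))
    return {
        "path": path,
        "size": size,
        "entropy": entropy,
        "ransom_ext": name.endswith(RANSOM_EXT),
        "ransom_note": name == RANSOM_NOTE,
        "high_entropy": entropy is not None and entropy >= ENTROPY_THRESHOLD,
    }


def triage(root: str) -> dict:
    """Walk root and list the files that match each indicator."""
    summary = {"ransom_ext": [], "ransom_note": [], "high_entropy": [], "scanned": 0}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            info = classify_file(os.path.join(dirpath, fname))
            summary["scanned"] += 1
            for key in ("ransom_ext", "ransom_note", "high_entropy"):
                if info[key]:
                    summary[key].append(info["path"])
    return summary


def build_sample_tree() -> str:
    """Constructed test data: one 'encrypted' file (random bytes with the
    .rhysida suffix), one ransom note, one untouched text file."""
    root = tempfile.mkdtemp(prefix="rhysida_triage_")
    os.makedirs(os.path.join(root, "Adobe", "ARM"))
    with open(os.path.join(root, ".curlrc" + RANSOM_EXT), "wb") as fh:
        fh.write(os.urandom(4096))  # stands in for ciphertext
    with open(os.path.join(root, "Adobe", "ARM", "CriticalBreachDetected.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4\n% constructed placeholder ransom note\n")
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"quarterly report draft, nothing unusual here.\n" * 20)
    return root


if __name__ == "__main__":
    result = triage(build_sample_tree())
    for key in ("ransom_ext", "ransom_note", "high_entropy"):
        print(key, result[key])
```

The extension and note checks are cheap and precise but only catch what the sample renamed; the entropy check is the fallback for partially encrypted files that kept their name, and it is why compressed archives and media need to be whitelisted before the result is trusted.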

Networking

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 2
Source: Joe Sandbox View IP Address: 23.51.56.185
Source: Joe Sandbox View IP Address: 52.5.13.197
Source: Joe Sandbox View IP Address: 96.17.64.189
Source: global traffic HTTP traffic detected:
    GET / HTTP/1.1
    Host: geo2.adobe.com
    Connection: keep-alive
    Accept: application/json
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: empty
    Accept-Encoding: gzip, deflate, br
Source: global traffic HTTP traffic detected:
    OPTIONS /psdk/v2/content?surfaceId=ACROBAT_READER_MASTER_SURFACEID&surfaceId=DC_READER_LAUNCH_CARD&surfaceId=DC_Reader_RHP_Banner&surfaceId=DC_Reader_RHP_Retention&surfaceId=Edit_InApp_Aug2020&surfaceId=DC_FirstMile_Right_Sec_Surface&surfaceId=DC_Reader_Upsell_Cards&surfaceId=DC_FirstMile_Home_View_Surface&surfaceId=DC_Reader_RHP_Intent_Banner&surfaceId=DC_Reader_Disc_LHP_Banner&surfaceId=DC_Reader_Edit_LHP_Banner&surfaceId=DC_Reader_Convert_LHP_Banner&surfaceId=DC_Reader_Sign_LHP_Banner&surfaceId=DC_Reader_More_LHP_Banner&surfaceId=DC_Reader_Disc_LHP_Retention&surfaceId=DC_Reader_Home_LHP_Trial_Banner&adcProductLanguage=en-us&adcVersion=23.6.20320&adcProductType=SingleClientMini&adcOSType=WIN&adcCountryCode=US&adcXAPIClientID=api_reader_desktop_win_23.6.20320&encodingScheme=BASE_64 HTTP/1.1
    Host: p13n.adobe.io
    Connection: keep-alive
    Accept: */*
    Access-Control-Request-Method: GET
    Access-Control-Request-Headers: x-adobe-uuid,x-adobe-uuid-type,x-api-key
    Origin: https://rna-resource.acrobat.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Dest: empty
    Referer: https://rna-resource.acrobat.com/
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected:
    GET /onboarding/smskillreader.txt HTTP/1.1
    Host: armmf.adobe.com
    Connection: keep-alive
    Accept-Language: en-US,en;q=0.9
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: empty
    Accept-Encoding: gzip, deflate, br
Source: global traffic HTTP traffic detected:
    GET /psdk/v2/content?surfaceId=ACROBAT_READER_MASTER_SURFACEID&surfaceId=DC_READER_LAUNCH_CARD&surfaceId=DC_Reader_RHP_Banner&surfaceId=DC_Reader_RHP_Retention&surfaceId=Edit_InApp_Aug2020&surfaceId=DC_FirstMile_Right_Sec_Surface&surfaceId=DC_Reader_Upsell_Cards&surfaceId=DC_FirstMile_Home_View_Surface&surfaceId=DC_Reader_RHP_Intent_Banner&surfaceId=DC_Reader_Disc_LHP_Banner&surfaceId=DC_Reader_Edit_LHP_Banner&surfaceId=DC_Reader_Convert_LHP_Banner&surfaceId=DC_Reader_Sign_LHP_Banner&surfaceId=DC_Reader_More_LHP_Banner&surfaceId=DC_Reader_Disc_LHP_Retention&surfaceId=DC_Reader_Home_LHP_Trial_Banner&adcProductLanguage=en-us&adcVersion=23.6.20320&adcProductType=SingleClientMini&adcOSType=WIN&adcCountryCode=US&adcXAPIClientID=api_reader_desktop_win_23.6.20320&encodingScheme=BASE_64 HTTP/1.1
    Host: p13n.adobe.io
    Connection: keep-alive
    sec-ch-ua: "Chromium";v="105"
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36
    Accept: application/json, text/javascript, */*; q=0.01
    x-adobe-uuid: c583ad55-e27a-405e-ae1a-c48b4361aa9d
    x-adobe-uuid-type: visitorId
    x-api-key: AdobeReader9
    sec-ch-ua-platform: "Windows"
    Origin: https://rna-resource.acrobat.com
    Accept-Language: en-US,en;q=0.9
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://rna-resource.acrobat.com/
    Accept-Encoding: gzip, deflate, br
Note: all four requests go to Adobe hosts and carry the Acrobat Reader user agent (ReaderServices/23.6.20320, matching the Acrobat_23.006.20320 install seen in the file-access entries above). They are consistent with Reader background traffic rather than sample command-and-control; treat them as attributable to Iir6rxs8r6.exe only if the process tree shows the sample, not Reader, as the originating process.
Source: unknown TCP traffic detected without corresponding DNS query: 23.51.56.185
Source: unknown TCP traffic detected without corresponding DNS query: 52.5.13.197
Source: unknown TCP traffic detected without corresponding DNS query: 96.17.64.189
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\Users\Default\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\CriticalBreachDetected.pdf Jump to behavior
Source: global traffic HTTP traffic detected: GET / HTTP/1.1
    Host: geo2.adobe.com
    Connection: keep-alive
    Accept: application/json
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: empty
    Accept-Encoding: gzip, deflate, br
Source: global traffic DNS traffic detected: DNS query: x1.i.lencr.org
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: Yara match File source: C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-5F2FFB7A31DBA078D8F948F77F0FE9B82BEB1559.bin.7C.rhysida, type: DROPPED
Source: Yara match File source: C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-5F2FFB7A31DBA078D8F948F77F0FE9B82BEB1559.bin.79.rhysida, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match File source: Iir6rxs8r6.exe, type: SAMPLE
Source: Yara match File source: Process Memory Space: Iir6rxs8r6.exe PID: 4852, type: MEMORYSTR
Source: C:\Windows\System32\reg.exe Key value created or modified: HKEY_CURRENT_USER\Control Panel\Desktop Wallpaper C:\Users\Public\bg.jpg
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\$WinREAgent\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\$WinREAgent\Scratch\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\Users\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Adobe\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Adobe\ARM\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Adobe\ARM\Acrobat_23.006.20320\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5}\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\Powershell\MSFT_MpPreference.cdxml.rhysida entropy: 7.99870958536 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\Powershell\MSFT_MpSignature.cdxml.rhysida entropy: 7.99094743776 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ru-RU\ProtectionManagement.dll.mui.rhysida entropy: 7.99684266032 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sr-Cyrl-BA\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sr-Cyrl-RS\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sr-Latn-RS\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sr-Cyrl-RS\mpuxagent.dll.mui.rhysida entropy: 7.99537873932 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sr-Cyrl-BA\mpuxagent.dll.mui.rhysida entropy: 7.99555688285 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sr-Latn-RS\mpuxagent.dll.mui.rhysida entropy: 7.99465219564 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sr-Latn-RS\MpAsDesc.dll.mui.rhysida entropy: 7.99734848924 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\en-GB\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\en-US\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\en-GB\mpasdesc.dll.mui.rhysida entropy: 7.99644351166 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\en-US\MpAsDesc.dll.mui.rhysida entropy: 7.99717511438 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\zh-CN\ProtectionManagement.dll.mui.rhysida entropy: 7.99562104273 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\zh-TW\ProtectionManagement.dll.mui.rhysida entropy: 7.99565181982 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\az-Latn-AZ\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\bs-Latn-BA\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\az-Latn-AZ\mpuxagent.dll.mui.rhysida entropy: 7.99532591327 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\bs-Latn-BA\mpuxagent.dll.mui.rhysida entropy: 7.99503765239 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ca-ES-valencia\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\Catalogs\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ca-ES-valencia\mpuxagent.dll.mui.rhysida entropy: 7.99445642129 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\Drivers\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\de-DE\ProtectionManagement.dll.mui.rhysida entropy: 7.99700587417 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\en-US\ProtectionManagement.dll.mui.rhysida entropy: 7.99677588084 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\es-ES\ProtectionManagement.dll.mui.rhysida entropy: 7.99757704981 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\fr-FR\ProtectionManagement.dll.mui.rhysida entropy: 7.99725827095 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\it-IT\ProtectionManagement.dll.mui.rhysida entropy: 7.99724408727 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ja-JP\ProtectionManagement.dll.mui.rhysida entropy: 7.99679699777 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ko-KR\ProtectionManagement.dll.mui.rhysida entropy: 7.99602606196 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\Microsoft-Windows-Windows Defender.man.rhysida entropy: 7.99881596473 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\sl-SI\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\Microsoft-Antimalware-Service.man.rhysida entropy: 7.99482899154 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ru-RU\MpEvMsg.dll.mui.rhysida entropy: 7.99665448395 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ru-RU\mpuxagent.dll.mui.rhysida entropy: 7.99478772255 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\sq-AL\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\Powershell\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\sk-SK\MpAsDesc.dll.mui.rhysida entropy: 7.99727762898 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\sl-SI\mpuxagent.dll.mui.rhysida entropy: 7.99440876817 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\sl-SI\MpAsDesc.dll.mui.rhysida entropy: 7.99752223717 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\sv-SE\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\pl-PL\mpuxagent.dll.mui.rhysida entropy: 7.99431875528 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ta-IN\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\Powershell\MSFT_MpPreference.cdxml.rhysida entropy: 7.99878036717 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\sq-AL\mpuxagent.dll.mui.rhysida entropy: 7.99577800027 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\sv-SE\MpEvMsg.dll.mui.rhysida entropy: 7.9971654064 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\sv-SE\mpuxagent.dll.mui.rhysida entropy: 7.99513016149 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\pt-BR\ProtectionManagement.dll.mui.rhysida entropy: 7.99722731586 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\te-IN\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ta-IN\mpuxagent.dll.mui.rhysida entropy: 7.99509851898 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\Powershell\MSFT_MpSignature.cdxml.rhysida entropy: 7.99050270072 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\th-TH\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ru-RU\ProtectionManagement.dll.mui.rhysida entropy: 7.99726126292 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\te-IN\mpuxagent.dll.mui.rhysida entropy: 7.99485614652 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\tr-TR\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\sr-Cyrl-BA\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sv-SE\MpAsDesc.dll.mui.rhysida entropy: 7.99730249902 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\sr-Cyrl-RS\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\sr-Cyrl-BA\mpuxagent.dll.mui.rhysida entropy: 7.99468535874 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\th-TH\mpuxagent.dll.mui.rhysida entropy: 7.993831331 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\sr-Latn-RS\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\tt-RU\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\sr-Cyrl-RS\mpuxagent.dll.mui.rhysida entropy: 7.99440215623 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\tr-TR\MpEvMsg.dll.mui.rhysida entropy: 7.99616172123 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\sr-Latn-RS\mpuxagent.dll.mui.rhysida entropy: 7.99473185535 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\tr-TR\mpuxagent.dll.mui.rhysida entropy: 7.99501872919 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\sr-Latn-RS\MpAsDesc.dll.mui.rhysida entropy: 7.99645616426 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ug-CN\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\en-GB\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\th-TH\MpAsDesc.dll.mui.rhysida entropy: 7.99680350853 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\en-US\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\uk-UA\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\en-US\MpAsDesc.dll.mui.rhysida entropy: 7.99664814174 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\tt-RU\mpuxagent.dll.mui.rhysida entropy: 7.99433708517 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\en-GB\mpasdesc.dll.mui.rhysida entropy: 7.99643220993 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ur-PK\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\uk-UA\mpuxagent.dll.mui.rhysida entropy: 7.99501898144 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\zh-CN\ProtectionManagement.dll.mui.rhysida entropy: 7.99609282274 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\zh-TW\ProtectionManagement.dll.mui.rhysida entropy: 7.99567621266 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\uk-UA\MpAsDesc.dll.mui.rhysida entropy: 7.99728016331 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\ReportLatency\Latency\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\vi-VN\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\ReportLatency\Latency\19\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ur-PK\mpuxagent.dll.mui.rhysida entropy: 7.99405191119 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\X86\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\vi-VN\mpuxagent.dll.mui.rhysida entropy: 7.99432185958 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\zh-CN\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sk-SK\mpuxagent.dll.mui.rhysida entropy: 7.99459724664 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\zh-TW\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\zh-CN\MpEvMsg.dll.mui.rhysida entropy: 7.99497592926 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\zh-CN\mpuxagent.dll.mui.rhysida entropy: 7.99077670268 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\zh-TW\MpAsDesc.dll.mui.rhysida entropy: 7.99424480577 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\zh-TW\mpuxagent.dll.mui.rhysida entropy: 7.99078171595 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ru-RU\MpEvMsg.dll.mui.rhysida entropy: 7.99711872708 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Quarantine\Entries\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sl-SI\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ru-RU\MpAsDesc.dll.mui.rhysida entropy: 7.99737838327 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\01\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ru-RU\mpuxagent.dll.mui.rhysida entropy: 7.99555748222 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Quarantine\ResourceData\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\de-DE\MpAsDesc.dll.mui.rhysida entropy: 7.99746986488 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Quarantine\ResourceData\E3\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sq-AL\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\pt-PT\mpuxagent.dll.mui.rhysida entropy: 7.9938980416 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sl-SI\mpuxagent.dll.mui.rhysida entropy: 7.99519514759 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Quarantine\Resources\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sl-SI\MpAsDesc.dll.mui.rhysida entropy: 7.99737574302 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\pt-BR\MpEvMsg.dll.mui.rhysida entropy: 7.99690228611 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sv-SE\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Quarantine\Resources\E3\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sk-SK\MpAsDesc.dll.mui.rhysida entropy: 7.99728719052 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\pl-PL\mpuxagent.dll.mui.rhysida entropy: 7.99484411477 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\04\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\pl-PL\MpAsDesc.dll.mui.rhysida entropy: 7.99743784275 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Scans\BackupStore\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ta-IN\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\nl-NL\mpuxagent.dll.mui.rhysida entropy: 7.99556701346 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sv-SE\MpEvMsg.dll.mui.rhysida entropy: 7.99738049085 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ne-NP\mpuxagent.dll.mui.rhysida entropy: 7.99450933913 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sq-AL\mpuxagent.dll.mui.rhysida entropy: 7.99506887833 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\06\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\sv-SE\mpuxagent.dll.mui.rhysida entropy: 7.99396997847 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mt-MT\mpuxagent.dll.mui.rhysida entropy: 7.99468899702 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\te-IN\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\ReportLatency\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ta-IN\mpuxagent.dll.mui.rhysida entropy: 7.99540875184 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\mr-IN\mpuxagent.dll.mui.rhysida entropy: 7.99598794999 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\th-TH\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\tr-TR\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\th-TH\MpAsDesc.dll.mui.rhysida entropy: 7.99715122033 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\th-TH\mpuxagent.dll.mui.rhysida entropy: 7.99434133206 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\cy-GB\mpuxagent.dll.mui.rhysida entropy: 7.994551777 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpasbase.vdm.rhysida entropy: 7.9977589521 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\tt-RU\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\tr-TR\mpuxagent.dll.mui.rhysida entropy: 7.99429081447 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\tr-TR\MpEvMsg.dll.mui.rhysida entropy: 7.99677743888 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\zh-TW\MpEvMsg.dll.mui.rhysida entropy: 7.99513794124 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ca-ES\MpAsDesc.dll.mui.rhysida entropy: 7.99730360919 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ug-CN\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\uk-UA\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\tt-RU\mpuxagent.dll.mui.rhysida entropy: 7.99521447666 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ur-PK\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\uk-UA\MpAsDesc.dll.mui.rhysida entropy: 7.9972554754 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\uk-UA\mpuxagent.dll.mui.rhysida entropy: 7.9958627018 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\zh-CN\MpAsDesc.dll.mui.rhysida entropy: 7.99486531326 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\bg-BG\MpAsDesc.dll.mui.rhysida entropy: 7.997020429 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\vi-VN\MpAsDesc.dll.mui.rhysida entropy: 7.99743382076 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\vi-VN\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\X86\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ur-PK\mpuxagent.dll.mui.rhysida entropy: 7.994758511 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Temp\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\zh-CN\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ug-CN\mpuxagent.dll.mui.rhysida entropy: 7.99459039385 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\zh-TW\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\tr-TR\MpAsDesc.dll.mui.rhysida entropy: 7.99716326248 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\af-ZA\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\te-IN\mpuxagent.dll.mui.rhysida entropy: 7.9946730321 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ar-SA\MpAsDesc.dll.mui.rhysida entropy: 7.99708325407 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\en-GB\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\zh-CN\mpuxagent.dll.mui.rhysida entropy: 7.99135719788 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\sv-SE\MpAsDesc.dll.mui.rhysida entropy: 7.99706496808 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\ClickToRun\MachineData\Integration\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\am-ET\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\sk-SK\mpuxagent.dll.mui.rhysida entropy: 7.99485191424 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\ClickToRun\MachineData\Integration\ShortcutBackups\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\vi-VN\mpuxagent.dll.mui.rhysida entropy: 7.99452236261 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ru-RU\MpAsDesc.dll.mui.rhysida entropy: 7.99720696498 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\af-ZA\mpuxagent.dll.mui.rhysida entropy: 7.99529441216 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\pt-PT\mpuxagent.dll.mui.rhysida entropy: 7.99429024291 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\msoutilstat.etw.man.rhysida entropy: 7.9983131622 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ar-SA\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\en-GB\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\zh-TW\mpuxagent.dll.mui.rhysida entropy: 7.99117847865 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\pt-BR\MpEvMsg.dll.mui.rhysida entropy: 7.99669960775 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\AirSpace.Etw.man.rhysida entropy: 7.99954566432 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\am-ET\mpuxagent.dll.mui.rhysida entropy: 7.99323735827 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\pl-PL\MpAsDesc.dll.mui.rhysida entropy: 7.99771293633 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\as-IN\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json.bk.rhysida entropy: 7.998880008 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\zh-CN\MpEvMsg.dll.mui.rhysida entropy: 7.99544503366 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json.rhysida entropy: 7.99887922229 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\nl-NL\mpuxagent.dll.mui.rhysida entropy: 7.99466361632 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ne-NP\mpuxagent.dll.mui.rhysida entropy: 7.99490553125 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\zh-TW\MpAsDesc.dll.mui.rhysida entropy: 7.9946883099 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\mt-MT\mpuxagent.dll.mui.rhysida entropy: 7.99435525018 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\bg-BG\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\mr-IN\mpuxagent.dll.mui.rhysida entropy: 7.99533746423 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\ScenarioShutdownLogger\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ar-SA\mpuxagent.dll.mui.rhysida entropy: 7.99434619628 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\Diagtrack-Listener.etl.rhysida entropy: 7.99928348011 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\as-IN\mpuxagent.dll.mui.rhysida entropy: 7.99422772899 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ml-IN\mpuxagent.dll.mui.rhysida entropy: 7.99600050847 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Diagnosis\Temp\DiagTrackTraceSlot_alternativeTrace\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\bn-IN\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Diagnosis\Temp\DiagTrackTraceSlot_aot\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\bg-BG\mpuxagent.dll.mui.rhysida entropy: 7.99425936546 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\lt-LT\mpuxagent.dll.mui.rhysida entropy: 7.99432032333 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Diagnosis\Temp\DiagTrackTraceSlot_diag\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpasbase.lkg.rhysida entropy: 7.99764892319 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\kok-IN\mpuxagent.dll.mui.rhysida entropy: 7.99495889796 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Diagnosis\Temp\DiagTrackTraceSlot_miniTrace\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ca-ES\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Diagnosis\TimeTravelDebuggingStorage\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\bn-IN\mpuxagent.dll.mui.rhysida entropy: 7.99525211731 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Provisioning\AssetCache\CellularUx\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\cs-CZ\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ca-ES\mpuxagent.dll.mui.rhysida entropy: 7.99405699263 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\cy-GB\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\cs-CZ\MpEvMsg.dll.mui.rhysida entropy: 7.99645831329 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\cs-CZ\MpAsDesc.dll.mui.rhysida entropy: 7.99673217749 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\da-DK\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\NisBackup\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\de-DE\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Updates\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\da-DK\MpAsDesc.dll.mui.rhysida entropy: 7.9971852033 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpavdlta.vdm.rhysida entropy: 7.99796669836 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\da-DK\MpEvMsg.dll.mui.rhysida entropy: 7.99668638396 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\DLPCache\FileEvidence\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\el-GR\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpavbase.lkg.rhysida entropy: 7.99810375548 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\de-DE\MpEvMsg.dll.mui.rhysida entropy: 7.99614454977 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpavdlta.lkg.rhysida entropy: 7.99983582376 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\en-GB\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\de-DE\mpuxagent.dll.mui.rhysida entropy: 7.99523139836 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\DLPCache\NetworkFilesMappingStubs\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\en-US\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpasdlta.vdm.rhysida entropy: 7.99967556132 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\el-GR\mpuxagent.dll.mui.rhysida entropy: 7.99593315627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Network Inspection System\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\el-GR\MpEvMsg.dll.mui.rhysida entropy: 7.99693950864 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Network Inspection System\Support\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\es-ES\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpasdlta.lkg.rhysida entropy: 7.99988440106 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\en-US\MpEvMsg.dll.mui.rhysida entropy: 7.9967667225 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\es-MX\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\af-ZA\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\es-ES\MpAsDesc.dll.mui.rhysida entropy: 7.99751903879 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\am-ET\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\et-EE\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ar-SA\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\as-IN\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\es-ES\MpEvMsg.dll.mui.rhysida entropy: 7.99721669818 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\eu-ES\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\am-ET\mpuxagent.dll.mui.rhysida entropy: 7.99290969193 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\es-MX\mpuxagent.dll.mui.rhysida entropy: 7.9949975385 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\af-ZA\mpuxagent.dll.mui.rhysida entropy: 7.9944707034 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\et-EE\MpAsDesc.dll.mui.rhysida entropy: 7.99674771436 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\bg-BG\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\fa-IR\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\bn-IN\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\en-US\MpAsDesc.dll.mui.rhysida entropy: 7.99725395488 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\as-IN\mpuxagent.dll.mui.rhysida entropy: 7.99457565266 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\fi-FI\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ca-ES\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\fil-PH\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\bn-IN\mpuxagent.dll.mui.rhysida entropy: 7.99491768815 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\fa-IR\mpuxagent.dll.mui.rhysida entropy: 7.99480203397 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\cs-CZ\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\fi-FI\MpAsDesc.dll.mui.rhysida entropy: 7.99726881725 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\cy-GB\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ca-ES\mpuxagent.dll.mui.rhysida entropy: 7.99470410302 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\fi-FI\mpuxagent.dll.mui.rhysida entropy: 7.99526985268 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\fr-CA\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\Catalogs\IGD.CAT.rhysida entropy: 7.99506462908 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\fil-PH\mpuxagent.dll.mui.rhysida entropy: 7.99516021232 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\da-DK\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\fr-FR\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\cs-CZ\MpEvMsg.dll.mui.rhysida entropy: 7.996652098 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\eu-ES\mpuxagent.dll.mui.rhysida entropy: 7.99544467925 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\de-DE\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\fr-CA\MpAsDesc.dll.mui.rhysida entropy: 7.99798870432 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\cs-CZ\mpuxagent.dll.mui.rhysida entropy: 7.99446430048 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\fr-FR\MpAsDesc.dll.mui.rhysida entropy: 7.99774075555 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\cs-CZ\MpAsDesc.dll.mui.rhysida entropy: 7.99703393689 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ga-IE\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\el-GR\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\fr-FR\MpEvMsg.dll.mui.rhysida entropy: 7.99701822304 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\en-GB\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\fr-FR\mpuxagent.dll.mui.rhysida entropy: 7.99458418649 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\en-US\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\es-ES\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\es-MX\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\et-EE\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\eu-ES\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\da-DK\mpuxagent.dll.mui.rhysida entropy: 7.9950404542 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\de-DE\mpuxagent.dll.mui.rhysida entropy: 7.99519455615 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\el-GR\MpEvMsg.dll.mui.rhysida entropy: 7.99764765448 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fa-IR\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fi-FI\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\et-EE\mpuxagent.dll.mui.rhysida entropy: 7.99492019419 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\et-EE\MpAsDesc.dll.mui.rhysida entropy: 7.99697640606 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fa-IR\mpuxagent.dll.mui.rhysida entropy: 7.99434877241 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fil-PH\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\es-ES\mpuxagent.dll.mui.rhysida entropy: 7.99513532017 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fr-CA\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\es-MX\mpuxagent.dll.mui.rhysida entropy: 7.99451233948 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fi-FI\MpEvMsg.dll.mui.rhysida entropy: 7.99637865836 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fi-FI\MpAsDesc.dll.mui.rhysida entropy: 7.99672749293 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fr-FR\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ga-IE\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\gd-GB\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fil-PH\mpuxagent.dll.mui.rhysida entropy: 7.99533880575 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fr-CA\mpuxagent.dll.mui.rhysida entropy: 7.99537385077 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fr-FR\mpuxagent.dll.mui.rhysida entropy: 7.99483394625 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\gl-ES\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ga-IE\mpuxagent.dll.mui.rhysida entropy: 7.99436513712 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fr-FR\MpEvMsg.dll.mui.rhysida entropy: 7.99716970129 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\gu-IN\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fr-CA\MpAsDesc.dll.mui.rhysida entropy: 7.99767607139 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\en-US\mpuxagent.dll.mui.rhysida entropy: 7.99489677481 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\he-IL\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\gl-ES\mpuxagent.dll.mui.rhysida entropy: 7.99491681901 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\hi-IN\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\he-IL\MpAsDesc.dll.mui.rhysida entropy: 7.99638449758 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\hr-HR\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\es-ES\MpAsDesc.dll.mui.rhysida entropy: 7.99727066256 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\gu-IN\mpuxagent.dll.mui.rhysida entropy: 7.99514310274 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\hu-HU\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\en-GB\MpAsDesc.dll.mui.rhysida entropy: 7.99737840991 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\hi-IN\mpuxagent.dll.mui.rhysida entropy: 7.99551229807 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\id-ID\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\07\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\08\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\15\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\17\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\20\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\21\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-5F2FFB7A31DBA078D8F948F77F0FE9B82BEB1559.bin.E6.rhysida entropy: 7.99719406725 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-5F2FFB7A31DBA078D8F948F77F0FE9B82BEB1559.bin.A0.rhysida entropy: 7.9998722731 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-5F2FFB7A31DBA078D8F948F77F0FE9B82BEB1559.bin.6C.rhysida entropy: 7.99627514801 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-5F2FFB7A31DBA078D8F948F77F0FE9B82BEB1559.bin.01.rhysida entropy: 7.9998471054 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Package Cache\{D5D19E2F-7189-42FE-8103-92CD1FA457C2}v14.36.32532\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Package Cache\{D5D19E2F-7189-42FE-8103-92CD1FA457C2}v14.36.32532\packages\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\A3CECAC7-AFEC-4136-AD26-4F02273A588C\en-us.16\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\A3CECAC7-AFEC-4136-AD26-4F02273A588C\x-none.16\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\A3CECAC7-AFEC-4136-AD26-4F02273A588C\en-us.16\stream.x86.en-us.dat.cat.rhysida entropy: 7.99778181088 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\A3CECAC7-AFEC-4136-AD26-4F02273A588C\en-us.16\stream.x86.en-us.db.rhysida entropy: 7.99957255795 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\kn-IN\mpuxagent.dll.mui.rhysida entropy: 7.99371304586 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\A3CECAC7-AFEC-4136-AD26-4F02273A588C\en-us.16\stream.x86.en-us.man.dat.rhysida entropy: 7.99979234419 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Packages\Microsoft.549981C3F5F10_8wekyb3d8bbwe\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\A3CECAC7-AFEC-4136-AD26-4F02273A588C\x-none.16\stream.x86.x-none.db.rhysida entropy: 7.99555479699 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ja-JP\mpuxagent.dll.mui.rhysida entropy: 7.99269250286 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\it-IT\MpEvMsg.dll.mui.rhysida entropy: 7.99694043062 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Word.Word.x-none.msi.16.x-none.xml.rhysida entropy: 7.99843672143 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Packages\Microsoft.Microsoft3DViewer_8wekyb3d8bbwe\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\id-ID\MpAsDesc.dll.mui.rhysida entropy: 7.99719527424 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Packages\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.en-us.xml.rhysida entropy: 7.99295748743 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\hr-HR\mpuxagent.dll.mui.rhysida entropy: 7.99497708679 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.outlookmui.msi.16.en-us.xml.rhysida entropy: 7.99842984622 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\he-IL\MpAsDesc.dll.mui.rhysida entropy: 7.99701215971 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.fr-fr.xml.rhysida entropy: 7.99266919769 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Packages\Microsoft.MixedReality.Portal_8wekyb3d8bbwe\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml.rhysida entropy: 7.9982801707 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.officemui.msi.16.en-us.xml.rhysida entropy: 7.99861569001 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ga-IE\mpuxagent.dll.mui.rhysida entropy: 7.99488033037 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.powerpointmui.msi.16.en-us.xml.rhysida entropy: 7.99350438134 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\fr-CA\mpuxagent.dll.mui.rhysida entropy: 7.99518316431 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.shared.Office.x-none.msi.16.x-none.xml.rhysida entropy: 7.99976936999 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\fi-FI\MpEvMsg.dll.mui.rhysida entropy: 7.99653938461 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Lync.Lync.x-none.msi.16.x-none.xml.rhysida entropy: 7.99825350101 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Outlook.Outlook.x-none.msi.16.x-none.xml.rhysida entropy: 7.99821015813 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\et-EE\mpuxagent.dll.mui.rhysida entropy: 7.99325571153 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\es-ES\mpuxagent.dll.mui.rhysida entropy: 7.99496247448 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\A3CECAC7-AFEC-4136-AD26-4F02273A588C\x-none.16\MasterDescriptor.x-none.xml.rhysida entropy: 7.99548551978 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Proof.Culture.msi.16.es-es.xml.rhysida entropy: 7.99240703452 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\en-US\mpuxagent.dll.mui.rhysida entropy: 7.99373825449 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\en-GB\MpAsDesc.dll.mui.rhysida entropy: 7.99696991494 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\da-DK\mpuxagent.dll.mui.rhysida entropy: 7.99452442802 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\cs-CZ\mpuxagent.dll.mui.rhysida entropy: 7.99431635806 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.onenotemui.msi.16.en-us.xml.rhysida entropy: 7.99139121076 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\Catalogs\IGD.CAT.rhysida entropy: 7.99615962081 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.office64ww.msi.16.x-none.xml.rhysida entropy: 7.99942806098 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\A3CECAC7-AFEC-4136-AD26-4F02273A588C\en-us.16\MasterDescriptor.en-us.xml.rhysida entropy: 7.99390288283 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml.rhysida entropy: 7.9987489749 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.excelmui.msi.16.en-us.xml.rhysida entropy: 7.99524360855 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.accessmui.msi.16.en-us.xml.rhysida entropy: 7.99663756122 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.Access.Access.x-none.msi.16.x-none.xml.rhysida entropy: 7.99705546808 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\A3CECAC7-AFEC-4136-AD26-4F02273A588C\x-none.16\stream.x86.x-none.dat.cat.rhysida entropy: 7.99969875527 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_DeviceProvisioning_2023_10_4_9_46_43.etl.rhysida entropy: 7.99900751057 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_DeviceProvisioning_2023_10_3_8_56_48.etl.rhysida entropy: 7.9993662658 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\gd-GB\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\A3CECAC7-AFEC-4136-AD26-4F02273A588C\CriticalBreachDetected.pdf entropy: 7.99107928627 Jump to dropped file
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{0F4F15B9-002F-484A-961E-DB92D12569B3}\CriticalBreachDetected.pdf entropy: 7.99107928627
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\es-MX\MpAsDesc.dll.mui.rhysida entropy: 7.9975182446
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{0F4F15B9-002F-484A-961E-DB92D12569B3}\mpavdlta.vdm.rhysida entropy: 7.99878567564
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\gl-ES\CriticalBreachDetected.pdf entropy: 7.99107928627
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{0F4F15B9-002F-484A-961E-DB92D12569B3}\mpasdlta.vdm.rhysida entropy: 7.99976462955
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\gu-IN\CriticalBreachDetected.pdf entropy: 7.99107928627
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{0F4F15B9-002F-484A-961E-DB92D12569B3}\mpavbase.vdm.rhysida entropy: 7.99805142403
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\gd-GB\mpuxagent.dll.mui.rhysida entropy: 7.99586908002
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{0F4F15B9-002F-484A-961E-DB92D12569B3}\mpasbase.vdm.rhysida entropy: 7.99775966159
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\gl-ES\mpuxagent.dll.mui.rhysida entropy: 7.99545514258
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.lyncmui.msi.16.en-us.xml.rhysida entropy: 7.99196811304
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\he-IL\CriticalBreachDetected.pdf entropy: 7.99107928627
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.wordmui.msi.16.en-us.xml.rhysida entropy: 7.99781175221
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\gu-IN\mpuxagent.dll.mui.rhysida entropy: 7.99593920737
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\CriticalBreachDetected.pdf entropy: 7.99107928627
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\en-GB\mpuxagent.dll.mui.rhysida entropy: 7.9944479888
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\hi-IN\CriticalBreachDetected.pdf entropy: 7.99107928627
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\CriticalBreachDetected.pdf entropy: 7.99107928627
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\he-IL\mpuxagent.dll.mui.rhysida entropy: 7.99214170757
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\hr-HR\CriticalBreachDetected.pdf entropy: 7.99107928627
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\hi-IN\mpuxagent.dll.mui.rhysida entropy: 7.99432082717
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\CriticalBreachDetected.pdf entropy: 7.99107928627
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\el-GR\MpAsDesc.dll.mui.rhysida entropy: 7.99790015646
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\hu-HU\CriticalBreachDetected.pdf entropy: 7.99107928627
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\hr-HR\MpAsDesc.dll.mui.rhysida entropy: 7.99750611602
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-GB\CriticalBreachDetected.pdf entropy: 7.99107928627
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\id-ID\CriticalBreachDetected.pdf entropy: 7.99107928627
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\hu-HU\MpAsDesc.dll.mui.rhysida entropy: 7.99766247958
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\CriticalBreachDetected.pdf entropy: 7.99107928627
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\hu-HU\MpEvMsg.dll.mui.rhysida entropy: 7.99644588016
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\hu-HU\mpuxagent.dll.mui.rhysida entropy: 7.99489589804
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\is-IS\CriticalBreachDetected.pdf entropy: 7.99107928627
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-GB\CriticalBreachDetected.pdf entropy: 7.99107928627
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\it-IT\CriticalBreachDetected.pdf entropy: 7.99107928627
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\is-IS\mpuxagent.dll.mui.rhysida entropy: 7.99488417083
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\id-ID\mpuxagent.dll.mui.rhysida entropy: 7.99437163803
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ja-JP\CriticalBreachDetected.pdf entropy: 7.99107928627
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_Autopilot_2023_10_3_9_59_39.etl.rhysida entropy: 7.99972445054
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\it-IT\mpuxagent.dll.mui.rhysida entropy: 7.99499442145
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\DiagnosticLogCSP\Collectors\DiagnosticLogCSP_Collector_Autopilot_2023_10_3_9_57_25.etl.rhysida entropy: 7.99975205593
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\it-IT\MpAsDesc.dll.mui.rhysida entropy: 7.99768063153
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ka-GE\CriticalBreachDetected.pdf entropy: 7.99107928627
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ja-JP\MpAsDesc.dll.mui.rhysida entropy: 7.99599256484
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\de-DE\MpAsDesc.dll.mui.rhysida entropy: 7.99752854245
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\CriticalBreachDetected.pdf entropy: 7.99107928627
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\kk-KZ\CriticalBreachDetected.pdf entropy: 7.99107928627
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\az-Latn-AZ\CriticalBreachDetected.pdf entropy: 7.99107928627
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ja-JP\MpEvMsg.dll.mui.rhysida entropy: 7.99585798694
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\az-Latn-AZ\mpuxagent.dll.mui.rhysida entropy: 7.99443476423
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\km-KH\CriticalBreachDetected.pdf entropy: 7.99107928627
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\bs-Latn-BA\CriticalBreachDetected.pdf entropy: 7.99107928627
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\kn-IN\CriticalBreachDetected.pdf entropy: 7.99107928627
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ca-ES-valencia\CriticalBreachDetected.pdf entropy: 7.99107928627
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ka-GE\mpuxagent.dll.mui.rhysida entropy: 7.99405328584
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\bs-Latn-BA\mpuxagent.dll.mui.rhysida entropy: 7.99438186606
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\km-KH\mpuxagent.dll.mui.rhysida entropy: 7.99455566899
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\Catalogs\CriticalBreachDetected.pdf entropy: 7.99107928627
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\kk-KZ\mpuxagent.dll.mui.rhysida entropy: 7.99499458627
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ca-ES-valencia\mpuxagent.dll.mui.rhysida entropy: 7.99458238861
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ko-KR\CriticalBreachDetected.pdf entropy: 7.99107928627
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\cy-GB\mpuxagent.dll.mui.rhysida entropy: 7.99491858064
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\kok-IN\CriticalBreachDetected.pdf entropy: 7.99107928627
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\Drivers\CriticalBreachDetected.pdf entropy: 7.99107928627
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ko-KR\mpuxagent.dll.mui.rhysida entropy: 7.992865638
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\de-DE\ProtectionManagement.dll.mui.rhysida entropy: 7.99736498029
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ko-KR\MpEvMsg.dll.mui.rhysida entropy: 7.99474453405
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\en-US\ProtectionManagement.dll.mui.rhysida entropy: 7.99742365958
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\hr-HR\MpAsDesc.dll.mui.rhysida entropy: 7.99756413133
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ko-KR\MpAsDesc.dll.mui.rhysida entropy: 7.9957728583
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\es-ES\ProtectionManagement.dll.mui.rhysida entropy: 7.99743774414
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\hr-HR\mpuxagent.dll.mui.rhysida entropy: 7.99397756094
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\lb-LU\CriticalBreachDetected.pdf entropy: 7.99107928627
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\fr-FR\ProtectionManagement.dll.mui.rhysida entropy: 7.99733333149
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\hu-HU\MpEvMsg.dll.mui.rhysida entropy: 7.99708783612
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\ca-ES\MpAsDesc.dll.mui.rhysida entropy: 7.99749242023
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\ja-JP\ProtectionManagement.dll.mui.rhysida entropy: 7.9959214806
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\is-IS\CriticalBreachDetected.pdf entropy: 7.99107928627
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23090.2008-0\lo-LA\CriticalBreachDetected.pdf entropy: 7.99107928627
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\it-IT\ProtectionManagement.dll.mui.rhysida entropy: 7.99750560067
Source: cmd.exe Process created: 42
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Code function: 0_2_004258B0 0_2_004258B0
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Code function: 0_2_0043E470 0_2_0043E470
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Code function: 0_2_0043D470 0_2_0043D470
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Code function: 0_2_0042D340 0_2_0042D340
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Code function: 0_2_0044A870 0_2_0044A870
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Code function: 0_2_0041B020 0_2_0041B020
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Code function: 0_2_004298E0 0_2_004298E0
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Code function: 0_2_004240E0 0_2_004240E0
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Code function: 0_2_0043D0E0 0_2_0043D0E0
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Code function: 0_2_0043F0B0 0_2_0043F0B0
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Code function: 0_2_0041C160 0_2_0041C160
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Code function: 0_2_0043D970 0_2_0043D970
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Code function: 0_2_00436970 0_2_00436970
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Code function: 0_2_0042F930 0_2_0042F930
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Code function: 0_2_004381C0 0_2_004381C0
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Code function: 0_2_004319D0 0_2_004319D0
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Code function: 0_2_004369E0 0_2_004369E0
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Code function: 0_2_0044A1B0 0_2_0044A1B0
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Code function: 0_2_00442A40 0_2_00442A40
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Code function: 0_2_0042D320 0_2_0042D320
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Code function: 0_2_00442200 0_2_00442200
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Code function: 0_2_0042C2F0 0_2_0042C2F0
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Code function: 0_2_00433AF0 0_2_00433AF0
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Code function: 0_2_0041AC50 0_2_0041AC50
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Code function: 0_2_0042FC00 0_2_0042FC00
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Code function: 0_2_0043EC30 0_2_0043EC30
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Code function: 0_2_004744DC 0_2_004744DC
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Code function: 0_2_004314B0 0_2_004314B0
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Code function: 0_2_00448D40 0_2_00448D40
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Code function: 0_2_0040E5F2 0_2_0040E5F2
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Code function: 0_2_004245F0 0_2_004245F0
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Code function: 0_2_00438650 0_2_00438650
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Code function: 0_2_0041CE30 0_2_0041CE30
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Code function: 0_2_00431ED0 0_2_00431ED0
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Code function: 0_2_0042D6F0 0_2_0042D6F0
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Code function: 0_2_00441E90 0_2_00441E90
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Code function: 0_2_00435EB0 0_2_00435EB0
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Code function: 0_2_00424F70 0_2_00424F70
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Code function: 0_2_004314B0 0_2_004314B0
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Code function: 0_2_004267B0 0_2_004267B0
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Code function: String function: 004499B0 appears 46 times
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Code function: String function: 0041F3F0 appears 252 times
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKCU\Contol Panel\Desktop" /v Wallpaper /f
Source: classification engine Classification label: mal100.rans.troj.evad.winEXE@94/1050@1/4
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\Users\CriticalBreachDetected.pdf
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3740:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1152:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5444:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4464:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3868:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1100:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6828:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6484:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:396:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1140:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2768:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1276:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5332:120:WilError_03
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\Temp\CriticalBreachDetected.pdf
Source: Iir6rxs8r6.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe user32.dll,UpdatePerUserSystemParameters
Source: Iir6rxs8r6.exe ReversingLabs: Detection: 81%
Source: unknown Process created: C:\Users\user\Desktop\Iir6rxs8r6.exe "C:\Users\user\Desktop\Iir6rxs8r6.exe"
Source: unknown Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CriticalBreachDetected.pdf"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2104 --field-trial-handle=1616,i,3413580249765337229,1280072705313980885,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cmd.exe /c reg delete "HKCU\Contol Panel\Desktop" /v Wallpaper /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg delete "HKCU\Contol Panel\Desktop" /v Wallpaper /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKCU\Contol Panel\Desktop" /v Wallpaper /f
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cmd.exe /c reg delete "HKCU\Conttol Panel\Desktop" /v WallpaperStyle /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg delete "HKCU\Conttol Panel\Desktop" /v WallpaperStyle /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKCU\Conttol Panel\Desktop" /v WallpaperStyle /f
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v WallpaperStyle /t REG_SZ /d 2 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v WallpaperStyle /t REG_SZ /d 2 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v WallpaperStyle /t REG_SZ /d 2 /f
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c rundll32.exe user32.dll,UpdatePerUserSystemParameters
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe user32.dll,UpdatePerUserSystemParameters
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cmd.exe /c start powershell.exe -WindowStyle Hidden -Command "Sleep -Milliseconds 1000; schtasks /delete /tn Rhsd /f;"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c start powershell.exe -WindowStyle Hidden -Command "Sleep -Milliseconds 1000; schtasks /delete /tn Rhsd /f;"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "Sleep -Milliseconds 1000; schtasks /delete /tn Rhsd /f;"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cmd.exe /c start ping 127.0.0.1 -n 2 > nul && del /f /q "C:\Users\user\Desktop\C:\Users\user\Desktop\Iir6rxs8r6.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c start ping 127.0.0.1 -n 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\System32\PING.EXE Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /delete /tn Rhsd /f
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cmd.exe /c reg delete "HKCU\Contol Panel\Desktop" /v Wallpaper /f
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cmd.exe /c reg delete "HKCU\Conttol Panel\Desktop" /v WallpaperStyle /f
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v WallpaperStyle /t REG_SZ /d 2 /f
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c rundll32.exe user32.dll,UpdatePerUserSystemParameters
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cmd.exe /c start powershell.exe -WindowStyle Hidden -Command "Sleep -Milliseconds 1000; schtasks /delete /tn Rhsd /f;"
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cmd.exe /c start ping 127.0.0.1 -n 2 > nul && del /f /q "C:\Users\user\Desktop\C:\Users\user\Desktop\Iir6rxs8r6.exe"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2104 --field-trial-handle=1616,i,3413580249765337229,1280072705313980885,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg delete "HKCU\Contol Panel\Desktop" /v Wallpaper /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKCU\Contol Panel\Desktop" /v Wallpaper /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg delete "HKCU\Conttol Panel\Desktop" /v WallpaperStyle /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKCU\Conttol Panel\Desktop" /v WallpaperStyle /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v WallpaperStyle /t REG_SZ /d 2 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v WallpaperStyle /t REG_SZ /d 2 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe user32.dll,UpdatePerUserSystemParameters
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c start powershell.exe -WindowStyle Hidden -Command "Sleep -Milliseconds 1000; schtasks /delete /tn Rhsd /f;"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "Sleep -Milliseconds 1000; schtasks /delete /tn Rhsd /f;"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /delete /tn Rhsd /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c start ping 127.0.0.1 -n 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 2
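The process-creation lines above form one chain: reg delete/add on the wallpaper values under Control Panel\Desktop (with the sample's own "Contol"/"Conttol" misspellings), NoChangingWallPaper and Policies\System set so the user cannot change it back, rundll32 user32.dll,UpdatePerUserSystemParameters to apply the change, a hidden PowerShell that deletes the Rhsd scheduled task, and ping 127.0.0.1 -n 2 > nul && del for self-deletion. The Python below is an added example, not part of the sandbox report or of the sample: it parses lines in the report's "Source: ... Process created: ..." shape, tags each command line with a rule, and scores the chain. The sample lines are constructed here from the command lines shown above; the rule names and the scoring condition are this example's choices, and the key-name regex deliberately does not depend on "Control" being spelled correctly.

```python
import re
from collections import defaultdict

# Constructed sample input: the command lines are the ones listed in the report above,
# re-assembled in the report's "Source: <parent> Process created: <image> <cmdline>" shape.
SAMPLE_LINES = [
    r'Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKCU\Contol Panel\Desktop" /v Wallpaper /f',
    r'Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f',
    r'Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f',
    r'Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe user32.dll,UpdatePerUserSystemParameters',
    r'Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "Sleep -Milliseconds 1000; schtasks /delete /tn Rhsd /f;"',
    r'Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cmd.exe /c start ping 127.0.0.1 -n 2 > nul && del /f /q "C:\Users\user\Desktop\C:\Users\user\Desktop\Iir6rxs8r6.exe"',
    r'Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 2',
    r'Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215',
    r'Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: unknown unknown',
]

PROC_RE = re.compile(r'^Source: (?P<parent>.+?) Process created: (?P<rest>.+)$')
# The image path may contain spaces (Program Files), so it is taken as everything up to
# the first ".exe " rather than the first whitespace.
IMAGE_RE = re.compile(r'^(?P<image>.+?\.exe) (?P<cmdline>.+)$', re.IGNORECASE)

# Rule name -> regex over the child command line. Names are this example's own.
RULES = [
    ('wallpaper_registry_tamper',
     re.compile(r'reg\s+(add|delete)\s+"HK(CU|LM)\\[^"]*Desktop"\s+/v\s+Wallpaper', re.I)),
    ('wallpaper_policy_lock',
     re.compile(r'NoChangingWallPaper|Policies\\System"\s+/v\s+Wallpaper', re.I)),
    ('wallpaper_refresh',
     re.compile(r'rundll32(\.exe)?\s+user32\.dll,UpdatePerUserSystemParameters', re.I)),
    ('ping_loopback_sleep',
     re.compile(r'\bping\s+127\.0\.0\.1\s+-n\s+\d+', re.I)),
    ('self_delete_after_ping',
     re.compile(r'\bping\s+127\.0\.0\.1\s+-n\s+\d+.*&&\s*del\s+/f', re.I)),
    ('hidden_powershell_schtasks_delete',
     re.compile(r'-WindowStyle\s+Hidden.*schtasks\s+/delete', re.I)),
]


def parse_line(line):
    """Return (parent, image, cmdline) for a process-creation line, or None when the
    report could not resolve the child (the 'unknown unknown' entries)."""
    m = PROC_RE.match(line.strip())
    if not m:
        return None
    im = IMAGE_RE.match(m.group('rest'))
    if not im:
        return None
    return m.group('parent'), im.group('image'), im.group('cmdline')


def classify(cmdline):
    """All rule names whose regex matches the command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def analyze(lines):
    """Map rule name -> list of (image, cmdline) hits over the given lines."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        _parent, image, cmdline = parsed
        for tag in classify(cmdline):
            hits[tag].append((image, cmdline))
    return dict(hits)


def verdict(hits):
    """Chain scoring: wallpaper tampering on its own is noisy (admin scripts do it), but
    wallpaper tampering combined with a self-deletion or scheduled-task cleanup step is
    the sequence this report shows."""
    tamper = {'wallpaper_registry_tamper', 'wallpaper_policy_lock'}
    cleanup = {'self_delete_after_ping', 'hidden_powershell_schtasks_delete'}
    if hits.keys() & tamper and hits.keys() & cleanup:
        return 'ransomware-like: wallpaper tamper with cleanup chain'
    if hits:
        return 'suspicious: ' + ', '.join(sorted(hits))
    return 'clean'


if __name__ == '__main__':
    found = analyze(SAMPLE_LINES)
    for tag, entries in sorted(found.items()):
        print(f'{tag}: {len(entries)} hit(s)')
    print(verdict(found))
```

Feed real process-creation telemetry (Sysmon event 1 CommandLine fields, EDR process logs) through analyze() by reshaping each record into the same "Source: ... Process created: ..." string, or call classify() on the command line directly; the rules only look at the child command line.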
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Iir6rxs8r6.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: \??\C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\* source: Iir6rxs8r6.exe, 00000000.00000003.1829035358.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdb.rhysida&O source: Iir6rxs8r6.exe, 00000000.00000002.3233096131.0000000004A50000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdbu source: Iir6rxs8r6.exe, 00000000.00000002.3229153631.0000000003D42000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb%m.h source: Iir6rxs8r6.exe, 00000000.00000002.3225224394.0000000003796000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb6 source: Iir6rxs8r6.exe, 00000000.00000002.3225603623.0000000003810000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*2tP source: Iir6rxs8r6.exe, 00000000.00000003.1828765583.000000000010A000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: emp/Symbols/winload_prod.pdb/01AB9056EA9380F@ source: Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2wekyb3d8bbwe\LocalCacher Data\Default\Extensions\nmmhkkq source: Iir6rxs8r6.exe, 00000000.00000003.1829035358.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdb.rhysidar, source: Iir6rxs8r6.exe, 00000000.00000002.3226682985.0000000003934000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb? source: Iir6rxs8r6.exe, 00000000.00000002.3229153631.0000000003D42000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdbq,+ source: Iir6rxs8r6.exe, 00000000.00000002.3227633984.0000000003B31000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb.rhysidaT source: Iir6rxs8r6.exe, 00000000.00000002.3230224009.0000000003EE6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdb source: Iir6rxs8r6.exe, 00000000.00000002.3231065025.0000000004044000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3229299015.0000000003DCA000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3227092348.00000000039E3000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3230644769.0000000003F98000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3227242449.0000000003A6A000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3224379439.00000000036BD000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3235038394.0000000004C5B000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3226196423.000000000388D000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3233775780.0000000004B07000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3230224009.0000000003EE6000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3234342821.0000000004BA7000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3225224394.0000000003796000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3229117500.0000000003D30000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3232582558.00000000041D5000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3229557865.0000000003E29000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3226649501.0000000003922000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3227994671.0000000003BE2000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3228706934.0000000003C77000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3233254008.0000000004A74000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3229153631.0000000003D42000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3225053931.000000000375A000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3231485189.0000000004106000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3225182842.0000000003784000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3227633984.0000000003B31000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3225603623.0000000003810000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb source: Iir6rxs8r6.exe, 00000000.00000003.1828765583.000000000010A000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000003.1829153779.000000000010D000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000003.1829035358.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\CriticalBreachDetected.pdfntdesk\AppDa@ source: Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: a\Application Data\Temp\Symbols\ntkrnlmp.pdb\CriticalBreachDetected.pdf31cation Dn source: Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: DaC:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\kies\pData\\Apps_{9a386491-5394-47a0-a408-e4e3a9d60139}\e6IT source: Iir6rxs8r6.exe, 00000000.00000003.1829035358.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/winload_prod.pdb/01AB9056EA9380F71644C4339E3FA1AC2s/fro source: Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb.rhysidaa source: Iir6rxs8r6.exe, 00000000.00000002.3226196423.000000000388D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdb source: Iir6rxs8r6.exe, 00000000.00000002.3225603623.0000000003810000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdb.rhysidaI source: Iir6rxs8r6.exe, 00000000.00000002.3229017243.0000000003D10000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb.rhysidaY source: Iir6rxs8r6.exe, 00000000.00000002.3231485189.0000000004106000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ation Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAS source: Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ad_prod.pdbe\AC\INetCookies\ESEFta\Appli source: Iir6rxs8r6.exe, 00000000.00000003.1866632282.00000000000FC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb6<k source: Iir6rxs8r6.exe, 00000000.00000002.3226649501.0000000003922000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdbM, source: Iir6rxs8r6.exe, 00000000.00000002.3227633984.0000000003B31000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdb.rhysidalVA source: Iir6rxs8r6.exe, 00000000.00000002.3234928870.0000000004C37000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: DaC:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\RX_INSTALL\_locales\zh_CN\alState\tory\ookies\a78ba80c-bc89-4102-a032-406d11845944}\f5r source: Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/ntkrnlmp.pdb/68A17FAF3012B7846079AEECDBE0A5831/ntkrnlmp.pdb.rhysidadf/Application Data/Application Da source: Iir6rxs8r6.exe, 00000000.00000003.1829035358.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: Iir6rxs8r6.exe, 00000000.00000003.1829035358.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ation Data\Temp\Symbols\ntkrnlmp.pdb\68A17FA7 source: Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb.rhysidag source: Iir6rxs8r6.exe, 00000000.00000002.3228706934.0000000003C77000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb.rhysidai,3 source: Iir6rxs8r6.exe, 00000000.00000002.3227633984.0000000003B31000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdb.rhysida source: Iir6rxs8r6.exe, 00000000.00000002.3227092348.00000000039E3000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3227203205.0000000003A48000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3227595840.0000000003B1F000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3226366114.00000000038BD000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3229709791.0000000003E6F000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3234379156.0000000004BC1000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3234928870.0000000004C37000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3231528985.0000000004118000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3233718568.0000000004AF5000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3228638643.0000000003C4D000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3233096131.0000000004A50000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3232386217.00000000041B3000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3230688687.0000000003FAA000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3226682985.0000000003934000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3230936905.000000000400D000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3228050105.0000000003BF4000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3229017243.0000000003D10000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3230257972.0000000003EF8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: Iir6rxs8r6.exe, 00000000.00000003.1828765583.000000000010A000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdb++ source: Iir6rxs8r6.exe, 00000000.00000002.3229557865.0000000003E29000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdbs source: Iir6rxs8r6.exe, 00000000.00000002.3226196423.000000000388D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdb.rhysidah source: Iir6rxs8r6.exe, 00000000.00000002.3227092348.00000000039E3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n Data/Temp/Symbols/winload_prod.pdb/01AB905 source: Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdbB source: Iir6rxs8r6.exe, 00000000.00000002.3230224009.0000000003EE6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb source: Iir6rxs8r6.exe, 00000000.00000002.3231065025.0000000004044000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3229299015.0000000003DCA000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3227092348.00000000039E3000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3230644769.0000000003F98000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3227242449.0000000003A6A000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3224379439.00000000036BD000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3235038394.0000000004C5B000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3226196423.000000000388D000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3233775780.0000000004B07000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3230224009.0000000003EE6000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3234342821.0000000004BA7000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3225224394.0000000003796000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3229117500.0000000003D30000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3232582558.00000000041D5000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3229557865.0000000003E29000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3226649501.0000000003922000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3227994671.0000000003BE2000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3228706934.0000000003C77000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3233254008.0000000004A74000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3229153631.0000000003D42000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3225053931.000000000375A000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3231485189.0000000004106000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3225182842.0000000003784000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3227633984.0000000003B31000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3225603623.0000000003810000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Symbols\winload_prod.pdb\01AB9056EA9380F7164b source: Iir6rxs8r6.exe, 00000000.00000003.1828765583.000000000010A000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:/Users/user/AppData/Local/Application Data/Application Data/Application Data/Application Data/Application Data/Application Data/Temp/Symbols/winload_prod.pdb/01AB9056EA9380F71644C4339E3FA1AC2AC2n source: Iir6rxs8r6.exe, 00000000.00000003.1828765583.000000000010A000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A58 source: Iir6rxs8r6.exe, 00000000.00000003.1828765583.000000000010A000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb} source: Iir6rxs8r6.exe, 00000000.00000002.3230644769.0000000003F98000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\* source: Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdbG source: Iir6rxs8r6.exe, 00000000.00000002.3234342821.0000000004BA7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Symbols\winload_prod.pdb\01AB9056EA9380F7164^ source: Iir6rxs8r6.exe, 00000000.00000003.1829035358.00000000000F6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ols/ntkrnlmp.pdbs32 source: Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdbN source: Iir6rxs8r6.exe, 00000000.00000002.3227092348.00000000039E3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ols/ntkrnlmp.pdbhDe source: Iir6rxs8r6.exe, 00000000.00000003.1829035358.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Symbols\winload_prod.pdb\01AB9056EA9380F7164 source: Iir6rxs8r6.exe, 00000000.00000003.1829035358.00000000000F6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb.rhysida[j source: Iir6rxs8r6.exe, 00000000.00000002.3233254008.0000000004A74000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831O source: Iir6rxs8r6.exe, 00000000.00000003.1829035358.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb.rhysida$ source: Iir6rxs8r6.exe, 00000000.00000002.3232582558.00000000041D5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdb;] source: Iir6rxs8r6.exe, 00000000.00000002.3231065025.0000000004044000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb3ta source: Iir6rxs8r6.exe, 00000000.00000003.1895165991.0000000000108000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb[ source: Iir6rxs8r6.exe, 00000000.00000002.3234342821.0000000004BA7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb^ source: Iir6rxs8r6.exe, 00000000.00000002.3225182842.0000000003784000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: DaC:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\pData\te\er\DOMStore\1/CriticalBreachDetected.pdftrass source: Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: Iir6rxs8r6.exe, 00000000.00000003.1829035358.00000000000F6000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ation Data\Temp\Symbols\ntkrnlmp.pdb\68A17FA source: Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdbd source: Iir6rxs8r6.exe, 00000000.00000002.3225603623.0000000003810000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdbf source: Iir6rxs8r6.exe, 00000000.00000002.3224379439.00000000036BD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb.rhysida4 source: Iir6rxs8r6.exe, 00000000.00000002.3227092348.00000000039E3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdb%ss source: Iir6rxs8r6.exe, 00000000.00000002.3225053931.000000000375A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\w source: Iir6rxs8r6.exe, 00000000.00000003.1828765583.000000000010A000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\CriticalBreachDetected.pdfocal\Applica source: Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb.rhysida source: Iir6rxs8r6.exe, 00000000.00000002.3231065025.0000000004044000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3227092348.00000000039E3000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3230644769.0000000003F98000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3227242449.0000000003A6A000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3235038394.0000000004C5B000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3226196423.000000000388D000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3233775780.0000000004B07000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3230224009.0000000003EE6000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3234342821.0000000004BA7000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3229117500.0000000003D30000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3232582558.00000000041D5000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3229557865.0000000003E29000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3226649501.0000000003922000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3227994671.0000000003BE2000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3228706934.0000000003C77000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3233254008.0000000004A74000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3231485189.0000000004106000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3227633984.0000000003B31000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: winload_prod.pdbl source: Iir6rxs8r6.exe, 00000000.00000002.3225182842.0000000003784000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\*a/ source: Iir6rxs8r6.exe, 00000000.00000003.1895165991.0000000000108000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ad_prod.pdb.rhysida source: Iir6rxs8r6.exe, 00000000.00000003.1828765583.000000000010A000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000003.1828732693.00000000000F3000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "Sleep -Milliseconds 1000; schtasks /delete /tn Rhsd /f;" (2 identical entries)
Source: Iir6rxs8r6.exe Static PE information: section name: .xdata

Persistence and Installation Behavior

Source: C:\Windows\System32\cmd.exe Process created: reg.exe (16 identical entries)
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\CriticalBreachDetected.pdf
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\Temp\CriticalBreachDetected.pdf

Boot Survival

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /delete /tn Rhsd /f
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\CriticalBreachDetected.pdf
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\CriticalBreachDetected.pdf
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\7-Zip\CriticalBreachDetected.pdf
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\CriticalBreachDetected.pdf
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessibility\CriticalBreachDetected.pdf
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\CriticalBreachDetected.pdf
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\CriticalBreachDetected.pdf
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\CriticalBreachDetected.pdf
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\CriticalBreachDetected.pdf
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\CriticalBreachDetected.pdf
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Microsoft Office Tools\CriticalBreachDetected.pdf
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\StartUp\CriticalBreachDetected.pdf
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\CriticalBreachDetected.pdf
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Windows PowerShell\CriticalBreachDetected.pdf
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\System Tools\CriticalBreachDetected.pdf
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\AutoItX\CriticalBreachDetected.pdf
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\Users\Default\Start Menu\CriticalBreachDetected.pdf
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\Users\Default\Start Menu\Programs\CriticalBreachDetected.pdf
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\Users\Default\Start Menu\Programs\Accessibility\CriticalBreachDetected.pdf
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\Users\Default\Start Menu\Programs\Accessories\CriticalBreachDetected.pdf
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\Users\Default\Start Menu\Programs\Maintenance\CriticalBreachDetected.pdf
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\Users\Default\Start Menu\Programs\System Tools\CriticalBreachDetected.pdf
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File created: C:\Users\Default\Start Menu\Programs\Windows PowerShell\CriticalBreachDetected.pdf
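The ransom-note drops above, and the Chrome Extensions paths in the Persistence section, land under "Application Data" nested nine to eleven times. On Windows, C:\Users\All Users is a junction to C:\ProgramData, and C:\ProgramData\Application Data is a junction back to C:\ProgramData (the same holds for AppData\Local\Application Data). A directory walker that follows reparse points without remembering which real directories it has already visited re-enters the same folder over and over; that the nesting depth shrinks as the trailing path grows is consistent with a path-length limit being the only thing that stopped it. The following is an added example, not code from the report or from the sample: it constructs a small tree with a symlink standing in for the junction, lets a naive walker unroll the cycle, and contrasts a walker that keys on directory identity (device and inode) instead of on the path string.

```python
import os
import shutil
import tempfile
from pathlib import Path


def build_fixture() -> str:
    """Constructed sample tree. The link 'Application Data' points back at
    its own parent, the way C:\\ProgramData\\Application Data does on Windows;
    a symlink stands in for the NTFS junction so this runs on any OS."""
    root = tempfile.mkdtemp(prefix="walk-demo-")
    program_data = Path(root, "ProgramData")
    (program_data / "Start Menu" / "Programs").mkdir(parents=True)
    (program_data / "Start Menu" / "victim.docx").write_text("payroll")
    os.symlink(str(program_data), str(program_data / "Application Data"),
               target_is_directory=True)
    return root


def naive_walk(root: str, max_depth: int = 12) -> list[str]:
    """Follows every directory entry, links included. Nothing but the depth
    cap stops it, so the cycle is unrolled until the cap is hit."""
    visited: list[str] = []

    def recurse(path: str, depth: int) -> None:
        if depth > max_depth:
            return
        visited.append(path)
        for entry in os.scandir(path):
            if entry.is_dir():          # follow_symlinks=True by default
                recurse(entry.path, depth + 1)

    recurse(root, 0)
    return visited


def safe_walk(root: str) -> list[str]:
    """Visits each real directory once. A reparse point whose target is
    already on the visited set is skipped, so the cycle is never entered."""
    seen: set[tuple[int, int]] = set()
    visited: list[str] = []

    def recurse(path: str) -> None:
        st = os.stat(path)              # follows the link to its target
        key = (st.st_dev, st.st_ino)    # identity of the real directory
        if key in seen:
            return
        seen.add(key)
        visited.append(path)
        for entry in os.scandir(path):
            if entry.is_dir():
                recurse(entry.path)

    recurse(root)
    return visited


def deepest_nesting(paths: list[str], segment: str = "Application Data") -> int:
    """How many times the junction name repeats in the deepest path seen."""
    return max(p.count(os.sep + segment) for p in paths)


def demo() -> tuple[int, int, int]:
    """Returns (deepest nesting seen by the naive walker,
    directories visited by the naive walker, directories visited safely)."""
    root = build_fixture()
    try:
        naive = naive_walk(root)
        safe = safe_walk(root)
        return deepest_nesting(naive), len(naive), len(safe)
    finally:
        shutil.rmtree(root)             # rmtree unlinks the symlink, never follows it


if __name__ == "__main__":
    nesting, naive_count, safe_count = demo()
    print(f"naive walker: {naive_count} directories, "
          f"'Application Data' nested {nesting} deep")
    print(f"safe walker:  {safe_count} directories")
```

With the depth cap at 12 the naive walker produces a path with "Application Data" repeated eleven times, the same depth as the longest paths in the report, while the identity-keyed walker visits four directories and stops. On Windows, os.stat fills st_ino with the NTFS file reference number, so the same check defeats junctions as well as symlinks. For defenders, the repeated segment is itself a hunting artifact: ransom notes or encrypted files under a path containing "Application Data\Application Data\" were written by something that followed the compatibility junctions, which normal software does not do.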

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Process created: C:\Windows\system32\cmd.exe /c cmd.exe /c start ping 127.0.0.1 -n 2 > nul && del /f /q "C:\Users\user\Desktop\C:\Users\user\Desktop\Iir6rxs8r6.exe" (2 identical entries)
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process information set: NOOPENFILEERRORBOX (2 identical entries)
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX (8 identical entries)
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (73 identical entries)
Source: C:\Windows\System32\schtasks.exe Process information set: NOOPENFILEERRORBOX (4 identical entries)

Malware Analysis System Evasion

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 2 (2 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (2 identical entries)
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Window / User API: threadDelayed 5397
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4165
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4814
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe TID: 3640 Thread sleep count: 5397 > 30
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe TID: 3640 Thread sleep time: -53970s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2840 Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5484 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (11 identical entries)
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Code function: 0_2_00419001 GetSystemInfo,malloc,malloc,Sleep,Sleep,free,free,system,system, 0_2_00419001
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (2 identical entries)
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File opened: C:\Users\All Users\Application Data\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5}\CriticalBreachDetected.pdf
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File opened: C:\Users\All Users\.curlrc.rhysida
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File opened: C:\Users\All Users\Application Data\CriticalBreachDetected.pdf
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File opened: C:\Users\All Users\Application Data\Adobe\ARM\CriticalBreachDetected.pdf
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File opened: C:\Users\All Users\Application Data\Adobe\CriticalBreachDetected.pdf
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe File opened: C:\Users\All Users\Application Data\Adobe\ARM\Acrobat_23.006.20320\CriticalBreachDetected.pdf
Source: Iir6rxs8r6.exe, 00000000.00000002.3244141435.000000000577B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft-hyper-v-migration-replacement.man
Source: Iir6rxs8r6.exe, 00000000.00000002.3244141435.000000000577B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft-hyper-v-client-migration-replacement.man
Source: Iir6rxs8r6.exe, 00000000.00000002.3244141435.000000000577B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft-hyper-v-drivers-migration-replacement.man
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Code function: 0_2_004457D0 IsDebuggerPresent,RaiseException, 0_2_004457D0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Code function: 0_2_004011B0 Sleep,Sleep,SetUnhandledExceptionFilter,GetStartupInfoA, 0_2_004011B0
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Code function: 0_2_00447A20 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00447A20
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Code function: 0_2_0047461C SetUnhandledExceptionFilter, 0_2_0047461C
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Code function: 0_2_0044AFE9 SetUnhandledExceptionFilter, 0_2_0044AFE9
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cmd.exe /c reg delete "HKCU\Contol Panel\Desktop" /v Wallpaper /f
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cmd.exe /c reg delete "HKCU\Conttol Panel\Desktop" /v WallpaperStyle /f
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v WallpaperStyle /t REG_SZ /d 2 /f
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c rundll32.exe user32.dll,UpdatePerUserSystemParameters
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cmd.exe /c start powershell.exe -WindowStyle Hidden -Command "Sleep -Milliseconds 1000; schtasks /delete /tn Rhsd /f;"
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cmd.exe /c start ping 127.0.0.1 -n 2 > nul && del /f /q "C:\Users\user\Desktop\C:\Users\user\Desktop\Iir6rxs8r6.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg delete "HKCU\Contol Panel\Desktop" /v Wallpaper /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKCU\Contol Panel\Desktop" /v Wallpaper /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg delete "HKCU\Conttol Panel\Desktop" /v WallpaperStyle /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg delete "HKCU\Conttol Panel\Desktop" /v WallpaperStyle /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallPaper /t REG_SZ /d 1 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v Wallpaper /t REG_SZ /d "C:\Users\Public\bg.jpg" /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v WallpaperStyle /t REG_SZ /d 2 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v WallpaperStyle /t REG_SZ /d 2 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe user32.dll,UpdatePerUserSystemParameters
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c start powershell.exe -WindowStyle Hidden -Command "Sleep -Milliseconds 1000; schtasks /delete /tn Rhsd /f;"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "Sleep -Milliseconds 1000; schtasks /delete /tn Rhsd /f;"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\system32\schtasks.exe" /delete /tn Rhsd /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c start ping 127.0.0.1 -n 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Iir6rxs8r6.exe Code function: 0_2_00447940 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00447940
Source: Iir6rxs8r6.exe, 00000000.00000002.3223883876.0000000003661000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3223405192.00000000034D2000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3223735743.000000000361A000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3223690658.0000000003602000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000003.3182151191.000000000323E000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3222959511.000000000323E000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3223610820.00000000035D8000.00000004.00000020.00020000.00000000.sdmp, Iir6rxs8r6.exe, 00000000.00000002.3223983334.0000000003673000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 Blob