description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\protocol.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\networks	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\networks.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\protocol	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\services.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\services.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\System32\drivers\etc\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\networks.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\protocol.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\drivers\etc\services	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSFEEditor = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe\" e"	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe

description	ioc	Process
File opened (read-only)	\??\O:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\T:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\A:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\F:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\K:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\D:	svchost.exe
File opened (read-only)	\??\E:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\S:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\W:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\L:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\Q:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\R:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\V:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\Z:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\B:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\H:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\N:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\D:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\U:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\X:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\G:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\I:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\M:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\P:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\Y:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\J:	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan Static Task	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\WCM\WiFiTask.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\BitLocker\BitLocker Encrypt All Drives	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient\CryptoPolicyTask	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\Chkdsk\SyspartRepair.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\DiskFootprint\Diagnostics.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\Maps\MapsUpdateTask.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\Storage Tiers Management\Storage Tiers Optimization.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\System32\Tasks\Microsoft\Windows\AppxDeploymentClient\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\Data Integrity Scan\Data Integrity Scan	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\International\Synchronize Language Settings.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\Servicing\StartComponentCleanup	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\Storage Tiers Management\Storage Tiers Optimization	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\Device Setup\Metadata Refresh	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\SharedPC\Account Cleanup.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\User Profile Service\HiveUploadTask.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\ResPriHMImageList	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStartTypeChange.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\Feedback\Siuf\DmClient.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\MdmDiagnosticsCleanup.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Tasks\MicrosoftEdgeUpdateTaskMachineCore.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\Input\MouseSyncDataAvailable.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\DeviceDirectoryClient\RegisterUserDevice.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\Shell\ThemesSyncedImageDownload.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\Subscription\LicenseAcquisition.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\Workplace Join\Recovery-Check.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\System32\Tasks\Microsoft\Windows\File Classification Infrastructure\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\Printing\PrinterCleanupTask.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\System32\Tasks\Microsoft\Windows\Servicing\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\SpacePort\SpaceAgentTask.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\Shell\IndexerAutomaticMaintenance	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\Logon.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\SharedPC\Account Cleanup.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\Cellular	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\XblGameSave\XblGameSaveTask.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\System32\Tasks\Microsoft\Windows\Defrag\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\System32\Tasks\Microsoft\Windows\Device Information\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\NlaSvc\WiFiTask	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\PushToInstall\Registration.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience\PcaPatchDbTask	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\EDP\EDP App Launch Task.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\System32\Tasks\Microsoft\Windows\Offline Files\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\ApplicationData\appuriverifierinstall.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\Printing\EduPrintProv.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\Speech\SpeechModelDownloadTask.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTaskLogon.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\Plug and Play\Sysprep Generalize Drivers.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\WDI\ResolutionHost.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\Flighting\FeatureConfig\UsageDataReporting.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\DiskCleanup\SilentCleanup.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\Offline Files\Background Synchronization.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\InstallService\ScanForUpdatesAsUser	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UPnP\UPnPHostConfig.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\EDP\EDP Auth Task.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\FA000000009.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\ZeroByteFile	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f14\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f7\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f3\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f33\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000008\FA000000008.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000011\FA000000011	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\ZeroByteFile.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f4\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\FA000000009	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f2\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\FA000000009.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_w1\WA104381125.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_w1\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\Download\SharedFileCache\cf8b66940764d332699ee8369982e232c89721c55c20efa87a147a5cd4f9dbc3.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\Installer\SourceHash{90160000-008C-0000-1000-0000000FF1CE}	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\Installer\SourceHash{90160000-008C-0409-1000-0000000FF1CE}	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\SharedFileCache\2183d63f79cdf8bd6a04e8b4c7617c9f5fac7f9dd46f62f9f19603eda868db39.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\Boot\DVD\EFI\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\SharedFileCache\2183d63f79cdf8bd6a04e8b4c7617c9f5fac7f9dd46f62f9f19603eda868db39	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\Installer\SourceHash{90160000-008C-0000-1000-0000000FF1CE}.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\Boot\PCAT\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\Boot\DVD\EFI\BCD	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Credentials\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe
File created	C:\Windows\Panther\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\Installer\SourceHash{90160000-008C-0409-1000-0000000FF1CE}.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe
File created	C:\Windows\Installer\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\Installer\SourceHash{90160000-008C-0409-1000-0000000FF1CE}.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\SharedFileCache\2183d63f79cdf8bd6a04e8b4c7617c9f5fac7f9dd46f62f9f19603eda868db39.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_ff33445f-a36e-4a95-8e5f-bca99faf3ebd	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_ff33445f-a36e-4a95-8e5f-bca99faf3ebd.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\Panther\setupinfo.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\Installer\SourceHash{90160000-007E-0000-1000-0000000FF1CE}.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\Boot\PCAT\bootnxt	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\AppContainerUserCertRead.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Safety\network\local\blackHoleCache.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\SharedFileCache\cf8b66940764d332699ee8369982e232c89721c55c20efa87a147a5cd4f9dbc3.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\Boot\DVD\PCAT\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Panther\setupinfo.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\Boot\PCAT\bootmgr	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\ConnectedDevicesPlatform\CDPGlobalSettings.cdp.override	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\ConnectedDevicesPlatform\Connected Devices Platform certificates.sst	svchost.exe
File opened for modification	C:\Windows\Installer\SourceHash{1A6A4310-5AB3-3D30-8FF4-7A03003E97EC}.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\Installer\SourceHash{90160000-007E-0000-1000-0000000FF1CE}	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\5e94912bcbbb20fb7f9a53550473a366\cbshandler\state	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\Panther\setupinfo	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\SoftwareDistribution\Download\5e94912bcbbb20fb7f9a53550473a366\cbshandler\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SystemCertificates\My\AppContainerUserCertRead	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Safety\network\local\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\ConnectedDevicesPlatform\CDPGlobalSettings.cdp	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Safety\network\local\sinkholeCache.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\SharedFileCache\cf8b66940764d332699ee8369982e232c89721c55c20efa87a147a5cd4f9dbc3	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Credentials\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_ff33445f-a36e-4a95-8e5f-bca99faf3ebd.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Safety\network\local\sinkholeCache	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Safety\network\local\sinkholeCache.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Installer\SourceHash{1A6A4310-5AB3-3D30-8FF4-7A03003E97EC}.inprocess	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\!!!HOW_TO_DECRYPT!!!.mht	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776.gpay	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe

pid	Process
4140	vssadmin.exe
4916	vssadmin.exe
888	vssadmin.exe
2088	vssadmin.exe
4776	vssadmin.exe
4040	vssadmin.exe
4732	vssadmin.exe
1200	vssadmin.exe
3092	vssadmin.exe
3568	vssadmin.exe
3980	vssadmin.exe
4716	vssadmin.exe
3792	vssadmin.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Uninstall	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Uninstall	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall	svchost.exe

pid	Process
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe
5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe

description	pid	Process
Token: SeSystemEnvironmentPrivilege	3248	svchost.exe
Token: SeBackupPrivilege	4720	vssvc.exe
Token: SeRestorePrivilege	4720	vssvc.exe
Token: SeAuditPrivilege	4720	vssvc.exe
Token: SeRestorePrivilege	1104	bcdedit.exe
Token: SeIncreaseQuotaPrivilege	4584	wmic.exe
Token: SeSecurityPrivilege	4584	wmic.exe
Token: SeTakeOwnershipPrivilege	4584	wmic.exe
Token: SeLoadDriverPrivilege	4584	wmic.exe
Token: SeSystemProfilePrivilege	4584	wmic.exe
Token: SeSystemtimePrivilege	4584	wmic.exe
Token: SeProfSingleProcessPrivilege	4584	wmic.exe
Token: SeIncBasePriorityPrivilege	4584	wmic.exe
Token: SeCreatePagefilePrivilege	4584	wmic.exe
Token: SeBackupPrivilege	4584	wmic.exe
Token: SeRestorePrivilege	4584	wmic.exe
Token: SeShutdownPrivilege	4584	wmic.exe
Token: SeDebugPrivilege	4584	wmic.exe
Token: SeSystemEnvironmentPrivilege	4584	wmic.exe
Token: SeRemoteShutdownPrivilege	4584	wmic.exe
Token: SeUndockPrivilege	4584	wmic.exe
Token: SeManageVolumePrivilege	4584	wmic.exe
Token: 33	4584	wmic.exe
Token: 34	4584	wmic.exe
Token: 35	4584	wmic.exe
Token: 36	4584	wmic.exe

description	pid	Process	procid_target
PID 5104 wrote to memory of 4140	5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	79
PID 5104 wrote to memory of 4140	5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	79
PID 5104 wrote to memory of 4732	5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	83
PID 5104 wrote to memory of 4732	5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	83
PID 5104 wrote to memory of 4916	5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	85
PID 5104 wrote to memory of 4916	5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	85
PID 5104 wrote to memory of 888	5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	87
PID 5104 wrote to memory of 888	5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	87
PID 5104 wrote to memory of 1200	5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	89
PID 5104 wrote to memory of 1200	5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	89
PID 5104 wrote to memory of 2088	5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	91
PID 5104 wrote to memory of 2088	5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	91
PID 5104 wrote to memory of 4776	5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	93
PID 5104 wrote to memory of 4776	5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	93
PID 5104 wrote to memory of 3092	5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	95
PID 5104 wrote to memory of 3092	5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	95
PID 5104 wrote to memory of 3568	5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	97
PID 5104 wrote to memory of 3568	5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	97
PID 5104 wrote to memory of 3980	5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	99
PID 5104 wrote to memory of 3980	5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	99
PID 5104 wrote to memory of 4716	5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	101
PID 5104 wrote to memory of 4716	5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	101
PID 5104 wrote to memory of 4040	5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	103
PID 5104 wrote to memory of 4040	5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	103
PID 5104 wrote to memory of 3792	5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	105
PID 5104 wrote to memory of 3792	5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	105
PID 5104 wrote to memory of 1104	5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	107
PID 5104 wrote to memory of 1104	5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	107
PID 5104 wrote to memory of 1260	5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	109
PID 5104 wrote to memory of 1260	5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	109
PID 5104 wrote to memory of 3060	5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	111
PID 5104 wrote to memory of 3060	5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	111
PID 5104 wrote to memory of 3224	5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	113
PID 5104 wrote to memory of 3224	5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	113
PID 5104 wrote to memory of 4584	5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	115
PID 5104 wrote to memory of 4584	5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	115
PID 5104 wrote to memory of 1100	5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	119
PID 5104 wrote to memory of 1100	5104	0abb4a302819cdca6c9f56893ca2b52856b55a0aa68a3cb8bdcd55dcc1fad9ad.bin.exe	119
PID 4748 wrote to memory of 1172	4748	svchost.exe	125
PID 4748 wrote to memory of 1172	4748	svchost.exe	125

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads