Analysis Overview
SHA256
caf660d5a464070e4a488bb3d2153c90204f739e75684f4d8ed56de1062b2f87
Threat Level: Known bad
The file caf660d5a464070e4a488bb3d2153c90204f739e75684f4d8ed56de1062b2f87 was found to be: Known bad.
Malicious Activity Summary
SystemBC
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Detect rhadamanthys stealer shellcode
Phobos
SmokeLoader
Renames multiple (472) files with added filename extension
Modifies boot configuration data using bcdedit
Deletes shadow copies
Downloads MZ/PE file
Modifies Windows Firewall
Deletes backup catalog
UPX packed file
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Looks up external IP address via web service
Adds Run key to start application
Accesses Microsoft Outlook profiles
Drops desktop.ini file(s)
Suspicious use of SetThreadContext
Drops file in Program Files directory
Unsigned PE
Program crash
Uses Task Scheduler COM API
Suspicious behavior: MapViewOfSection
Kills process with taskkill
outlook_win_path
Runs net.exe
outlook_office_path
Interacts with shadow copies
Suspicious use of AdjustPrivilegeToken
Modifies system certificate store
Enumerates processes with tasklist
Checks processor information in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Uses Volume Shadow Copy service COM API
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
GoLang User-Agent
Gathers system information
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-07-13 20:23
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-13 20:23
Reported
2023-07-13 20:26
Platform
win10v2004-20230703-en
Max time kernel
110s
Max time network
155s
Command Line
Signatures
Detect rhadamanthys stealer shellcode
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Phobos
Rhadamanthys
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2256 created 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\caf660d5a464070e4a488bb3d2153c90204f739e75684f4d8ed56de1062b2f87.exe | C:\Windows\Explorer.EXE |
SystemBC
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Renames multiple (472) files with added filename extension
Deletes backup catalog
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\o{qOsfR.exe | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\84`.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\xUZbuun.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\84`.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8846.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\system32\certreq.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\o{qOsfR = "C:\\Users\\Admin\\AppData\\Local\\o{qOsfR.exe" | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\o{qOsfR = "C:\\Users\\Admin\\AppData\\Local\\o{qOsfR.exe" | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-1043950675-1972537973-2972532878-1000\desktop.ini | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\Users\Admin\3D Objects\desktop.ini | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-1043950675-1972537973-2972532878-1000\desktop.ini | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\Program Files\desktop.ini | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\Program Files (x86)\desktop.ini | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4464 set thread context of 3704 | N/A | C:\Users\Admin\AppData\Local\Microsoft\84`.exe | C:\Users\Admin\AppData\Local\Microsoft\84`.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.webapp.nl_zh_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-pl.xrm-ms.id[49C07676-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-editor-mimelookup.jar | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019DemoR_BypassTrial180-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\tt.pak.DATA.id[49C07676-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-selector-api_ja.jar.id[49C07676-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Client\vcruntime140.dll.id[49C07676-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-24.png | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_bg.dll | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageSmallTile.scale-125.png | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_nb_135x40.svg | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WorldClockWideTile.contrast-white_scale-125.png | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\MapDarkTheme.png | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\api-ms-win-crt-math-l1-1-0.dll.id[49C07676-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_3.m4a | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-string-l1-1-0.dll | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\msolap.dll.id[49C07676-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File created | C:\Program Files\Microsoft Office\ThinAppXManifest.xml.id[49C07676-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Wide310x150Logo.scale-125.png | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Weather_TileLargeSquare.scale-200.png | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-125_contrast-white.png | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\AttachmentPlaceholder-Light.png | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\BadgeLogo.scale-100_contrast-black.png | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\flavormap.properties | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsSmallTile.contrast-white_scale-200.png | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\sign-in.png | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\he-il\ui-strings.js | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\CompleteCheckmark.png | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Exchange.scale-100.png | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ja-jp\ui-strings.js | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\el.pak.DATA | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ppd.xrm-ms.id[49C07676-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Core.NetFX35.V7.dll | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.1.7_1.7.25531.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64 | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fr-ma\ui-strings.js.id[49C07676-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\PackageManagementDscUtilities.psm1 | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-cn\ui-strings.js.id[49C07676-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN111.XML | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-256_contrast-black.png | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\sr-Cyrl-BA.pak.id[49C07676-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\sybase.xsl.id[49C07676-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-64_altform-unplated_contrast-white.png | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Grace-ul-oob.xrm-ms.id[49C07676-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_K_COL.HXK.id[49C07676-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-black\MedTile.scale-100.png | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\tool\selector.js.id[49C07676-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\epl-v10.html.id[49C07676-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp9.scale-125.png | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupLargeTile.scale-100.png | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\pt-br\ui-strings.js.id[49C07676-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File created | C:\Program Files\7-Zip\Lang\pl.txt.id[49C07676-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-140.png.id[49C07676-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-20_altform-lightunplated.png | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\ar.pak | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lv-lv.dll.id[49C07676-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.sat4j.pb_2.3.5.v201404071733.jar | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\plugins\demux\librawaud_plugin.dll.id[49C07676-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\WideTile.scale-200_contrast-white.png | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fi-fi\ui-strings.js | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\1033\FPEXT.MSG.id[49C07676-3483].[[email protected]].8base | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\onboarding\contacts_permission_ios.gif | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\caf660d5a464070e4a488bb3d2153c90204f739e75684f4d8ed56de1062b2f87.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\vds.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Microsoft\84`.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Microsoft\84`.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Microsoft\84`.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\System32\vds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\vds.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | C:\Windows\System32\vds.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\certreq.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\certreq.exe | N/A |
Enumerates processes with tasklist
Gathers system information
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Kills process with taskkill
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\Explorer.EXE | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\8846.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [binary blob omitted] | C:\Users\Admin\AppData\Local\Temp\8846.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [binary blob omitted] | C:\Users\Admin\AppData\Local\Temp\8846.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\caf660d5a464070e4a488bb3d2153c90204f739e75684f4d8ed56de1062b2f87.exe
"C:\Users\Admin\AppData\Local\Temp\caf660d5a464070e4a488bb3d2153c90204f739e75684f4d8ed56de1062b2f87.exe"
C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2256 -ip 2256
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 816
C:\Users\Admin\AppData\Local\Microsoft\84`.exe
"C:\Users\Admin\AppData\Local\Microsoft\84`.exe"
C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe
"C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe"
C:\Users\Admin\AppData\Local\Microsoft\84`.exe
"C:\Users\Admin\AppData\Local\Microsoft\84`.exe"
C:\Users\Admin\AppData\Local\Microsoft\xUZbuun.exe
"C:\Users\Admin\AppData\Local\Microsoft\xUZbuun.exe"
C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe
"C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2212 -ip 2212
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 460
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Users\Admin\AppData\Local\Temp\8846.exe
C:\Users\Admin\AppData\Local\Temp\8846.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\curl.exe
curl -s ipinfo.io/country
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM firefox.exe
C:\Windows\SYSTEM32\cmd.exe
cmd /c
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM edge.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM brave.exe
C:\Windows\system32\runas.exe
runas /user:Administrator C:\Users\Admin\AppData\Local\Temp\8846.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq httpdebuggerui.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM httpdebuggerui.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq wireshark.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM wireshark.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq fiddler.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM fiddler.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq regedit.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM regedit.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq taskmgr.exe"
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM taskmgr.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq vboxservice.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM vboxservice.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq df5serv.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM df5serv.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq processhacker.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM processhacker.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq vboxtray.exe"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM vboxtray.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq vmtoolsd.exe"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM vmtoolsd.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq vmwaretray.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM vmwaretray.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq ida64.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM ida64.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq ollydbg.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM ollydbg.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq pestudio.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM pestudio.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq vmwareuser.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM vmwareuser.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq vgauthservice.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM vgauthservice.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq vmacthlp.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM vmacthlp.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq x96dbg.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM x96dbg.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq vmsrvc.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM vmsrvc.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq x32dbg.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM x32dbg.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq vmusrvc.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM vmusrvc.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq prl_cc.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM prl_cc.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq prl_tools.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM prl_tools.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq xenservice.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM xenservice.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq qemu-ga.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM qemu-ga.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq joeboxcontrol.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM joeboxcontrol.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq ksdumperclient.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM ksdumperclient.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq ksdumper.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM ksdumper.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq joeboxserver.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM joeboxserver.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq Wireshark.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM Wireshark.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq idaq.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM idaq.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq idaq64.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM idaq64.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq ida64.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM ida64.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq OLLYDBG.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM OLLYDBG.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq WinDbg.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM WinDbg.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq Procmon.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM Procmon.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq vmware.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM vmware.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq vmware-tray.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM vmware-tray.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq vmware-vmx.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM vmware-vmx.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq vmware-authd.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM vmware-authd.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq VirtualBox.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM VirtualBox.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq VBoxSVC.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM VBoxSVC.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq VBoxNetDHCP.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM VBoxNetDHCP.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq VBoxNetNAT.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM VBoxNetNAT.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq VBoxHeadless.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM VBoxHeadless.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq qemu-system-x86_64.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM qemu-system-x86_64.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq qemu-system-arm.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM qemu-system-arm.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq python.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM python.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq pythonw.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM pythonw.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq python3.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM python3.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq python3w.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM python3w.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq Taskmgr.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM Taskmgr.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq msconfig.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM msconfig.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq regedit.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM regedit.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq x64dbg.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM x64dbg.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq x32dbg.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM x32dbg.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq radare2.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM radare2.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq r2.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM r2.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq Ghidra.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM Ghidra.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq ImmunityDebugger.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM ImmunityDebugger.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq ImmunityDebugger.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM ImmunityDebugger.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq Fiddler.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\system32\taskkill.exe
taskkill /F /IM Fiddler.exe
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq tcpview.exe"
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\system32\taskkill.exe
taskkill /F /IM tcpview.exe
C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq Sysmon.exe"
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
C:\Windows\system32\taskkill.exe
taskkill /F /IM Sysmon.exe
C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq ProcessHacker.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM ProcessHacker.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq ApateDNS.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM ApateDNS.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq Cuckoo.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM Cuckoo.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq CFF Explorer.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM "CFF Explorer.exe"
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq Wireshark.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM Wireshark.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq Regshot.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM Regshot.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq procexp.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM procexp.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq procexp64.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM procexp64.exe
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq dumpcap.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM dumpcap.exe
C:\Windows\system32\curl.exe
curl -s ipinfo.io/country
C:\Windows\system32\curl.exe
curl -s ipinfo.io/country
C:\Windows\system32\curl.exe
curl -s ipinfo.io/country
C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
PowerShell -Command Add-Type -AssemblyName "System.Windows.Forms;$clip=[Windows.Forms.Clipboard]::GetImage();if ($clip -ne $null) { $clip.Save('C:\Users\Admin\AppData\Local\Temp\2985226527') };"
C:\Windows\system32\curl.exe
curl -s ipinfo.io/country
C:\Windows\System32\Wbem\wmic.exe
wmic desktopmonitor get "screenheight, screenwidth"
C:\Windows\system32\cmd.exe
cmd /C net session
C:\Windows\system32\net.exe
net session
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\system32\curl.exe
curl -s ipinfo.io/country
C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get uuid
C:\Windows\system32\curl.exe
curl -s ipinfo.io/country
C:\Windows\system32\curl.exe
curl -s ipinfo.io/country
C:\Windows\system32\curl.exe
curl -s ipinfo.io/country
C:\Windows\system32\curl.exe
curl -s ipinfo.io/country
C:\Windows\system32\curl.exe
curl -s ipinfo.io/country
C:\Windows\system32\curl.exe
curl -s ipinfo.io/country
C:\Windows\system32\curl.exe
curl -s ipinfo.io/country
C:\Windows\system32\curl.exe
curl -s ipinfo.io/country
C:\Windows\system32\curl.exe
curl -s ipinfo.io/country
C:\Windows\system32\curl.exe
curl -s ipinfo.io/country
C:\Windows\system32\curl.exe
curl -s ipinfo.io/country
C:\Windows\system32\curl.exe
curl -s ipinfo.io/country
C:\Windows\system32\curl.exe
curl -s ipinfo.io/country
C:\Windows\system32\curl.exe
curl -s ipinfo.io/country
C:\Windows\system32\curl.exe
curl -s ipinfo.io/country
C:\Windows\system32\curl.exe
curl -s ipinfo.io/country
C:\Windows\system32\taskkill.exe
taskkill /F /IM msedge.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM brave.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM firefox.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM Telegram.exe
C:\Windows\system32\cmd.exe
cmd /C "C:\Users\Admin\AppData\Local\Temp\My Phone.exe"
C:\Windows\system32\taskkill.exe
taskkill /F /IM msedge.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM brave.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM firefox.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM bitcoin-qt.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM litecoin-qt.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM dash-qt.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM geth.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM electrum.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM exodus.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM atomic.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM monero-wallet-gui.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM monerod.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM coinomi.exe
C:\Windows\system32\curl.exe
curl -s ipinfo.io/country
C:\Windows\system32\curl.exe
curl -s ipinfo.io/country
C:\Windows\system32\curl.exe
curl -s ipinfo.io/country
C:\Windows\system32\curl.exe
curl -s ipinfo.io/country
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | servblog25.xyz | udp |
| DE | 45.131.66.61:80 | servblog25.xyz | tcp |
| US | 8.8.8.8:53 | 61.66.131.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| DE | 45.131.66.61:80 | servblog25.xyz | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| DE | 45.131.66.61:80 | servblog25.xyz | tcp |
| US | 8.8.8.8:53 | serverxlogs21.xyz | udp |
| DE | 45.131.66.120:80 | serverxlogs21.xyz | tcp |
| US | 8.8.8.8:53 | netflixxonline.processing-updates.site | udp |
| CA | 172.105.107.189:443 | netflixxonline.processing-updates.site | tcp |
| US | 8.8.8.8:53 | 120.66.131.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 189.107.105.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:80 | ipinfo.io | tcp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 81.59.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| US | 2.18.121.68:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | 68.121.18.2.in-addr.arpa | udp |
| DE | 45.131.66.120:80 | serverxlogs21.xyz | tcp |
| US | 8.8.8.8:53 | 254.21.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:80 | ipinfo.io | tcp |
| US | 34.117.59.81:80 | ipinfo.io | tcp |
| US | 34.117.59.81:80 | ipinfo.io | tcp |
| US | 34.117.59.81:80 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:80 | ipinfo.io | tcp |
| US | 34.117.59.81:80 | ipinfo.io | tcp |
| US | 34.117.59.81:80 | ipinfo.io | tcp |
| US | 34.117.59.81:80 | ipinfo.io | tcp |
| US | 34.117.59.81:80 | ipinfo.io | tcp |
| US | 34.117.59.81:80 | ipinfo.io | tcp |
| US | 34.117.59.81:80 | ipinfo.io | tcp |
| US | 34.117.59.81:80 | ipinfo.io | tcp |
| US | 34.117.59.81:80 | ipinfo.io | tcp |
| US | 34.117.59.81:80 | ipinfo.io | tcp |
| US | 34.117.59.81:80 | ipinfo.io | tcp |
| US | 34.117.59.81:80 | ipinfo.io | tcp |
| US | 34.117.59.81:80 | ipinfo.io | tcp |
| US | 34.117.59.81:80 | ipinfo.io | tcp |
| US | 34.117.59.81:80 | ipinfo.io | tcp |
| US | 34.117.59.81:80 | ipinfo.io | tcp |
| US | 34.117.59.81:80 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | serverxlogs21.xyz | udp |
| DE | 45.131.66.120:80 | serverxlogs21.xyz | tcp |
| US | 34.117.59.81:80 | ipinfo.io | tcp |
| US | 34.117.59.81:80 | ipinfo.io | tcp |
| DE | 167.86.123.82:8080 | 167.86.123.82 | tcp |
| US | 34.117.59.81:80 | ipinfo.io | tcp |
| US | 34.117.59.81:80 | ipinfo.io | tcp |
Files
memory/2256-134-0x0000000002D60000-0x0000000002E60000-memory.dmp
memory/2256-135-0x0000000004950000-0x00000000049C1000-memory.dmp
memory/2256-136-0x0000000000400000-0x0000000002B7C000-memory.dmp
memory/2256-137-0x0000000002D40000-0x0000000002D47000-memory.dmp
memory/2256-138-0x0000000004D30000-0x0000000005130000-memory.dmp
memory/2256-139-0x0000000004D30000-0x0000000005130000-memory.dmp
memory/2256-140-0x0000000004D30000-0x0000000005130000-memory.dmp
memory/2256-141-0x0000000004D30000-0x0000000005130000-memory.dmp
memory/2256-142-0x0000000002D60000-0x0000000002E60000-memory.dmp
memory/4956-143-0x000001D07C080000-0x000001D07C083000-memory.dmp
memory/2256-145-0x00000000059F0000-0x0000000005A26000-memory.dmp
memory/2256-144-0x0000000000400000-0x0000000002B7C000-memory.dmp
memory/2256-148-0x0000000004950000-0x00000000049C1000-memory.dmp
memory/2256-152-0x00000000059F0000-0x0000000005A26000-memory.dmp
memory/2256-153-0x0000000004D30000-0x0000000005130000-memory.dmp
memory/2256-155-0x0000000000400000-0x0000000002B7C000-memory.dmp
memory/2256-156-0x0000000004D30000-0x0000000005130000-memory.dmp
memory/4956-157-0x000001D07C080000-0x000001D07C083000-memory.dmp
memory/4956-158-0x000001D07E140000-0x000001D07E147000-memory.dmp
memory/4956-159-0x00007FF450500000-0x00007FF45062D000-memory.dmp
memory/4956-160-0x00007FF450500000-0x00007FF45062D000-memory.dmp
memory/4956-161-0x00007FF450500000-0x00007FF45062D000-memory.dmp
memory/4956-162-0x00007FF450500000-0x00007FF45062D000-memory.dmp
memory/4956-163-0x00007FF450500000-0x00007FF45062D000-memory.dmp
memory/4956-165-0x00007FF450500000-0x00007FF45062D000-memory.dmp
memory/4956-167-0x00007FF450500000-0x00007FF45062D000-memory.dmp
memory/4956-168-0x00007FF450500000-0x00007FF45062D000-memory.dmp
memory/4956-169-0x00007FF450500000-0x00007FF45062D000-memory.dmp
memory/4956-170-0x00007FFF496F0000-0x00007FFF498E5000-memory.dmp
memory/4956-171-0x00007FF450500000-0x00007FF45062D000-memory.dmp
memory/4956-172-0x00007FF450500000-0x00007FF45062D000-memory.dmp
memory/4956-173-0x00007FF450500000-0x00007FF45062D000-memory.dmp
memory/4956-174-0x00007FF450500000-0x00007FF45062D000-memory.dmp
memory/4956-175-0x00007FF450500000-0x00007FF45062D000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\84`.exe
| MD5 | f56ab31379d92b546875eff976ec9148 |
| SHA1 | 79ba7f22410a64adf18e36005cfa98179f128053 |
| SHA256 | d509b4fc5c6dd7c8c9b2bec568f39ad1b0a9724a8046b342e207d5c5c260b4d0 |
| SHA512 | 650ddd099dfa9de50c6e5493c4d33c7dcaeb9827069becfb5756b802789926e1520c9672685ed6afb2b4c4e960ab860aa6a35e1fa6dc4b5de1b023efacc09258 |
C:\Users\Admin\AppData\Local\Microsoft\84`.exe
| MD5 | f56ab31379d92b546875eff976ec9148 |
| SHA1 | 79ba7f22410a64adf18e36005cfa98179f128053 |
| SHA256 | d509b4fc5c6dd7c8c9b2bec568f39ad1b0a9724a8046b342e207d5c5c260b4d0 |
| SHA512 | 650ddd099dfa9de50c6e5493c4d33c7dcaeb9827069becfb5756b802789926e1520c9672685ed6afb2b4c4e960ab860aa6a35e1fa6dc4b5de1b023efacc09258 |
C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe
| MD5 | e2c05722293b07319cfd5bb1fef74f44 |
| SHA1 | d3f4f66861f8bf6aae657e475bcb8222c77a2770 |
| SHA256 | f909efbae3c83ae64dcd8f57e18be891df6386ca89f3a2f4c40d12ebc1913ef4 |
| SHA512 | 92c0a3d6bf1708c82f17c8236c3e23ba66f0c3788fcf5c66553353765f3ba657c1a69a092493a71c4dbeac01e235da2c91f93ce19718f1728ffc1c29e3e64037 |
C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe
| MD5 | e2c05722293b07319cfd5bb1fef74f44 |
| SHA1 | d3f4f66861f8bf6aae657e475bcb8222c77a2770 |
| SHA256 | f909efbae3c83ae64dcd8f57e18be891df6386ca89f3a2f4c40d12ebc1913ef4 |
| SHA512 | 92c0a3d6bf1708c82f17c8236c3e23ba66f0c3788fcf5c66553353765f3ba657c1a69a092493a71c4dbeac01e235da2c91f93ce19718f1728ffc1c29e3e64037 |
memory/4464-185-0x0000000002B90000-0x0000000002C90000-memory.dmp
memory/4464-186-0x0000000002CD0000-0x0000000002CD9000-memory.dmp
memory/4956-184-0x00007FFF496F0000-0x00007FFF498E5000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\xUZbuun.exe
| MD5 | e411054bf19f624a88719981c5eb22d6 |
| SHA1 | 943df640e6c34757e60dbcb98129f3550bec7f38 |
| SHA256 | 046b6de02d3af494896a540bd5189faf6f2f9f75d00c59657071ff0aa5ed94a0 |
| SHA512 | 39d647fa6158ae5453a6a448881e5f86ab9d1ea54047997eb358e40a1dd2d44a7b5665e7ff206013512e071cc4ce616accdad661bd2d1aafad8f8d224577700a |
C:\Users\Admin\AppData\Local\Microsoft\xUZbuun.exe
| MD5 | e411054bf19f624a88719981c5eb22d6 |
| SHA1 | 943df640e6c34757e60dbcb98129f3550bec7f38 |
| SHA256 | 046b6de02d3af494896a540bd5189faf6f2f9f75d00c59657071ff0aa5ed94a0 |
| SHA512 | 39d647fa6158ae5453a6a448881e5f86ab9d1ea54047997eb358e40a1dd2d44a7b5665e7ff206013512e071cc4ce616accdad661bd2d1aafad8f8d224577700a |
memory/3704-192-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\84`.exe
| MD5 | f56ab31379d92b546875eff976ec9148 |
| SHA1 | 79ba7f22410a64adf18e36005cfa98179f128053 |
| SHA256 | d509b4fc5c6dd7c8c9b2bec568f39ad1b0a9724a8046b342e207d5c5c260b4d0 |
| SHA512 | 650ddd099dfa9de50c6e5493c4d33c7dcaeb9827069becfb5756b802789926e1520c9672685ed6afb2b4c4e960ab860aa6a35e1fa6dc4b5de1b023efacc09258 |
memory/1048-194-0x0000000002D70000-0x0000000002D7F000-memory.dmp
memory/1048-193-0x0000000002DA0000-0x0000000002EA0000-memory.dmp
memory/3704-187-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1048-195-0x0000000000400000-0x0000000002B46000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\o{qOsfR.exe
| MD5 | e2c05722293b07319cfd5bb1fef74f44 |
| SHA1 | d3f4f66861f8bf6aae657e475bcb8222c77a2770 |
| SHA256 | f909efbae3c83ae64dcd8f57e18be891df6386ca89f3a2f4c40d12ebc1913ef4 |
| SHA512 | 92c0a3d6bf1708c82f17c8236c3e23ba66f0c3788fcf5c66553353765f3ba657c1a69a092493a71c4dbeac01e235da2c91f93ce19718f1728ffc1c29e3e64037 |
memory/2268-198-0x0000000002D60000-0x0000000002E60000-memory.dmp
memory/2268-199-0x0000000002C60000-0x0000000002C65000-memory.dmp
memory/2268-201-0x0000000000400000-0x0000000002B45000-memory.dmp
memory/2212-206-0x0000000000400000-0x0000000002B46000-memory.dmp