Malware Analysis Report

2024-11-16 12:15

Sample ID 230714-g8a3sscd68
Target ae0087b0e2f4292c64c5232368e562c30da4db998734b9b3dd5e27f456741f9c
SHA256 ae0087b0e2f4292c64c5232368e562c30da4db998734b9b3dd5e27f456741f9c
Tags
phobos rhadamanthys smokeloader systembc backdoor collection evasion persistence ransomware spyware stealer trojan
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

ae0087b0e2f4292c64c5232368e562c30da4db998734b9b3dd5e27f456741f9c

Threat Level: Known bad

The file ae0087b0e2f4292c64c5232368e562c30da4db998734b9b3dd5e27f456741f9c was found to be: Known bad.

Malicious Activity Summary

phobos rhadamanthys smokeloader systembc backdoor collection evasion persistence ransomware spyware stealer trojan

SystemBC

Phobos

Suspicious use of NtCreateUserProcessOtherParentProcess

SmokeLoader

Detect rhadamanthys stealer shellcode

Rhadamanthys

Modifies boot configuration data using bcdedit

Deletes shadow copies

Renames multiple (475) files with added filename extension

Modifies Windows Firewall

Deletes backup catalog

Downloads MZ/PE file

Drops startup file

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Accesses Microsoft Outlook profiles

Drops desktop.ini file(s)

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

outlook_win_path

Suspicious behavior: GetForegroundWindowSpam

Checks SCSI registry key(s)

Checks processor information in registry

Interacts with shadow copies

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Modifies registry class

outlook_office_path

Uses Volume Shadow Copy service COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-14 06:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-14 06:28

Reported

2023-07-14 06:30

Platform

win10v2004-20230703-en

Max time kernel

159s

Max time network

162s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ae0087b0e2f4292c64c5232368e562c30da4db998734b9b3dd5e27f456741f9c.exe"

Signatures

Detect rhadamanthys stealer shellcode

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Phobos

ransomware phobos

Rhadamanthys

stealer rhadamanthys

SmokeLoader

trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 4976 created 768 N/A C:\Users\Admin\AppData\Local\Temp\ae0087b0e2f4292c64c5232368e562c30da4db998734b9b3dd5e27f456741f9c.exe C:\Windows\Explorer.EXE

SystemBC

trojan systembc

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (475) files with added filename extension

ransomware

Deletes backup catalog

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[3DFD8301-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\81}9pBfy8T.exe C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\81}9pBfy8T = "C:\\Users\\Admin\\AppData\\Local\\81}9pBfy8T.exe" C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\81}9pBfy8T = "C:\\Users\\Admin\\AppData\\Local\\81}9pBfy8T.exe" C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-618519468-4027732583-1827558364-1000\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-618519468-4027732583-1827558364-1000\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2520 set thread context of 2392 N/A C:\Users\Admin\AppData\Local\Microsoft\`s6.exe C:\Users\Admin\AppData\Local\Microsoft\`s6.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\libssl-1_1-x64.dll.id[3DFD8301-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\TinyTile.scale-200_contrast-white.png C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-30_altform-lightunplated.png C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_reject_18.svg.id[3DFD8301-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\it-it\ui-strings.js.id[3DFD8301-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Cloud Services.pdf C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\locale\updater_zh_CN.jar C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-remote_ja.jar.id[3DFD8301-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-ppd.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_ja_JP.jar.id[3DFD8301-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ko-KR\View3d\3DViewerProductDescription-universal.xml C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\BadgeLogo.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\swresample-3_ms.dll C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Program Files\UnblockUse.vst C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libshm_plugin.dll C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Program Files\Windows Defender\it-IT\OfflineScannerShell.exe.mui C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\lt-LT\View3d\3DViewerProductDescription-universal.xml C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\DATATRANSFORMERWRAPPER.DLL.id[3DFD8301-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\AppxBundleManifest.xml C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon_hover.png C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.repository.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\zh-tw_get.svg C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\zh-tw\ui-strings.js.id[3DFD8301-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\playlist\anevia_xml.luac C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubLargeTile.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\pe.dll.id[3DFD8301-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ESEN\MSB1ESEN.DLL.id[3DFD8301-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\rsod\dcf.x-none.msi.16.x-none.tree.dat C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File created C:\Program Files\Mozilla Firefox\api-ms-win-crt-string-l1-1-0.dll.id[3DFD8301-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\GenericMailWideTile.scale-100.png C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Example2.Diagnostics.psd1 C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\eclipse.inf.id[3DFD8301-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-16_contrast-black.png C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-36_contrast-high.png C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\pl-pl\ui-strings.js.id[3DFD8301-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\SY______.PFB.id[3DFD8301-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-ul-oob.xrm-ms.id[3DFD8301-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\nb.pak C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\index.win32.bundle.id[3DFD8301-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\sqlite.dll.id[3DFD8301-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_as.dll C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\en-US\TipRes.dll.mui C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-20_contrast-black.png C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Services.Design.dll C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\MANIFEST.MF C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\lt.pak C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\jdwp.dll C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-48_altform-unplated.png C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\S_IlluNoSearchResults_180x160.svg C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNewNoteMedTile.scale-150.png C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm_cmd.xml C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_TileLargeSquare.scale-100.png C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\EPDF_Full.aapp C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_delete_18.svg C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_up_selected_18.svg C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sl-si\ui-strings.js.id[3DFD8301-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\TestDrive.Tests.ps1 C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\WEBSANDBOX.DLL.id[3DFD8301-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\VideoFrameExtractor.Native.dll C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\msth8ES.LEX.id[3DFD8301-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-services.xml C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\`s6.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\`s6.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\`s6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\certreq.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\certreq.exe N/A

Interacts with shadow copies

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Events
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae0087b0e2f4292c64c5232368e562c30da4db998734b9b3dd5e27f456741f9c.exe N/A 4
N/A N/A C:\Windows\system32\certreq.exe N/A 4
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\`s6.exe N/A 2
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A 12
N/A N/A C:\Windows\Explorer.EXE N/A 42

Identical rows are collapsed, with the event count in the last column; in the raw event stream the 81}9pBfy8T.exe events come in runs of two between runs of ten Explorer.EXE events.

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Events
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe N/A 1
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A 1
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A 1
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A 1
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A 8
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A 7
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A 2
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A 2
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A 2
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A 2
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A 2
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A 2
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A 2
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A 2
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A 2
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A 2
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A 2
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A 2
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A 2
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A 2
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A 2
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A 2
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A 2
Token: SeIncreaseWorkingSetPrivilege (reported as LUID 33) N/A C:\Windows\System32\Wbem\WMIC.exe N/A 2
Token: SeTimeZonePrivilege (reported as LUID 34) N/A C:\Windows\System32\Wbem\WMIC.exe N/A 2
Token: SeCreateSymbolicLinkPrivilege (reported as LUID 35) N/A C:\Windows\System32\Wbem\WMIC.exe N/A 2
Token: SeDelegateSessionUserImpersonatePrivilege (reported as LUID 36) N/A C:\Windows\System32\Wbem\WMIC.exe N/A 2
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A 1
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A 1
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A 1

Identical rows are collapsed, with the event count in the last column. The WMIC.exe rows are the same 21-privilege set enabled once per "wmic shadowcopy delete" run (two runs are listed under Processes); the sandbox printed the last four only by LUID, and the names given are the winnt.h privilege constants for those values. vssvc.exe (Volume Shadow Copy service) and wbengine.exe (Windows Backup engine) are the services started by the vssadmin/wmic and wbadmin commands, so their backup/restore privilege use is the service's own. The only row for a dropped binary is SeDebugPrivilege in 81}9pBfy8T.exe.

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events
PID 4976 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\ae0087b0e2f4292c64c5232368e562c30da4db998734b9b3dd5e27f456741f9c.exe C:\Windows\system32\certreq.exe 4
PID 2520 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Microsoft\`s6.exe C:\Users\Admin\AppData\Local\Microsoft\`s6.exe 6
PID 1664 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe C:\Windows\system32\cmd.exe 2
PID 1664 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe C:\Windows\system32\cmd.exe 2
PID 3884 wrote to memory of 1052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe 2
PID 4148 wrote to memory of 3484 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe 2
PID 3884 wrote to memory of 2936 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe 2
PID 4148 wrote to memory of 2740 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe 2
PID 4148 wrote to memory of 1688 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe 2
PID 4148 wrote to memory of 1868 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe 2
PID 4148 wrote to memory of 268 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe 2
PID 768 wrote to memory of 544 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\E0C6.exe 3
PID 768 wrote to memory of 1828 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe 4
PID 768 wrote to memory of 3764 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe 3
PID 768 wrote to memory of 1960 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe 4
PID 768 wrote to memory of 3796 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe 4
PID 768 wrote to memory of 3368 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe 4
PID 768 wrote to memory of 280 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe 3
PID 768 wrote to memory of 4272 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe 4
PID 768 wrote to memory of 2388 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe 3
PID 768 wrote to memory of 872 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe 4

Identical rows are collapsed, with the event count in the last column. Read together with the Processes list, the table gives the process tree: the sample (PID 4976) writes into certreq.exe (388); `s6.exe (2520) writes into a second instance of itself (2392); 81}9pBfy8T.exe (1664) drives two cmd.exe shells, one (3884) for the two netsh firewall commands and one (4148) for the vssadmin, wmic, bcdedit and wbadmin recovery-inhibition commands; and the shell's Explorer.EXE (768) writes into E0C6.exe and into nine freshly started explorer.exe processes (six 32-bit SysWOW64 and three 64-bit). The sandbox PIDs are specific to this run and are not indicators.

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ae0087b0e2f4292c64c5232368e562c30da4db998734b9b3dd5e27f456741f9c.exe

"C:\Users\Admin\AppData\Local\Temp\ae0087b0e2f4292c64c5232368e562c30da4db998734b9b3dd5e27f456741f9c.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\certreq.exe

"C:\Windows\system32\certreq.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4976 -ip 4976

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 944

C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe

"C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe"

C:\Users\Admin\AppData\Local\Microsoft\Pi)pp[Y.exe

"C:\Users\Admin\AppData\Local\Microsoft\Pi)pp[Y.exe"

C:\Users\Admin\AppData\Local\Microsoft\`s6.exe

"C:\Users\Admin\AppData\Local\Microsoft\`s6.exe"

C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe

"C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe"

C:\Users\Admin\AppData\Local\Microsoft\`s6.exe

"C:\Users\Admin\AppData\Local\Microsoft\`s6.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5108 -ip 5108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 188

C:\Users\Admin\AppData\Local\Temp\E0C6.exe

C:\Users\Admin\AppData\Local\Temp\E0C6.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 544 -ip 544

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 492

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Users\Admin\AppData\Roaming\gwduwui

C:\Users\Admin\AppData\Roaming\gwduwui
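
Worked example, added by the editor and not part of the sandbox output: the command lines listed above and the parent/child PIDs from the "Suspicious use of WriteProcessMemory" table, fed as constructed Sysmon-style events to a small Python detector that rebuilds the process tree and scores the recovery-inhibition chain (shadow copy deletion, backup catalog deletion, boot recovery disabled, firewall disabled) under its top-level ancestor. The rule set, the score threshold and the benign "vssadmin list shadows" control row are the editor's assumptions; the report does not state how its own signatures are implemented.

```python
"""Added example (editor's code, not sandbox output): rebuild the process tree
from parent/child events and score the recovery-inhibition chain that the
Processes section shows (vssadmin, wmic, bcdedit, wbadmin, netsh)."""
import re
from collections import defaultdict

# Constructed input: (pid, ppid, image, command line). The PIDs and command
# lines are taken from this report's WriteProcessMemory and Processes sections;
# the last row is an invented benign control and is not in the report.
EVENTS = [
    (1664, 0,    r"C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe",
                 r'"C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe"'),
    (4148, 1664, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    (3884, 1664, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    (1052, 3884, r"C:\Windows\system32\netsh.exe", "netsh advfirewall set currentprofile state off"),
    (2936, 3884, r"C:\Windows\system32\netsh.exe", "netsh firewall set opmode mode=disable"),
    (3484, 4148, r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    (2740, 4148, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    (1688, 4148, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    (1868, 4148, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} recoveryenabled no"),
    (268,  4148, r"C:\Windows\system32\wbadmin.exe", "wbadmin delete catalog -quiet"),
    (9001, 9000, r"C:\Windows\system32\vssadmin.exe", "vssadmin list shadows"),  # benign control
]

# (rule name, regex over the lower-cased command line); the names are the
# editor's, chosen to match the report's signature wording.
RULES = [
    ("shadow_copy_delete", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("shadow_copy_delete", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b")),
    ("boot_status_ignored", re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b")),
    ("backup_catalog_delete", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b")),
    ("firewall_disabled", re.compile(
        r"\bnetsh(\.exe)?\b.*\b(advfirewall\b.*\bstate\s+off|firewall\b.*\bopmode\b.*\bdisable)\b")),
]


def match_rules(cmdline):
    """Return the sorted set of rule names that fire on one command line."""
    text = cmdline.lower()
    return sorted({name for name, rx in RULES if rx.search(text)})


def build_tree(events):
    """Map each PID to (image, cmdline) and each PPID to its child PIDs."""
    procs = {pid: (image, cmd) for pid, _, image, cmd in events}
    children = defaultdict(list)
    for pid, ppid, _, _ in events:
        children[ppid].append(pid)
    return procs, children


def root_of(pid, events):
    """Walk parent links up to the first PID whose parent is not in the events."""
    parent = {pid: ppid for pid, ppid, _, _ in events}
    while parent.get(pid) in parent:
        pid = parent[pid]
    return pid


def score_roots(events):
    """Group distinct rule hits under each top-level ancestor. A single hit
    (one vssadmin run) is only a lead; several rule families under one root
    is the pre-encryption pattern seen in this report."""
    hits = defaultdict(set)
    for pid, _, _, cmd in events:
        for name in match_rules(cmd):
            hits[root_of(pid, events)].add(name)
    return {root: sorted(names) for root, names in hits.items()}


def verdict(events, threshold=3):
    """Return {root_pid: 'ransomware-like' | 'suspicious'} for roots with hits."""
    return {root: ("ransomware-like" if len(names) >= threshold else "suspicious")
            for root, names in score_roots(events).items()}


if __name__ == "__main__":
    procs, children = build_tree(EVENTS)
    for root, label in verdict(EVENTS).items():
        print(f"{label}: root PID {root} {procs[root][0]}")
        for child in children[root]:
            print(f"   {child} {procs[child][1]}")
            for grandchild in children[child]:
                print(f"      {grandchild} {procs[grandchild][1]}")
```

Scoring at the root rather than per process is what separates this chain from an administrator running one of these tools: here five distinct rule families (shadow copy deletion via two tools, both bcdedit changes, the wbadmin catalog deletion and the firewall changes) all trace back to 81}9pBfy8T.exe through its two cmd.exe children, while the control row produces no hit at all.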

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 76.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 servblog25.xyz udp
DE 45.131.66.61:80 servblog25.xyz tcp
US 8.8.8.8:53 61.66.131.45.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
DE 45.131.66.61:80 servblog25.xyz tcp
DE 45.131.66.61:80 servblog25.xyz tcp
US 8.8.8.8:53 serverxlogs21.xyz udp
DE 45.131.66.120:80 serverxlogs21.xyz tcp
US 8.8.8.8:53 120.66.131.45.in-addr.arpa udp
US 8.8.8.8:53 fexstat257.xyz udp
DE 45.89.125.136:80 fexstat257.xyz tcp
US 8.8.8.8:53 136.125.89.45.in-addr.arpa udp
DE 45.131.66.120:80 serverxlogs21.xyz tcp
US 8.8.8.8:53 6.173.189.20.in-addr.arpa udp
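
Worked example, added by the editor and not part of the sandbox output: the Network rows above, copied into a Python script that separates the reverse (in-addr.arpa) lookups, which only tell you which IPs were resolved back to names, from the forward lookups of the three .xyz domains and the TCP/80 connections that follow them, and turns the latter into a domain-to-endpoint IOC list. The resolver filter (8.8.8.8:53) and the row format are taken from the table; treating the remaining tcp rows as candidate C2/loader endpoints is the editor's reading, not a statement from the report.

```python
"""Added example (editor's code, not sandbox output): extract IOCs from the
report's Network table, separating PTR lookups from forward lookups and the
connections that follow them."""
import ipaddress
import re

# Constructed input: rows copied from the Network section of this report.
NETWORK_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 servblog25.xyz udp
DE 45.131.66.61:80 servblog25.xyz tcp
US 8.8.8.8:53 61.66.131.45.in-addr.arpa udp
DE 45.131.66.61:80 servblog25.xyz tcp
US 8.8.8.8:53 serverxlogs21.xyz udp
DE 45.131.66.120:80 serverxlogs21.xyz tcp
US 8.8.8.8:53 fexstat257.xyz udp
DE 45.89.125.136:80 fexstat257.xyz tcp
US 8.8.8.8:53 136.125.89.45.in-addr.arpa udp
"""

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+(?P<name>\S+)\s+(?P<proto>tcp|udp)$")
PTR_SUFFIX = ".in-addr.arpa"


def parse_rows(text):
    """Yield one dict per well-formed 'Country Destination Domain Proto' row."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            yield row


def ptr_to_ip(name):
    """'61.66.131.45.in-addr.arpa' -> '45.131.66.61'; None if not a PTR name."""
    if not name.endswith(PTR_SUFFIX):
        return None
    octets = name[: -len(PTR_SUFFIX)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def extract_iocs(text, resolvers=("8.8.8.8",)):
    """Return ({domain: sorted 'ip:port/proto' endpoints}, {reverse-looked-up IPs}).

    A query to the resolver records that a name was looked up; a later row
    carrying the same name against a non-resolver destination records where
    it resolved and what was connected to."""
    domains = {}
    reversed_ips = set()
    for row in parse_rows(text):
        ip = ptr_to_ip(row["name"])
        if ip is not None:
            reversed_ips.add(ip)
            continue
        endpoints = domains.setdefault(row["name"], set())
        if not (row["ip"] in resolvers and row["port"] == 53):
            endpoints.add(f'{row["ip"]}:{row["port"]}/{row["proto"]}')
    return {name: sorted(eps) for name, eps in domains.items()}, reversed_ips


def c2_candidates(text):
    """Domains that were both looked up and then actually connected to."""
    domains, _ = extract_iocs(text)
    return sorted(name for name, eps in domains.items() if eps)


if __name__ == "__main__":
    domains, reversed_ips = extract_iocs(NETWORK_ROWS)
    for name in c2_candidates(NETWORK_ROWS):
        print(name, domains[name])
    print("reverse lookups performed for:", sorted(reversed_ips))
```

The reverse lookups of 45.131.66.61 and 45.89.125.136 show up as PTR names for the same addresses the forward lookups resolved to, which is why the parser decodes them: a PTR-only entry for an address you have no forward lookup for is still worth a second look, but it is not on its own evidence of a connection.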

Files

memory/4976-134-0x0000000000840000-0x0000000000940000-memory.dmp

memory/4976-135-0x0000000002270000-0x00000000022E1000-memory.dmp

memory/4976-136-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4976-137-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4976-138-0x0000000002230000-0x0000000002237000-memory.dmp

memory/4976-139-0x0000000002440000-0x0000000002840000-memory.dmp

memory/4976-140-0x0000000002440000-0x0000000002840000-memory.dmp

memory/4976-141-0x0000000002440000-0x0000000002840000-memory.dmp

memory/4976-142-0x0000000002440000-0x0000000002840000-memory.dmp

memory/4976-143-0x0000000000840000-0x0000000000940000-memory.dmp

memory/388-144-0x00000294147E0000-0x00000294147E3000-memory.dmp

memory/4976-145-0x0000000002270000-0x00000000022E1000-memory.dmp

memory/4976-146-0x0000000003300000-0x0000000003336000-memory.dmp

memory/4976-152-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4976-154-0x0000000002440000-0x0000000002840000-memory.dmp

memory/4976-153-0x0000000003300000-0x0000000003336000-memory.dmp

memory/4976-156-0x0000000000400000-0x00000000004CE000-memory.dmp

memory/4976-157-0x0000000002440000-0x0000000002840000-memory.dmp

memory/388-159-0x00000294147E0000-0x00000294147E3000-memory.dmp

memory/388-160-0x0000029414A80000-0x0000029414A87000-memory.dmp

memory/388-162-0x00007FF4565F0000-0x00007FF45671D000-memory.dmp

memory/388-161-0x00007FF4565F0000-0x00007FF45671D000-memory.dmp

memory/388-163-0x00007FF4565F0000-0x00007FF45671D000-memory.dmp

memory/388-164-0x00007FF4565F0000-0x00007FF45671D000-memory.dmp

memory/388-165-0x00007FF4565F0000-0x00007FF45671D000-memory.dmp

memory/388-167-0x00007FF4565F0000-0x00007FF45671D000-memory.dmp

memory/388-169-0x00007FF4565F0000-0x00007FF45671D000-memory.dmp

memory/388-170-0x00007FF4565F0000-0x00007FF45671D000-memory.dmp

memory/388-171-0x00007FF4565F0000-0x00007FF45671D000-memory.dmp

memory/388-172-0x00007FF9C5DD0000-0x00007FF9C5FC5000-memory.dmp

memory/388-173-0x00007FF4565F0000-0x00007FF45671D000-memory.dmp

memory/388-174-0x00007FF4565F0000-0x00007FF45671D000-memory.dmp

memory/388-175-0x00007FF4565F0000-0x00007FF45671D000-memory.dmp

memory/388-176-0x00007FF4565F0000-0x00007FF45671D000-memory.dmp

memory/388-177-0x00007FF4565F0000-0x00007FF45671D000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe

MD5 486417849d6c58436232f8b427e34bfe
SHA1 f897bc1186540da5fa1a7a83a066fc1eb9319928
SHA256 8113218903975b81b22049796f201e06638595d2f6fadd82da06817bfbce85d7
SHA512 1c418391bf38906addfd5641c652712b39e85f6fac38a2591785bff365db98b7870a4b1c3ce775edd2a283c932a892ac25709733da1238c4deccc87653a4871b

C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe

MD5 486417849d6c58436232f8b427e34bfe
SHA1 f897bc1186540da5fa1a7a83a066fc1eb9319928
SHA256 8113218903975b81b22049796f201e06638595d2f6fadd82da06817bfbce85d7
SHA512 1c418391bf38906addfd5641c652712b39e85f6fac38a2591785bff365db98b7870a4b1c3ce775edd2a283c932a892ac25709733da1238c4deccc87653a4871b

C:\Users\Admin\AppData\Local\Microsoft\Pi)pp[Y.exe

MD5 b491e36144e3790aaa815cd7baa797d4
SHA1 5798399c5fd4f0f6dca5e1ad15fd54d0e5d8b18c
SHA256 30fa8b928ee11aec28d392bd864a56e8e4a4da9690c14ed12a607ce2c6c983f1
SHA512 c8c2be6c225d27e4a61c92d064cca72f8ccfbfe6851e49d9dd623bb4ff0a7c9726e3e13dbdfc7e6e60c8fad5da972355d7f7590f3e668d4210bb25176b0ca845

C:\Users\Admin\AppData\Local\Microsoft\Pi)pp[Y.exe

MD5 b491e36144e3790aaa815cd7baa797d4
SHA1 5798399c5fd4f0f6dca5e1ad15fd54d0e5d8b18c
SHA256 30fa8b928ee11aec28d392bd864a56e8e4a4da9690c14ed12a607ce2c6c983f1
SHA512 c8c2be6c225d27e4a61c92d064cca72f8ccfbfe6851e49d9dd623bb4ff0a7c9726e3e13dbdfc7e6e60c8fad5da972355d7f7590f3e668d4210bb25176b0ca845

C:\Users\Admin\AppData\Local\Microsoft\`s6.exe

MD5 d2550da62b0b2ce4b06c6e3572327c67
SHA1 72437d6c18d12360d873370d2407b9f28963a130
SHA256 dcbbede2e65822b531c8426309b2b251efddf9535e08f4779d510c7ed4a6f0b8
SHA512 f87be745c674028b2e70a88dabdc9bc950def15ca6088f199badf9954e34bce347c7d649df9860cfc39c3bd4473eebdeb2b2561e2e20178995fedcd1222863af

C:\Users\Admin\AppData\Local\Microsoft\`s6.exe

MD5 d2550da62b0b2ce4b06c6e3572327c67
SHA1 72437d6c18d12360d873370d2407b9f28963a130
SHA256 dcbbede2e65822b531c8426309b2b251efddf9535e08f4779d510c7ed4a6f0b8
SHA512 f87be745c674028b2e70a88dabdc9bc950def15ca6088f199badf9954e34bce347c7d649df9860cfc39c3bd4473eebdeb2b2561e2e20178995fedcd1222863af

memory/388-190-0x00007FF9C5DD0000-0x00007FF9C5FC5000-memory.dmp

memory/388-191-0x00007FF9C5DD0000-0x00007FF9C5FC5000-memory.dmp

memory/3572-192-0x0000000000680000-0x0000000000780000-memory.dmp

memory/3572-193-0x0000000000600000-0x0000000000605000-memory.dmp

memory/3572-194-0x0000000000400000-0x000000000049E000-memory.dmp

memory/1664-195-0x0000000000600000-0x000000000060F000-memory.dmp

memory/1664-196-0x0000000000680000-0x0000000000780000-memory.dmp

memory/1664-197-0x0000000000400000-0x000000000049E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\81}9pBfy8T.exe

MD5 486417849d6c58436232f8b427e34bfe
SHA1 f897bc1186540da5fa1a7a83a066fc1eb9319928
SHA256 8113218903975b81b22049796f201e06638595d2f6fadd82da06817bfbce85d7
SHA512 1c418391bf38906addfd5641c652712b39e85f6fac38a2591785bff365db98b7870a4b1c3ce775edd2a283c932a892ac25709733da1238c4deccc87653a4871b

memory/2520-200-0x00000000006E0000-0x00000000007E0000-memory.dmp

memory/2520-201-0x00000000005B0000-0x00000000005B9000-memory.dmp

memory/2392-202-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\`s6.exe

MD5 d2550da62b0b2ce4b06c6e3572327c67
SHA1 72437d6c18d12360d873370d2407b9f28963a130
SHA256 dcbbede2e65822b531c8426309b2b251efddf9535e08f4779d510c7ed4a6f0b8
SHA512 f87be745c674028b2e70a88dabdc9bc950def15ca6088f199badf9954e34bce347c7d649df9860cfc39c3bd4473eebdeb2b2561e2e20178995fedcd1222863af

memory/2392-204-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3572-206-0x0000000000680000-0x0000000000780000-memory.dmp

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[3DFD8301-3483].[[email protected]].8base

MD5 f9c856a9cdeb93156eabc214f407509a
SHA1 21efdfc52a971f8bc5f15eb7003b354104690aff
SHA256 32ec73f74a4e35179c4f34f8bbeeb69932c88543023924991f27a1774652695d
SHA512 2a6ac5ab8d28421fd60f2137d0ebd7574286094f74fff46d6376e3051fb773075de42edbfa8ca86b9754433131acc46c5354c3360bd9342d6e50dc0de86d1652

memory/768-405-0x0000000002640000-0x0000000002656000-memory.dmp

memory/2392-417-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1664-506-0x0000000000680000-0x0000000000780000-memory.dmp

memory/1664-507-0x0000000000400000-0x000000000049E000-memory.dmp

memory/5108-1746-0x0000000000530000-0x0000000000630000-memory.dmp

memory/5108-1776-0x00000000020A0000-0x00000000020AF000-memory.dmp

memory/5108-1788-0x0000000000400000-0x000000000049E000-memory.dmp

memory/768-1912-0x00000000008F0000-0x0000000000900000-memory.dmp

memory/768-1914-0x00000000008F0000-0x0000000000900000-memory.dmp

memory/768-1939-0x00000000027C0000-0x00000000027D0000-memory.dmp

memory/768-1956-0x00000000008F0000-0x0000000000900000-memory.dmp

memory/768-1913-0x00000000008F0000-0x0000000000900000-memory.dmp

memory/768-1962-0x00000000008F0000-0x0000000000900000-memory.dmp

memory/768-2005-0x00000000008F0000-0x0000000000900000-memory.dmp

memory/768-2002-0x00000000008F0000-0x0000000000900000-memory.dmp

memory/768-2019-0x00000000008F0000-0x0000000000900000-memory.dmp

memory/768-2042-0x00000000008F0000-0x0000000000900000-memory.dmp

memory/768-2056-0x00000000008F0000-0x0000000000900000-memory.dmp

memory/768-2077-0x00000000008F0000-0x0000000000900000-memory.dmp

memory/768-2076-0x00000000008F0000-0x0000000000900000-memory.dmp

memory/768-2112-0x00000000027C0000-0x00000000027D0000-memory.dmp

memory/768-2114-0x00000000008F0000-0x0000000000900000-memory.dmp

memory/768-2225-0x00000000008F0000-0x0000000000900000-memory.dmp

memory/768-2168-0x00000000027C0000-0x00000000027D0000-memory.dmp

memory/768-2263-0x00000000008F0000-0x0000000000900000-memory.dmp

memory/1664-2272-0x0000000000400000-0x000000000049E000-memory.dmp

memory/768-2234-0x00000000008F0000-0x0000000000900000-memory.dmp

memory/768-2157-0x00000000008F0000-0x0000000000900000-memory.dmp

memory/768-2306-0x00000000008F0000-0x0000000000900000-memory.dmp

memory/768-2328-0x00000000008F0000-0x0000000000900000-memory.dmp

memory/768-2356-0x00000000008F0000-0x0000000000900000-memory.dmp

memory/768-2391-0x0000000002700000-0x0000000002710000-memory.dmp

memory/768-2375-0x00000000008F0000-0x0000000000900000-memory.dmp

memory/768-2390-0x00000000008F0000-0x0000000000900000-memory.dmp

memory/5108-2394-0x0000000000530000-0x0000000000630000-memory.dmp

memory/768-2395-0x00000000008F0000-0x0000000000900000-memory.dmp

memory/768-2829-0x00000000027C0000-0x00000000027D0000-memory.dmp

memory/768-3987-0x00000000027C0000-0x00000000027D0000-memory.dmp

memory/768-4265-0x0000000002700000-0x0000000002710000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E0C6.exe

MD5 65ba8303fabfb2652158af69f7124772
SHA1 e7a679c504b8f00c995da10f1fa66fb6458832a2
SHA256 3ec359f6ab125099db4a4f7b6ad6b17ab1411a338be932ea45aea13aad7788c8
SHA512 cc77310aa5caf21cfcfd318b97f804d565fb0ecb8ad6f3335bd9883a9c3db3d94e784b4b9ac54b04ee71172d62fb23e8b99de93237e9d798cb02d5359a83c5f0

C:\Users\Admin\AppData\Local\Temp\E0C6.exe

MD5 65ba8303fabfb2652158af69f7124772
SHA1 e7a679c504b8f00c995da10f1fa66fb6458832a2
SHA256 3ec359f6ab125099db4a4f7b6ad6b17ab1411a338be932ea45aea13aad7788c8
SHA512 cc77310aa5caf21cfcfd318b97f804d565fb0ecb8ad6f3335bd9883a9c3db3d94e784b4b9ac54b04ee71172d62fb23e8b99de93237e9d798cb02d5359a83c5f0

memory/1664-4328-0x0000000000400000-0x000000000049E000-memory.dmp

memory/3764-4385-0x0000000001220000-0x0000000001227000-memory.dmp

memory/3764-4383-0x0000000001210000-0x000000000121C000-memory.dmp

memory/3764-4388-0x0000000001210000-0x000000000121C000-memory.dmp

memory/1828-4393-0x0000000001200000-0x000000000126B000-memory.dmp

memory/1828-4396-0x0000000001270000-0x00000000012E5000-memory.dmp

memory/1828-4400-0x0000000001200000-0x000000000126B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\cookies.sqlite.id[3DFD8301-3483].[[email protected]].8base

MD5 afbd29ca08042a9f2ff16b72fc04d795
SHA1 058f25e11cfc8e4e366c993d3477a4f597ac4735
SHA256 12b678dc99db5e436b0a03cbf7682356c250f70ac2177d2c8a2727c443ad978b
SHA512 3605fdd58ca8b7b20866d9274ae6e75df96d79e1f2d85378bc3fd5e342d37dbd23119132644f8a0ae51d2dfc328093dc0968d08b503e85bd17a8a69b0c7b44ff

C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000027.db.id[3DFD8301-3483].[[email protected]].8base

MD5 fdc410bdf0245e78f24fed86fb297eaa
SHA1 7fb5cc6968ccb5e7b641015c76bf6a2747568ea1
SHA256 be05a48b3a2fbd7c1e4d5186c2293f116855e7c954ac77300a197ed6fb420401
SHA512 0689bfc47e0abba9fef540c9e2d7646b86a608fc6f4eeaeb2dadece9c78c309089324f9c0d2c3ad1dfb94c670ab6028f7ca98f793e2b23763a773f6c645bf071

C:\Users\Admin\AppData\Local\Temp\D54\C\Windows\System32\WalletProxy.dll

MD5 d09724c29a8f321f2f9c552de6ef6afa
SHA1 d6ce3d3a973695f4f770e7fb3fcb5e2f3df592a3
SHA256 23cc82878957683184fbd0e3098e9e6858978bf78d7812c6d7470ebdc79d1c5c
SHA512 cc8db1b0c4bbd94dfc8a669cd6accf6fa29dc1034ce03d9dae53d6ce117bb86b432bf040fb53230b612c6e9a325e58acc8ebb600f760a8d9d6a383ce751fd6ed

C:\Users\Admin\AppData\Local\Temp\D54\C\Windows\SysWOW64\WalletProxy.dll

MD5 d09724c29a8f321f2f9c552de6ef6afa
SHA1 d6ce3d3a973695f4f770e7fb3fcb5e2f3df592a3
SHA256 23cc82878957683184fbd0e3098e9e6858978bf78d7812c6d7470ebdc79d1c5c
SHA512 cc8db1b0c4bbd94dfc8a669cd6accf6fa29dc1034ce03d9dae53d6ce117bb86b432bf040fb53230b612c6e9a325e58acc8ebb600f760a8d9d6a383ce751fd6ed

C:\Users\Admin\AppData\Local\Temp\D54\C\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe.xml

MD5 94f90fcd2b8f7f1df69224f845d9e9b7
SHA1 a09e3072cc581cf89adaf1aa20aa89b3af7bf987
SHA256 a16113a66b1c36f919b5f7eaa3fb7aa8e0ba9e057823861aabea703cc06a04c0
SHA512 51f4ee06a8d8bf1121083bf4383433160f16c68d1fe4c44e5d0e0529910d27ba8446c7a4bef359b990574d1d61563da30139c6d09ad0ad1a5b5c7748b8da08f3

C:\Users\Admin\AppData\Local\Temp\D54\C\Windows\SysWOW64\Windows.ApplicationModel.Wallet.dll

MD5 02557c141c9e153c2b7987b79a3a2dd7
SHA1 a054761382ee68608b6a3b62b68138dc205f576b
SHA256 207c587e769e2655669bd3ce1d28a00bcac08f023013735f026f65c0e3baa6f4
SHA512 a37e29c115bcb9956b1f8fd2022f2e3966c1fa2a0efa5c2ee2d14bc5c41bfddae0deea4d481a681d13ec58e9dec41e7565f8b4eb1c10f2c44c03e58bdd2792b3

C:\Users\Admin\AppData\Local\Temp\D54\C\Windows\SysWOW64\WalletBackgroundServiceProxy.dll

MD5 1097d1e58872f3cf58f78730a697ce4b
SHA1 96db4e4763a957b28dd80ec1e43eb27367869b86
SHA256 83ec0be293b19d00eca4ae51f16621753e1d2b11248786b25a1abaae6230bdef
SHA512 b933eac4eaabacc51069a72b24b649b980aea251b1b87270ff4ffea12de9368d5447cdbe748ac7faf2805548b896c8499f9eceeed2f5efd0c684f94360940351

C:\Users\Admin\AppData\Local\Temp\D54\C\Windows\System32\Windows.ApplicationModel.Wallet.dll

MD5 02557c141c9e153c2b7987b79a3a2dd7
SHA1 a054761382ee68608b6a3b62b68138dc205f576b
SHA256 207c587e769e2655669bd3ce1d28a00bcac08f023013735f026f65c0e3baa6f4
SHA512 a37e29c115bcb9956b1f8fd2022f2e3966c1fa2a0efa5c2ee2d14bc5c41bfddae0deea4d481a681d13ec58e9dec41e7565f8b4eb1c10f2c44c03e58bdd2792b3

C:\Users\Admin\AppData\Local\Temp\D54\C\Windows\System32\WalletBackgroundServiceProxy.dll

MD5 1097d1e58872f3cf58f78730a697ce4b
SHA1 96db4e4763a957b28dd80ec1e43eb27367869b86
SHA256 83ec0be293b19d00eca4ae51f16621753e1d2b11248786b25a1abaae6230bdef
SHA512 b933eac4eaabacc51069a72b24b649b980aea251b1b87270ff4ffea12de9368d5447cdbe748ac7faf2805548b896c8499f9eceeed2f5efd0c684f94360940351

C:\Users\Admin\AppData\Local\Temp\D54\C\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe.xml

MD5 108f130067a9df1719c590316a5245f7
SHA1 79bb9a86e7a50c85214cd7e21719f0cb4155f58a
SHA256 c91debd34057ca5c280ca15ac542733930e1c94c7d887448eac6e3385b5a0874
SHA512 d43b3861d5153c7ca54edd078c900d31599fc9f04d6883a449d62c7e86a105a3c5dfb2d232255c41505b210b063caf6325921dc074fcdf93407c9e2c985a5301

C:\Users\Admin\AppData\Local\Temp\D54\C\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe.xml

MD5 108f130067a9df1719c590316a5245f7
SHA1 79bb9a86e7a50c85214cd7e21719f0cb4155f58a
SHA256 c91debd34057ca5c280ca15ac542733930e1c94c7d887448eac6e3385b5a0874
SHA512 d43b3861d5153c7ca54edd078c900d31599fc9f04d6883a449d62c7e86a105a3c5dfb2d232255c41505b210b063caf6325921dc074fcdf93407c9e2c985a5301

C:\Users\Admin\AppData\Local\Temp\D54\C\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe.xml

MD5 94f90fcd2b8f7f1df69224f845d9e9b7
SHA1 a09e3072cc581cf89adaf1aa20aa89b3af7bf987
SHA256 a16113a66b1c36f919b5f7eaa3fb7aa8e0ba9e057823861aabea703cc06a04c0
SHA512 51f4ee06a8d8bf1121083bf4383433160f16c68d1fe4c44e5d0e0529910d27ba8446c7a4bef359b990574d1d61563da30139c6d09ad0ad1a5b5c7748b8da08f3

C:\Users\Admin\AppData\Local\Temp\D54\C\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe

MD5 cfe72ed40a076ae4f4157940ce0c5d44
SHA1 8010f7c746a7ba4864785f798f46ec05caae7ece
SHA256 6868894ab04d08956388a94a81016f03d5b7a7b1646c8a6235057a7e1e45de32
SHA512 f002afa2131d250dd6148d8372ce45f84283b8e1209e91720cee7aff497503d0e566bae3a83cd326701458230ae5c0e200eec617889393dd46ac00ff357ff1b0

C:\Users\Admin\AppData\Local\Temp\D54\C\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.dll

MD5 cfec6071de123e36263ad00288b2da8e
SHA1 9520d018eaad8be98bce1e4f5c84322fe583dfb9
SHA256 5d70da1497ef34aeaa9c778747ead173b4e5295899ef20bb9e44f9e2cf64faf5
SHA512 3c34bc50ef9782f8379175393f12cc840ad898fb6bc0e692dc4e87b1f280e48910b8647325530e96271355f80d3bd66c5fcea5882c63685a1dc40f89dbd74378

C:\Users\Admin\AppData\Roaming\fdawcfs

MD5 f7b6ab505472074505a534594b9e0924
SHA1 d6ce27884fe0777901e31df5b4d4e3a355201a7a
SHA256 9f6bb84a3d79a07c89668262bddb7c72e0f0fcf3807b1cb0dbf0d43fdd3b1b9d
SHA512 6b8939431ff1d1211951b75d8ed3b21e99c236451405d2491d335e85c5c53689b57dab5c662680e7a28ac198ba209a0dfda646433b039d67fa369d28e218810f

C:\Users\Admin\AppData\Roaming\gwduwui

MD5 d2550da62b0b2ce4b06c6e3572327c67
SHA1 72437d6c18d12360d873370d2407b9f28963a130
SHA256 dcbbede2e65822b531c8426309b2b251efddf9535e08f4779d510c7ed4a6f0b8
SHA512 f87be745c674028b2e70a88dabdc9bc950def15ca6088f199badf9954e34bce347c7d649df9860cfc39c3bd4473eebdeb2b2561e2e20178995fedcd1222863af

C:\info.hta

MD5 3182295181d0464de2cd79c885c6a425
SHA1 18e9616360364337abec0e952f2db393f240688c
SHA256 327a381bc24890a46a544a8521e2435d27783bf4530a4d57894607a695735a91
SHA512 849398e154decc39692c01b95e4d98be65d9c806b66ccccb29649b1d5fcbf2560af53a61aee07b3d5c3e2159e7687eace5b742864f68345e9c6d0fc74e21e6b0

C:\users\public\desktop\info.hta

MD5 3182295181d0464de2cd79c885c6a425
SHA1 18e9616360364337abec0e952f2db393f240688c
SHA256 327a381bc24890a46a544a8521e2435d27783bf4530a4d57894607a695735a91
SHA512 849398e154decc39692c01b95e4d98be65d9c806b66ccccb29649b1d5fcbf2560af53a61aee07b3d5c3e2159e7687eace5b742864f68345e9c6d0fc74e21e6b0

C:\Users\Admin\Desktop\info.hta

MD5 3182295181d0464de2cd79c885c6a425
SHA1 18e9616360364337abec0e952f2db393f240688c
SHA256 327a381bc24890a46a544a8521e2435d27783bf4530a4d57894607a695735a91
SHA512 849398e154decc39692c01b95e4d98be65d9c806b66ccccb29649b1d5fcbf2560af53a61aee07b3d5c3e2159e7687eace5b742864f68345e9c6d0fc74e21e6b0

F:\info.hta

MD5 3182295181d0464de2cd79c885c6a425
SHA1 18e9616360364337abec0e952f2db393f240688c
SHA256 327a381bc24890a46a544a8521e2435d27783bf4530a4d57894607a695735a91
SHA512 849398e154decc39692c01b95e4d98be65d9c806b66ccccb29649b1d5fcbf2560af53a61aee07b3d5c3e2159e7687eace5b742864f68345e9c6d0fc74e21e6b0
