Malware Analysis Report

2025-01-22 14:02

Sample ID: 240224-dxslxsff85
Target: New Client.exe
SHA256: 13fde5c8aeb2fe2335dcb803a1a31a404e2f65e990d2a728a0df681ef832b616
Tags: njrat antivirus bootkit persistence trojan ransomware hacked
Score: 10/10


Analysis Overview

Threat Level: Known bad

The file New Client.exe was found to be: Known bad.

Malicious Activity Summary

njRAT/Bladabindi

Modifies Installed Components in the registry

Checks computer location settings

Drops startup file

Executes dropped EXE

Writes to the Master Boot Record (MBR)

Adds Run key to start application

Enumerates connected drives

AutoIT Executable

Sets desktop wallpaper using registry

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

Checks SCSI registry key(s)

Modifies Internet Explorer settings

Suspicious behavior: GetForegroundWindowSpam

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy WMI provider

Suspicious use of SetWindowsHookEx

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies Control Panel

Suspicious use of FindShellTrayWindow

Uses Volume Shadow Copy service COM API

Suspicious use of SendNotifyMessage

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Enumerates system info in registry

Analysis: static1

Detonation Overview

Reported

2024-02-24 03:23

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-02-24 03:23

Reported

2024-02-24 04:42

Platform

win10v2004-20240221-en

Max time kernel

59s

Max time network

92s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New Client.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.url C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2f0a0f36e26b4a1fac1b7b824fa348eb.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\New Client.exe\" .." C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\New Client.exe\" .." C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\2f0a0f36e26b4a1fac1b7b824fa348eb.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\windows\system32\ohseqk.exe C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\TASKKILL.exe N/A
N/A N/A C:\Windows\SYSTEM32\TASKKILL.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\TASKKILL.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2f0a0f36e26b4a1fac1b7b824fa348eb.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\New Client.exe

"C:\Users\Admin\AppData\Local\Temp\New Client.exe"

C:\Windows\SYSTEM32\TASKKILL.exe

TASKKILL /F /IM wscript.exe

C:\Windows\SYSTEM32\TASKKILL.exe

TASKKILL /F /IM cmd.exe

C:\Windows\SYSTEM32\taskkill.exe

taskkill /f im explorer.exe

C:\Users\Admin\AppData\Local\Temp\2f0a0f36e26b4a1fac1b7b824fa348eb.exe

"C:\Users\Admin\AppData\Local\Temp\2f0a0f36e26b4a1fac1b7b824fa348eb.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 cut-britney.gl.at.ply.gg udp
US 147.185.221.16:38277 cut-britney.gl.at.ply.gg tcp
US 8.8.8.8:53 16.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 147.185.221.16:38277 cut-britney.gl.at.ply.gg tcp

Files

C:\Users\Admin\AppData\Local\Temp\2f0a0f36e26b4a1fac1b7b824fa348eb.exe

MD5 af2379cc4d607a45ac44d62135fb7015
SHA1 39b6d40906c7f7f080e6befa93324dddadcbd9fa
SHA256 26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739
SHA512 69899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99

Analysis: behavioral4

Detonation Overview

Submitted

2024-02-24 03:23

Reported

2024-02-24 04:43

Platform

win11-20240221-en

Max time kernel

1800s

Max time network

1804s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New Client.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.url C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\New Client.exe\" .." C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\New Client.exe\" .." C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\e88f17b8ff0a4f2ebbd6d3f2551f6ef4.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\e88f17b8ff0a4f2ebbd6d3f2551f6ef4.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\e88f17b8ff0a4f2ebbd6d3f2551f6ef4.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\e88f17b8ff0a4f2ebbd6d3f2551f6ef4.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\e88f17b8ff0a4f2ebbd6d3f2551f6ef4.exe N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\1c174b145c8e4091a5774f9441cbf620.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\1c174b145c8e4091a5774f9441cbf620.exe N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\1c174b145c8e4091a5774f9441cbf620.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\e88f17b8ff0a4f2ebbd6d3f2551f6ef4.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\1c174b145c8e4091a5774f9441cbf620.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\1c174b145c8e4091a5774f9441cbf620.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\e88f17b8ff0a4f2ebbd6d3f2551f6ef4.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\1c174b145c8e4091a5774f9441cbf620.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\1c174b145c8e4091a5774f9441cbf620.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\e88f17b8ff0a4f2ebbd6d3f2551f6ef4.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\1c174b145c8e4091a5774f9441cbf620.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\1c174b145c8e4091a5774f9441cbf620.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\1c174b145c8e4091a5774f9441cbf620.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\e88f17b8ff0a4f2ebbd6d3f2551f6ef4.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\1c174b145c8e4091a5774f9441cbf620.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\1c174b145c8e4091a5774f9441cbf620.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\1c174b145c8e4091a5774f9441cbf620.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\e88f17b8ff0a4f2ebbd6d3f2551f6ef4.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\1c174b145c8e4091a5774f9441cbf620.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\e88f17b8ff0a4f2ebbd6d3f2551f6ef4.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\1c174b145c8e4091a5774f9441cbf620.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\e88f17b8ff0a4f2ebbd6d3f2551f6ef4.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\e88f17b8ff0a4f2ebbd6d3f2551f6ef4.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\e88f17b8ff0a4f2ebbd6d3f2551f6ef4.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\1c174b145c8e4091a5774f9441cbf620.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\WScript.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\windows\system32\zm0u1_.exe C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wl.jpg" C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wl.jpg" C:\Users\Admin\AppData\Local\Temp\e88f17b8ff0a4f2ebbd6d3f2551f6ef4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Web\\Wallpaper\\Windows\\img0.jpg" C:\Users\Admin\AppData\Local\Temp\1c174b145c8e4091a5774f9441cbf620.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\TASKKILL.exe N/A
N/A N/A C:\Windows\SYSTEM32\TASKKILL.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\Locker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\e88f17b8ff0a4f2ebbd6d3f2551f6ef4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\1c174b145c8e4091a5774f9441cbf620.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4280069375-290121026-380765049-1000\{B1635794-0AC2-46FA-B5C6-72018B3A1A29} C:\Windows\SysWOW64\WScript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\5d71b00b8a674bc4bb44882ec07efcce.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 140000000700000001000100050000001400000050003a005c00480066007200650066005c004e0071007a00760061005c004e006300630051006e0067006e005c005900620070006e0079005c005a00760070006500620066006200730067005c00420061007200510065007600690072005c00420061007200510065007600690072002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f50100000000000000000000e8070200420061007200510065007600690072000a004100620067002000660076007400610072007100200076006100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000000000000000000000000000000000000000ad5f60b4c764da0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e807020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e807020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff82ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff83ae2078e323294282c1e41cb67d5b9c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "1042" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Ention.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4280069375-290121026-380765049-1000\{C29CF54E-15CF-43F0-8C4F-6A342F44E7F2} C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\PastIconsStream = 1400000005000000010001000200000014000000494c200602000400280010001000ffffffff2110ffffffffffffffff424d3600000000000000360000002800000010000000400000000100200000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000ff00000060000000000000000000000020000000b0000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff00000060000000200000000000000020000000f00d0d0df09d9d9dffc8c8c8ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff000000603f3f3f66000000ff00000060000000900a0a0af0c0c0c0ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660e2e2e2ff474747eb000000d0000000e04c4c4cee999999ff939393eeb1b1b1f0e0e0e0ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660c8c8c8f7adadadf6858585ff000000ff000000ff737373ff999999ff999999ff999999ff999999ffa0a0a0e8868686ff000000ff000000606d6d6d88aaaaaaebb2b2b2ffb2b2b2ff7a7a7aff000000ff000000ff696969ff999999ff999999ff999999ff999999ff5f5f5fff000000ff0000006045454571b2b2b2ffb2b2b2ffb2b2b2ffa7a7a7ff1b1b1be8000000c0000000b0080808f08f8f8fff999999ff999999ff5f5f5fff000000ff00000060303030607f7f7fff7b7b7bf67e7e7ee2525252e20a0a0af0000000f00000003000000020000000f0101010eb5a5a5af6505050ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff676767ff000000ff000000b000000020000000000000000000000020000000b0000000ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff777777ff080808f0000000d000000000000000000
C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Ention.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "1042" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost = 6801000088020000 C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "1042" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\TASKKILL.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\sihost.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1412 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Windows\SYSTEM32\TASKKILL.exe
PID 1412 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Windows\SYSTEM32\TASKKILL.exe
PID 1412 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Windows\SYSTEM32\TASKKILL.exe
PID 1412 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Windows\SYSTEM32\TASKKILL.exe
PID 1412 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1412 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1384 wrote to memory of 244 N/A C:\Windows\system32\sihost.exe C:\Windows\explorer.exe
PID 1384 wrote to memory of 244 N/A C:\Windows\system32\sihost.exe C:\Windows\explorer.exe
PID 1412 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Users\Admin\AppData\Local\Temp\68e808a32a7445e081481e1a576a6eea.exe
PID 1412 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Users\Admin\AppData\Local\Temp\68e808a32a7445e081481e1a576a6eea.exe
PID 1412 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Users\Admin\AppData\Local\Temp\68e808a32a7445e081481e1a576a6eea.exe
PID 4436 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\68e808a32a7445e081481e1a576a6eea.exe C:\Users\Admin\AppData\Local\Temp\Ention.exe
PID 4436 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\68e808a32a7445e081481e1a576a6eea.exe C:\Users\Admin\AppData\Local\Temp\Ention.exe
PID 4436 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\68e808a32a7445e081481e1a576a6eea.exe C:\Users\Admin\AppData\Local\Temp\Ention.exe
PID 4436 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\68e808a32a7445e081481e1a576a6eea.exe C:\Users\Admin\AppData\Local\Temp\Locker.exe
PID 4436 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\68e808a32a7445e081481e1a576a6eea.exe C:\Users\Admin\AppData\Local\Temp\Locker.exe
PID 4436 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\68e808a32a7445e081481e1a576a6eea.exe C:\Users\Admin\AppData\Local\Temp\Locker.exe
PID 1856 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\Ention.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 1856 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\Ention.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 1856 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\Ention.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 1412 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Users\Admin\AppData\Local\Temp\fe70bfde50bf46b298d0a63350d2cf4f.exe
PID 1412 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Users\Admin\AppData\Local\Temp\fe70bfde50bf46b298d0a63350d2cf4f.exe
PID 1412 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Users\Admin\AppData\Local\Temp\fe70bfde50bf46b298d0a63350d2cf4f.exe
PID 4972 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\fe70bfde50bf46b298d0a63350d2cf4f.exe C:\Users\Admin\AppData\Local\Temp\Ention.exe
PID 4972 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\fe70bfde50bf46b298d0a63350d2cf4f.exe C:\Users\Admin\AppData\Local\Temp\Ention.exe
PID 4972 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\fe70bfde50bf46b298d0a63350d2cf4f.exe C:\Users\Admin\AppData\Local\Temp\Ention.exe
PID 1536 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\Ention.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 1536 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\Ention.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 1536 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\Ention.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 1412 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Users\Admin\AppData\Local\Temp\1c174b145c8e4091a5774f9441cbf620.exe
PID 1412 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Users\Admin\AppData\Local\Temp\1c174b145c8e4091a5774f9441cbf620.exe
PID 1412 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Users\Admin\AppData\Local\Temp\1c174b145c8e4091a5774f9441cbf620.exe
PID 1412 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Users\Admin\AppData\Local\Temp\e88f17b8ff0a4f2ebbd6d3f2551f6ef4.exe
PID 1412 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Users\Admin\AppData\Local\Temp\e88f17b8ff0a4f2ebbd6d3f2551f6ef4.exe
PID 1412 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Users\Admin\AppData\Local\Temp\e88f17b8ff0a4f2ebbd6d3f2551f6ef4.exe
PID 1412 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Users\Admin\AppData\Local\Temp\7ae6b7a89ffa41948a832202917a02fd.exe
PID 1412 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Users\Admin\AppData\Local\Temp\7ae6b7a89ffa41948a832202917a02fd.exe
PID 1412 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Users\Admin\AppData\Local\Temp\5d71b00b8a674bc4bb44882ec07efcce.exe
PID 1412 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Users\Admin\AppData\Local\Temp\5d71b00b8a674bc4bb44882ec07efcce.exe
PID 1412 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Users\Admin\AppData\Local\Temp\5d71b00b8a674bc4bb44882ec07efcce.exe
PID 3656 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\5d71b00b8a674bc4bb44882ec07efcce.exe C:\Windows\SysWOW64\WScript.exe
PID 3656 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\5d71b00b8a674bc4bb44882ec07efcce.exe C:\Windows\SysWOW64\WScript.exe
PID 3656 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\5d71b00b8a674bc4bb44882ec07efcce.exe C:\Windows\SysWOW64\WScript.exe
PID 1412 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Users\Admin\AppData\Local\Temp\aa99e63a512a4219a7e849a1b04a46b1.exe
PID 1412 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Users\Admin\AppData\Local\Temp\aa99e63a512a4219a7e849a1b04a46b1.exe
PID 1412 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Users\Admin\AppData\Local\Temp\aa99e63a512a4219a7e849a1b04a46b1.exe
PID 3664 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\aa99e63a512a4219a7e849a1b04a46b1.exe C:\Windows\system32\cmd.exe
PID 3664 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\aa99e63a512a4219a7e849a1b04a46b1.exe C:\Windows\system32\cmd.exe
PID 3104 wrote to memory of 1444 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3104 wrote to memory of 1444 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1444 wrote to memory of 4452 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1444 wrote to memory of 4452 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1444 wrote to memory of 4856 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\New Client.exe

"C:\Users\Admin\AppData\Local\Temp\New Client.exe"

C:\Windows\SYSTEM32\TASKKILL.exe

TASKKILL /F /IM wscript.exe

C:\Windows\SYSTEM32\TASKKILL.exe

TASKKILL /F /IM cmd.exe

C:\Windows\SYSTEM32\taskkill.exe

taskkill /f im explorer.exe

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\explorer.exe

explorer.exe /LOADSAVEDWINDOWS

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca

C:\Users\Admin\AppData\Local\Temp\68e808a32a7445e081481e1a576a6eea.exe

"C:\Users\Admin\AppData\Local\Temp\68e808a32a7445e081481e1a576a6eea.exe"

C:\Users\Admin\AppData\Local\Temp\Ention.exe

"C:\Users\Admin\AppData\Local\Temp\Ention.exe"

C:\Users\Admin\AppData\Local\Temp\Locker.exe

"C:\Users\Admin\AppData\Local\Temp\Locker.exe"

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Новый текстовый документ.txt

C:\Users\Admin\AppData\Local\Temp\fe70bfde50bf46b298d0a63350d2cf4f.exe

"C:\Users\Admin\AppData\Local\Temp\fe70bfde50bf46b298d0a63350d2cf4f.exe"

C:\Users\Admin\AppData\Local\Temp\Ention.exe

"C:\Users\Admin\AppData\Local\Temp\Ention.exe"

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Новый текстовый документ.txt

C:\Users\Admin\AppData\Local\Temp\1c174b145c8e4091a5774f9441cbf620.exe

"C:\Users\Admin\AppData\Local\Temp\1c174b145c8e4091a5774f9441cbf620.exe"

C:\Users\Admin\AppData\Local\Temp\e88f17b8ff0a4f2ebbd6d3f2551f6ef4.exe

"C:\Users\Admin\AppData\Local\Temp\e88f17b8ff0a4f2ebbd6d3f2551f6ef4.exe"

C:\Users\Admin\AppData\Local\Temp\7ae6b7a89ffa41948a832202917a02fd.exe

"C:\Users\Admin\AppData\Local\Temp\7ae6b7a89ffa41948a832202917a02fd.exe"

C:\Users\Admin\AppData\Local\Temp\5d71b00b8a674bc4bb44882ec07efcce.exe

"C:\Users\Admin\AppData\Local\Temp\5d71b00b8a674bc4bb44882ec07efcce.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\loll.VBS"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004D0

C:\Users\Admin\AppData\Local\Temp\aa99e63a512a4219a7e849a1b04a46b1.exe

"C:\Users\Admin\AppData\Local\Temp\aa99e63a512a4219a7e849a1b04a46b1.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A2F3.tmp\A2F4.tmp\A2F5.bat C:\Users\Admin\AppData\Local\Temp\aa99e63a512a4219a7e849a1b04a46b1.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/lFwy2c-5Rwg

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffff6c23cb8,0x7ffff6c23cc8,0x7ffff6c23cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,16550767142821304254,2483594917616841752,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,16550767142821304254,2483594917616841752,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,16550767142821304254,2483594917616841752,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1936 /prefetch:2

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16550767142821304254,2483594917616841752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16550767142821304254,2483594917616841752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16550767142821304254,2483594917616841752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4532 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16550767142821304254,2483594917616841752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1924,16550767142821304254,2483594917616841752,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4036 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16550767142821304254,2483594917616841752,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,16550767142821304254,2483594917616841752,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,16550767142821304254,2483594917616841752,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 /prefetch:8

Network

Country Destination Domain Proto
US 147.185.221.16:38277 cut-britney.gl.at.ply.gg tcp
US 52.111.229.43:443 tcp
GB 92.123.128.181:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 147.185.221.16:38277 cut-britney.gl.at.ply.gg tcp
GB 172.217.16.238:443 www.youtube.com tcp
GB 142.250.200.14:443 www.youtube.com udp
US 8.8.8.8:53 rr1---sn-1gi7znes.googlevideo.com udp
GB 216.58.213.22:443 i.ytimg.com tcp
CH 173.194.160.70:443 rr1---sn-1gi7znes.googlevideo.com tcp
US 8.8.8.8:53 22.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 234.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 70.160.194.173.in-addr.arpa udp
GB 216.58.213.22:443 i.ytimg.com udp
NL 108.177.119.84:443 accounts.google.com tcp
NL 108.177.119.84:443 accounts.google.com udp
US 173.194.140.234:443 rr5---sn-q4fl6nde.googlevideo.com udp
GB 172.217.169.10:443 jnn-pa.googleapis.com tcp
GB 172.217.169.10:443 jnn-pa.googleapis.com udp
GB 172.217.16.225:443 yt3.ggpht.com tcp
GB 142.250.178.4:443 www.google.com tcp
GB 142.250.187.238:443 youtube.com tcp
N/A 224.0.0.251:5353 udp

Files

SHA256 4912fa3b091e756ea7862661348a097868dc8bd20ede54093dbc7a05c6363a23
SHA512 6f337727730ed9a550a4619690c66ee5dc1523b5c31fd09ac4d9d495805d847c46753b120045ccb822998fbf1688713d570c0fd8d51c2e72caeb870ad5a51051

C:\Users\Admin\AppData\Local\Temp\7ae6b7a89ffa41948a832202917a02fd.exe

MD5 828a19452ab8427212994c558b37b93c
SHA1 5847b4491f6ef4bbcf1a49b305a7403ce27cb4ba
SHA256 259addf9bc00c8ba891377c977a764b9a57422b8d803b41be0d431013fc46ce0
SHA512 194e48403a1898656916ccb87cb71c9201d212ef6adc49f255f73982e69d9c4f47fbce5ed67484589e58bfb7f5256c55271fb65d9ebc257bc733c10424883147

memory/760-637-0x00007FFFF0C30000-0x00007FFFF16F2000-memory.dmp

memory/760-638-0x00000000006A0000-0x0000000001A64000-memory.dmp

memory/760-644-0x000000001C780000-0x000000001C790000-memory.dmp

C:\Users\Admin\Pictures\Fixed.RemoveUntif

MD5 a54f0041a9e15b050f25c463f1db7449
SHA1 d9be6524a5f5047db5866813acf3277892a7a30a
SHA256 ad95131bc0b799c0b1af477fb14fcf26a6a9f76079e48bf090acb7e8367bfd0e
SHA512 ea71bb243b0b2db729b9eb88e3c55a3f490fbff23457825051224a1fe6e6d3f480590cfa3a4a6b12c622d6ac366feb03cd17004ed004cb3f0d52731626946679

memory/760-767-0x00007FFFF0C30000-0x00007FFFF16F2000-memory.dmp

memory/760-777-0x000000001C780000-0x000000001C790000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5d71b00b8a674bc4bb44882ec07efcce.exe

MD5 ce016dac7becf882e7f17190457ee568
SHA1 f2b1262fa3f78de8cc88062a36e98ce4e50e8967
SHA256 c0a140b3a484617da0127159e7cce955d6749019dffaae2e1c3b0ed65ad8b9b4
SHA512 007775b3a61cee71c30f40f274714b7fc86704904ea0b587649e19638718a9f13fd9e1491dd6eb0688c00d9cc03806c60594adcf52687e681918fb4cd14a7a8c

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

MD5 7050d5ae8acfbe560fa11073fef8185d
SHA1 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256 cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512 a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

memory/2712-935-0x0000000005BF0000-0x0000000005C00000-memory.dmp

memory/2712-936-0x0000000005BF0000-0x0000000005C00000-memory.dmp

memory/2712-937-0x0000000005BF0000-0x0000000005C00000-memory.dmp

memory/2712-938-0x0000000005BF0000-0x0000000005C00000-memory.dmp

memory/2712-939-0x0000000005BF0000-0x0000000005C00000-memory.dmp

memory/2712-941-0x0000000005BF0000-0x0000000005C00000-memory.dmp

memory/2712-940-0x0000000005BF0000-0x0000000005C00000-memory.dmp

memory/2712-942-0x0000000005BF0000-0x0000000005C00000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aa99e63a512a4219a7e849a1b04a46b1.exe

MD5 dd15af9b32ea193e0c82887e4601f2a7
SHA1 bab37b838bc1d858906f1ddc66c5d1168320d192
SHA256 7189f55b3d5153bd190991dc5e3349755e300fd20b0e52a34e57579e20308888
SHA512 f51542a4f6ae0d92cfe18afe4ff64c4961e04e24f2fa88da1adcaeebae28928c63e3d33e975fd413608fd3d03c5111340dbd8c4ff6a721e72154f5b7c5a54688

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ded21ddc295846e2b00e1fd766c807db
SHA1 497eb7c9c09cb2a247b4a3663ce808869872b410
SHA256 26025f86effef56caa2ee50a64e219c762944b1e50e465be3a6b454bc0ed7305
SHA512 ddfaa73032590de904bba398331fdbf188741d96a17116ada50298b42d6eb7b20d6e50b0cfae8b17e2f145997b8ebce6c8196e6f46fbe11f133d3d82ce3656db

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 a0407c5de270b9ae0ceee6cb9b61bbf1
SHA1 fb2bb8184c1b8e680bf873e5537e1260f057751e
SHA256 a56989933628f6a677ad09f634fc9b7dd9cf7d06c72a76ddbb8221bc4a62ffcd
SHA512 65162bf07705dfdd348d4eaf0a3feba08dc2c0942a3a052b4492d0675ab803b104c03c945f5608fac9544681e0fe8b81d1aaca859663e79aa87fcb591ddb8136

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 8ee442ad0a89e71ba1b03dfc9770420d
SHA1 73622156b12f67e42b38b08d5af1419e4c5076c0
SHA256 d1d3c32546a06ef36a4317a11a8b5b8a1034063bf1d9ea4735abfb9702740b14
SHA512 5745a6d5cd88a2b3a28567fa82312918690b2c96a64f2c91e2bff6100509508762722858633c31c232c4432aa28c0bf70d09ac5917ad12f49c6ed05313fb1f24

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 2140e6f8b3fdd96e7dd0335e245b3be1
SHA1 9e60c19d3bb2291ab66da03144ad6eb9c2349509
SHA256 583a8a51cf921a87d398d58663a9a7cdb45951b38afd1f89a2640940b21a1440
SHA512 5b2cb9dd7e4b90fb2576f42a8c1b03e43f94c8fc8cb0820d0161ea407ae9db0e76351f4fd73630cb6a38a604dfe7a8871245b509932aa2e0dffaa86ba2c0ff7b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 7907f093288ffc648b36ec2ca2243c50
SHA1 d55929ed899e90c710bd395bfcb5cf2679275dfa
SHA256 93a80995599d5798cc8959005531e2fe945d1f7ab8068d85b34c32087c3fb2dc
SHA512 70eb903ba7d0f02d55da67207d02c23cb204ed4c87dbd2d202546c38f572793874b5e782fce6770c5e03cd5f016d09ef1df32da3c4ff05f2adf72c9db5b789b3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe72adc1.TMP

MD5 c8a53e178fd411858b7eb6c4d978e0ef
SHA1 f2fd90744d49f68d11219bdce3546095f02e7138
SHA256 872de3ade2da941fa404f099421202dfa7bdc55df94d514ce70b55079c84c4b5
SHA512 2b7d1187129c4e013e428bb26bbab2dbc76d99fcdc6f24cb746c1bb5a013c6d42ff67d5c4ba6ed9923a1b1ea4465734ea58ecacaad848751dc464b539885aea1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 0989cb3ecc0b3d1d6a5f57270ddf6d91
SHA1 f451e756c6b6b6e8e82d2439450c5c6de50f4046
SHA256 d8974f13e71a5cf5b893e271b1b2e23b75e0a7da7fc050439790231b303aa80e
SHA512 9abbc34b5384c494c3367bb5942d590acb594c7bbd45c623bf17594a0121e0c35b5800aef5fe7eaaf7c1765e9fa97effe6f402bffeea8c152b66369f3a7e95a4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 482ea82ba186de352788bb92a5a2b8d1
SHA1 48d4d3097f0cfc401bf6fbc312032c5919f21027
SHA256 c8cfc19e73653b63d2998ff132e0811502f7b5b700a75453a0327db36c8034e1
SHA512 6e591f0fe7e4d59e77f64a5ad9cdff150aacc4dea1ff94cd027e0f4f8482316336713c7c3adadb7eba74e98f5c2f1a1f0a91cd380f99955112fc91ef10f738c5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 cd79a83128ab5b0c9dee0754423457d3
SHA1 352845a4f929788d9b045cfd8ef03fe93595c4a0
SHA256 19494da60cdd103a2e4c05d105825f6212b6245471d23e9b12ee5382b52f687a
SHA512 1cecae15a3b2c3873169501fdee924c0689f15e2c99626f6fbd026af82e25a5c5155599543536a33a0f032ffe210ff0d1a581e5e62de59244e6e2989763fc71d
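Added example, not part of the sandbox report: the Files list above records every dropped or modified file as a path line followed by MD5, SHA1, SHA256 and SHA512 lines, with memory dumps interleaved as memory/<pid>-<n>-<start>-<end>-memory.dmp entries. The Python below parses that layout from a constructed excerpt (three records and two dump entries copied from the list), validates each digest's length and alphabet, separates dumps from on-disk files, and keeps only the SHA256 values of executables written under Temp or System32. Which directories count as blockable is an assumption of this example (the modified user documents and browser profile files in the list change on every run and make poor indicators), not something the report states.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt, copied from the Files list in the report's own layout.
REPORT_EXCERPT = r"""
C:\Users\Admin\Music\Lock.desktop.ini

MD5 3e5d2582a5d0c915afef6c8cafa343d1
SHA1 7062928a2ec000838f78dce8c48693a1859471e1
SHA256 34ae08d15c34e017facda7c39f7b5f9e8cc891b160072b908969a1a2523772aa
SHA512 2cb2f561be74448d361099883ea4fdb9a1ea17a82970459fff7e35802617726561b52955b147d5fb23d3a3bb3d88539af645886c2d0e46716fba5c641a2b90b7

C:\Users\Admin\AppData\Local\Temp\7ae6b7a89ffa41948a832202917a02fd.exe

MD5 828a19452ab8427212994c558b37b93c
SHA1 5847b4491f6ef4bbcf1a49b305a7403ce27cb4ba
SHA256 259addf9bc00c8ba891377c977a764b9a57422b8d803b41be0d431013fc46ce0
SHA512 194e48403a1898656916ccb87cb71c9201d212ef6adc49f255f73982e69d9c4f47fbce5ed67484589e58bfb7f5256c55271fb65d9ebc257bc733c10424883147

memory/760-637-0x00007FFFF0C30000-0x00007FFFF16F2000-memory.dmp

memory/760-638-0x00000000006A0000-0x0000000001A64000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 8ee442ad0a89e71ba1b03dfc9770420d
SHA1 73622156b12f67e42b38b08d5af1419e4c5076c0
SHA256 d1d3c32546a06ef36a4317a11a8b5b8a1034063bf1d9ea4735abfb9702740b14
SHA512 5745a6d5cd88a2b3a28567fa82312918690b2c96a64f2c91e2bff6100509508762722858633c31c232c4432aa28c0bf70d09ac5917ad12f49c6ed05313fb1f24
"""

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
MEMORY_DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HEX_RE = re.compile(r"^[0-9a-f]+$")
# Assumption of this example: only executables written here are worth blocking by hash.
BLOCKABLE_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\system32\\")


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)


@dataclass
class MemoryDump:
    pid: int
    index: int
    start: int
    end: int


def parse_files_section(text):
    """Split a Files listing into (dropped files, memory dumps), validating every digest."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEMORY_DUMP_RE.match(line)
        if m:
            dumps.append(MemoryDump(int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)))
            current = None  # a dump entry ends the previous file record
            continue
        algo, _, digest = line.partition(" ")
        if algo in HASH_LENGTHS and current is not None:
            if len(digest) != HASH_LENGTHS[algo] or not HEX_RE.match(digest):
                raise ValueError(f"malformed {algo} for {current.path}: {digest}")
            current.hashes[algo] = digest
            continue
        current = DroppedFile(path=line)  # anything else starts a new file record
        files.append(current)
    return files, dumps


def blocklist(files):
    """SHA256 -> path for executables dropped in the directories this example treats as blockable."""
    out = {}
    for f in files:
        p = f.path.lower()
        if p.endswith(".exe") and any(d in p for d in BLOCKABLE_DIRS) and "SHA256" in f.hashes:
            out[f.hashes["SHA256"]] = f.path
    return out


def dump_regions(dumps):
    """pid -> [(start, size)] so large regions (unpacked payloads) stand out."""
    regions = {}
    for d in dumps:
        regions.setdefault(d.pid, []).append((d.start, d.end - d.start))
    return regions


if __name__ == "__main__":
    files, dumps = parse_files_section(REPORT_EXCERPT)
    for sha256, path in blocklist(files).items():
        print(sha256, path)
    for pid, regs in dump_regions(dumps).items():
        print(pid, [f"0x{s:X}+0x{n:X}" for s, n in regs])
```

Run against the full list, the same parser also surfaces the two dump regions of PID 760 in the 0x1000000-byte range, which is where an unpacked payload would be carved from.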

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-24 03:23

Reported

2024-02-24 04:42

Platform

win7-20240221-en

Max time kernel

1807s

Max time network

1819s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New Client.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.url C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\New Client.exe\" .." C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\New Client.exe\" .." C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
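Added example, not part of the sandbox report: the two Run entries above, together with the Startup-folder and System32 drops recorded for this run, are the persistence set a responder would hunt for on other hosts. The Python below takes indicator rows in the report's own "Description Indicator Process Target" layout (four rows copied from this analysis plus one constructed benign Run entry for contrast), decodes the escaped registry value, and applies four checks: a Run value of the form "<path>" .. (the trailing two-dot argument njRAT writes, visible in both entries above), a Run entry in either hive that points into a user-writable directory, a file created in the Start Menu Startup folder, and an .exe created in System32 by a process that does not itself run from Windows or Program Files. The rule names, the benign row and the directory lists are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed input: four indicator rows copied from the signature tables of
# this analysis, plus one benign-looking Run entry made up for contrast.
ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\New Client.exe\" .." C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\New Client.exe\" .." C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A',
    r'File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A',
    r'File created C:\windows\system32\annrns.exe C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A',
    # constructed benign entry, not from the report
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "C:\\Windows\\system32\\SecurityHealthSystray.exe" C:\Windows\explorer.exe N/A',
]

# The process column always starts with a drive letter, which is how the
# space-separated path columns can be told apart.
SET_VALUE_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\.+?) = "(?P<value>(?:[^"\\]|\\.)*)" '
    r'(?P<process>[A-Za-z]:\\.+) N/A$')
FILE_CREATED_RE = re.compile(r'^File created (?P<target>.+?) (?P<process>[A-Za-z]:\\.+) N/A$')
# njRAT-style Run value: the quoted executable path followed by a lone ".." argument.
NJRAT_RUN_RE = re.compile(r'^"(?P<path>[^"]+)" \.\.$')

# Directory heuristics assumed by this example.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")
OS_PREFIXES = ("c:\\windows\\", "c:\\program files")


@dataclass(frozen=True)
class Finding:
    rule: str
    artefact: str
    process: str


def unescape(value):
    """Undo the report's JSON-style escaping of registry string values."""
    return value.replace('\\"', '"').replace('\\\\', '\\')


def in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def is_os_process(path):
    return path.lower().startswith(OS_PREFIXES)


def check_row(row):
    """Apply the four persistence checks to one indicator row."""
    findings = []
    m = SET_VALUE_RE.match(row)
    if m and "\\currentversion\\run\\" in m["key"].lower():
        value, proc = unescape(m["value"]), m["process"]
        n = NJRAT_RUN_RE.match(value)
        if n:
            findings.append(Finding("njrat_run_value", value, proc))
        target = n["path"] if n else value.strip('"')
        hive = "HKLM" if m["key"].upper().startswith("\\REGISTRY\\MACHINE") else "HKU"
        if in_user_writable(target):
            findings.append(Finding(f"run_key_{hive}_user_writable_target", target, proc))
        return findings
    m = FILE_CREATED_RE.match(row)
    if m:
        target, proc = m["target"], m["process"]
        t = target.lower()
        if "\\start menu\\programs\\startup\\" in t:
            findings.append(Finding("startup_folder_drop", target, proc))
        elif t.startswith("c:\\windows\\system32\\") and t.endswith(".exe") and not is_os_process(proc):
            findings.append(Finding("system32_exe_drop_by_nonsystem_process", target, proc))
    return findings


def scan(rows):
    return [f for row in rows for f in check_row(row)]


if __name__ == "__main__":
    for f in scan(ROWS):
        print(f"{f.rule:40} {f.artefact}  <- {f.process}")
```

The same value check also works on live hosts: export HKCU and HKLM Run keys and feed each value through NJRAT_RUN_RE; the HKLM write only succeeds when the sample runs elevated, which is why the report shows both hives here.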

Drops file in System32 directory

Description Indicator Process Target
File created C:\windows\system32\annrns.exe C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\698415d7cec947128a715922130fd22d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d9e81b8cdbbb431fb34455d7c346bbb7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d9e81b8cdbbb431fb34455d7c346bbb7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d9e81b8cdbbb431fb34455d7c346bbb7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d9e81b8cdbbb431fb34455d7c346bbb7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d9e81b8cdbbb431fb34455d7c346bbb7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\698415d7cec947128a715922130fd22d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\698415d7cec947128a715922130fd22d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\698415d7cec947128a715922130fd22d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\698415d7cec947128a715922130fd22d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\698415d7cec947128a715922130fd22d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\698415d7cec947128a715922130fd22d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\698415d7cec947128a715922130fd22d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\698415d7cec947128a715922130fd22d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\698415d7cec947128a715922130fd22d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\698415d7cec947128a715922130fd22d.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\698415d7cec947128a715922130fd22d.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\TASKKILL.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\698415d7cec947128a715922130fd22d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d9e81b8cdbbb431fb34455d7c346bbb7.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\TASKKILL.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3008 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Windows\system32\TASKKILL.exe
PID 3008 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Windows\system32\TASKKILL.exe
PID 3008 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Windows\system32\TASKKILL.exe
PID 3008 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Windows\system32\TASKKILL.exe
PID 3008 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Windows\system32\TASKKILL.exe
PID 3008 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Windows\system32\TASKKILL.exe
PID 3008 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Windows\system32\taskkill.exe
PID 3008 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Windows\system32\taskkill.exe
PID 3008 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Windows\system32\taskkill.exe
PID 3008 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Users\Admin\AppData\Local\Temp\d9e81b8cdbbb431fb34455d7c346bbb7.exe
PID 3008 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Users\Admin\AppData\Local\Temp\d9e81b8cdbbb431fb34455d7c346bbb7.exe
PID 3008 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Users\Admin\AppData\Local\Temp\d9e81b8cdbbb431fb34455d7c346bbb7.exe
PID 3008 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Users\Admin\AppData\Local\Temp\d9e81b8cdbbb431fb34455d7c346bbb7.exe
PID 3008 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Users\Admin\AppData\Local\Temp\698415d7cec947128a715922130fd22d.exe
PID 3008 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Users\Admin\AppData\Local\Temp\698415d7cec947128a715922130fd22d.exe
PID 3008 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Users\Admin\AppData\Local\Temp\698415d7cec947128a715922130fd22d.exe
PID 3008 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Users\Admin\AppData\Local\Temp\698415d7cec947128a715922130fd22d.exe
PID 2504 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\698415d7cec947128a715922130fd22d.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2504 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\698415d7cec947128a715922130fd22d.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2504 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\698415d7cec947128a715922130fd22d.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2504 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\698415d7cec947128a715922130fd22d.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 1620 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\d9e81b8cdbbb431fb34455d7c346bbb7.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 1620 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\d9e81b8cdbbb431fb34455d7c346bbb7.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 1620 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\d9e81b8cdbbb431fb34455d7c346bbb7.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 1620 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\d9e81b8cdbbb431fb34455d7c346bbb7.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2504 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\698415d7cec947128a715922130fd22d.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2504 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\698415d7cec947128a715922130fd22d.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2504 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\698415d7cec947128a715922130fd22d.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 2504 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\698415d7cec947128a715922130fd22d.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 1620 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\d9e81b8cdbbb431fb34455d7c346bbb7.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 1620 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\d9e81b8cdbbb431fb34455d7c346bbb7.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 1620 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\d9e81b8cdbbb431fb34455d7c346bbb7.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 1620 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\d9e81b8cdbbb431fb34455d7c346bbb7.exe C:\Windows\SysWOW64\TASKKILL.exe
PID 3008 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
PID 3008 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
PID 3008 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
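Added example, not part of the sandbox report: the WriteProcessMemory table above logs one row per write, so a single child launch appears three or four times and the process tree is hard to read. The Python below parses ten rows copied from the table (a subset; the full run also has children 2756, 3052 and 3056) into parent/child edges with a write count per edge and renders the tree in first-seen order. For this Win7 run it shows New Client.exe (3008) starting three taskkill instances and the two dropped executables, each of which starts its own taskkill, and finally dw20.exe, the .NET Framework error-reporting shim that runs when a managed process raises an unhandled exception, which is consistent with the sample crashing after it set up persistence. The row regex assumes the target image always starts with a drive letter, which holds for every row in this report.

```python
import re
from collections import defaultdict

# Constructed input: ten rows copied from the WriteProcessMemory table above.
ROWS = [
    r"PID 3008 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Windows\system32\TASKKILL.exe",
    r"PID 3008 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Windows\system32\TASKKILL.exe",
    r"PID 3008 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Windows\system32\TASKKILL.exe",
    r"PID 3008 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Windows\system32\taskkill.exe",
    r"PID 3008 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Users\Admin\AppData\Local\Temp\d9e81b8cdbbb431fb34455d7c346bbb7.exe",
    r"PID 3008 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Users\Admin\AppData\Local\Temp\d9e81b8cdbbb431fb34455d7c346bbb7.exe",
    r"PID 3008 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Users\Admin\AppData\Local\Temp\698415d7cec947128a715922130fd22d.exe",
    r"PID 2504 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\698415d7cec947128a715922130fd22d.exe C:\Windows\SysWOW64\TASKKILL.exe",
    r"PID 1620 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\d9e81b8cdbbb431fb34455d7c346bbb7.exe C:\Windows\SysWOW64\TASKKILL.exe",
    r"PID 3008 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe",
]

# Both image columns may contain spaces; the target image starts with a drive
# letter, which is the only reliable separator in this layout.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
    r"(?P<src_image>.+?) (?P<dst_image>[A-Za-z]:\\.+)$")


def parse_rows(rows):
    """Return (edges, images): edges maps (src, dst) -> write count, images maps pid -> path."""
    edges, images = defaultdict(int), {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unparsed row: {row}")
        src, dst = int(m["src"]), int(m["dst"])
        edges[(src, dst)] += 1  # insertion order preserves first-seen order
        images.setdefault(src, m["src_image"])
        images.setdefault(dst, m["dst_image"])
    return dict(edges), images


def build_tree(edges):
    """Return (roots, children): roots are pids never written to by anyone."""
    children = defaultdict(list)
    for (src, dst), n in edges.items():
        children[src].append((dst, n))
    targets = {dst for _, dst in edges}
    roots = [src for src in dict.fromkeys(src for src, _ in edges) if src not in targets]
    return roots, dict(children)


def render(rows):
    """Indented one-line-per-process view with the number of writes behind each child."""
    edges, images = parse_rows(rows)
    roots, children = build_tree(edges)
    lines = []

    def walk(pid, depth, writes):
        suffix = f"  [{writes} write(s)]" if writes else ""
        lines.append("  " * depth + f"{pid} {images[pid]}{suffix}")
        for child, n in children.get(pid, []):
            walk(child, depth + 1, n)

    for root in roots:
        walk(root, 0, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render(ROWS)))
```

Tree order follows the first write to each child, so it also gives the launch sequence: the taskkill calls come before the dropped executables, and dw20.exe is last.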

Processes

C:\Users\Admin\AppData\Local\Temp\New Client.exe

"C:\Users\Admin\AppData\Local\Temp\New Client.exe"

C:\Windows\system32\TASKKILL.exe

TASKKILL /F /IM wscript.exe

C:\Windows\system32\TASKKILL.exe

TASKKILL /F /IM cmd.exe

C:\Windows\system32\taskkill.exe

taskkill /f im explorer.exe

C:\Users\Admin\AppData\Local\Temp\d9e81b8cdbbb431fb34455d7c346bbb7.exe

"C:\Users\Admin\AppData\Local\Temp\d9e81b8cdbbb431fb34455d7c346bbb7.exe"

C:\Users\Admin\AppData\Local\Temp\698415d7cec947128a715922130fd22d.exe

"C:\Users\Admin\AppData\Local\Temp\698415d7cec947128a715922130fd22d.exe"

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /IM wscript.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /IM wscript.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /IM cmd.exe

C:\Windows\SysWOW64\TASKKILL.exe

TASKKILL /F /IM cmd.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe

dw20.exe -x -s 1200

Network

Country Destination Domain Proto
US 8.8.8.8:53 cut-britney.gl.at.ply.gg udp
US 147.185.221.16:38277 cut-britney.gl.at.ply.gg tcp
US 147.185.221.16:38277 cut-britney.gl.at.ply.gg tcp

Files

memory/3008-0-0x0000000001E50000-0x0000000001E8A000-memory.dmp

memory/3008-1-0x000007FEF4810000-0x000007FEF51AD000-memory.dmp

memory/3008-2-0x00000000001E0000-0x0000000000260000-memory.dmp

memory/3008-3-0x000007FEF4810000-0x000007FEF51AD000-memory.dmp

memory/3008-7-0x000007FEF4810000-0x000007FEF51AD000-memory.dmp

memory/3008-8-0x00000000001E0000-0x0000000000260000-memory.dmp

memory/3008-9-0x000007FEF4810000-0x000007FEF51AD000-memory.dmp

memory/3008-10-0x00000000001E0000-0x0000000000260000-memory.dmp

memory/3008-11-0x0000000000570000-0x000000000057A000-memory.dmp

memory/3008-12-0x00000000001E0000-0x0000000000260000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d9e81b8cdbbb431fb34455d7c346bbb7.exe

MD5 a85056ecfbf94af8efaa2e9dcec8ebb1
SHA1 f081275fbbdddad10689e185a750e1fd1ca0d0e5
SHA256 e00d04dcc4489101599f86df3956673c2ebcb8adbf05fb603266b91e9336b955
SHA512 c510e21e4d5b2b8fb2e7e902f74a6befbe20896490e607d640a2611020f20cede1d154e894fde5be8a6a2e564d2d7eb6d741d9b3ef21cdbefc5abdbc6a056fa9

memory/1620-19-0x0000000074510000-0x0000000074ABB000-memory.dmp

memory/1620-20-0x0000000000C40000-0x0000000000C80000-memory.dmp

memory/1620-21-0x0000000074510000-0x0000000074ABB000-memory.dmp

memory/2504-28-0x0000000074510000-0x0000000074ABB000-memory.dmp

memory/1620-29-0x0000000074510000-0x0000000074ABB000-memory.dmp

memory/1620-30-0x0000000000C40000-0x0000000000C80000-memory.dmp

memory/1620-31-0x0000000074510000-0x0000000074ABB000-memory.dmp

memory/1620-32-0x0000000074510000-0x0000000074ABB000-memory.dmp

memory/2504-33-0x0000000074510000-0x0000000074ABB000-memory.dmp

memory/2900-34-0x0000000001E20000-0x0000000001E21000-memory.dmp

memory/2504-46-0x0000000074510000-0x0000000074ABB000-memory.dmp

memory/2900-47-0x0000000001E20000-0x0000000001E21000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-24 03:23

Reported

2024-02-24 04:42

Platform

win10-20240221-en

Max time kernel

1800s

Max time network

1809s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New Client.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.url C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\New Client.exe\" .." C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\New Client.exe\" .." C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\157fa94688624d349c00db3c51c8581a.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\157fa94688624d349c00db3c51c8581a.exe N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\157fa94688624d349c00db3c51c8581a.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\157fa94688624d349c00db3c51c8581a.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\157fa94688624d349c00db3c51c8581a.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\157fa94688624d349c00db3c51c8581a.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\157fa94688624d349c00db3c51c8581a.exe N/A
File opened (read-only) \??\a: C:\Users\Admin\AppData\Local\Temp\157fa94688624d349c00db3c51c8581a.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\157fa94688624d349c00db3c51c8581a.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\157fa94688624d349c00db3c51c8581a.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\157fa94688624d349c00db3c51c8581a.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\157fa94688624d349c00db3c51c8581a.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\157fa94688624d349c00db3c51c8581a.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\157fa94688624d349c00db3c51c8581a.exe N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\157fa94688624d349c00db3c51c8581a.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\157fa94688624d349c00db3c51c8581a.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\157fa94688624d349c00db3c51c8581a.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\157fa94688624d349c00db3c51c8581a.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\157fa94688624d349c00db3c51c8581a.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\157fa94688624d349c00db3c51c8581a.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\157fa94688624d349c00db3c51c8581a.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\157fa94688624d349c00db3c51c8581a.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\WScript.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\157fa94688624d349c00db3c51c8581a.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\windows\system32\tjbbns.exe C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wl.jpg" C:\Users\Admin\AppData\Local\Temp\157fa94688624d349c00db3c51c8581a.exe N/A

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\TASKKILL.exe N/A
N/A N/A C:\Windows\SYSTEM32\TASKKILL.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\157fa94688624d349c00db3c51c8581a.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\6a34055d7546487c979a4f66440271b7.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\TASKKILL.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\TASKKILL.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A
Token: 33 / Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe N/A (the two rows above repeat alternately a further 28 and 27 times for the same process; privilege LUID 33 is SeIncreaseWorkingSetPrivilege, which the sandbox leaves unresolved. Ordinary runtimes toggle both of these privileges when adjusting working set or thread priority, so this signature corroborates the others rather than standing on its own.)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4404 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Windows\SYSTEM32\TASKKILL.exe
PID 4404 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Windows\SYSTEM32\TASKKILL.exe
PID 4404 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Windows\SYSTEM32\TASKKILL.exe
PID 4404 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Windows\SYSTEM32\TASKKILL.exe
PID 4404 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Windows\SYSTEM32\taskkill.exe
PID 4404 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Windows\SYSTEM32\taskkill.exe
PID 4404 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Users\Admin\AppData\Local\Temp\157fa94688624d349c00db3c51c8581a.exe
PID 4404 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Users\Admin\AppData\Local\Temp\157fa94688624d349c00db3c51c8581a.exe
PID 4404 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Users\Admin\AppData\Local\Temp\157fa94688624d349c00db3c51c8581a.exe
PID 4404 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Users\Admin\AppData\Local\Temp\6a34055d7546487c979a4f66440271b7.exe
PID 4404 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Users\Admin\AppData\Local\Temp\6a34055d7546487c979a4f66440271b7.exe
PID 4404 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Users\Admin\AppData\Local\Temp\6a34055d7546487c979a4f66440271b7.exe
PID 4200 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\6a34055d7546487c979a4f66440271b7.exe C:\Windows\SysWOW64\WScript.exe
PID 4200 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\6a34055d7546487c979a4f66440271b7.exe C:\Windows\SysWOW64\WScript.exe
PID 4200 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\6a34055d7546487c979a4f66440271b7.exe C:\Windows\SysWOW64\WScript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\New Client.exe

"C:\Users\Admin\AppData\Local\Temp\New Client.exe"

C:\Windows\SYSTEM32\TASKKILL.exe

TASKKILL /F /IM wscript.exe

C:\Windows\SYSTEM32\TASKKILL.exe

TASKKILL /F /IM cmd.exe

C:\Windows\SYSTEM32\taskkill.exe

taskkill /f im explorer.exe

C:\Users\Admin\AppData\Local\Temp\157fa94688624d349c00db3c51c8581a.exe

"C:\Users\Admin\AppData\Local\Temp\157fa94688624d349c00db3c51c8581a.exe"

C:\Users\Admin\AppData\Local\Temp\6a34055d7546487c979a4f66440271b7.exe

"C:\Users\Admin\AppData\Local\Temp\6a34055d7546487c979a4f66440271b7.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\loll.VBS"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x248
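The WriteProcessMemory rows and the Processes list above together describe this detonation's process tree, but the report prints them as two flat tables with repeated rows and no PIDs on the command lines. The script below is an added example, not part of the sandbox report or its tooling: it parses both tables (rows copied from above; the parser, function names and the taskkill check are this example's own), collapses the duplicate writes that the sandbox logs per CreateProcess, joins image paths to command lines in report order, and renders the tree. It also flags the three taskkill children and records whether each command line is well formed.

```python
import re
from collections import defaultdict

# Rows copied from the WriteProcessMemory table above; the sandbox logs
# several writes per CreateProcess, so one repeat is kept to exercise dedup.
WPM_ROWS = r"""
PID 4404 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Windows\SYSTEM32\TASKKILL.exe
PID 4404 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Windows\SYSTEM32\TASKKILL.exe
PID 4404 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Windows\SYSTEM32\TASKKILL.exe
PID 4404 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Windows\SYSTEM32\taskkill.exe
PID 4404 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Users\Admin\AppData\Local\Temp\157fa94688624d349c00db3c51c8581a.exe
PID 4404 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\New Client.exe C:\Users\Admin\AppData\Local\Temp\6a34055d7546487c979a4f66440271b7.exe
PID 4200 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\6a34055d7546487c979a4f66440271b7.exe C:\Windows\SysWOW64\WScript.exe
"""

# Image / command-line pairs copied from the Processes list above (AUDIODG.EXE
# omitted: the WriteProcessMemory table records no parent for it).
PROCESS_ROWS = r"""
C:\Users\Admin\AppData\Local\Temp\New Client.exe
"C:\Users\Admin\AppData\Local\Temp\New Client.exe"
C:\Windows\SYSTEM32\TASKKILL.exe
TASKKILL /F /IM wscript.exe
C:\Windows\SYSTEM32\TASKKILL.exe
TASKKILL /F /IM cmd.exe
C:\Windows\SYSTEM32\taskkill.exe
taskkill /f im explorer.exe
C:\Users\Admin\AppData\Local\Temp\157fa94688624d349c00db3c51c8581a.exe
"C:\Users\Admin\AppData\Local\Temp\157fa94688624d349c00db3c51c8581a.exe"
C:\Users\Admin\AppData\Local\Temp\6a34055d7546487c979a4f66440271b7.exe
"C:\Users\Admin\AppData\Local\Temp\6a34055d7546487c979a4f66440271b7.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\loll.VBS"
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+)$")
# Image paths may contain spaces ("New Client.exe"): split only in front of a drive letter.
PATH_SPLIT_RE = re.compile(r" (?=[A-Za-z]:\\)")

def parse_wpm_rows(text):
    """Ordered, de-duplicated (parent_pid, parent_image, child_pid, child_image) edges."""
    edges = {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        paths = PATH_SPLIT_RE.split(m.group(3))
        if len(paths) != 2:
            raise ValueError(f"cannot split image paths in row: {line!r}")
        edges.setdefault((int(m.group(1)), int(m.group(2))), tuple(paths))
    return [(p, pi, c, ci) for (p, c), (pi, ci) in edges.items()]

def parse_process_rows(text):
    """Lower-cased image path -> command lines in report order (NTFS paths are case-insensitive)."""
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    cmdlines = defaultdict(list)
    for image, cmdline in zip(lines[0::2], lines[1::2]):
        cmdlines[image.lower()].append(cmdline)
    return cmdlines

def build_tree(edges, cmdlines):
    """Return (root_pids, children, info) with info[pid] == (image, command line)."""
    children, info = defaultdict(list), {}
    pending = {k: list(v) for k, v in cmdlines.items()}  # consumed in report order
    def assign(pid, image):
        if pid not in info:
            queue = pending.get(image.lower(), [])
            info[pid] = (image, queue.pop(0) if queue else "")
    for ppid, pimg, cpid, cimg in edges:
        assign(ppid, pimg)
        assign(cpid, cimg)
        children[ppid].append(cpid)
    spawned = {c for kids in children.values() for c in kids}
    return [pid for pid in info if pid not in spawned], children, info

def render(pids, children, info, depth=0):
    """Indented parent -> child listing, one line per process."""
    out = []
    for pid in pids:
        image, cmd = info[pid]
        out.append("  " * depth + f"{pid}  {image}  [{cmd}]")
        out.extend(render(children.get(pid, []), children, info, depth + 1))
    return out

def killed_images(info):
    """(pid, target image, well_formed) per taskkill child. well_formed is False when
    /IM lacks its slash, as in 'taskkill /f im explorer.exe' above: taskkill rejects
    that as an invalid argument, so explorer.exe would not actually be terminated."""
    found = []
    for pid, (_, cmd) in info.items():
        args = cmd.split()
        if args and args[0].lower() == "taskkill":
            found.append((pid, args[-1].lower(), "/im" in {a.lower() for a in args[1:-1]}))
    return found

if __name__ == "__main__":
    roots, children, info = build_tree(parse_wpm_rows(WPM_ROWS), parse_process_rows(PROCESS_ROWS))
    print("\n".join(render(roots, children, info)))
    print("taskkill targets:", killed_images(info))
```

Run as a script it prints PID 4404 at the root with the three taskkill children, the two dropped executables, and WScript.exe under 6a34055d7546487c979a4f66440271b7.exe running loll.VBS. The well_formed flag is the check worth keeping: the wscript.exe and cmd.exe kills are valid, but the third command line is missing the slash on its /IM switch, which taskkill rejects as an invalid argument, so the explorer.exe kill most likely failed in this run.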

Network

Country Destination Domain Proto
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 cut-britney.gl.at.ply.gg udp
US 147.185.221.16:38277 cut-britney.gl.at.ply.gg tcp
US 8.8.8.8:53 16.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 cut-britney.gl.at.ply.gg udp
US 147.185.221.16:38277 cut-britney.gl.at.ply.gg tcp

Note: cut-britney.gl.at.ply.gg is a hostname issued by the playit.gg tunnelling service, so 147.185.221.16:38277 is a tunnel endpoint rather than the operator's own server; the repeated pattern (lookup of the ply.gg name, then a TCP session to the resolved address on the same high port) is consistent with the njRAT client's C2 connection. Hunt on the hostname as well as the IP:port pair, because the tunnel's public address can change while the name persists. The in-addr.arpa rows are reverse (PTR) lookups for 96.17.178.194, 147.185.221.16, 52.111.229.43 and 20.42.65.84 and are not indicators by themselves.

Files

memory/4404-0-0x00007FFB15D70000-0x00007FFB16710000-memory.dmp

memory/4404-1-0x00000000025F0000-0x0000000002600000-memory.dmp

memory/4404-2-0x00007FFB15D70000-0x00007FFB16710000-memory.dmp

memory/4404-3-0x000000001B6F0000-0x000000001BBBE000-memory.dmp

memory/4404-4-0x000000001C130000-0x000000001C16A000-memory.dmp

memory/4404-5-0x000000001C370000-0x000000001C416000-memory.dmp

memory/4404-11-0x000000001D070000-0x000000001D10C000-memory.dmp

memory/4404-12-0x00000000025A0000-0x00000000025A8000-memory.dmp

memory/4404-13-0x000000001D180000-0x000000001D1E2000-memory.dmp

memory/4404-14-0x000000001CF50000-0x000000001CF69000-memory.dmp

memory/4404-15-0x00000000025F0000-0x0000000002600000-memory.dmp

memory/4404-16-0x00007FFB15D70000-0x00007FFB16710000-memory.dmp

memory/4404-17-0x00000000025F0000-0x0000000002600000-memory.dmp

memory/4404-18-0x00007FFB15D70000-0x00007FFB16710000-memory.dmp

memory/4404-19-0x00000000025F0000-0x0000000002600000-memory.dmp

memory/4404-20-0x0000000000AC0000-0x0000000000ACA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\157fa94688624d349c00db3c51c8581a.exe

MD5 a83185ef7c03bfe0e0fbe10098876a34
SHA1 b166fed95e9bcc9f8b0ac4deafa9c45c21e91d0d
SHA256 7a923db27ae488a02e77242b1bbceb9a64898b9c2d085372a5ef5fca06b2a4be
SHA512 283e698b326d044480c49351531249ab9ed3a851c1d2c4a36c87fc5ecbaf2771af58f39cc0fc1551d08a4674ad766a3d4b96b6ee6ca1e6e967727f320f599f4c

C:\Users\Admin\AppData\Local\Temp\autDF6E.tmp

MD5 7c30424c525cb64760083e066ca1f77d
SHA1 69c369028e3db4fe5c2fbc69cbd837d66496c480
SHA256 b75685e5fe51601632066ae2cb162738b340c9873f3b30cd4eb0b6f80cc27643
SHA512 59d726222ffc846ada2e7c6d040e0f0114e2cb92e72f81f23489aa6681b07a1c8cfceb7e81f9b7d7678d33b313302d9cf39c345d862e43f2768e145df14ef8df

C:\Users\Admin\AppData\Local\Temp\6a34055d7546487c979a4f66440271b7.exe

MD5 a703c3b8a39537ce9be339bbc7339a45
SHA1 10354130b42e12c39eb6f3ce95b8368f581ef71b
SHA256 fce41ec4380d80f04eea4f2bb4ed9734c0ed31fb85c8897c0e299fbc0de41f60
SHA512 f73d2daaf572028655e4168834af7fb5477af4748f99845db314c57ab3a08c16d64bd2c5489f5c84ac3b0dcd16ec414284b5994091c3e44929fc7e923d26cb07

C:\Users\Admin\AppData\Local\Temp\RarSFX0\loll.VBS

MD5 2b56784f8f16a689b305a1c768f28689
SHA1 e81ce025337ff3ebfc8bc48d43d360345a18688f
SHA256 dcd7fe09e32ec3a9fd356f12ded8e3f2ae520a99c8dc996b48dc98a39d68a077
SHA512 d0134e11bea5809b966cae3cc60828e557d6acddab890e56c0e22bed7c4facda582f77dd00a7ccb6da66200cc610ba9bd4423dcf33075f3b2b18434f219bbd68

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

MD5 7050d5ae8acfbe560fa11073fef8185d
SHA1 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256 cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512 a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

C:\Users\Admin\AppData\Local\Temp\RarSFX0\prj_13626871_c66985d209c8197ecce4f5ce7899b49d_1656581581.mp3

MD5 4843241a72238329e13f2497733fd70c
SHA1 c6b6fcc361bbcf17e9d05868deec5700b9e1d048
SHA256 3c6de7e0e9b3781a9bbf710553efaacbd61afd486034a1a633e571fdb02f4348
SHA512 f302d7b69c6a9eced6770ca2e6da3119c3bdf9c2a6a90657814cf0b5ddc52f3c336a4c5e45152443bb6d6f3fa777e3d99c82a3c090c6fa5b4b377f5aa0e1ba20

memory/4560-197-0x0000000007F60000-0x0000000007F70000-memory.dmp

memory/4560-198-0x0000000007F60000-0x0000000007F70000-memory.dmp

memory/4560-203-0x0000000007F60000-0x0000000007F70000-memory.dmp

memory/4560-202-0x0000000007F60000-0x0000000007F70000-memory.dmp

memory/4560-200-0x0000000007F60000-0x0000000007F70000-memory.dmp

memory/4560-204-0x0000000007F60000-0x0000000007F70000-memory.dmp

memory/4560-206-0x0000000007F60000-0x0000000007F70000-memory.dmp

memory/4560-207-0x0000000007F60000-0x0000000007F70000-memory.dmp
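The Files section lists the dropped artefacts with their hashes, which is what a responder sweeps other hosts for. The script below is an added example, not part of the sandbox report: it parses an excerpt of the Files section copied from above into structured indicators, skips the memory-dump entries, and hashes a directory tree against the SHA256 values. The directory walk, the function names and the decoy file planted in demo() are this example's own constructions; the decoy stands in for the real loll.VBS so the sweep can be exercised without the sample.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Excerpt copied from the Files section above (SHA512 rows left out for brevity;
# the parser accepts them too). memory/ entries are in-memory dumps without hashes.
FILES_SECTION = r"""
memory/4404-20-0x0000000000AC0000-0x0000000000ACA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\157fa94688624d349c00db3c51c8581a.exe

MD5 a83185ef7c03bfe0e0fbe10098876a34
SHA1 b166fed95e9bcc9f8b0ac4deafa9c45c21e91d0d
SHA256 7a923db27ae488a02e77242b1bbceb9a64898b9c2d085372a5ef5fca06b2a4be

C:\Users\Admin\AppData\Local\Temp\6a34055d7546487c979a4f66440271b7.exe

MD5 a703c3b8a39537ce9be339bbc7339a45
SHA1 10354130b42e12c39eb6f3ce95b8368f581ef71b
SHA256 fce41ec4380d80f04eea4f2bb4ed9734c0ed31fb85c8897c0e299fbc0de41f60

C:\Users\Admin\AppData\Local\Temp\RarSFX0\loll.VBS

MD5 2b56784f8f16a689b305a1c768f28689
SHA1 e81ce025337ff3ebfc8bc48d43d360345a18688f
SHA256 dcd7fe09e32ec3a9fd356f12ded8e3f2ae520a99c8dc996b48dc98a39d68a077
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")

def parse_files_section(text):
    """One dict per dropped file: {'path': ..., 'MD5': ..., 'SHA1': ..., 'SHA256': ...}."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m:
            if current is not None:
                current[m.group(1)] = m.group(2).lower()
        elif line.startswith("memory/"):
            current = None  # memory dump: nothing to hash on disk
        else:
            current = {"path": line}
            entries.append(current)
    return [e for e in entries if "SHA256" in e]

def sha256_file(path, chunk=1 << 20):
    """Stream the file so large drops do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def sweep(root, entries):
    """{matched path: report path} for every file under root whose SHA256 is in the report."""
    wanted = {e["SHA256"]: e["path"] for e in entries}
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                digest = sha256_file(full)
            except OSError:
                continue  # locked or unreadable: record it and move on in production
            if digest in wanted:
                hits[full] = wanted[digest]
    return hits

def demo():
    """Constructed scenario: plant a decoy whose hash is appended to the indicator
    list, plus a clean file, then sweep the directory. Only the decoy should match."""
    entries = parse_files_section(FILES_SECTION)
    with tempfile.TemporaryDirectory() as tmp:
        decoy = Path(tmp, "Temp", "RarSFX0", "loll.VBS")
        decoy.parent.mkdir(parents=True)
        decoy.write_bytes(b"constructed decoy, not the real dropper")
        Path(tmp, "clean.txt").write_text("benign")
        # Hypothetical indicator: stands in for the real loll.VBS, which is not shipped here.
        entries.append({"path": "constructed decoy", "SHA256": sha256_file(decoy)})
        return sweep(tmp, entries)

if __name__ == "__main__":
    for found, indicator in demo().items():
        print(f"{found} matches {indicator}")
```

The sweep matches on SHA256 only. Names such as autDF6E.tmp (the AutoIt runtime's temporary script file) are generated per run, so they make a poor primary indicator; the hashes of the dropped payloads are what to carry into hunting.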