Analysis
- max time kernel: 1800s
- max time network: 1795s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 17-11-2020 12:01

Static task: static1
Behavioral task: behavioral1 (sample System.exe, resource win10v20201028)
Behavioral task: behavioral2 (sample System.exe, resource win7v20201028)
General
- Target: System.exe
- Size: 66KB
- MD5: 8d6ab03994b0ce3466873aa7532fe76b
- SHA1: 156aecd4d8e65d205181ad5eace466c8798d3c86
- SHA256: e5242266d9fc1e27e583a920ff6b9ff445c0942793ed80a92d5c5b6792d25f62
- SHA512: 2c1df9fb201b4a750378dfa7029755239167efa51ae4ddc9c5042218a1d01c3bf5557c09faeda4f3f68818082a6f95526d5776d432b5b6774ae2c1c90dc7a84c
Malware Config
Signatures
- Hakbit
  Ransomware which encrypts files using AES, first seen in November 2019.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Drops startup file (1 IoC)
  Processes:
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk (System.exe)
- Modifies file permissions (1 TTP, 29 IoCs)
  Processes: 29 instances of icacls.exe, PIDs 4232, 4604, 4692, 5076, 4140, 4184, 4112, 1484, 4908, 4736, 4368, 4400, 4528, 4996, 4272, 4440, 4952, 4648, 4820, 5036, 4664, 4484, 4776, 4864, 4156, 4212, 4752, 4316, 4360
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates connected drives (3 TTPs, 18 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: 10 instances of vssadmin.exe; file opened (read-only), in the order recorded:
    \??\h:, \??\H:, \??\h:, \??\D:, \??\E:, \??\G:, \??\H:, \??\e:, \??\E:, \??\G:, \??\f:, \??\g:, \??\g:, \??\D:, \??\e:, \??\F:, \??\f:, \??\F:
- Modifies WinLogon (2 TTPs, 2 IoCs)
  Processes (System.exe):
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Information..."
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "\r\n*** ATTENTION ***\r\nYour File Locked By \"Military Algorithm\" And Wiped. \r\nFor Recovery Your Files Contact : [email protected]"
- Launches sc.exe
  sc.exe is a Windows utility to control services on the system.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (taskmgr.exe):
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
    Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName
- Interacts with shadow copies (2 TTPs, 14 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: 14 instances of vssadmin.exe, PIDs 4016, 268, 3692, 3008, 3868, 1180, 4032, 4000, 500, 3956, 3504, 3500, 3584, 3792
- Kills process with taskkill (3 IoCs)
  Processes: 3 instances of taskkill.exe, PIDs 2948, 4056, 196
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (25 IoCs)
  Processes: taskmgr.exe (PID 2892), 25 occurrences
- Suspicious use of AdjustPrivilegeToken (12 IoCs)
  Processes:
    Token: SeDebugPrivilege, PID 580, System.exe
    Token: SeDebugPrivilege, PID 2948, taskkill.exe
    Token: SeDebugPrivilege, PID 4056, taskkill.exe
    Token: SeDebugPrivilege, PID 196, taskkill.exe
    Token: SeBackupPrivilege, PID 1392, vssvc.exe
    Token: SeRestorePrivilege, PID 1392, vssvc.exe
    Token: SeAuditPrivilege, PID 1392, vssvc.exe
    Token: SeDebugPrivilege, PID 2892, taskmgr.exe
    Token: SeSystemProfilePrivilege, PID 2892, taskmgr.exe
    Token: SeCreateGlobalPrivilege, PID 2892, taskmgr.exe
    Token: 33, PID 2892, taskmgr.exe
    Token: SeIncBasePriorityPrivilege, PID 2892, taskmgr.exe
- Suspicious use of FindShellTrayWindow (51 IoCs)
  Processes: taskmgr.exe (PID 2892), repeated; System.exe (PID 580), once; 51 IoCs in total
- Suspicious use of SendNotifyMessage (51 IoCs)
  Processes: taskmgr.exe (PID 2892), repeated; System.exe (PID 580), once; 51 IoCs in total
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (each source/target pair was recorded twice, giving 64 IoCs):
    PID 580 System.exe wrote to memory of PID 3944 net.exe
    PID 3944 net.exe wrote to memory of PID 3924 net1.exe
    PID 580 System.exe wrote to memory of PID 2952 net.exe
    PID 2952 net.exe wrote to memory of PID 416 net1.exe
    PID 580 System.exe wrote to memory of PID 2744 net.exe
    PID 2744 net.exe wrote to memory of PID 1180 net1.exe
    PID 580 System.exe wrote to memory of PID 184 net.exe
    PID 184 net.exe wrote to memory of PID 936 net1.exe
    PID 580 System.exe wrote to memory of PID 2400 net.exe
    PID 2400 net.exe wrote to memory of PID 500 net1.exe
    PID 580 System.exe wrote to memory of PID 1160 net.exe
    PID 1160 net.exe wrote to memory of PID 2124 net1.exe
    PID 580 System.exe wrote to memory of PID 3860 net.exe
    PID 3860 net.exe wrote to memory of PID 2344 net1.exe
    PID 580 System.exe wrote to memory of PID 3028 net.exe
    PID 3028 net.exe wrote to memory of PID 4004 net1.exe
    PID 580 System.exe wrote to memory of PID 752 net.exe
    PID 752 net.exe wrote to memory of PID 4052 net1.exe
    PID 580 System.exe wrote to memory of PID 3104 net.exe
    PID 3104 net.exe wrote to memory of PID 508 net1.exe
    PID 580 System.exe wrote to memory of PID 200 net.exe
    PID 200 net.exe wrote to memory of PID 4056 net1.exe
    PID 580 System.exe wrote to memory of PID 2944 net.exe
    PID 2944 net.exe wrote to memory of PID 2316 net1.exe
    PID 580 System.exe wrote to memory of PID 1444 net.exe
    PID 1444 net.exe wrote to memory of PID 1352 net1.exe
    PID 580 System.exe wrote to memory of PID 2060 net.exe
    PID 2060 net.exe wrote to memory of PID 3928 net1.exe
    PID 580 System.exe wrote to memory of PID 2344 net.exe
    PID 2344 net.exe wrote to memory of PID 692 net1.exe
    PID 580 System.exe wrote to memory of PID 3684 net.exe
    PID 3684 net.exe wrote to memory of PID 2960 net1.exe
Processes (depth in the process tree shown in brackets)
- [1] C:\Users\Admin\AppData\Local\Temp\System.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\System.exe"
  - Drops startup file
  - Modifies WinLogon
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SYSTEM32\net.exe
    Command line: "net.exe" stop avpsus /y
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop avpsus /y
  - [2] C:\Windows\SYSTEM32\net.exe
    Command line: "net.exe" stop McAfeeDLPAgentService /y
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
  - [2] C:\Windows\SYSTEM32\net.exe
    Command line: "net.exe" stop mfewc /y
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop mfewc /y
  - [2] C:\Windows\SYSTEM32\net.exe
    Command line: "net.exe" stop BMR Boot Service /y
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop BMR Boot Service /y
  - [2] C:\Windows\SYSTEM32\net.exe
    Command line: "net.exe" stop NetBackup BMR MTFTP Service /y
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
  - [2] C:\Windows\SYSTEM32\net.exe
    Command line: "net.exe" stop DefWatch /y
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop DefWatch /y
  - [2] C:\Windows\SYSTEM32\net.exe
    Command line: "net.exe" stop ccEvtMgr /y
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop ccEvtMgr /y
  - [2] C:\Windows\SYSTEM32\net.exe
    Command line: "net.exe" stop ccSetMgr /y
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop ccSetMgr /y
  - [2] C:\Windows\SYSTEM32\net.exe
    Command line: "net.exe" stop SavRoam /y
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop SavRoam /y
  - [2] C:\Windows\SYSTEM32\net.exe
    Command line: "net.exe" stop RTVscan /y
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop RTVscan /y
  - [2] C:\Windows\SYSTEM32\net.exe
    Command line: "net.exe" stop QBFCService /y
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop QBFCService /y
  - [2] C:\Windows\SYSTEM32\net.exe
    Command line: "net.exe" stop QBIDPService /y
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop QBIDPService /y
  - [2] C:\Windows\SYSTEM32\net.exe
    Command line: "net.exe" stop Intuit.QuickBooks.FCS /y
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
  - [2] C:\Windows\SYSTEM32\net.exe
    Command line: "net.exe" stop QBCFMonitorService /y
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop QBCFMonitorService /y
  - [2] C:\Windows\SYSTEM32\net.exe
    Command line: "net.exe" stop YooBackup /y
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop YooBackup /y
  - [2] C:\Windows\SYSTEM32\net.exe
    Command line: "net.exe" stop YooIT /y
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop YooIT /y
  - [2] C:\Windows\SYSTEM32\net.exe
    Command line: "net.exe" stop zhudongfangyu /y
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop zhudongfangyu /y
  - [2] C:\Windows\SYSTEM32\net.exe
    Command line: "net.exe" stop stc_raw_agent /y
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop stc_raw_agent /y
  - [2] C:\Windows\SYSTEM32\net.exe
    Command line: "net.exe" stop VSNAPVSS /y
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop VSNAPVSS /y
  - [2] C:\Windows\SYSTEM32\net.exe
    Command line: "net.exe" stop VeeamTransportSvc /y
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop VeeamTransportSvc /y
  - [2] C:\Windows\SYSTEM32\net.exe
    Command line: "net.exe" stop VeeamDeploymentService /y
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop VeeamDeploymentService /y
  - [2] C:\Windows\SYSTEM32\net.exe
    Command line: "net.exe" stop VeeamNFSSvc /y
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop VeeamNFSSvc /y
  - [2] C:\Windows\SYSTEM32\net.exe
    Command line: "net.exe" stop veeam /y
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop veeam /y
  - [2] C:\Windows\SYSTEM32\net.exe
    Command line: "net.exe" stop PDVFSService /y
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop PDVFSService /y
  - [2] C:\Windows\SYSTEM32\net.exe
    Command line: "net.exe" stop BackupExecVSSProvider /y
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop BackupExecVSSProvider /y
  - [2] C:\Windows\SYSTEM32\net.exe
    Command line: "net.exe" stop BackupExecAgentAccelerator /y
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
  - [2] C:\Windows\SYSTEM32\net.exe
    Command line: "net.exe" stop BackupExecAgentBrowser /y
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
  - [2] C:\Windows\SYSTEM32\net.exe
    Command line: "net.exe" stop BackupExecDiveciMediaService /y
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
  - [2] C:\Windows\SYSTEM32\net.exe
    Command line: "net.exe" stop BackupExecJobEngine /y
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop BackupExecJobEngine /y
  - [2] C:\Windows\SYSTEM32\net.exe
    Command line: "net.exe" stop BackupExecManagementService /y
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop BackupExecManagementService /y
  - [2] C:\Windows\SYSTEM32\net.exe
    Command line: "net.exe" stop BackupExecRPCService /y
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop BackupExecRPCService /y
  - [2] C:\Windows\SYSTEM32\net.exe
    Command line: "net.exe" stop AcrSch2Svc /y
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop AcrSch2Svc /y
  - [2] C:\Windows\SYSTEM32\net.exe
    Command line: "net.exe" stop AcronisAgent /y
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop AcronisAgent /y
  - [2] C:\Windows\SYSTEM32\net.exe
    Command line: "net.exe" stop CASAD2DWebSvc /y
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop CASAD2DWebSvc /y
  - [2] C:\Windows\SYSTEM32\net.exe
    Command line: "net.exe" stop CAARCUpdateSvc /y
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop CAARCUpdateSvc /y
  - [2] C:\Windows\SYSTEM32\net.exe
    Command line: "net.exe" stop sophos /y
    - [3] C:\Windows\system32\net1.exe
      Command line: C:\Windows\system32\net1 stop sophos /y
  - [2] C:\Windows\SYSTEM32\sc.exe
    Command line: "sc.exe" config SQLTELEMETRY start= disabled
  - [2] C:\Windows\SYSTEM32\sc.exe
    Command line: "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  - [2] C:\Windows\SYSTEM32\sc.exe
    Command line: "sc.exe" config SQLWriter start= disabled
  - [2] C:\Windows\SYSTEM32\sc.exe
    Command line: "sc.exe" config SstpSvc start= disabled
  - [2] C:\Windows\SYSTEM32\taskkill.exe
    Command line: "taskkill.exe" /IM mspub.exe /F
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SYSTEM32\taskkill.exe
    Command line: "taskkill.exe" /IM mydesktopqos.exe /F
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SYSTEM32\taskkill.exe
    Command line: "taskkill.exe" /IM mydesktopservice.exe /F
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SYSTEM32\vssadmin.exe
    Command line: "vssadmin.exe" Delete Shadows /all /quiet
    - Interacts with shadow copies
  - [2] C:\Windows\SYSTEM32\vssadmin.exe
    Command line: "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=401MB
    - Interacts with shadow copies
  - [2] C:\Windows\SYSTEM32\vssadmin.exe
    Command line: "vssadmin.exe" resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    - Interacts with shadow copies
  - [2] C:\Windows\SYSTEM32\vssadmin.exe
    Command line: "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=401MB
    - Enumerates connected drives
    - Interacts with shadow copies
  - [2] C:\Windows\SYSTEM32\vssadmin.exe
    Command line: "vssadmin.exe" resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    - Enumerates connected drives
    - Interacts with shadow copies
  - [2] C:\Windows\SYSTEM32\vssadmin.exe
    Command line: "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=401MB
    - Enumerates connected drives
    - Interacts with shadow copies
  - [2] C:\Windows\SYSTEM32\vssadmin.exe
    Command line: "vssadmin.exe" resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    - Enumerates connected drives
    - Interacts with shadow copies
  - [2] C:\Windows\SYSTEM32\vssadmin.exe
    Command line: "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=401MB
    - Enumerates connected drives
    - Interacts with shadow copies
  - [2] C:\Windows\SYSTEM32\vssadmin.exe
    Command line: "vssadmin.exe" resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    - Enumerates connected drives
    - Interacts with shadow copies
  - [2] C:\Windows\SYSTEM32\vssadmin.exe
    Command line: "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=401MB
    - Enumerates connected drives
    - Interacts with shadow copies
  - [2] C:\Windows\SYSTEM32\vssadmin.exe
    Command line: "vssadmin.exe" resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    - Enumerates connected drives
    - Interacts with shadow copies
  - [2] C:\Windows\SYSTEM32\vssadmin.exe
    Command line: "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=401MB
    - Enumerates connected drives
    - Interacts with shadow copies
  - [2] C:\Windows\SYSTEM32\vssadmin.exe
    Command line: "vssadmin.exe" resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    - Enumerates connected drives
    - Interacts with shadow copies
  - [2] C:\Windows\SYSTEM32\vssadmin.exe
    Command line: "vssadmin.exe" Delete Shadows /all /quiet
    - Interacts with shadow copies
  - [2] C:\Windows\SYSTEM32\cmd.exe
    Command line: "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  - [2] C:\Windows\SYSTEM32\icacls.exe
    Command line: "icacls.exe" A:\* /grant Everyone:F /T /C /Q
    - Modifies file permissions
  - [2] C:\Windows\SYSTEM32\icacls.exe
    Command line: "icacls.exe" B:\* /grant Everyone:F /T /C /Q
    - Modifies file permissions
  - [2] C:\Windows\SYSTEM32\icacls.exe
    Command line: "icacls.exe" D:\* /grant Everyone:F /T /C /Q
    - Modifies file permissions
  - [2] C:\Windows\SYSTEM32\icacls.exe
    Command line: "icacls.exe" E:\* /grant Everyone:F /T /C /Q
    - Modifies file permissions
  - [2] C:\Windows\SYSTEM32\icacls.exe
    Command line: "icacls.exe" F:\* /grant Everyone:F /T /C /Q
    - Modifies file permissions
  - [2] C:\Windows\SYSTEM32\icacls.exe
    Command line: "icacls.exe" G:\* /grant Everyone:F /T /C /Q
    - Modifies file permissions
  - [2] C:\Windows\SYSTEM32\icacls.exe
    Command line: "icacls.exe" H:\* /grant Everyone:F /T /C /Q
    - Modifies file permissions
  - [2] C:\Windows\SYSTEM32\icacls.exe
    Command line: "icacls.exe" I:\* /grant Everyone:F /T /C /Q
    - Modifies file permissions
  - [2] C:\Windows\SYSTEM32\icacls.exe
    Command line: "icacls.exe" J:\* /grant Everyone:F /T /C /Q
    - Modifies file permissions
  - [2] C:\Windows\SYSTEM32\icacls.exe
    Command line: "icacls.exe" K:\* /grant Everyone:F /T /C /Q
    - Modifies file permissions
  - [2] C:\Windows\SYSTEM32\icacls.exe
    Command line: "icacls.exe" L:\* /grant Everyone:F /T /C /Q
    - Modifies file permissions
  - [2] C:\Windows\SYSTEM32\icacls.exe
    Command line: "icacls.exe" M:\* /grant Everyone:F /T /C /Q
    - Modifies file permissions
  - [2] C:\Windows\SYSTEM32\icacls.exe
    Command line: "icacls.exe" N:\* /grant Everyone:F /T /C /Q
    - Modifies file permissions
  - [2] C:\Windows\SYSTEM32\icacls.exe
    Command line: "icacls.exe" O:\* /grant Everyone:F /T /C /Q
    - Modifies file permissions
  - [2] C:\Windows\SYSTEM32\icacls.exe
    Command line: "icacls.exe" P:\* /grant Everyone:F /T /C /Q
    - Modifies file permissions
  - [2] C:\Windows\SYSTEM32\icacls.exe
    Command line: "icacls.exe" Q:\* /grant Everyone:F /T /C /Q
    - Modifies file permissions
  - [2] C:\Windows\SYSTEM32\icacls.exe
    Command line: "icacls.exe" R:\* /grant Everyone:F /T /C /Q
    - Modifies file permissions
  - [2] C:\Windows\SYSTEM32\icacls.exe
    Command line: "icacls.exe" S:\* /grant Everyone:F /T /C /Q
    - Modifies file permissions
  - [2] C:\Windows\SYSTEM32\icacls.exe
    Command line: "icacls.exe" T:\* /grant Everyone:F /T /C /Q
    - Modifies file permissions
  - [2] C:\Windows\SYSTEM32\icacls.exe
    Command line: "icacls.exe" U:\* /grant Everyone:F /T /C /Q
    - Modifies file permissions
  - [2] C:\Windows\SYSTEM32\icacls.exe
    Command line: "icacls.exe" V:\* /grant Everyone:F /T /C /Q
    - Modifies file permissions
  - [2] C:\Windows\SYSTEM32\icacls.exe
    Command line: "icacls.exe" W:\* /grant Everyone:F /T /C /Q
    - Modifies file permissions
  - [2] C:\Windows\SYSTEM32\icacls.exe
    Command line: "icacls.exe" X:\* /grant Everyone:F /T /C /Q
    - Modifies file permissions
  - [2] C:\Windows\SYSTEM32\icacls.exe
    Command line: "icacls.exe" Y:\* /grant Everyone:F /T /C /Q
    - Modifies file permissions
  - [2] C:\Windows\SYSTEM32\icacls.exe
    Command line: "icacls.exe" Z:\* /grant Everyone:F /T /C /Q
    - Modifies file permissions
  - [2] C:\Windows\SYSTEM32\icacls.exe
    Command line: "icacls.exe" C:\Users\Admin\Desktop\* /grant Everyone:F /T /C /Q
    - Modifies file permissions
  - [2] C:\Windows\SYSTEM32\icacls.exe
    Command line: "icacls.exe" C:\Users\Admin\Documents\* /grant Everyone:F /T /C /Q
    - Modifies file permissions
  - [2] C:\Windows\SYSTEM32\icacls.exe
    Command line: "icacls.exe" C:\Users\Admin\Pictures\* /grant Everyone:F /T /C /Q
    - Modifies file permissions
  - [2] C:\Windows\SYSTEM32\icacls.exe
    Command line: "icacls.exe" C:\Users\Admin\* /grant Everyone:F /T /C /Q
    - Modifies file permissions
- [1] C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\HELP_ME_RECOVER_MY_FILES.txt
  MD5: a9b0f276e953a902c58d3663644b8c61
  SHA1: f42c6061136fbf8c13c1f493d4af283c6351897a
  SHA256: d360747728919b8fe9cb37b08a52bde689afc39e68c437c60a6fd6a655c82671
  SHA512: 3dd9af421e87e048ba73e5e2574cbbe3c7007e3baacd2de3bbc01529e9864455f2e9c99c50a1ee1b00f8d0082705bfd4de528907cd4e4d2d2d614dfc63c5c992
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk
  MD5: 519b868d3480f17ce01bc87dd93fecae
  SHA1: 3fef906e8d7db48654f9a8d2bf2bfeb1e89cfd47
  SHA256: 77f765cab861711a19d8947c5ca15e581dd50a385df7d18108da6bba7639bcb9
  SHA512: 867d61ccaa2b59bb703b87d1436d39241197fcdf6dd5e1256105617463f20a001fe5bf58a32756d461fe9827a868ad5058c5c1aa5b65a90d45259bcafcc5e1da
- C:\Users\Admin\Desktop\BlockWrite.jpeg.crypted
  MD5: 7ab2abb5ddea18e13a47754df04e3d80
  SHA1: 8cb19c522eaa00ec95c10257c9dff4b7ecf3d415
  SHA256: 8992fdf164ce96ca75c208ebafed769ec3f3396e9da93c2101cff9a4ecaa1bea
  SHA512: cd9f41f108c1a0fb4675dcf1facf2706aed4a7ba82fac7bdd7535b66d3836b16da934bfed683cb757942509d66048e967b26e218c9616909442a9a49fa377ab8
- C:\Users\Admin\Desktop\DisconnectTrace.mhtml.crypted
  MD5: e0087b660a6e52214233ad698ac45819
  SHA1: 03b81b463b78096304b7a6400b75e9c0d3e8c223
  SHA256: 15d26297d7c14f4b7cf2850eb3c0623d37fd0d63ac3ed4a79408e4a93b8fc6b4
  SHA512: cb99373cf29ab8d71a2ef945f4bb94b4756ac7c898c0ce9475cd559d3246b13bde8b70c7dcd58f380c16b4228c04e540bd41b9725a0b6300117b2d7d6b0f2727
- C:\Users\Admin\Desktop\ExpandSearch.avi.crypted
  MD5: fb0f3bd03a0a4077009f20632d7bff6f
  SHA1: 394f7501402a2eb4b2841e6d5f7481d3ccaf37ef
  SHA256: 9ca316325b396dd593469c486837dc1eb1b02939c8f91a910355b27cf716a8e5
  SHA512: 4fde74238faf01710c8bba47c793f1aaa09973023d763a4ee7ef1dff51b827e07e6b301da85c23752a56085018d7adf562ef30b7a96edafafd7d867a9ee8f86f
- C:\Users\Admin\Desktop\InstallMount.htm.crypted
  MD5: 787407ff1ae0a872bd3fbbf2767da86e
  SHA1: cf6acf9b1640e5fb2c585333b0b801d947ac74e4
  SHA256: 51b4031d2874d4e22d5f416ced8e0157ff7f8fdbf9952ebafc88ee987357dd61
  SHA512: 6dc8118e6c8888b270ef797c6f03b9f576619de82662e67614d627610e32353e70a0914e40e0455963b2013a0a28a5f32a84b2b0e1b7d015cd85aeb7d2198edd
- C:\Users\Admin\Desktop\InvokeSplit.snd.crypted
  MD5: e02169e4f2e1b42bfcaa829dd386f787
  SHA1: ee096598d0b1d6c574c51d177ba0dccabc72152e
  SHA256: d8309a76397f45d6b100f863c3f55a0f5d264f77840720020e54b9a24caad04d
  SHA512: 41690473077fc4729f34ad7b2d4abde1ad67f8e9c2a067541da95567e6878c4b06d9470a87b1c3783f5b9c06853820b4b1d0654c13f5c7dde0a1d95d634d4988
- C:\Users\Admin\Desktop\LockClose.7z.crypted
  MD5: 66e056a9ee54b86c5f5f9f33cafd538d
  SHA1: 2d64757d2a9df94742cb1757ecc76121e935fd4c
  SHA256: 2a048c92c5c0631dc74e0e562d804abbd582f95f27bb878994597e93ada6582e
  SHA512: 837b1b7070d22cc28e78db923d0d1fef7dca92697a0fb523a6ea4497d0229b133e95b6c97a6077e11f79b70810ec94d069d7ffc0ab19fb25b0da312416829ae8
- C:\Users\Admin\Desktop\RepairUnlock.pptx.crypted
  MD5: ee526f48c2e7759ece8bc1498f6002d7
  SHA1: 9d68dff6adfadfb025e5b30d42654bd574505911
  SHA256: 580ec1b9e27ea45bdf2494b29b7e0ec901a4eab04f93b040dd41528da5e40537
  SHA512: bb765a2161d79d6c80daead9a22e465875b382c0dbc68926eff128e941e5c8f031fce98d2658d61045067874b4abec61910cddfe18c3a5860e565c6820c775ec
- C:\Users\Admin\Desktop\RequestLimit.rar.crypted
  MD5: f56007e115de8c181bbb898dda9cd034
  SHA1: 5fa076403f9a8ee1d9f469d53121c500aec6d23a
  SHA256: b7f0b4b45aa863f7a6f7415c1c9a5bdb9b3e5ea9bd07300fbc36e48c72c9276b
  SHA512: 0f48eb7b6b4cee90e2efb56ff9232c3e48dae71980a62af46f4d1fef4d791ab1aa88273986a28fafdec00478b89631cbac4d4ce1fe1941f5c6b9f31cad7c1290
- C:\Users\Admin\Desktop\TraceUnprotect.odt.crypted
  MD5: 65109974fde98bd2aa594943947457a7
  SHA1: aace0cd49e46dd653cb6b32660bea37350b0da08
  SHA256: abc38dd0e2930c6cfdeccf4e3c435ac6ac2c8624b822efc40c2cc8d7da328049
  SHA512: f0522a720cb174a4b0e4faed47a87ea8503884b321a1f74f1ed1bdc8d499ba394f071b7322e3c058a6c260429bdddf758071da0dc69ae55775177d9e08cba73d
- C:\Users\Admin\Desktop\UndoConfirm.jpg.crypted
  MD5: 77671b10eb1904db97741e8de6612f91
  SHA1: 626923f9edf138f5529dd8f47833d8ca8a274c3c
  SHA256: 4895153e822992444beff70988c5a2030f4552cb7f2354e1a35966bbe75f86df
  SHA512: fd399829fc454311673b02db81987534665f93d48950deb212fd02b87ccd69da1f5e1ab10a884e5a386cf72c40f08160d541cb26aeee29ba9f0a7ea87d44d0e4
- C:\Users\Admin\Documents\Are.docx.crypted
  MD5: 4a0b95041508690966c4e4a7dd7b26fb
  SHA1: bfdcbdb56fb8ddc1e0d9b179b61779cc2b5aa813
  SHA256: d5e115b9e252e11c957f104692c47a72acd2e31f0f162d0b5c53f25bd2937431
  SHA512: 576c8a83ae4e26e6af64b030c2785bdfc51d38475cb3eacd65bcc585f021d2a68cc6afdddee53c5dd8f58f6d92c19053b6cb2bc1f678032aeccf9cc379c2cac7
- C:\Users\Admin\Documents\CompareConvert.rtf.crypted
  MD5: 1f9f42766badc4197622c4340303a9f3
  SHA1: 186c1c8fa087944c878cb259fd07e4d1950cdd66
  SHA256: 49a70a6275a66aa67084567799b18c629982d5c9a9687b03ce247d0aa259da24
  SHA512: b8ee5187c97f09fe8e1a778943b98ebc17852fa16fa124d1b2268d25c09edbd3fe7c05ce043d83eb97658e0949cf73aa01d7b39f544ce6b57db2c245baf13e39
- C:\Users\Admin\Documents\DisconnectUpdate.xlsx.crypted
  MD5: 0016a79f9601e430fe635ada797d1455
  SHA1: 3c2ad501a0ebd1e6907533ee2eabb8dd7f04aba3
  SHA256: 4a4c031bc69c4bb420d177ec7e0832f73704002a2ce8edca64801f82a811db65
  SHA512: 7bd3b2eee1f9b80d777803406cc95944b4e89535cdd7b1b5891cd88445d1b531226b000569bd5b6b53f42f41695fd1275feb1d2d13a8c8065d766580ffc569a4
- C:\Users\Admin\Documents\Files.docx.crypted
  MD5: 9f9d32f7a96ae543f479c53b7a8a2e50
  SHA1: 1089544e42bc9bfc469b8762d277cd09d273e05c
  SHA256: 8a837406b7c8392c22df7c57c0839be7944c59ad91414c0ccd0d015d104e90e6
  SHA512: d9f2bc2ce819720cba6c6ef074476cdd6f8679582046d4d8dbd1dcc6dbed5931ed46176995532c0ac8b717f0f7126861f70926c7d687bd97b1a446e2e4a7864e
- C:\Users\Admin\Documents\MoveUse.ppt.crypted
  MD5: a4b21440b190caa91ac11b8e3312f24a
  SHA1: 0768c90c1819ac4975a40bf303fa7bf372380595
  SHA256: d60e4ae6b14e79fd15cff60f0484a49ee9b7d32f56f1a3bbbb1283915c532614
  SHA512: 305fddd4171875b2d097fb5fc97671335d6af71198dcb3bb6e1a5efdce9e584fa7196e34c82b64be8ca698c73a4d19ec1f701f80429cbb792114188b9e17c9e6
- C:\Users\Admin\Documents\Opened.docx.crypted
  MD5: 6ec19227af796164b731231f04220f60
  SHA1: be8bd6dc85e02d951c22a2dc92dd0f96d39b5833
  SHA256: 3945527dc572c2481ccc9cb41bec4e86d249e66c6a3d92c76e176084d2940780
  SHA512: 177f4ae714c25daf9d9b7f7970d8d289441bcbf4348f026555449892ec994feb4b0f732556062d4a4b646e75c43a7e8020469b4bad92cc07dcf6ad5702ca6e4a
- C:\Users\Admin\Documents\Recently.docx.crypted
  MD5: 6ff78c80a1c369421f29647d005209ed
  SHA1: 704f08f3629d9682673df82bbb16e2cec978cfc3
  SHA256: 4088966aaede8f1860e14fc57d0d7a4d890576f519d20607f1c7c4b943c5bd75
  SHA512: 33631e68ad47cae8cba03b06ffa567dd9dcc1ef1f2a2f1011b6c42d3eb7746411dad338d72c40dda4938adf1c7ba5155e78e8748055d93df323b5f451b31d0b3
- C:\Users\Admin\Documents\SaveMount.html.crypted
  MD5: a96167adb9e11e617712c5232a22d7ed
  SHA1: 20c591cf178ad3e4fd9d71362ef0a02bb91d7859
  SHA256: 727cf847466f62f8a9e72bc05cc3b967a9d1f18f1e7b1d6752ce894d67e5adbf
  SHA512: c3df79c6c3b105c707ba629cd7f4a1c75653f76b85ccd9fb735e38bb7d044694d49da8b6e7c3088d9475f8304c465295befb9e391422d126ebd968d7f7493757
- C:\Users\Admin\Documents\SplitExit.odt.crypted
  MD5: e4a77066adde11bbc970c18e3eca2fd1
  SHA1: 293d0aecbf5ac293876684cb274a58ac646552e7
  SHA256: 05846e05e972f5035d74a65c839d523fe576f6208997e9deccf19cfaf4629259
  SHA512: 0cd32416d23d5fb7e41f17468c75e70dd4f37ec6753eeb652a0292aef66900bc23b5b8198de8aa4a2abb53f260943a83144c1506f15565c0c3270d9d1e05a9c0
- C:\Users\Admin\Documents\These.docx.crypted
  MD5: 6bb35e08d08860298126b621b25adc2d
  SHA1: 774dfba8c1d6c0646ce23bc1e596911b643218dd
  SHA256: 5c1b00abb77a79114915068f75ee5e86aef21fe7bf9bba66a1bde04d55338c9d
  SHA512: a38ac31c938a04f85fe0c2c107cc82d8c8f16d255214642dc56cc9fa6565fdd8c61728cd355f14774de90f4a13d679a95ad4db2caa6f01cf95039188ea1b30df
- C:\Users\Admin\Music\CheckpointCopy.jpeg.crypted
  MD5: 3877d7eddf3d92d847ac6b462cad54ba
  SHA1: b66d29f72a4d28c6cd93b099ca14ea285f788a33
  SHA256: 17261fd8a40ec78f4e99379b9fe7002316964dddcea3855b7b32860fce66ef1a
  SHA512: fa29a2f4e986689d1be61a224f264380d92047e38476bae684125df0f0f0e9ddfe21ce268ecadbdb90e053ae5adb0384fcc29f6833c3edb106447dfc19fcf889
- C:\Users\Admin\Music\DismountRegister.dwg.crypted
  MD5: cbe6445cc0da649377d5655a424f9167
  SHA1: c1ae9a4f53d404277680164408242c2b732fafee
  SHA256: 7cdfa68c4c017062d42b52310facf7581afe172cc11a30833d09c2c9f6039bc3
  SHA512: eafb33addd94d1fb69b60391cfafc1d76d218534addc02ecc620ef9f7127882ef9952e12c9e127b1d220bc4247e567265c903595811ec286732e944b92ad1aaf
- C:\Users\Admin\Music\RenameImport.jpg.crypted
  MD5: 59668dcb56b17b0f8363ab2aa2d24ac3
  SHA1: b9e7d52f26183f7875826773967624a2aeee8aa6
  SHA256: e82f6cee047a42238258765071b83bf50328344707353933ed9ae9e18b1e5809
  SHA512: 1154900ff520665497dc0a71b08a13b0a2845663919c3a787a75760ae3534ed73f7f4ab07b024b6d91405911ad740a8095b301e8b073cfa0f37e069a7d1a57dc
- C:\Users\Admin\Music\StepDebug.ods.crypted
  MD5: e6b0c7d6f984939e0a467e3fa2a9e543
  SHA1: eacf8f83071780cc5bd4852e2fbcc148cd60b48c
  SHA256: 5921ec3b9fbee5d88032dff2fa6e6e9779a289907ba3ee54ce747ed83915733a
  SHA512: 4a6983f201bfe4fe74c6bb8435862cde31041e4fa7111414349425bf1210154fe3784373214d14fef0902f4b1b1034f674dae4ad53171ece4f9f09cbd948691d
- C:\Users\Admin\Music\StopReset.jpeg.crypted
  MD5: 558ecc42fafb43ba3b91654751f71d23
  SHA1: a819ff857da1cafe5550a1226acc478f80924f03
  SHA256: ae904b1d3fe7c9ab655ff5d52fd806a0e25a733303138facf3a8d336be561c96
  SHA512: 03e521b5022b6e9628ffce0a30c30f5e25b92a499ab33447db8464ec8563863a428ad876359dbd9ee97a6ca0143c946b2cf5323896551e668ba3b8a25a5948a1
- C:\Users\Admin\Music\SuspendGroup.xlsx.crypted
  MD5: af251314e7e689d90eea365ffd00f83d
  SHA1: 5cd3b17c74254bb0b7c58dbec1e932746e880b9b
  SHA256: 5371c6525cb30229e8828c3cfc1333721706df0df5f6d516cc6bde63de39439a
  SHA512: 87a5d0dcf3d7ddb322b3f6329278b523915c3383a9a32c917ae1d987fc85383a7862081d52622549494b07027ee65e7531c1d182bd5a7b14286e341a9a67ed21
-
C:\Users\Admin\Music\SwitchSuspend.csv.cryptedMD5
8cd34e7fb041f5e873ab436f7dd9e1e4
SHA1d0c0b3ec66daafc791917cad456a38161d91c145
SHA2569804717ac8ef30725602ea693eed5229e1a7b151a8b82c49973b9c1f8ac4281f
SHA512fe3249ded8799f2bd2832317b6876204fe0453cb30be76382f92124fdf2329911234a7cfced50f1327e03589f37c959543e6f7ceaae9cb9ebd52e7e12157355c
-
C:\Users\Admin\Music\WaitAdd.rtf.cryptedMD5
ba693a16c46b513f537708ef558af07a
SHA11586f156f3d4d46063f1ee0791e08e7592416243
SHA2565f16587ffba363e53da92d9461844b21566e11c6f3fb98d549d4762ebe775f2b
SHA512ec2f852090e57464f715a9853644a06c1f9ee111b09666a67a2d22310a69ef388d98f5b84669351fb700f3f0fccba5250f2eda2171bd2734449a6b5e5619cf34
-
C:\Users\Admin\Pictures\DenyGet.png.cryptedMD5
f444d249e71123e2b7f8a1dc5c3a21c2
SHA198b35d5bcb63b174164412ac6ae66b1eb59abc20
SHA256924135e1e0d3152cf5c977b8094aeda36189c29fb99b8ef40de8b19950a200ec
SHA512f9bf5d693bce4c495edb745baa1310f3fb8161a4a0abb5d5d3ff34d8bafee1a6f9f9550ad0af10b0ac17cccd9f06b3b00edb66576c4c642cf1ff068d72825d15
-
C:\Users\Admin\Pictures\RestoreOut.jpeg.cryptedMD5
6ba8915677fe0ed837b3dd0c0ec0e3bb
SHA1538c88ec842e3ba58f75485979046f0b426e5fe5
SHA25628f4df6cfc4a1e148591f586a2bb278cb17e6d39f7d012348816dae89128580c
SHA512b7a4f883d5082acef63091caf76bf1de9909af5872bb29dd64b321c19c3ddd4e906aef25c4fa707fb9c9760b2a0dbb657ba50ad2260d88824465fb3bcb6f456e
-
C:\Users\Admin\Pictures\SplitNew.dwg.cryptedMD5
1e02e77526455bf4c1345d6c2787d5bb
SHA14ec23ad14ba5665cc513c23a6ccfcc29ea3a7e4a
SHA256ad74fa4e63cab4acd09888bff3514a67d48fa140e81d7aefa18e2153ced84885
SHA51232314e715b65cd3defe5b12992d4553a4932ef5d63ba9518ccf44d04b575de992ccb8eaff94ad375303fa46dc9ef08a21ba1830604bcee1c9eb78b11f240389a
-
C:\Users\Admin\Pictures\SyncCheckpoint.raw.cryptedMD5
4372e694d8255619ac7c62150c83dde7
SHA12137977d1c80f994a96750a2507c4e0f8d112bed
SHA2561fd5047bf4f63c736516a623844af557dec73a30f3943bdf4a9ea0496df4bc8d
SHA5121bc32168e01fc573a0f0a11e4423891efc2affb07eb2b3222bc49147cf6bd5521f8fe884237edc23bf88e5d71dda968d014992db468465dea81112775f30ce10
-
C:\Users\Admin\Pictures\SyncComplete.tiff.cryptedMD5
57a1fe1fc5a099dd9829f2c8214f6136
SHA1d857e1693c9e205f333b5d7ecadb2dc746a80d8d
SHA256d3f547191fde86c16a4081025c9b3400b7e3a8f542a884c305eaf0b50fef7850
SHA5121087e491f1bc58e9c269ea4fc77f74bc72b7eb91af2e96a362e14522cd957b995bfd7c1a415fa64102895db37c3970b21e32774980d3f835c659114e89399da0
-
C:\Users\Admin\Pictures\UnregisterUse.tiff.cryptedMD5
280d794fadc9cb5dfcabfba3accfa79a
SHA12824c3f2d3237c9e63af76a9c63cb0997b22622c
SHA2560d10b5b80c4957dbb5c5914d1839545c9fac40f00e81d9218193862378e34060
SHA512fd323535ea85a555762e6c8547bb57ca946ca7e96d1b5dede66ea37e88a87df16e1946d8d561faab08eee810cc8b7b4d5d5a340176940f28ceab8756ceb3a5b2
-
C:\Users\Admin\Pictures\Wallpaper.jpg.cryptedMD5
cb6ef98fa7fe971a5cefea27c78fed87
SHA13a38648702a417bbca53ee6a282104b1655881dc
SHA2567c265defa446ce9fe2298af5e4626aaa87b5efe975da91ebd7a1c860aadb657e
SHA512b7d920aba0e8392fd99cea8611f69786961942b81b394dc5936844ecdd7667491370d4118526c6aeb1c0443ad6b55d25f6889d93272c5416cc6789749d881f32
-
memory/184-9-0x0000000000000000-mapping.dmp
-
memory/196-81-0x0000000000000000-mapping.dmp
-
memory/200-23-0x0000000000000000-mapping.dmp
-
memory/212-64-0x0000000000000000-mapping.dmp
-
memory/268-91-0x0000000000000000-mapping.dmp
-
memory/416-60-0x0000000000000000-mapping.dmp
-
memory/416-6-0x0000000000000000-mapping.dmp
-
memory/496-68-0x0000000000000000-mapping.dmp
-
memory/500-12-0x0000000000000000-mapping.dmp
-
memory/500-87-0x0000000000000000-mapping.dmp
-
memory/508-22-0x0000000000000000-mapping.dmp
-
memory/508-72-0x0000000000000000-mapping.dmp
-
memory/580-1-0x0000000000970000-0x0000000000971000-memory.dmp
Filesize 4KB
-
memory/580-0-0x00007FFC354A0000-0x00007FFC35E8C000-memory.dmp
Filesize 9.9MB
-
memory/692-32-0x0000000000000000-mapping.dmp
-
memory/732-78-0x0000000000000000-mapping.dmp
-
memory/752-19-0x0000000000000000-mapping.dmp
-
memory/936-39-0x0000000000000000-mapping.dmp
-
memory/936-10-0x0000000000000000-mapping.dmp
-
memory/1020-35-0x0000000000000000-mapping.dmp
-
memory/1160-13-0x0000000000000000-mapping.dmp
-
memory/1180-85-0x0000000000000000-mapping.dmp
-
memory/1180-8-0x0000000000000000-mapping.dmp
-
memory/1352-28-0x0000000000000000-mapping.dmp
-
memory/1444-27-0x0000000000000000-mapping.dmp
-
memory/1484-97-0x0000000000000000-mapping.dmp
-
memory/1524-76-0x0000000000000000-mapping.dmp
-
memory/2008-96-0x0000000000000000-mapping.dmp
-
memory/2008-66-0x0000000000000000-mapping.dmp
-
memory/2060-29-0x0000000000000000-mapping.dmp
-
memory/2064-77-0x0000000000000000-mapping.dmp
-
memory/2124-14-0x0000000000000000-mapping.dmp
-
memory/2204-55-0x0000000000000000-mapping.dmp
-
memory/2236-43-0x0000000000000000-mapping.dmp
-
memory/2316-65-0x0000000000000000-mapping.dmp
-
memory/2316-26-0x0000000000000000-mapping.dmp
-
memory/2336-42-0x0000000000000000-mapping.dmp
-
memory/2344-31-0x0000000000000000-mapping.dmp
-
memory/2344-16-0x0000000000000000-mapping.dmp
-
memory/2400-11-0x0000000000000000-mapping.dmp
-
memory/2744-7-0x0000000000000000-mapping.dmp
-
memory/2944-25-0x0000000000000000-mapping.dmp
-
memory/2948-79-0x0000000000000000-mapping.dmp
-
memory/2952-5-0x0000000000000000-mapping.dmp
-
memory/2956-49-0x0000000000000000-mapping.dmp
-
memory/2960-47-0x0000000000000000-mapping.dmp
-
memory/2960-34-0x0000000000000000-mapping.dmp
-
memory/2996-53-0x0000000000000000-mapping.dmp
-
memory/3008-94-0x0000000000000000-mapping.dmp
-
memory/3028-17-0x0000000000000000-mapping.dmp
-
memory/3104-21-0x0000000000000000-mapping.dmp
-
memory/3188-63-0x0000000000000000-mapping.dmp
-
memory/3188-36-0x0000000000000000-mapping.dmp
-
memory/3188-50-0x0000000000000000-mapping.dmp
-
memory/3204-73-0x0000000000000000-mapping.dmp
-
memory/3204-62-0x0000000000000000-mapping.dmp
-
memory/3244-57-0x0000000000000000-mapping.dmp
-
memory/3288-37-0x0000000000000000-mapping.dmp
-
memory/3292-61-0x0000000000000000-mapping.dmp
-
memory/3336-48-0x0000000000000000-mapping.dmp
-
memory/3380-41-0x0000000000000000-mapping.dmp
-
memory/3500-90-0x0000000000000000-mapping.dmp
-
memory/3504-89-0x0000000000000000-mapping.dmp
-
memory/3520-45-0x0000000000000000-mapping.dmp
-
memory/3548-74-0x0000000000000000-mapping.dmp
-
memory/3584-40-0x0000000000000000-mapping.dmp
-
memory/3584-92-0x0000000000000000-mapping.dmp
-
memory/3612-67-0x0000000000000000-mapping.dmp
-
memory/3620-38-0x0000000000000000-mapping.dmp
-
memory/3620-51-0x0000000000000000-mapping.dmp
-
memory/3680-75-0x0000000000000000-mapping.dmp
-
memory/3684-33-0x0000000000000000-mapping.dmp
-
memory/3692-46-0x0000000000000000-mapping.dmp
-
memory/3692-93-0x0000000000000000-mapping.dmp
-
memory/3716-44-0x0000000000000000-mapping.dmp
-
memory/3748-54-0x0000000000000000-mapping.dmp
-
memory/3792-95-0x0000000000000000-mapping.dmp
-
memory/3812-52-0x0000000000000000-mapping.dmp
-
memory/3844-69-0x0000000000000000-mapping.dmp
-
memory/3860-15-0x0000000000000000-mapping.dmp
-
memory/3864-56-0x0000000000000000-mapping.dmp
-
memory/3868-70-0x0000000000000000-mapping.dmp
-
memory/3868-83-0x0000000000000000-mapping.dmp
-
memory/3924-71-0x0000000000000000-mapping.dmp
-
memory/3924-4-0x0000000000000000-mapping.dmp
-
memory/3928-30-0x0000000000000000-mapping.dmp
-
memory/3936-58-0x0000000000000000-mapping.dmp
-
memory/3944-3-0x0000000000000000-mapping.dmp
-
memory/3956-88-0x0000000000000000-mapping.dmp
-
memory/3988-59-0x0000000000000000-mapping.dmp
-
memory/4000-82-0x0000000000000000-mapping.dmp
-
memory/4004-18-0x0000000000000000-mapping.dmp
-
memory/4016-84-0x0000000000000000-mapping.dmp
-
memory/4032-86-0x0000000000000000-mapping.dmp
-
memory/4052-20-0x0000000000000000-mapping.dmp
-
memory/4056-80-0x0000000000000000-mapping.dmp
-
memory/4056-24-0x0000000000000000-mapping.dmp
-
memory/4112-120-0x0000000000000000-mapping.dmp
-
memory/4140-98-0x0000000000000000-mapping.dmp
-
memory/4156-121-0x0000000000000000-mapping.dmp
-
memory/4184-99-0x0000000000000000-mapping.dmp
-
memory/4212-122-0x0000000000000000-mapping.dmp
-
memory/4232-100-0x0000000000000000-mapping.dmp
-
memory/4272-101-0x0000000000000000-mapping.dmp
-
memory/4316-102-0x0000000000000000-mapping.dmp
-
memory/4360-103-0x0000000000000000-mapping.dmp
-
memory/4368-123-0x0000000000000000-mapping.dmp
-
memory/4400-104-0x0000000000000000-mapping.dmp
-
memory/4440-105-0x0000000000000000-mapping.dmp
-
memory/4484-106-0x0000000000000000-mapping.dmp
-
memory/4528-107-0x0000000000000000-mapping.dmp
-
memory/4604-108-0x0000000000000000-mapping.dmp
-
memory/4648-109-0x0000000000000000-mapping.dmp
-
memory/4664-124-0x0000000000000000-mapping.dmp
-
memory/4692-110-0x0000000000000000-mapping.dmp
-
memory/4736-111-0x0000000000000000-mapping.dmp
-
memory/4752-132-0x0000000000000000-mapping.dmp
-
memory/4776-112-0x0000000000000000-mapping.dmp
-
memory/4820-113-0x0000000000000000-mapping.dmp
-
memory/4864-114-0x0000000000000000-mapping.dmp
-
memory/4908-115-0x0000000000000000-mapping.dmp
-
memory/4952-116-0x0000000000000000-mapping.dmp
-
memory/4996-117-0x0000000000000000-mapping.dmp
-
memory/5036-118-0x0000000000000000-mapping.dmp
-
memory/5076-119-0x0000000000000000-mapping.dmp