Analysis

- max time kernel: 142s
- max time network: 133s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 18-02-2021 17:54
Static task: static1

Behavioral task: behavioral1
- Sample: cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
- Resource: win10v20201028
General

- Target: cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
- Size: 369KB
- MD5: df919a46da2377f913e99fa5d4997ae9
- SHA1: 03cd2235f0e68f297020dd40ad48395fad78bd8d
- SHA256: cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536
- SHA512: 22870750ef402c958353faefaaa77d4549c3d3a6f1f0bf36da77d881db0d0f5ebdb758e5cef21629f407d80e155dad62de747c472624424436125ba3835e9a61
Malware Config

Extracted
- Path: C:\$Recycle.Bin\S-1-5-21-3825035466-2522850611-591511364-1000\HOW_TO_RETURN_FILES.txt
- Email: "helper.china@aol.com"
Signatures

- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

- Modifies Installed Components in the registry (2 TTPs)

- Modifies extensions of user files (14 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Process: cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
    File renamed: C:\Users\Admin\Pictures\DenySuspend.tif => C:\Users\Admin\Pictures\DenySuspend.tif.cnhelp
    File renamed: C:\Users\Admin\Pictures\PushSet.tiff => C:\Users\Admin\Pictures\PushSet.tiff.cnhelp
    File renamed: C:\Users\Admin\Pictures\SetUnblock.crw => C:\Users\Admin\Pictures\SetUnblock.crw.cnhelp
    File renamed: C:\Users\Admin\Pictures\DenyLock.tiff => C:\Users\Admin\Pictures\DenyLock.tiff.cnhelp
    File renamed: C:\Users\Admin\Pictures\MeasureTrace.crw => C:\Users\Admin\Pictures\MeasureTrace.crw.cnhelp
    File opened for modification: C:\Users\Admin\Pictures\PushSet.tiff
    File renamed: C:\Users\Admin\Pictures\RestartClear.tif => C:\Users\Admin\Pictures\RestartClear.tif.cnhelp
    File renamed: C:\Users\Admin\Pictures\RestoreApprove.tiff => C:\Users\Admin\Pictures\RestoreApprove.tiff.cnhelp
    File renamed: C:\Users\Admin\Pictures\SetRegister.crw => C:\Users\Admin\Pictures\SetRegister.crw.cnhelp
    File opened for modification: C:\Users\Admin\Pictures\RestoreApprove.tiff
    File opened for modification: C:\Users\Admin\Pictures\DenyLock.tiff
    File opened for modification: C:\Users\Admin\Pictures\InvokeRename.tiff
    File renamed: C:\Users\Admin\Pictures\InvokeRename.tiff => C:\Users\Admin\Pictures\InvokeRename.tiff.cnhelp
    File renamed: C:\Users\Admin\Pictures\MountHide.raw => C:\Users\Admin\Pictures\MountHide.raw.cnhelp
- Stops running service(s) (3 TTPs)

- Drops startup file (1 IoC)
  Process: cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW_TO_RETURN_FILES.txt
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Drops desktop.ini file(s) (1 IoC)
  Process: cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
    File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI
- Drops file in Program Files directory (64 IoCs)
  Process: cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe
    File created: C:\Program Files\Reference Assemblies\HOW_TO_RETURN_FILES.txt
    File created: C:\Program Files\VideoLAN\VLC\lua\HOW_TO_RETURN_FILES.txt
    File opened for modification: C:\Program Files\Windows Media Player\Network Sharing\ConnectionManager.xml
    File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21482_.GIF
    File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierDisableUpArrow.jpg
    File created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\HOW_TO_RETURN_FILES.txt
    File opened for modification: C:\Program Files\Java\jre7\lib\cmm\LINEAR_RGB.pf
    File opened for modification: C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\vlc.mo
    File opened for modification: C:\Program Files\VideoLAN\VLC\lua\intf\modules\httprequests.luac
    File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.config
    File opened for modification: C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Waveform.eftx
    File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF
    File created: C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\HOW_TO_RETURN_FILES.txt
    File opened for modification: C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_de_DE.jar
    File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HM00114_.WMF
    File created: C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\HOW_TO_RETURN_FILES.txt
    File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-spi-quicksearch.xml
    File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10253_.GIF
    File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\POST.CFG
    File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME.txt
    File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099159.WMF
    File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21427_.GIF
    File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\MSPUB.DEV_K_COL.HXK
    File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\settings.js
    File opened for modification: C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\vlc.mo
    File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185818.WMF
    File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0217262.WMF
    File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME50.CSS
    File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Chicago
    File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-services_ja.jar
    File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-It.otf
    File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\OPHPROXY.DLL
    File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0285820.WMF
    File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0295241.GIF
    File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN090.XML
    File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar
    File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105506.WMF
    File opened for modification: C:\Program Files\Java\jdk1.7.0_80\db\bin\dblook
    File opened for modification: C:\Program Files\Java\jre7\lib\ext\localedata.jar
    File created: C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\HOW_TO_RETURN_FILES.txt
    File created: C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\HOW_TO_RETURN_FILES.txt
    File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\GrooveFormsMetaData.xml
    File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\MSPPT.OLB
    File opened for modification: C:\Program Files (x86)\Microsoft Office\Templates\1033\AdjacencyMergeLetter.dotx
    File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationUp_ButtonGraphic.png
    File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-io-ui_zh_CN.jar
    File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\icon.png
    File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\SPRING.INF
    File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107364.WMF
    File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN097.XML
    File opened for modification: C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ko_KR.jar
    File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\eclipse.inf
    File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse.nl_zh_4.4.0.v20140623020002.jar
    File created: C:\Program Files\Windows Media Player\HOW_TO_RETURN_FILES.txt
    File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_h.png
    File opened for modification: C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21297_.GIF
    File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\720x480blacksquare.png
    File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00306_.WMF
    File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0281640.WMF
    File opened for modification: C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00068_.WMF
    File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\1033\ONENOTE_F_COL.HXK
    File opened for modification: C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WSSFilesToolIconImagesMask.bmp
    File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\ReadOutLoud.api
    File created: C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\HOW_TO_RETURN_FILES.txt
- Drops file in Windows directory (2 IoCs)
  Process: Explorer.EXE
    File opened for modification: C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe
    File opened for modification: \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe

- Launches sc.exe
  sc.exe is a Windows utility to control services on the system.

- Program crash (1 IoC)
  Process: WerFault.exe (pid 1748), target pid 1260

- Kills process with taskkill (4 IoCs)
  Processes: taskkill.exe (pids 1836, 1940, 636, 1040)
- Process: Explorer.EXE
    Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch
    Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"

- Modifies registry class (5 IoCs)
  Process: Explorer.EXE
    Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_Classes\Local Settings
    Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell
    Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
    Set value (data): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
    Set value (data): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff

- Opens file in notepad (likely ransom note) (1 IoC)
  Process: NOTEPAD.EXE (pid 1924)

- Runs net.exe

- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
    pid 1432 cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe (1 occurrence)
    pid 1748 WerFault.exe (5 occurrences)

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: Explorer.EXE (pid 1396)
- Suspicious use of AdjustPrivilegeToken (61 IoCs)
  Processes and tokens, in the order recorded:
    pid 1836 taskkill.exe: SeDebugPrivilege
    pid 1940 taskkill.exe: SeDebugPrivilege
    pid 636 taskkill.exe: SeDebugPrivilege
    pid 1040 taskkill.exe: SeDebugPrivilege
    pid 1500 WMIC.exe (the following sequence of 20 tokens was recorded twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
    pid 1324 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
    pid 1748 WerFault.exe: SeDebugPrivilege
    pid 1396 Explorer.EXE: SeShutdownPrivilege (6 occurrences)
    pid 1708 AUDIODG.EXE: 33, SeIncBasePriorityPrivilege, 33, SeIncBasePriorityPrivilege
    pid 1396 Explorer.EXE: SeShutdownPrivilege (3 further occurrences)

- Suspicious use of FindShellTrayWindow (26 IoCs)
  Process: Explorer.EXE (pid 1396), 26 occurrences

- Suspicious use of SendNotifyMessage (26 IoCs)
  Process: Explorer.EXE (pid 1396), 26 occurrences

- Suspicious use of WriteProcessMemory (64 IoCs)
  Each parent/child pair below was recorded 4 times; the table is truncated at 64 entries in the source:
    PID 1432 cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe wrote to memory of 1428 cmd.exe
    PID 1428 cmd.exe wrote to memory of 1116 net.exe
    PID 1116 net.exe wrote to memory of 1968 net1.exe
    PID 1432 cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe wrote to memory of 2004 cmd.exe
    PID 2004 cmd.exe wrote to memory of 1932 net.exe
    PID 1932 net.exe wrote to memory of 1912 net1.exe
    PID 1432 cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe wrote to memory of 2040 cmd.exe
    PID 2040 cmd.exe wrote to memory of 1220 net.exe
    PID 1220 net.exe wrote to memory of 364 net1.exe
    PID 1432 cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe wrote to memory of 332 cmd.exe
    PID 332 cmd.exe wrote to memory of 592 net.exe
    PID 592 net.exe wrote to memory of 1608 net1.exe
    PID 1432 cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe wrote to memory of 820 cmd.exe
    PID 820 cmd.exe wrote to memory of 1444 net.exe
    PID 1444 net.exe wrote to memory of 1040 net1.exe
    PID 1432 cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe wrote to memory of 816 cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe"C:\Users\Admin\AppData\Local\Temp\cadbbf76fd42b925147d01cc74e82bc8b2b6b03a82a63ca39d2ef1c2877eb536.bin.sample.exe"1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NET stop MSSQLSERVER /Y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exeNET stop MSSQLSERVER /Y3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQLSERVER /Y4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NET stop MSSQL$SQLEXPRESS /Y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exeNET stop MSSQL$SQLEXPRESS /Y3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop MSSQL$SQLEXPRESS /Y4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NET STOP acrsch2svc /Y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exeNET STOP acrsch2svc /Y3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP acrsch2svc /Y4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NET STOP acronisagent /Y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exeNET STOP acronisagent /Y3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP acronisagent /Y4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c NET STOP arsm /Y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exe (depth 3): NET STOP arsm /Y
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exe (depth 4): C:\Windows\system32\net1 STOP arsm /Y
-
C:\Windows\SysWOW64\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c NET STOP FirebirdServerDefaultInstance /Y
-
C:\Windows\SysWOW64\net.exe (depth 3): NET STOP FirebirdServerDefaultInstance /Y
-
C:\Windows\SysWOW64\net1.exe (depth 4): C:\Windows\system32\net1 STOP FirebirdServerDefaultInstance /Y
-
C:\Windows\SysWOW64\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c NET STOP FirebirdGuardianDefaultInstance /Y
-
C:\Windows\SysWOW64\net.exe (depth 3): NET STOP FirebirdGuardianDefaultInstance /Y
-
C:\Windows\SysWOW64\net1.exe (depth 4): C:\Windows\system32\net1 STOP FirebirdGuardianDefaultInstance /Y
-
C:\Windows\SysWOW64\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c NET STOP MuzzleServer /Y
-
C:\Windows\SysWOW64\net.exe (depth 3): NET STOP MuzzleServer /Y
-
C:\Windows\SysWOW64\net1.exe (depth 4): C:\Windows\system32\net1 STOP MuzzleServer /Y
-
C:\Windows\SysWOW64\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c taskkill /im 1cv7s.exe /T /F
-
C:\Windows\SysWOW64\taskkill.exe (depth 3): taskkill /im 1cv7s.exe /T /F
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c taskkill /im 1cv8s.exe /T /F
-
C:\Windows\SysWOW64\taskkill.exe (depth 3): taskkill /im 1cv8s.exe /T /F
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c taskkill /im 1cv7.exe /T /F
-
C:\Windows\SysWOW64\taskkill.exe (depth 3): taskkill /im 1cv7.exe /T /F
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c taskkill /im 1cv8.exe /T /F
-
C:\Windows\SysWOW64\taskkill.exe (depth 3): taskkill /im 1cv8.exe /T /F
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c wmic shadowcopy delete
-
C:\Windows\SysWOW64\Wbem\WMIC.exe (depth 3): wmic shadowcopy delete
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c sc stop "Acronis VSS Provider" /y
-
C:\Windows\SysWOW64\sc.exe (depth 3): sc stop "Acronis VSS Provider" /y
-
C:\Windows\SysWOW64\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c sc stop "Enterprise Client Service" /y
-
C:\Windows\SysWOW64\sc.exe (depth 3): sc stop "Enterprise Client Service" /y
-
C:\Windows\SysWOW64\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c sc stop "Sophos Agent" /y
-
C:\Windows\SysWOW64\sc.exe (depth 3): sc stop "Sophos Agent" /y
-
C:\Windows\SysWOW64\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c sc stop "Sophos AutoUpdate Service" /y
-
C:\Windows\SysWOW64\sc.exe (depth 3): sc stop "Sophos AutoUpdate Service" /y
-
C:\Windows\SysWOW64\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c sc stop "Sophos Clean Service" /y
-
C:\Windows\SysWOW64\sc.exe (depth 3): sc stop "Sophos Clean Service" /y
-
C:\Windows\SysWOW64\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c sc stop "Sophos Device Control Service" /y
-
C:\Windows\SysWOW64\sc.exe (depth 3): sc stop "Sophos Device Control Service" /y
-
C:\Windows\SysWOW64\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c sc stop "Sophos File Scanner Service" /y
-
C:\Windows\SysWOW64\sc.exe (depth 3): sc stop "Sophos File Scanner Service" /y
-
C:\Windows\SysWOW64\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c sc stop "Sophos Health Service" /y
-
C:\Windows\SysWOW64\sc.exe (depth 3): sc stop "Sophos Health Service" /y
-
C:\Windows\SysWOW64\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c sc stop "Sophos MCS Agent" /y
-
C:\Windows\SysWOW64\sc.exe (depth 3): sc stop "Sophos MCS Agent" /y
-
C:\Windows\SysWOW64\cmd.exe (depth 2): C:\Windows\system32\cmd.exe /c sc stop "Sophos MCS Client" /y
-
C:\Windows\SysWOW64\sc.exe (depth 3): sc stop "Sophos MCS Client" /y
-
C:\Windows\system32\vssvc.exe (depth 1): C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exe (depth 1): C:\Windows\system32\WerFault.exe -u -p 1260 -s 2864
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Explorer.EXE (depth 2): "C:\Windows\Explorer.EXE"
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\NOTEPAD.EXE (depth 3): "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\HOW_TO_RETURN_FILES.txt
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\AUDIODG.EXE (depth 1): C:\Windows\system32\AUDIODG.EXE 0x590
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000014.db.cnhelp
MD5: efeb80db2000f0331a75d3951e2fdf2b
SHA1: 0d07de404c589bb2c5c25a962607d026051c175c
SHA256: b79d995a0e2aceb35b86e7ae825b051614fa2ffe6117d9167c5d951933f1db85
SHA512: d9ad4a58fe1369789b70392fe2d6cfebca3898dc40e13737729ca3bd45d73f1d78e177389c6092bf0a052bb03439e24f07cc0a734a11a52fbfdadba6c5236072
-
C:\ProgramData\Microsoft\Windows\Caches\{8BFFF793-2B14-4F95-B176-BEEF84057C2B}.2.ver0x0000000000000001.db.cnhelp
MD5: 6278d0e91d439d64e57939a44ad615e6
SHA1: abffd4e40bb0efcc909bde8032a1e3512693eefa
SHA256: cfd657d75513d037af170aea57c7e61ecf9d634866d792b6e8f14bf7f6c0310f
SHA512: 64d0fa523164751191db2b8fe4d18847f8db09421a52e32a08d9102186b67dab1027141790bcd76530bf1977002e8d7a2d33b6bf31308dbcd30a03a5ff1ee7cf
-
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db.cnhelp
MD5: 0a8944a2696bece40d4c663d1d1fa8e6
SHA1: 26aca3efe1d877daf856e757f2bf80084d34f77d
SHA256: b382412f494530dd5c535e3186ce5d78f106d5a8c532307dc3e2e5d086472e36
SHA512: 3cbd0a63422f27522b9643b5300a2b27f26f72c8a0e8aa31b9a68012b610c47d56c8e6e8c0e4631d37720b0f203d230dcfcae8be5bf09adeb87926d90ffa7f78
-
C:\Users\Admin\AppData\Local\Temp\WPDNSE\HOW_TO_RETURN_FILES.txt
MD5: daf47760204eef6db5c5440b98f1eb50
SHA1: 52756553b5101000263b641a3c307b270033ee86
SHA256: 077bebd3572738fd0807ca990db964823937190017fa0aab7d76cd5a39071964
SHA512: aeac7156938680320fce4fe71dc1c88f77da441765d60c588005b5ed4f9e31e9e8469d211d8e0c02704a8e813f1549a49a5eac0e45e73dca7e3865cfa543190c
-
C:\Users\Admin\Desktop\CloseStop.wmv.cnhelp
MD5: 8fe001e908a84476a10bcc8d39844120
SHA1: f5b9fa4a69b57130bbb7f478ce7d11aa8ca00950
SHA256: b51ab8d302e7164afb58b7dc42357c3ac48e6b0fa8409a471e44a827d479b3f8
SHA512: 945340f6b9b3046fa6cb185e6119df18b7c54de4cf1ba37241d071dbdd374ca1f98398ba101d8a5804620bae74e6d44097b402692066bf32251e35018412e398
-
C:\Users\Admin\Desktop\ConfirmDismount.pps.cnhelp
MD5: 114ebc947c95cc2778839df04cf4a984
SHA1: f15dbb10c1983d56b74fafba62410c76749d263d
SHA256: e1d739bca77d943fff28385c2f9001187c0be186b2dbd2030d39bdaa151febdb
SHA512: 11f7c50ac0e46e51f0b713466e49d0859ef77391c5a71a3c11c04ae4178dfa3b636ef9ac9f27b680afd00732c23a53aaf733730ce3a2c312f3463b0555b6c2e7
-
C:\Users\Admin\Desktop\ConvertToConvert.vssx.cnhelp
MD5: 33e413820c73bcd2a433b4c2415c2b11
SHA1: 972cc14b34a5bf03bb8f54cdac73627a544ab0a7
SHA256: 47057aa50969eeb7e50c62a6444e7811c4635db83c4631752e7e7564239311b2
SHA512: 6eb1764ddc58350f0935e9be8dbbdaf80b667b77998400654908fc7e71e1f823f0d240f995f00118f9063cc1103f5fac500b825d042f15c408be82defb592fd0
-
C:\Users\Admin\Desktop\ConvertUnblock.jtx.cnhelp
MD5: 1d084130147c0bbf4b2c6dd683a1211d
SHA1: fc783e3aa9397b83149c618cc5912b7d9b038434
SHA256: 585e09ee0cd206776d1b248b8fb189b901ec0449d4032c3e05b84e579e88ceb0
SHA512: fc1559cdd35a188c93a6b28199319b253c1c9c89685c81a4d6bc64963c419c80f9d1b6a69e1b1f18423ef2a70def9b45a44b566913559b3124e45f2a875f88c3
-
C:\Users\Admin\Desktop\DenyUse.i64.cnhelp
MD5: bfd7a7034bea70fe3669fedf25e25b01
SHA1: b7c6c6d6aa0a1d6da43726a6e72bea247848172c
SHA256: e385b7dea1448ba97222ee69f1c90b17f442cb0fe87629bf348350c62687779b
SHA512: 8c1ad791dd4b4983017d7646ded2e9c211b8c628d8cc76ecc5147c21e25d13056e48179b49a00f575bb3e419252f608ebb05d606d07f68113406ffd726d73f28
-
C:\Users\Admin\Desktop\ExportApprove.mp3.cnhelp
MD5: b6934b88d8120f82647a8cb79325c93a
SHA1: a1ba0c71884909284549248904eb69c4da8a5622
SHA256: 41092761295fef0740fee3d40dad0e3054e69a0446a7280955095c6d6fb4ecec
SHA512: 5bebbcc94c08dc9147c1a9062fdf2404114cce3652ebc7f11d0f1fd607c46c985ec9c6cbc3f279bc86ecacb53de12ac502c02d6963f03846b6b1e126f4e890b2
-
C:\Users\Admin\Desktop\FindPublish.au.cnhelp
MD5: a5634fdab17aa90d7774e5107881cd84
SHA1: cf7f50955352e76ba21fb1ff90cb3e8dfb4d82e7
SHA256: fe4266003f3d6768976bdb38dff8cc32a0d49c4a2e7f5a21d0c09fffa42c9b86
SHA512: cd44b7c0d1f4ce27cc25aba2b5f68ecaed573f7cab628489c74701ff3dc22a72e84116a1cbec17d2db9e3176865926355ea8a2202ed8b0d9aa10a2fff245d758
-
C:\Users\Admin\Desktop\HOW_TO_RETURN_FILES.txt
MD5: daf47760204eef6db5c5440b98f1eb50
SHA1: 52756553b5101000263b641a3c307b270033ee86
SHA256: 077bebd3572738fd0807ca990db964823937190017fa0aab7d76cd5a39071964
SHA512: aeac7156938680320fce4fe71dc1c88f77da441765d60c588005b5ed4f9e31e9e8469d211d8e0c02704a8e813f1549a49a5eac0e45e73dca7e3865cfa543190c
-
C:\Users\Admin\Desktop\ImportSearch.mov.cnhelp
MD5: cfbea1fbf7801784ba1fea4b1adc0a1c
SHA1: ef9f32871dac6a943beb16e735de5233b024aea9
SHA256: bd02f81388376fcaf5d6839e7df8f78bb4958300c43659f5bc88d19d1e785d46
SHA512: b21d23a32b600c0bda2b6db0fd2d12d97ad1adb303505c1bf29dae3ae7e671d09d2353ce22a1eb7c0072d0c525334dc4501d2276df0d9324af81b92d778590d4
-
C:\Users\Admin\Desktop\InstallEdit.wmv.cnhelp
MD5: 7a0357e6d7696de33305e2a53384091e
SHA1: 282f618ba21a0f809934aaa0564b578a4d020680
SHA256: 4486105f249e023c220a387b65d949772cfcf75e4d73841646ffa27f9401f7a4
SHA512: 6900ed199d1cc63b2ed0fa7b6970b1de28ef8064364b41e705ed2ba18ba7ec132f53dcc6e10c905c8ce3e47f6f674fcefbed918a2ea58dab73eb539d47c11442
-
C:\Users\Admin\Desktop\OpenFormat.temp.cnhelp
MD5: 3915c69d079b285b559f1d3c4cf819b1
SHA1: 7c329853d7fbc40a05134ad68acace28b13d9ed6
SHA256: b50d91514a78a4e5496f344d8927ce07824d40757a4ed98b0d2a1a2d697d87a8
SHA512: 24d59c43bca98a1f706f093324e2a1e5bf92f88574b273290def1daa7630e723e4d4a852bf1ad4afc259cf26a084504262387e4f63c12dc57f071a33fdb81290
-
C:\Users\Admin\Desktop\OptimizeReceive.shtml.cnhelp
MD5: dd99c2ede03995ea96956467a33bf6e6
SHA1: e4ace3d263e9f2896d448e9a871cae322357cdf5
SHA256: fdc134de2169ef7593679c04f880a969ce977ed090ef323a696b98742c5cc127
SHA512: c051a5f6c7434055c577dc85e52ffe47e3b0b4eaf87b0d92a048b00ee998b38ef15c897ba133896552e04fac8589b5f15d4f8529b8660c00356b0f682a3b0421
-
C:\Users\Admin\Desktop\PopRestore.inf.cnhelp
MD5: 58cbacceaf7f19107908de2edea7b8f8
SHA1: d49057a7fb55009aff4b13d2ee4ab2525b1768f7
SHA256: 75271619ed8b330c0ee51c20582f5ca9c15029bf0ec46512ffd4e272fc5fa2d5
SHA512: f5d1e07b49caaac3157bd2882438033bf3e29777ce66273d3fd7fb9814b0e13a350537c74be50e565fc6a1de4b200e261ef75fcac0619f0ea965712a61946d32
-
C:\Users\Admin\Desktop\PushRevoke.ppsm.cnhelp
MD5: f1e1355da3e8c3b7ad2530303b6e499e
SHA1: 6c3144e498c6bcab98597ad42c38538b4230ea46
SHA256: 7e00c7bde1c138a4864b6a1997a2c55c85e2c6b8dd29fe616873f476e7801911
SHA512: d389f306fb41bcc7527a99fba17908efb1c303ec4d107e4c98765718e09c1b47fc1ea72ee00a2b0304fc5eb3df941f1cd584a17601cb66073094ff521cd27aea
-
C:\Users\Admin\Desktop\ReceiveRequest.vb.cnhelp
MD5: c16f399079678289667010a4a27feb01
SHA1: fdbc9ef22030758cea5cee5cf0b792663b68522c
SHA256: 2ce8a5e9dd95eb2f7918285bd5aafb5f4555a40f7da958395c3912e6e3feee93
SHA512: 5c3c875796daa00c71398c83be769136479302c3d529376f4be4ef44b34fccd2321296d41016859e4430da67ad90f1414003c4448803e30f62c95ea4863d24ea
-
C:\Users\Admin\Desktop\RepairDisconnect.nfo.cnhelp
MD5: a0cb5c0295e608e51ce6df159b6224f3
SHA1: 65919b21d668ba6103e3bbd59bb3fbee778885ff
SHA256: 61f1e334bd228c3cd7148ab516fe3c8a336b583082a6c39de8b49154eb4588ee
SHA512: 4ddaa87d9465004dc13953d3d5e6c84d3746de433696a3e545a654b62cfede7b30e96356774f294182b4ae466b3b139850d6f33d978df8d3294b15e4457caaa9
-
C:\Users\Admin\Desktop\RequestRemove.jtx.cnhelp
MD5: 2f7bee8a9dce139fe9e7070d0ce1d2f7
SHA1: 835fa2eeff1de089123bbd8ff75cb4ca37c0b7ec
SHA256: c8b2a07e85f01ca5aea213ca7929a3eb288616de839d081d17fdcde038391ed6
SHA512: 5e0445772c45f0b583c4918f5a78544c394b58fd84991b80f6a81633973154e01177be98e36d883d8e00dbe291d538729d54ff277ff53cff3f7dd044971b2194
-
C:\Users\Admin\Desktop\ResizeRevoke.mp4.cnhelp
MD5: 6d0bebe7a7b39f0ed696ee75a94ed4b8
SHA1: 7c6cbc981244b3c09b3276e860253aae4b937fd3
SHA256: 553f8d5f5e84647bae1b6466f465e21677760b039317c432b90432d05621d264
SHA512: 07fa4c63b52e4631f425fac5640615a9d0c1ba3481f027d7ee86965bac4b56544bf81f23b4f97e6be9f6a187ecefa4100736bf9c75f962ee726ef09dc6becdca
-
C:\Users\Admin\Desktop\ResolveSend.scf.cnhelp
MD5: 2b74df7bda8bcb158015dccb66f379c3
SHA1: 3a6a4b9db2b430b1aa0796dfa085cc83a2073dc3
SHA256: 79f772e0b426c520dcafdfb64f2868d917e6d9291d64ce46d88eeb35d2317040
SHA512: 04a56d314f77afb62745a65d8d02e6908b13e34174229cddb497480f3fea3dfc3f669b855eb9235da312311d036e3988653ee10c5fa63b1f2fed2abcf33e653b
-
C:\Users\Admin\Desktop\ShowSelect.nfo.cnhelp
MD5: c059c8b21463736a51d60ec2704bed02
SHA1: 35062a8fb4bf0a227520d7b1102128c0def15f5f
SHA256: a22f9c833c154c8c5c48e8ec0a89216e595e08b87ed28651d2afe64a1255d308
SHA512: 15ad4ada7894d71e26efe28ddc6f3d08933d4144f088de6964491b7ada4010ca4bbcb9836455021065b6cb66d201baa8e0dd9fe9a72c25cfdbe6c246938e37f0
-
C:\Users\Admin\Desktop\SplitConnect.mhtml.cnhelp
MD5: ec92f2a3a8b1aa5f0f0ae29f922134aa
SHA1: bdea2263771036068e08f2db758185db31ddfa9e
SHA256: f96c5477ee5c709c6d873a93864962a4527634759285914eb5ee5fc9496ed759
SHA512: 3a737b2b2ed3be0981d5d1127a8d3db0583e2dc9522e077aadd67691f6f594aee056db95bb26d16bfa9428a62a101e0b17e44e1a1b8be44fa5b77694cc743fde
-
C:\Users\Admin\Desktop\SplitDeny.tif.cnhelp
MD5: cf6f9383b1ef6bf8364648b8078faefb
SHA1: b6682175eae27b709079f3fba6d34d2bcabbd7b3
SHA256: 3a3f7e4a9b392f73ef8a925817fffdf8913611abaa5a4263d71ac316c4a1a975
SHA512: 0fc7f4fbf3a5df6f5b378ad9d5a817210ef9835d0eb033959c5dd860ff3c0899c03e8f8d4485d9eccc72e56e35cd9b46be83ae06ba969806c47a03e1785b2037
-
C:\Users\Admin\Desktop\StartRevoke.potx.cnhelp
MD5: ffa59a8c16b30b0ce14f94d790a999a5
SHA1: 12c2c6dbbe0f25deccf02bcef0a6f6035651a01b
SHA256: 194584d03c92fd7e1e1e5f3366373a30b398295192fe52dfb08c5afd1c7bd3ef
SHA512: 49ba41519c7fe1b09b5771993d6fff1f3e563fcbbe97a358616e5d3e165ccac4cede29888d4494d6783335247037121de3c5ce2dda1bb6af7213effc5f8d90f9
-
C:\Users\Admin\Desktop\StartWatch.sys.cnhelp
MD5: a8414bd8078192be0c120f25629a8e2f
SHA1: 3728db8048069188d329a4a8c939595066733592
SHA256: cfdb7710a702769b0a57a93d17cc69df94842f0937aaac9dd2b025434e7ec802
SHA512: a171f97ea9545b4430b5f097164b9b1e0a88a32798a840f879e3e7df2fa0c18e3ab2ba91191dda90a5ebe754b27d905cf61588d3642ab1f2d3051f094bd25d80
-
C:\Users\Admin\Desktop\StopReset.wma.cnhelp
MD5: 9f5412f00765d0beb6b015b19c6a0e7a
SHA1: e8349d5bcd57ac3cf4335686a2e1f5c730369830
SHA256: 23c9f19d3aa494c2c6ef90557b7b1df5dd109a866652c60abd2cbd8cc60bc987
SHA512: 04ce721646ea7b43bebb34b740a792bcb2e5eb73f522676027c59396a810aa2ad300bd1574509a297e05d1996b04815e25d53ce094893218d56cd3cc164efd32
-
C:\Users\Admin\Desktop\SuspendCompare.ocx.cnhelp
MD5: e9cb7bfc511510cacb8f696b991be04d
SHA1: e2bc1e53628e8ebf924fae9e0abac69c5c3663ec
SHA256: 92cc8b822615fc5c4375131e172440a38854d11abacaa329f482ce43b43777e3
SHA512: 55d7f64834b7110568801da5e14913b8a2d485f1f5c3692fbdb3704217be650325f2510d4fb6608d555f0b4bdcf399c78a20136f3989c73e657fead4498f2e31
-
C:\Users\Admin\Desktop\SyncRemove.TS.cnhelp
MD5: 6c62fb45f5d25f83b7670ced730773cb
SHA1: 5fe4ac95220cec960a77bf74ae9cea67b40b709e
SHA256: 239c4c391e0dc9a4773004f45dab6f664c348c2cbb38a941e3d2a9fb15ed0f1e
SHA512: ade572de61574afc77d28cb34c45efce4d23ed7905ed49d14678e50c826a288b79d6b7194598b9886a9f42ae0c49124886d34badae04133718df8af3a9cf3b2f
-
C:\Users\Admin\Desktop\UninstallExpand.jtx.cnhelp
MD5: d5e340d528a2bba8880b4914c6d7383f
SHA1: 5c1270dbd9fe9cf02219f437b4d94d55b85e6014
SHA256: 95c52fb94acb6c444ddb01d51558d60580c53f8b72230fcd17c0e179f896849d
SHA512: 5e9d5b101d34ba2afb0c98fda421eb9187fba798b84646a1ae4cacbe820ab5c9b89025a326d791cc996ad04f2b4ec63c92c5529e07521444bbbb4b7932c97eca
-
C:\Users\Admin\Desktop\UnlockUndo.mpa.cnhelp
MD5: 4c1e97c963cf36dbec416fb376f55d0d
SHA1: b45edcba7b2d169c13189c665cda700ca28eb7f1
SHA256: 263be491dffabe6bf3704033ea5df804cb5a4842f9219bc6f6636fbff7ca9f89
SHA512: f618c8d50820379807518c8fe10462e63be9b73ba799ee91db6b5c5b7dec419f1ac22b7a13a649f371fb9ec7179b7cf859527b5c541bc4577a464ae09d9c61c0
-
C:\Users\Admin\Desktop\UseGroup.inf.cnhelp
MD5: 2c1b1c28a6e6a78b7b8dc29df8170694
SHA1: 51cc7bb80f79b58ee17eff0547bf6ba03af952fd
SHA256: 65a2e18817962dc4e27ef7a38c67c2bbc6a85bbee693a9478221e5ec9c7bdb69
SHA512: 691e4b66b17633826246ec9a360ffd39ead5f2847d4fe3f7815c9720bf1d1c2464c1bfcdbabb60dec51567e01d39686aa386d0bbbf45d66ce8abffb3ff560e4f
-
C:\Users\Public\Desktop\HOW_TO_RETURN_FILES.txt
MD5: daf47760204eef6db5c5440b98f1eb50
SHA1: 52756553b5101000263b641a3c307b270033ee86
SHA256: 077bebd3572738fd0807ca990db964823937190017fa0aab7d76cd5a39071964
SHA512: aeac7156938680320fce4fe71dc1c88f77da441765d60c588005b5ed4f9e31e9e8469d211d8e0c02704a8e813f1549a49a5eac0e45e73dca7e3865cfa543190c
-
memory/240-32-0x0000000000000000-mapping.dmp
-
memory/304-34-0x0000000000000000-mapping.dmp
-
memory/304-50-0x0000000000000000-mapping.dmp
-
memory/308-22-0x0000000000000000-mapping.dmp
-
memory/332-11-0x0000000000000000-mapping.dmp
-
memory/364-10-0x0000000000000000-mapping.dmp
-
memory/432-55-0x0000000000000000-mapping.dmp
-
memory/524-49-0x0000000000000000-mapping.dmp
-
memory/576-43-0x0000000000000000-mapping.dmp
-
memory/580-20-0x0000000000000000-mapping.dmp
-
memory/592-12-0x0000000000000000-mapping.dmp
-
memory/636-31-0x0000000000000000-mapping.dmp
-
memory/816-17-0x0000000000000000-mapping.dmp
-
memory/820-14-0x0000000000000000-mapping.dmp
-
memory/896-52-0x0000000000000000-mapping.dmp
-
memory/1036-24-0x0000000000000000-mapping.dmp
-
memory/1040-16-0x0000000000000000-mapping.dmp
-
memory/1040-33-0x0000000000000000-mapping.dmp
-
memory/1080-40-0x0000000000000000-mapping.dmp
-
memory/1084-47-0x0000000000000000-mapping.dmp
-
memory/1116-3-0x0000000000000000-mapping.dmp
-
memory/1120-25-0x0000000000000000-mapping.dmp
-
memory/1132-19-0x0000000000000000-mapping.dmp
-
memory/1220-9-0x0000000000000000-mapping.dmp
-
memory/1236-30-0x0000000000000000-mapping.dmp
-
memory/1372-21-0x0000000000000000-mapping.dmp
-
memory/1396-59-0x0000000000000000-mapping.dmp
-
memory/1396-95-0x00000000040A0000-0x00000000040A1000-memory.dmp (filesize 4KB)
-
memory/1396-60-0x000007FEFB431000-0x000007FEFB433000-memory.dmp (filesize 8KB)
-
memory/1428-2-0x0000000000000000-mapping.dmp
-
memory/1444-45-0x0000000000000000-mapping.dmp
-
memory/1444-15-0x0000000000000000-mapping.dmp
-
memory/1500-35-0x0000000000000000-mapping.dmp
-
memory/1500-18-0x0000000000000000-mapping.dmp
-
memory/1588-39-0x0000000000000000-mapping.dmp
-
memory/1608-13-0x0000000000000000-mapping.dmp
-
memory/1620-26-0x0000000000000000-mapping.dmp
-
memory/1620-54-0x0000000000000000-mapping.dmp
-
memory/1636-46-0x0000000000000000-mapping.dmp
-
memory/1664-37-0x0000000000000000-mapping.dmp
-
memory/1748-56-0x000007FEFBB21000-0x000007FEFBB23000-memory.dmp (filesize 8KB)
-
memory/1748-57-0x0000000001DA0000-0x0000000001DB1000-memory.dmp (filesize 68KB)
-
memory/1748-58-0x0000000002380000-0x0000000002381000-memory.dmp (filesize 4KB)
-
memory/1760-48-0x0000000000000000-mapping.dmp
-
memory/1808-98-0x000007FEF74A0000-0x000007FEF771A000-memory.dmp (filesize 2.5MB)
-
memory/1836-27-0x0000000000000000-mapping.dmp
-
memory/1860-38-0x0000000000000000-mapping.dmp
-
memory/1912-7-0x0000000000000000-mapping.dmp
-
memory/1924-96-0x0000000000000000-mapping.dmp
-
memory/1928-53-0x0000000000000000-mapping.dmp
-
memory/1932-42-0x0000000000000000-mapping.dmp
-
memory/1932-6-0x0000000000000000-mapping.dmp
-
memory/1940-29-0x0000000000000000-mapping.dmp
-
memory/1968-4-0x0000000000000000-mapping.dmp
-
memory/1968-51-0x0000000000000000-mapping.dmp
-
memory/1972-36-0x0000000000000000-mapping.dmp
-
memory/2004-5-0x0000000000000000-mapping.dmp
-
memory/2004-41-0x0000000000000000-mapping.dmp
-
memory/2012-28-0x0000000000000000-mapping.dmp
-
memory/2028-23-0x0000000000000000-mapping.dmp
-
memory/2040-8-0x0000000000000000-mapping.dmp
-
memory/2040-44-0x0000000000000000-mapping.dmp