Resubmissions
- 05-10-2022 11:39  221005-nsrtyaedfm  9
- 05-10-2022 08:12  221005-j3wtesdfg7  9
- 05-10-2022 06:56  221005-hqhwcsdeg8  9
Analysis
max time kernel: 155s
max time network: 151s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 05-10-2022 06:56
Static task: static1
Behavioral task: behavioral1 (Sample: 830004.exe, Resource: win7-20220812-en)
Behavioral task: behavioral2 (Sample: 830004.exe, Resource: win10v2004-20220901-en)
General
Target: 830004.exe
Size: 691KB
MD5: 58aea2aac89947773dfae8e3859e20b0
SHA1: be17c41c65703f9475e36dff55fd3de220e395f3
SHA256: 39b74b2fb057e8c78a2ba6639cf3d58ae91685e6ac13b57b70d2afb158cf742d
SHA512: f3d43c0759b05b949498cc63084b54b869c228a427f1590a1010007b4bdbebf760145a29e5f1a7c5585133ed76a3c1a5d7bf2ace46858ac9a48ff5c05eafa6eb
SSDEEP: 12288:i0iads6yn93ySQDWYgeWYg955/155/m6q5iKn3zMCO342FoqdXS:dicFyn93ySQJ5f34Jo2Fi
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (18 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: 830004.exe
  - File renamed: C:\Users\Admin\Pictures\RestoreClear.raw => C:\Users\Admin\Pictures\RestoreClear.raw.crypt (830004.exe)
  - File renamed: C:\Users\Admin\Pictures\UnregisterConnect.png => C:\Users\Admin\Pictures\UnregisterConnect.png.crypt (830004.exe)
  - File opened for modification: C:\Users\Admin\Pictures\ConvertFromDisconnect.png.crypt (830004.exe)
  - File opened for modification: C:\Users\Admin\Pictures\NewBackup.tif.crypt (830004.exe)
  - File renamed: C:\Users\Admin\Pictures\NewSuspend.tiff => C:\Users\Admin\Pictures\NewSuspend.tiff.crypt (830004.exe)
  - File renamed: C:\Users\Admin\Pictures\AssertConvert.png => C:\Users\Admin\Pictures\AssertConvert.png.crypt (830004.exe)
  - File opened for modification: C:\Users\Admin\Pictures\UnregisterConnect.png.crypt (830004.exe)
  - File opened for modification: C:\Users\Admin\Pictures\RestoreClear.raw.crypt (830004.exe)
  - File renamed: C:\Users\Admin\Pictures\TestWait.crw => C:\Users\Admin\Pictures\TestWait.crw.crypt (830004.exe)
  - File renamed: C:\Users\Admin\Pictures\ConvertFromDisconnect.png => C:\Users\Admin\Pictures\ConvertFromDisconnect.png.crypt (830004.exe)
  - File renamed: C:\Users\Admin\Pictures\NewBackup.tif => C:\Users\Admin\Pictures\NewBackup.tif.crypt (830004.exe)
  - File opened for modification: C:\Users\Admin\Pictures\NewSuspend.tiff.crypt (830004.exe)
  - File renamed: C:\Users\Admin\Pictures\RestoreFind.crw => C:\Users\Admin\Pictures\RestoreFind.crw.crypt (830004.exe)
  - File opened for modification: C:\Users\Admin\Pictures\RestoreFind.crw.crypt (830004.exe)
  - File opened for modification: C:\Users\Admin\Pictures\AssertConvert.png.crypt (830004.exe)
  - File renamed: C:\Users\Admin\Pictures\ConfirmCompress.tiff => C:\Users\Admin\Pictures\ConfirmCompress.tiff.crypt (830004.exe)
  - File opened for modification: C:\Users\Admin\Pictures\ConfirmCompress.tiff.crypt (830004.exe)
  - File opened for modification: C:\Users\Admin\Pictures\TestWait.crw.crypt (830004.exe)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: reg.exe
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\830004.exe" (reg.exe)
  - Key created: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (reg.exe)
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: 830004.exe
  File opened (read-only) by 830004.exe, in the order recorded: \??\L:, \??\M:, \??\R:, \??\W:, \??\Y:, \??\A:, \??\G:, \??\K:, \??\Z:, \??\U:, \??\V:, \??\X:, \??\I:, \??\N:, \??\T:, \??\O:, \??\P:, \??\S:, \??\B:, \??\E:, \??\H:, \??\F:, \??\J:, \??\Q:
- Drops file in Program Files directory (64 IoCs)
  Processes: 830004.exe
  Every row is "File opened for modification" by 830004.exe; the 64 paths recorded are:
  - C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02296_.WMF.crypt
  - C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\RECL.ICO.crypt
  - C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\FrameworkList.xml.crypt
  - C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceSimplifiedShuangPin.txt.crypt
  - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-ui.xml.crypt
  - C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\calendar.html.crypt
  - C:\Program Files (x86)\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui.crypt
  - C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287641.JPG.crypt
  - C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_FormsHomePageBlank.gif.crypt
  - C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Slate.css.crypt
  - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-progress-ui.xml.crypt
  - C:\Program Files\Java\jre7\lib\zi\Etc\GMT.crypt
  - C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\picturePuzzle.js.crypt
  - C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\ROGERS.COM.XML.crypt
  - C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ORIG98.POC.crypt
  - C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\external_extensions.json.crypt
  - C:\Program Files\Java\jre7\lib\jfr.jar.crypt
  - C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105246.WMF.crypt
  - C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\Person.gif.crypt
  - C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\INCOMING.ICO.crypt
  - C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendToOneNote-PipelineConfig.xml.crypt
  - C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\2 Top.accdt.crypt
  - C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\settings.js.crypt
  - C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\rtscom.dll.mui.crypt
  - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-javahelp_zh_CN.jar.crypt
  - C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\RSSFeeds.css.crypt
  - C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00194_.WMF.crypt
  - C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Composite.eftx.crypt
  - C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Country.gif.crypt
  - C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Americana.css.crypt
  - C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\GREET11.POC.crypt
  - C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipTsf.dll.mui.crypt
  - C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Rome.crypt
  - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\smtp.jar.crypt
  - C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD06200_.WMF.crypt
  - C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Black Tie.xml.crypt
  - C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system.png.crypt
  - C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\SAVE.GIF.crypt
  - C:\Program Files (x86)\Microsoft Office\Office14\SCANPST.EXE.crypt
  - C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\25.png.crypt
  - C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\FBIBLIO.DLL.crypt
  - C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386485.JPG.crypt
  - C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageMask.bmp.crypt
  - C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-dock.png.crypt
  - C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\cacerts.crypt
  - C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-jvmstat.jar.crypt
  - C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\weather.js.crypt
  - C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00135_.WMF.crypt
  - C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00564_.WMF.crypt
  - C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187647.WMF.crypt
  - C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\icon.png.crypt
  - C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03236_.WMF.crypt
  - C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue\background.gif.crypt
  - C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\St_Johns.crypt
  - C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\service.js.crypt
  - C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\QUAD\PREVIEW.GIF.crypt
  - C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB00780L.GIF.crypt
  - C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14794_.GIF.crypt
  - C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\localizedStrings.js.crypt
  - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE.crypt
  - C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-previous-static.png.crypt
  - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF.crypt
  - C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.filesystem_1.4.100.v20140514-1614.jar.crypt
  - C:\Program Files\VideoLAN\VLC\skins\winamp2.xml.crypt
- Delays execution with timeout.exe (61 IoCs)
  Processes: timeout.exe (61 instances)
  PIDs, in the order recorded: 1924, 892, 820, 1328, 1664, 828, 580, 1752, 2040, 1568, 1776, 1600, 1732, 1248, 1396, 1344, 1108, 1924, 1320, 1152, 872, 1612, 1328, 1844, 1112, 1612, 1420, 156, 1380, 820, 1320, 1176, 1904, 1460, 1540, 1180, 1008, 1748, 576, 540, 1720, 1532, 752, 1700, 692, 972, 1348, 2016, 1172, 1732, 1908, 1488, 1472, 1988, 1000, 1704, 752, 308, 552, 2028, 328
- Enumerates processes with tasklist (1 TTPs, 61 IoCs)
  Processes: tasklist.exe (61 instances)
  PIDs, in the order recorded: 1504, 1504, 1372, 1728, 1212, 1744, 1612, 1628, 1540, 2032, 1484, 1336, 1332, 960, 108, 1328, 2032, 1704, 1236, 1396, 1096, 1636, 1652, 364, 1488, 1064, 1932, 2016, 1232, 1232, 1704, 1176, 1124, 892, 960, 560, 1668, 1124, 1344, 1372, 1476, 800, 1588, 1756, 800, 900, 1552, 1324, 1924, 1776, 1668, 1892, 1396, 1644, 1316, 896, 2028, 744, 1540, 1676, 2040
- Interacts with shadow copies (2 TTPs, 1 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
  PID 1624 vssadmin.exe
- Kills process with taskkill (10 IoCs)
  Processes: taskkill.exe (10 instances)
  PIDs, in the order recorded: 1320, 1928, 756, 680, 828, 1936, 1532, 1180, 1772, 204
  Processes: explorer.exe
  - Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar (explorer.exe)
  - Set value (int): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" (explorer.exe)
- Modifies registry class (18 IoCs)
  Processes: explorer.exe
  - Set value (data): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff (explorer.exe)
  - Set value (int): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" (explorer.exe)
  - Set value (data): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff (explorer.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags (explorer.exe)
  - Set value (data): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff (explorer.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 (explorer.exe)
  - Set value (data): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots (explorer.exe)
  - Set value (data): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 200000001a00eebbfe2300001000d09ad3fd8f23af46adb46c85480369c700000000 (explorer.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell (explorer.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU (explorer.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" (explorer.exe)
  - Set value (data): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff (explorer.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell (explorer.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 (explorer.exe)
  - Set value (data): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 (explorer.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 (explorer.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_Classes\Local Settings (explorer.exe)
  - Set value (data): \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 (explorer.exe)
- Modifies registry key (1 TTPs, 1 IoCs)
- Runs net.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: 830004.exe, tasklist.exe
  - 830004.exe (PID 1076), tokens in the order recorded: SeDebugPrivilege, SeBackupPrivilege, SeRestorePrivilege, 35, SeSecurityPrivilege, SeManageVolumePrivilege, 32, SeTcbPrivilege, SeSystemProfilePrivilege, SeTakeOwnershipPrivilege
  - tasklist.exe, token SeDebugPrivilege, one row per PID in the order recorded: 1396, 1644, 1668, 1232, 744, 1124, 2032, 1504, 1704, 364, 1744, 1316, 800, 1612, 1484, 1628, 1504, 1488, 900, 1932, 1728, 1176, 1540, 1328, 1124, 2032, 1552, 1324, 892, 1652, 896, 1212, 1924, 2028, 1344, 1336, 2016, 1372, 1704, 1476, 960, 1776, 1676, 800, 1064, 1332, 2040, 1892, 1372, 1236, 1396, 560, 1588, 1096
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: 830004.exe, cmd.exe, cmd.exe, cmd.exe, net.exe
  Each row reads "PID <source> wrote to memory of <target>", followed by the source and target process names; the report records each write three times, so the 64 rows are:
  - PID 1076 wrote to memory of 1420: 830004.exe -> cmd.exe (3 rows)
  - PID 1076 wrote to memory of 1556: 830004.exe -> cmd.exe (3 rows)
  - PID 1076 wrote to memory of 1752: 830004.exe -> cmd.exe (3 rows)
  - PID 1556 wrote to memory of 1396: cmd.exe -> tasklist.exe (3 rows)
  - PID 1420 wrote to memory of 1596: cmd.exe -> reg.exe (3 rows)
  - PID 1556 wrote to memory of 960: cmd.exe -> findstr.exe (3 rows)
  - PID 1752 wrote to memory of 1432: cmd.exe -> net.exe (3 rows)
  - PID 1432 wrote to memory of 892: net.exe -> net1.exe (3 rows)
  - PID 1556 wrote to memory of 1320: cmd.exe -> timeout.exe (3 rows)
  - PID 1556 wrote to memory of 1644: cmd.exe -> tasklist.exe (3 rows)
  - PID 1556 wrote to memory of 1568: cmd.exe -> findstr.exe (3 rows)
  - PID 1556 wrote to memory of 1348: cmd.exe -> timeout.exe (3 rows)
  - PID 1556 wrote to memory of 1668: cmd.exe -> tasklist.exe (3 rows)
  - PID 1556 wrote to memory of 1748: cmd.exe -> findstr.exe (3 rows)
  - PID 1556 wrote to memory of 1924: cmd.exe -> timeout.exe (3 rows)
  - PID 1556 wrote to memory of 1232: cmd.exe -> tasklist.exe (3 rows)
  - PID 1556 wrote to memory of 1720: cmd.exe -> findstr.exe (3 rows)
  - PID 1556 wrote to memory of 1176: cmd.exe -> timeout.exe (3 rows)
  - PID 1556 wrote to memory of 744: cmd.exe -> tasklist.exe (3 rows)
  - PID 1556 wrote to memory of 108: cmd.exe -> findstr.exe (3 rows)
  - PID 1556 wrote to memory of 1000: cmd.exe -> timeout.exe (3 rows)
  - PID 1556 wrote to memory of 1124: cmd.exe -> tasklist.exe (1 row; the table ends here at its 64-row cap)
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\830004.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\830004.exe"
  - Modifies extensions of user files
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Windows\system32\cmd.exe
    Command line: cmd /c C:\ProgramData\Microsoft\Settings\4g8D6x6k9.bat
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\system32\tasklist.exe
      Command line: TASKLIST
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    Level 3: C:\Windows\system32\findstr.exe
      Command line: FINDSTR /B /L /I /C:830004.exe
    Level 3: C:\Windows\system32\timeout.exe
      Command line: TIMEOUT /T 1 /NOBREAK
      - Delays execution with timeout.exe
    Level 3: C:\Windows\system32\tasklist.exe
      Command line: TASKLIST
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    Level 3: C:\Windows\system32\findstr.exe
      Command line: FINDSTR /B /L /I /C:830004.exe
    Level 3: C:\Windows\system32\timeout.exe
      Command line: TIMEOUT /T 1 /NOBREAK
      - Delays execution with timeout.exe
    Level 3: C:\Windows\system32\tasklist.exe
      Command line: TASKLIST
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    Level 3: C:\Windows\system32\findstr.exe
      Command line: FINDSTR /B /L /I /C:830004.exe
    Level 3: C:\Windows\system32\timeout.exe
      Command line: TIMEOUT /T 1 /NOBREAK
      - Delays execution with timeout.exe
    Level 3: C:\Windows\system32\tasklist.exe
      Command line: TASKLIST
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    Level 3: C:\Windows\system32\findstr.exe
      Command line: FINDSTR /B /L /I /C:830004.exe
    Level 3: C:\Windows\system32\timeout.exe
      Command line: TIMEOUT /T 1 /NOBREAK
      - Delays execution with timeout.exe
    Level 3: C:\Windows\system32\tasklist.exe
      Command line: TASKLIST
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    Level 3: C:\Windows\system32\findstr.exe
      Command line: FINDSTR /B /L /I /C:830004.exe
    Level 3: C:\Windows\system32\timeout.exe
      Command line: TIMEOUT /T 1 /NOBREAK
      - Delays execution with timeout.exe
    Level 3: C:\Windows\system32\tasklist.exe
      Command line: TASKLIST
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    Level 3: C:\Windows\system32\findstr.exe
      Command line: FINDSTR /B /L /I /C:830004.exe
    Level 3: C:\Windows\system32\timeout.exe
      Command line: TIMEOUT /T 1 /NOBREAK
      - Delays execution with timeout.exe
    Level 3: C:\Windows\system32\tasklist.exe
      Command line: TASKLIST
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    Level 3: C:\Windows\system32\findstr.exe
      Command line: FINDSTR /B /L /I /C:830004.exe
    Level 3: C:\Windows\system32\timeout.exe
      Command line: TIMEOUT /T 1 /NOBREAK
      - Delays execution with timeout.exe
    Level 3: C:\Windows\system32\tasklist.exe
      Command line: TASKLIST
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    Level 3: C:\Windows\system32\findstr.exe
      Command line: FINDSTR /B /L /I /C:830004.exe
    Level 3: C:\Windows\system32\timeout.exe
      Command line: TIMEOUT /T 1 /NOBREAK
      - Delays execution with timeout.exe
    Level 3: C:\Windows\system32\tasklist.exe
      Command line: TASKLIST
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    Level 3: C:\Windows\system32\findstr.exe
      Command line: FINDSTR /B /L /I /C:830004.exe
    Level 3: C:\Windows\system32\timeout.exe
      Command line: TIMEOUT /T 1 /NOBREAK
      - Delays execution with timeout.exe
    Level 3: C:\Windows\system32\tasklist.exe
      Command line: TASKLIST
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    Level 3: C:\Windows\system32\findstr.exe
      Command line: FINDSTR /B /L /I /C:830004.exe
    Level 3: C:\Windows\system32\timeout.exe
      Command line: TIMEOUT /T 1 /NOBREAK
      - Delays execution with timeout.exe
    Level 3: C:\Windows\system32\tasklist.exe
      Command line: TASKLIST
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    Level 3: C:\Windows\system32\findstr.exe
      Command line: FINDSTR /B /L /I /C:830004.exe
    Level 3: C:\Windows\system32\timeout.exe
      Command line: TIMEOUT /T 1 /NOBREAK
      - Delays execution with timeout.exe
    Level 3: C:\Windows\system32\tasklist.exe
      Command line: TASKLIST
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    Level 3: C:\Windows\system32\findstr.exe
      Command line: FINDSTR /B /L /I /C:830004.exe
    Level 3: C:\Windows\system32\timeout.exe
      Command line: TIMEOUT /T 1 /NOBREAK
      - Delays execution with timeout.exe
    Level 3: C:\Windows\system32\tasklist.exe
      Command line: TASKLIST
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    Level 3: C:\Windows\system32\findstr.exe
      Command line: FINDSTR /B /L /I /C:830004.exe
    Level 3: C:\Windows\system32\timeout.exe
      Command line: TIMEOUT /T 1 /NOBREAK
      - Delays execution with timeout.exe
    Level 3: C:\Windows\system32\tasklist.exe
      Command line: TASKLIST
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    Level 3: C:\Windows\system32\findstr.exe
      Command line: FINDSTR /B /L /I /C:830004.exe
    Level 3: C:\Windows\system32\timeout.exe
      Command line: TIMEOUT /T 1 /NOBREAK
      - Delays execution with timeout.exe
    Level 3: C:\Windows\system32\tasklist.exe
      Command line: TASKLIST
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    Level 3: C:\Windows\system32\findstr.exe
      Command line: FINDSTR /B /L /I /C:830004.exe
    Level 3: C:\Windows\system32\timeout.exe
      Command line: TIMEOUT /T 1 /NOBREAK
      - Delays execution with timeout.exe
    Level 3: C:\Windows\system32\tasklist.exe
      Command line: TASKLIST
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    Level 3: C:\Windows\system32\findstr.exe
      Command line: FINDSTR /B /L /I /C:830004.exe
    Level 3: C:\Windows\system32\timeout.exe
      Command line: TIMEOUT /T 1 /NOBREAK
      - Delays execution with timeout.exe
    Level 3: C:\Windows\system32\tasklist.exe
      Command line: TASKLIST
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    Level 3: C:\Windows\system32\findstr.exe
      Command line: FINDSTR /B /L /I /C:830004.exe
    Level 3: C:\Windows\system32\timeout.exe
      Command line: TIMEOUT /T 1 /NOBREAK
      - Delays execution with timeout.exe
    Level 3: C:\Windows\system32\tasklist.exe
      Command line: TASKLIST
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    Level 3: C:\Windows\system32\findstr.exe
      Command line: FINDSTR /B /L /I /C:830004.exe
    Level 3: C:\Windows\system32\timeout.exe
      Command line: TIMEOUT /T 1 /NOBREAK
      - Delays execution with timeout.exe
    Level 3: C:\Windows\system32\tasklist.exe
      Command line: TASKLIST
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    Level 3: C:\Windows\system32\findstr.exe
      Command line: FINDSTR /B /L /I /C:830004.exe
    Level 3: C:\Windows\system32\timeout.exe
      Command line: TIMEOUT /T 1 /NOBREAK
      - Delays execution with timeout.exe
    Level 3: C:\Windows\system32\tasklist.exe
      Command line: TASKLIST
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    Level 3: C:\Windows\system32\findstr.exe
      Command line: FINDSTR /B /L /I /C:830004.exe
    Level 3: C:\Windows\system32\timeout.exe
      Command line: TIMEOUT /T 1 /NOBREAK
      - Delays execution with timeout.exe
    Level 3: C:\Windows\system32\tasklist.exe
      Command line: TASKLIST
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\findstr.exe | FINDSTR /B /L /I /C:830004.exe | depth 3
-
C:\Windows\system32\tasklist.exe | TASKLIST | depth 3
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\timeout.exe | TIMEOUT /T 1 /NOBREAK | depth 3
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exe | TASKLIST | depth 3
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exe | FINDSTR /B /L /I /C:830004.exe | depth 3
-
C:\Windows\system32\timeout.exe | TIMEOUT /T 1 /NOBREAK | depth 3
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exe | TASKLIST | depth 3
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exe | FINDSTR /B /L /I /C:830004.exe | depth 3
-
C:\Windows\system32\timeout.exe | TIMEOUT /T 1 /NOBREAK | depth 3
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exe | TASKLIST | depth 3
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exe | FINDSTR /B /L /I /C:830004.exe | depth 3
-
C:\Windows\system32\timeout.exe | TIMEOUT /T 1 /NOBREAK | depth 3
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exe | TASKLIST | depth 3
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exe | FINDSTR /B /L /I /C:830004.exe | depth 3
-
C:\Windows\system32\timeout.exe | TIMEOUT /T 1 /NOBREAK | depth 3
- Delays execution with timeout.exe
-
C:\Windows\system32\findstr.exe | FINDSTR /B /L /I /C:830004.exe | depth 3
-
C:\Windows\system32\tasklist.exe | TASKLIST | depth 3
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\timeout.exe | TIMEOUT /T 1 /NOBREAK | depth 3
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exe | TASKLIST | depth 3
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exe | FINDSTR /B /L /I /C:830004.exe | depth 3
-
C:\Windows\system32\timeout.exe | TIMEOUT /T 1 /NOBREAK | depth 3
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exe | TASKLIST | depth 3
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exe | FINDSTR /B /L /I /C:830004.exe | depth 3
-
C:\Windows\system32\timeout.exe | TIMEOUT /T 1 /NOBREAK | depth 3
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exe | TASKLIST | depth 3
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exe | FINDSTR /B /L /I /C:830004.exe | depth 3
-
C:\Windows\system32\timeout.exe | TIMEOUT /T 1 /NOBREAK | depth 3
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exe | TASKLIST | depth 3
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exe | FINDSTR /B /L /I /C:830004.exe | depth 3
-
C:\Windows\system32\timeout.exe | TIMEOUT /T 1 /NOBREAK | depth 3
- Delays execution with timeout.exe
-
C:\Windows\system32\findstr.exe | FINDSTR /B /L /I /C:830004.exe | depth 3
-
C:\Windows\system32\tasklist.exe | TASKLIST | depth 3
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\timeout.exe | TIMEOUT /T 1 /NOBREAK | depth 3
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exe | TASKLIST | depth 3
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exe | FINDSTR /B /L /I /C:830004.exe | depth 3
-
C:\Windows\system32\timeout.exe | TIMEOUT /T 1 /NOBREAK | depth 3
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exe | TASKLIST | depth 3
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exe | FINDSTR /B /L /I /C:830004.exe | depth 3
-
C:\Windows\system32\timeout.exe | TIMEOUT /T 1 /NOBREAK | depth 3
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exe | TASKLIST | depth 3
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exe | FINDSTR /B /L /I /C:830004.exe | depth 3
-
C:\Windows\system32\timeout.exe | TIMEOUT /T 1 /NOBREAK | depth 3
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exe | TASKLIST | depth 3
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exe | FINDSTR /B /L /I /C:830004.exe | depth 3
-
C:\Windows\system32\timeout.exe | TIMEOUT /T 1 /NOBREAK | depth 3
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exe | TASKLIST | depth 3
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exe | FINDSTR /B /L /I /C:830004.exe | depth 3
-
C:\Windows\system32\timeout.exe | TIMEOUT /T 1 /NOBREAK | depth 3
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exe | TASKLIST | depth 3
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exe | FINDSTR /B /L /I /C:830004.exe | depth 3
-
C:\Windows\system32\timeout.exe | TIMEOUT /T 1 /NOBREAK | depth 3
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exe | TASKLIST | depth 3
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exe | FINDSTR /B /L /I /C:830004.exe | depth 3
-
C:\Windows\system32\timeout.exe | TIMEOUT /T 1 /NOBREAK | depth 3
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exe | TASKLIST | depth 3
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exe | FINDSTR /B /L /I /C:830004.exe | depth 3
-
C:\Windows\system32\timeout.exe | TIMEOUT /T 1 /NOBREAK | depth 3
- Delays execution with timeout.exe
-
C:\Windows\system32\findstr.exe | FINDSTR /B /L /I /C:830004.exe | depth 3
-
C:\Windows\system32\tasklist.exe | TASKLIST | depth 3
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\timeout.exe | TIMEOUT /T 1 /NOBREAK | depth 3
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exe | TASKLIST | depth 3
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exe | FINDSTR /B /L /I /C:830004.exe | depth 3
-
C:\Windows\system32\timeout.exe | TIMEOUT /T 1 /NOBREAK | depth 3
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exe | TASKLIST | depth 3
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exe | FINDSTR /B /L /I /C:830004.exe | depth 3
-
C:\Windows\system32\timeout.exe | TIMEOUT /T 1 /NOBREAK | depth 3
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exe | TASKLIST | depth 3
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exe | FINDSTR /B /L /I /C:830004.exe | depth 3
-
C:\Windows\system32\timeout.exe | TIMEOUT /T 1 /NOBREAK | depth 3
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exe | TASKLIST | depth 3
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exe | FINDSTR /B /L /I /C:830004.exe | depth 3
-
C:\Windows\system32\timeout.exe | TIMEOUT /T 1 /NOBREAK | depth 3
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exe | TASKLIST | depth 3
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exe | FINDSTR /B /L /I /C:830004.exe | depth 3
-
C:\Windows\system32\timeout.exe | TIMEOUT /T 1 /NOBREAK | depth 3
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exe | TASKLIST | depth 3
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exe | FINDSTR /B /L /I /C:830004.exe | depth 3
-
C:\Windows\system32\timeout.exe | TIMEOUT /T 1 /NOBREAK | depth 3
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exe | TASKLIST | depth 3
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exe | FINDSTR /B /L /I /C:830004.exe | depth 3
-
C:\Windows\system32\timeout.exe | TIMEOUT /T 1 /NOBREAK | depth 3
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exe | TASKLIST | depth 3
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exe | FINDSTR /B /L /I /C:830004.exe | depth 3
-
C:\Windows\system32\timeout.exe | TIMEOUT /T 1 /NOBREAK | depth 3
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exe | TASKLIST | depth 3
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exe | FINDSTR /B /L /I /C:830004.exe | depth 3
-
C:\Windows\system32\timeout.exe | TIMEOUT /T 1 /NOBREAK | depth 3
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exe | TASKLIST | depth 3
- Enumerates processes with tasklist
-
C:\Windows\system32\findstr.exe | FINDSTR /B /L /I /C:830004.exe | depth 3
-
C:\Windows\system32\timeout.exe | TIMEOUT /T 1 /NOBREAK | depth 3
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exe | TASKLIST | depth 3
- Enumerates processes with tasklist
-
C:\Windows\system32\findstr.exe | FINDSTR /B /L /I /C:830004.exe | depth 3
-
C:\Windows\system32\timeout.exe | TIMEOUT /T 1 /NOBREAK | depth 3
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exe | TASKLIST | depth 3
- Enumerates processes with tasklist
-
C:\Windows\system32\findstr.exe | FINDSTR /B /L /I /C:830004.exe | depth 3
-
C:\Windows\system32\timeout.exe | TIMEOUT /T 1 /NOBREAK | depth 3
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exe | TASKLIST | depth 3
- Enumerates processes with tasklist
-
C:\Windows\system32\findstr.exe | FINDSTR /B /L /I /C:830004.exe | depth 3
-
C:\Windows\system32\timeout.exe | TIMEOUT /T 1 /NOBREAK | depth 3
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exe | TASKLIST | depth 3
- Enumerates processes with tasklist
-
C:\Windows\system32\findstr.exe | FINDSTR /B /L /I /C:830004.exe | depth 3
-
C:\Windows\system32\timeout.exe | TIMEOUT /T 1 /NOBREAK | depth 3
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exe | TASKLIST | depth 3
- Enumerates processes with tasklist
-
C:\Windows\system32\findstr.exe | FINDSTR /B /L /I /C:830004.exe | depth 3
-
C:\Windows\system32\timeout.exe | TIMEOUT /T 1 /NOBREAK | depth 3
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exe | TASKLIST | depth 3
- Enumerates processes with tasklist
-
C:\Windows\system32\findstr.exe | FINDSTR /B /L /I /C:830004.exe | depth 3
-
C:\Windows\system32\timeout.exe | TIMEOUT /T 1 /NOBREAK | depth 3
- Delays execution with timeout.exe
-
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c reg add hklm\Software\Microsoft\Windows\CurrentVersion\Run /v SecurityUpdate /t REG_EXPAND_SZ /d C:\Users\Admin\AppData\Local\Temp\830004.exe /f | depth 2
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exe | reg add hklm\Software\Microsoft\Windows\CurrentVersion\Run /v SecurityUpdate /t REG_EXPAND_SZ /d C:\Users\Admin\AppData\Local\Temp\830004.exe /f | depth 3
- Adds Run key to start application
- Modifies registry key
-
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net config server /autodisconnect:-1 | depth 2
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exe | net config server /autodisconnect:-1 | depth 3
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exe | C:\Windows\system32\net1 config server /autodisconnect:-1 | depth 4
-
C:\Windows\explorer.exe | explorer.exe .\readme_for_unlock.txt | depth 2
-
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /quiet | depth 2
-
C:\Windows\system32\vssadmin.exe | vssadmin delete shadows /All /quiet | depth 3
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exe | cmd /c C:\Users\Admin\AppData\Local\Temp\5n7Q5j3t3.bat | depth 2
-
C:\Windows\system32\taskkill.exe | TASKKILL /F /IM 830004.exe.exe | depth 3
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exe | TASKKILL /F /IM 830004.exe.exe | depth 3
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exe | TASKKILL /F /IM 830004.exe.exe | depth 3
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exe | TASKKILL /F /IM 830004.exe.exe | depth 3
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exe | TASKKILL /F /IM 830004.exe.exe | depth 3
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exe | TASKKILL /F /IM 830004.exe.exe | depth 3
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exe | TASKKILL /F /IM 830004.exe.exe | depth 3
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exe | TASKKILL /F /IM 830004.exe.exe | depth 3
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exe | TASKKILL /F /IM 830004.exe.exe | depth 3
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exe | TASKKILL /F /IM 830004.exe.exe | depth 3
- Kills process with taskkill
-
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\6a9I6o3y5.bat | depth 3
-
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | depth 1
-
C:\Windows\explorer.exe | C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | depth 1
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | depth 1
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\Microsoft\Settings\4g8D6x6k9.bat
Filesize 163B
MD5 3578e838f655c9bd9426651cc13f6a84
SHA1 10b312cca508e1958507cd3f8a6feae72f6a3a3d
SHA256 42f5a94a41364f4ab334ab6bf3638b1861d3a10b7684df6e5968567ca5027bde
SHA512 4ccd6320fe0eb7dccd3b322ffbb94b9f718123dec2781f9f9404e3c520628f8f9d544b88189dda079a8f431cebdecc7a3cd94e37d21eb9257fdc65408465a995
-
C:\Users\Admin\AppData\Local\Temp\5n7Q5j3t3.bat
Filesize 1.0MB
MD5 8be4f44d1ff4adadd6eb288744075886
SHA1 9f7e1ab5de532eb3ce683a7ec9e63ceda9577a36
SHA256 53fabf81e4db5654817bcdfbbe6cac96ec763ae1e9692e0f01f0e768f52478dc
SHA512 8ca0226335cad5dce101a88032a8203c7dd5b574a8acdb416c05b26ada4988a13d904fc956af89469cabe92b350948a327d8509eaf757a5fcb020d3c8cb8e6a5
-
C:\Users\Admin\AppData\Local\Temp\6a9I6o3y5.bat
Filesize 56B
MD5 c1c96250e2d9b4b03a0a805952467b3d
SHA1 c7d3e1d97525e29245735acddcf290835dfe0e89
SHA256 142deb583f865af0134063d85ad5a1742a29748617d5200c40f6473ec047252a
SHA512 225ac0d6a190c74c0a05abea5a34c9abcc299da7db69a333449d04dfc6b66c6e6952137b6ed992626e2cdee69016e35f7099506e633bd0b5124c58b7b8d46323
-
C:\Users\Admin\Documents\Are.docx.crypt
Filesize 11KB
MD5 c8e603fda2594edb44d562541cebeaf5
SHA1 8fce177f4fc54125d7d6e47330d50d0361820b54
SHA256 2748219fdbd283dcf9360030b9b129c262d1b9db0a2d99f7ef57bcd4dd309f32
SHA512 6f15b2fd8a3041365fa7f2b14fb9a49571b133f09097062762f6b4dc3d77dce33f951348fbd80f60d38650620c414e7313fbae65c29ea93c7f016eb779bb8998
-
C:\Users\Admin\Documents\AssertEnter.odt.crypt
Filesize 604KB
MD5 a453fe04a1ea92bc5da93b7cbd634310
SHA1 3cb473f91c54ba19de52851d1ffa0072c6e87ca1
SHA256 76f5735764445b15b09a48ae8e8f7e70bce3559c65d8ae5fc88acf62acac0288
SHA512 1bff73a1547b8860e93a72a5129e5c5e9c1303cd7de909e76da3f9802e284fd611b8fa96782ef2936661630b57ad4fa28d0f5383cbb10474b6576c03fe74c278
-
C:\Users\Admin\Documents\BackupGroup.vdw.crypt
Filesize 698KB
MD5 38fb1538a0a8340c82b1643baa9357c5
SHA1 fdf4172765a9b7a382862dc86d8caf0299cb7ab6
SHA256 45067a0c67dba5480bbeda5a3730194276cdccdcf1b83f3bedd2b659c5aaf579
SHA512 6aca60fc0f5597acbf59aa4edc62478cf40e6e5879ae7500826b20c5f4f9c65500aea8df90379593f90537a7a4207ccb263297a684e68e42d3bad9fcd3448da0
-
C:\Users\Admin\Documents\CheckpointMeasure.pot.crypt
Filesize 954KB
MD5 a239cd8b78daa94b70710a5f6444551d
SHA1 4485a15a3bce9bb36e3d815433697da086a1bec1
SHA256 d820a91e86e0ce62f25b534c04bea8fe9dc16f2ceaaf9b40dd25875121897f25
SHA512 75d3e23853a7a3d7f1da7dfe9b3af67431401a969de3687b8ecbaae956b983435a0189e5aca645e473f6042df0002225822775984276080ff1e409cd5210b6e4
-
C:\Users\Admin\Documents\CompleteInvoke.vst.crypt
Filesize 644KB
MD5 2e206f28caaafc621d4506b77487ccb1
SHA1 f91579f942570d2815618b10b295f15f132287e5
SHA256 18b54e373086d8a4018183ad8f30b278e759160b944cfb0d3b7fdcf64641d94b
SHA512 8a328fe286b6bbee46f396255ff55ea02125ccef59c9476c53e0fe3667d84c493b4351e6034c5ca0d293374f5597e30427ddb104a1f21f9fc792f72bf04b1660
-
C:\Users\Admin\Documents\CompleteSuspend.pptm.crypt
Filesize 403KB
MD5 6a772b6ed60888b6376730f9e8e647e5
SHA1 240ec734b20d800194bc17f302778997c244d8a6
SHA256 aaddcbfc90e283dfbd7e156acce77eefff9f8d52d2935f3c3139982cd419cbb0
SHA512 266eb823081b0554b76bef03cbdbebe0bc9b6f02dc07803d08a75b0c0bc869fe524c5ada327b0c2d9d8bad259eb3148dd84f94a1edd9170270d400d78955dc44
-
C:\Users\Admin\Documents\ConvertCheckpoint.ppt.crypt
Filesize 685KB
MD5 2a62ae04624f5ea50aa7615adecdbad0
SHA1 c2ccfac8e076fbe6fcddd0d54ecb0ab8a7eaa95b
SHA256 36ce22f7db1f6226f9964f6714e79e6578704493e99304c7b94ab55b6c5097b1
SHA512 9fb6b591a8c482acc911cf8c0629993c5de805a846821b9f3c975fdf6ef48d280d040f291eb0f627f381493c26d7acb406662024c691a8d5d7d2231de195b8f3
-
C:\Users\Admin\Documents\ConvertInstall.vsx.crypt
Filesize 309KB
MD5 2d41fb82d6772eb43b584668db1c21bd
SHA1 fb8cd769a9075f399fe7460b67e956e656f7ec65
SHA256 4dfa9090c216dc37ef075a16006e72d4741486031392125c6f8f66d9fb9b00d5
SHA512 2897c467ba242f75b726f473396d5f77ffb37865809a68f361246dc9fd8e0bf67c4a86e2fde8ce395b5bf90a7cefbafc751ed0cb2e2f6f54f8cc7f8fe20025d7
-
C:\Users\Admin\Documents\ConvertUse.vstm.crypt
Filesize 550KB
MD5 d6d15f8e000991e8b02dd8de6eef4a18
SHA1 8f173b724c56a0610ba66002babdbb4c99723c7b
SHA256 1312ab2ada863fe0cb4ce465124e0f2d7902a8e47b20883e2137d3c36f9baf6c
SHA512 d0701fa254d7390e6cb7efe611e6f5f818c8f3976782f85c130bff8f5d210aaf0e3c3bdabce272d3520e9bc34ab8f79cac048a21c7162de4347b2722b1d62557
-
C:\Users\Admin\Documents\DebugEdit.ods.crypt
Filesize 510KB
MD5 daf80d0fb3d68e5f80cec49c5acb3655
SHA1 9969ea0dad9e122a783c317d1c5837d0101a7735
SHA256 ae6af4b27adc53297824aeb6f33867b8600c3d2bee4f10f4e976a674344c1055
SHA512 b5c772688f0ff30864efe2a031ba61b629bb678c0c3b63ea05235bf24ce40ea6242d53af387da3fe299b890ce9ef80f05bae23c8f08d81e95e112eef7f998b1f
-
C:\Users\Admin\Documents\DisableSearch.vstm.crypt
Filesize 658KB
MD5 196fcce82c2ccfb3a1b5dd1d7fc6691c
SHA1 2f2d133a771a884d6ccf6ca24a6f467777825b1a
SHA256 812d4f424a9e112df028016d281cae022cdb9a8428b4c6f504f6521689628b4a
SHA512 ab622d2303f75b4f1caf30d2b604b5f1e4d0fa1150e5b7abbc97ab0c65a72af7fe3bb5443931cb76d34baec0061984dbf0af94b7d1679d9aac8f02b4112cfe92
-
C:\Users\Admin\Documents\EditReset.potm.crypt
Filesize 430KB
MD5 c79acb7024fa87f80a675d4a6dc651ee
SHA1 42728cfa3c76077d11067a82225183ed5fb28fe0
SHA256 6bf4a4ac1096831ad9de60e2ba5eafa929e4e7c671efadf83f0f0febdb42d3ea
SHA512 c8596684086cb8e3d6b44cc6211ae3c4d1bb36ce8a85aa1976f09445111e096e562166f73a9082d52b1cd656174c6915f34970852b7a677b67c48df6d91da629
-
C:\Users\Admin\Documents\EnableInvoke.xltx.crypt
Filesize 591KB
MD5 522ac0f596445019c1ca49fb2db8e89d
SHA1 46e8acd62ef5487798e403c273bfffa344c1d176
SHA256 6eb97568c28b36f0a587346b9e709e0f5015485e205e8e1dcdbbb0fa3d064d86
SHA512 11a76b307f027b2389124a188d8ced3fbf32792363cd1af317544e489e0d08e39041e9c7ffbdec457602bcf2048c42e9d75505fb2cac010fde4cd99855873e1b
-
C:\Users\Admin\Documents\ExportSet.pot.crypt
Filesize 389KB
MD5 720a6eb48245cbf72518f42cf27ad09a
SHA1 e3fb3e6e3a1b42ec56a595e62cdd16be086e5c84
SHA256 d768d7422324ec7305db1069c2691c64d72caa745f9642d030b8b7104598a467
SHA512 92c86c84697774d5ec0c951007a2640915ea320c8b971b9fc86147f8490a25dbad5b91e5eb1a8a1e869d4c68baabf484c87516e4be369571c61edacbe5bd9b2f
-
C:\Users\Admin\Documents\Files.docx.crypt
Filesize 11KB
MD5 2791e5353408c88ce5b929cca41bc6b9
SHA1 1886e91df1b2c65bea65a7e84148b2b172a9e36a
SHA256 356c8153c1c99570141b88990b29a1e84b9b9b7153940f96bb810b7ff233bae0
SHA512 7235cbc35b9e1bdc63d7aa8c3f1fb33c1c50b775605e0a6f3754d1bed8ae21f11f93255e25f60d986f9bdad620ecde0a774206b6285e23d7cb8abcc813b316f0
-
C:\Users\Admin\Documents\FindDebug.pptm.crypt
Filesize 671KB
MD5 4b7fad7bd97104250fc8f0ef2f56a879
SHA1 e46f9726d253064f0a442d476ee032386a1e57c1
SHA256 2147b846898a84242019d8beca738473833770f82ece1df7c9a836daa1b9a825
SHA512 4fc36453008d6a4046daa9c2280dc4e6ea5a93b88701263b00d720c16369420601cd385ec7685f2ba6e59fbc19bac1fb3f4a24c54c2c48021a5e0ce968bb3b6d
-
C:\Users\Admin\Documents\InvokeSelect.vstm.crypt
Filesize 631KB
MD5 0f778d5c0ce8c6c9fc5f65403fd30754
SHA1 01034c9b4427d46c4db1c47a9fd6e4c8f42f3e11
SHA256 6bc8b92411512ac23b0db2b081cdc73d5a3c67c87bff9e6dac5a9c72e27f80b3
SHA512 ea48f23e4f33611fba5b155fa0e4b5059b4c08c75ec8ad9b3606b6ec57401cba39bbca5803e804ddb1ec5021ab064073cb88b3ebd4531cb7e4f9d335fa79b077
-
C:\Users\Admin\Documents\MergeHide.vsd.crypt
Filesize 497KB
MD5 37902dccc80f1691c3c814c62e73e6ab
SHA1 63bc2289b2dd3affc576e405546aa90d54d899e7
SHA256 6fe7bedca7f9d63bacef6718b811e21cdca5ade89761ade9603d234c3249662b
SHA512 5488c3cbdc5b0f6d821122108db6f3d15fd66881295293286db0ee75fa2a0422790e21399c4fc0c5eaf1d651a1f94c0d8dde388dd7a57e260e6ba5d095f2771f
-
C:\Users\Admin\Documents\MoveWrite.xltx.crypt
Filesize 242KB
MD5 def90c8bff650d031c4bec2e95a817c6
SHA1 7f3f25a00ea12c49d9d002b8858013ccf9a539c8
SHA256 11ba2261e3b5fee0c535697f814cab8eed9161a762cb5a9953dfad24b4ace653
SHA512 0f5096d02c8d8e6222e664e76226f23e1d0fbb9598701ed097c9d2735662f031e18cfcf889d518e7077fd27a5218dc4569fdcdbf119676b9a444bdfdf459cd58
-
C:\Users\Admin\Documents\Opened.docx.crypt
Filesize 11KB
MD5 ef00530de236ee697255e04a737e023b
SHA1 f1d10dd4375dcf4a1a6043c8c72d8babd7e5bb1a
SHA256 888cab7fbd16f62c025afa9e54fe069520c505fc3b57d3872ff66c2c1ceb9069
SHA512 5e009e92f914e5a5800e5a29b0bfeb3bd7caa7749433d32c9bbe2dceae79ab05a1b7598491938f245aed95730b7414c64f33af089bbf783d217bcf2d8f8d6c3e
-
memory/108-74-0x0000000000000000-mapping.dmp
-
memory/364-88-0x0000000000000000-mapping.dmp
-
memory/688-80-0x0000000000000000-mapping.dmp
-
memory/744-73-0x0000000000000000-mapping.dmp
-
memory/800-97-0x0000000000000000-mapping.dmp
-
memory/892-111-0x0000000000000000-mapping.dmp
-
memory/892-62-0x0000000000000000-mapping.dmp
-
memory/900-115-0x0000000000000000-mapping.dmp
-
memory/900-89-0x0000000000000000-mapping.dmp
-
memory/960-60-0x0000000000000000-mapping.dmp
-
memory/1000-75-0x0000000000000000-mapping.dmp
-
memory/1112-105-0x0000000000000000-mapping.dmp
-
memory/1124-76-0x0000000000000000-mapping.dmp
-
memory/1172-108-0x0000000000000000-mapping.dmp
-
memory/1176-72-0x0000000000000000-mapping.dmp
-
memory/1232-70-0x0000000000000000-mapping.dmp
-
memory/1248-110-0x0000000000000000-mapping.dmp
-
memory/1248-84-0x0000000000000000-mapping.dmp
-
memory/1316-94-0x0000000000000000-mapping.dmp
-
memory/1320-90-0x0000000000000000-mapping.dmp
-
memory/1320-116-0x0000000000000000-mapping.dmp
-
memory/1320-63-0x0000000000000000-mapping.dmp
-
memory/1328-101-0x0000000000000000-mapping.dmp
-
memory/1348-66-0x0000000000000000-mapping.dmp
-
memory/1396-114-0x0000000000000000-mapping.dmp
-
memory/1396-58-0x0000000000000000-mapping.dmp
-
memory/1416-119-0x000007FEFB901000-0x000007FEFB903000-memory.dmp
Filesize 8KB
-
memory/1420-54-0x0000000000000000-mapping.dmp
-
memory/1432-61-0x0000000000000000-mapping.dmp
-
memory/1484-103-0x0000000000000000-mapping.dmp
-
memory/1488-112-0x0000000000000000-mapping.dmp
-
memory/1488-86-0x0000000000000000-mapping.dmp
-
memory/1504-82-0x0000000000000000-mapping.dmp
-
memory/1504-109-0x0000000000000000-mapping.dmp
-
memory/1540-99-0x0000000000000000-mapping.dmp
-
memory/1556-55-0x0000000000000000-mapping.dmp
-
memory/1568-65-0x0000000000000000-mapping.dmp
-
memory/1568-117-0x0000000000000000-mapping.dmp
-
memory/1572-107-0x0000000000000000-mapping.dmp
-
memory/1596-59-0x0000000000000000-mapping.dmp
-
memory/1600-121-0x0000000003690000-0x00000000036A0000-memory.dmp
Filesize 64KB
-
memory/1612-100-0x0000000000000000-mapping.dmp
-
memory/1628-106-0x0000000000000000-mapping.dmp
-
memory/1644-64-0x0000000000000000-mapping.dmp
-
memory/1652-113-0x0000000000000000-mapping.dmp
-
memory/1668-67-0x0000000000000000-mapping.dmp
-
memory/1704-85-0x0000000000000000-mapping.dmp
-
memory/1720-71-0x0000000000000000-mapping.dmp
-
memory/1732-81-0x0000000000000000-mapping.dmp
-
memory/1744-91-0x0000000000000000-mapping.dmp
-
memory/1748-68-0x0000000000000000-mapping.dmp
-
memory/1752-56-0x0000000000000000-mapping.dmp
-
memory/1752-87-0x0000000000000000-mapping.dmp
-
memory/1756-95-0x0000000000000000-mapping.dmp
-
memory/1836-83-0x0000000000000000-mapping.dmp
-
memory/1844-93-0x0000000000000000-mapping.dmp
-
memory/1924-96-0x0000000000000000-mapping.dmp
-
memory/1924-69-0x0000000000000000-mapping.dmp
-
memory/1932-92-0x0000000000000000-mapping.dmp
-
memory/1932-118-0x0000000000000000-mapping.dmp
-
memory/1988-77-0x0000000000000000-mapping.dmp
-
memory/2016-78-0x0000000000000000-mapping.dmp
-
memory/2028-98-0x0000000000000000-mapping.dmp
-
memory/2032-79-0x0000000000000000-mapping.dmp
-
memory/2036-104-0x0000000000000000-mapping.dmp
-
memory/2040-102-0x0000000000000000-mapping.dmp