Resubmissions
05-10-2022 11:39  221005-nsrtyaedfm  9
05-10-2022 08:12  221005-j3wtesdfg7  9
05-10-2022 06:56  221005-hqhwcsdeg8  9

Analysis
max time kernel: 604s
max time network: 493s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 05-10-2022 08:12
Static task: static1
Behavioral task: behavioral1
  Sample: 830004.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 830004.exe
  Resource: win10v2004-20220812-en
General
Target: 830004.exe
Size: 691KB
MD5: 58aea2aac89947773dfae8e3859e20b0
SHA1: be17c41c65703f9475e36dff55fd3de220e395f3
SHA256: 39b74b2fb057e8c78a2ba6639cf3d58ae91685e6ac13b57b70d2afb158cf742d
SHA512: f3d43c0759b05b949498cc63084b54b869c228a427f1590a1010007b4bdbebf760145a29e5f1a7c5585133ed76a3c1a5d7bf2ace46858ac9a48ff5c05eafa6eb
SSDEEP: 12288:i0iads6yn93ySQDWYgeWYg955/155/m6q5iKn3zMCO342FoqdXS:dicFyn93ySQJ5f34Jo2Fi
Malware Config
Signatures
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
Modifies extensions of user files 10 IoCs
Ransomware generally changes the extension on encrypted files.
Processes: 830004.exe
- File renamed: C:\Users\Admin\Pictures\SelectSearch.tif => C:\Users\Admin\Pictures\SelectSearch.tif.crypt
- File opened for modification: C:\Users\Admin\Pictures\SelectSearch.tif.crypt
- File renamed: C:\Users\Admin\Pictures\ExitTrace.png => C:\Users\Admin\Pictures\ExitTrace.png.crypt
- File opened for modification: C:\Users\Admin\Pictures\ExitTrace.png.crypt
- File renamed: C:\Users\Admin\Pictures\ExportSearch.tiff => C:\Users\Admin\Pictures\ExportSearch.tiff.crypt
- File renamed: C:\Users\Admin\Pictures\WaitExit.raw => C:\Users\Admin\Pictures\WaitExit.raw.crypt
- File opened for modification: C:\Users\Admin\Pictures\WaitExit.raw.crypt
- File opened for modification: C:\Users\Admin\Pictures\ExportSearch.tiff.crypt
- File renamed: C:\Users\Admin\Pictures\InstallUnregister.tiff => C:\Users\Admin\Pictures\InstallUnregister.tiff.crypt
- File opened for modification: C:\Users\Admin\Pictures\InstallUnregister.tiff.crypt
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
Processes: reg.exe
- Key created: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\830004.exe"
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 830004.exe
- File opened (read-only): \??\B:, \??\E:, \??\L:, \??\P:, \??\Q:, \??\X:, \??\G:, \??\H:, \??\J:, \??\M:, \??\N:, \??\R:, \??\S:, \??\U:, \??\W:, \??\K:, \??\T:, \??\A:, \??\F:, \??\I:, \??\O:, \??\V:, \??\Y:, \??\Z:
Drops file in Program Files directory 64 IoCs
Delays execution with timeout.exe 64 IoCs
Enumerates processes with tasklist 1 TTPs 64 IoCs
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe (PID 1476)
Kills process with taskkill 10 IoCs
Processes: taskkill.exe
- PIDs: 1624, 376, 1556, 624, 2008, 1724, 1804, 1404, 1280, 1148
Processes: explorer.exe
- Key created: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar
- Set value (int): \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Modifies registry class 18 IoCs
Modifies registry key 1 TTPs 1 IoCs
Runs net.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: explorer.exe (PID 1508)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of SetWindowsHookEx 10 IoCs
Processes: explorer.exe (PID 1508), listed 10 times
Suspicious use of WriteProcessMemory 64 IoCs
Processes

[1] C:\Users\Admin\AppData\Local\Temp\830004.exe  (cmd: "C:\Users\Admin\AppData\Local\Temp\830004.exe")
  - Modifies extensions of user files
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\cmd.exe  (cmd: C:\Windows\system32\cmd.exe /c reg add hklm\Software\Microsoft\Windows\CurrentVersion\Run /v SecurityUpdate /t REG_EXPAND_SZ /d C:\Users\Admin\AppData\Local\Temp\830004.exe /f)
    - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\reg.exe  (cmd: reg add hklm\Software\Microsoft\Windows\CurrentVersion\Run /v SecurityUpdate /t REG_EXPAND_SZ /d C:\Users\Admin\AppData\Local\Temp\830004.exe /f)
      - Adds Run key to start application
      - Modifies registry key
  [2] C:\Windows\system32\cmd.exe  (cmd: cmd /c C:\ProgramData\Microsoft\Settings\3i4I4e3o4.bat)
    - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\tasklist.exe  (cmd: TASKLIST)
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\findstr.exe  (cmd: FINDSTR /B /L /I /C:830004.exe)
    [3] C:\Windows\system32\timeout.exe  (cmd: TIMEOUT /T 1 /NOBREAK)
      - Delays execution with timeout.exe
    [3] C:\Windows\system32\tasklist.exe  (cmd: TASKLIST)
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\findstr.exe  (cmd: FINDSTR /B /L /I /C:830004.exe)
    [3] C:\Windows\system32\timeout.exe  (cmd: TIMEOUT /T 1 /NOBREAK)
      - Delays execution with timeout.exe
    [3] C:\Windows\system32\tasklist.exe  (cmd: TASKLIST)
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\findstr.exe  (cmd: FINDSTR /B /L /I /C:830004.exe)
    [3] C:\Windows\system32\timeout.exe  (cmd: TIMEOUT /T 1 /NOBREAK)
      - Delays execution with timeout.exe
    [3] C:\Windows\system32\tasklist.exe  (cmd: TASKLIST)
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\findstr.exe  (cmd: FINDSTR /B /L /I /C:830004.exe)
    [3] C:\Windows\system32\timeout.exe  (cmd: TIMEOUT /T 1 /NOBREAK)
      - Delays execution with timeout.exe
    [3] C:\Windows\system32\tasklist.exe  (cmd: TASKLIST)
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\findstr.exe  (cmd: FINDSTR /B /L /I /C:830004.exe)
    [3] C:\Windows\system32\timeout.exe  (cmd: TIMEOUT /T 1 /NOBREAK)
      - Delays execution with timeout.exe
    [3] C:\Windows\system32\tasklist.exe  (cmd: TASKLIST)
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\findstr.exe  (cmd: FINDSTR /B /L /I /C:830004.exe)
    [3] C:\Windows\system32\timeout.exe  (cmd: TIMEOUT /T 1 /NOBREAK)
      - Delays execution with timeout.exe
    [3] C:\Windows\system32\tasklist.exe  (cmd: TASKLIST)
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\findstr.exe  (cmd: FINDSTR /B /L /I /C:830004.exe)
    [3] C:\Windows\system32\timeout.exe  (cmd: TIMEOUT /T 1 /NOBREAK)
      - Delays execution with timeout.exe
    [3] C:\Windows\system32\tasklist.exe  (cmd: TASKLIST)
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\findstr.exe  (cmd: FINDSTR /B /L /I /C:830004.exe)
    [3] C:\Windows\system32\timeout.exe  (cmd: TIMEOUT /T 1 /NOBREAK)
      - Delays execution with timeout.exe
    [3] C:\Windows\system32\findstr.exe  (cmd: FINDSTR /B /L /I /C:830004.exe)
    [3] C:\Windows\system32\tasklist.exe  (cmd: TASKLIST)
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\timeout.exe  (cmd: TIMEOUT /T 1 /NOBREAK)
      - Delays execution with timeout.exe
    [3] C:\Windows\system32\tasklist.exe  (cmd: TASKLIST)
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\findstr.exe  (cmd: FINDSTR /B /L /I /C:830004.exe)
    [3] C:\Windows\system32\timeout.exe  (cmd: TIMEOUT /T 1 /NOBREAK)
      - Delays execution with timeout.exe
    [3] C:\Windows\system32\tasklist.exe  (cmd: TASKLIST)
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\findstr.exe  (cmd: FINDSTR /B /L /I /C:830004.exe)
    [3] C:\Windows\system32\timeout.exe  (cmd: TIMEOUT /T 1 /NOBREAK)
      - Delays execution with timeout.exe
    [3] C:\Windows\system32\tasklist.exe  (cmd: TASKLIST)
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\findstr.exe  (cmd: FINDSTR /B /L /I /C:830004.exe)
    [3] C:\Windows\system32\timeout.exe  (cmd: TIMEOUT /T 1 /NOBREAK)
      - Delays execution with timeout.exe
    [3] C:\Windows\system32\tasklist.exe  (cmd: TASKLIST)
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\findstr.exe  (cmd: FINDSTR /B /L /I /C:830004.exe)
    [3] C:\Windows\system32\timeout.exe  (cmd: TIMEOUT /T 1 /NOBREAK)
      - Delays execution with timeout.exe
    [3] C:\Windows\system32\tasklist.exe  (cmd: TASKLIST)
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\findstr.exe  (cmd: FINDSTR /B /L /I /C:830004.exe)
    [3] C:\Windows\system32\timeout.exe  (cmd: TIMEOUT /T 1 /NOBREAK)
      - Delays execution with timeout.exe
    [3] C:\Windows\system32\tasklist.exe  (cmd: TASKLIST)
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\findstr.exe  (cmd: FINDSTR /B /L /I /C:830004.exe)
    [3] C:\Windows\system32\timeout.exe  (cmd: TIMEOUT /T 1 /NOBREAK)
      - Delays execution with timeout.exe
    [3] C:\Windows\system32\tasklist.exe  (cmd: TASKLIST)
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\findstr.exe  (cmd: FINDSTR /B /L /I /C:830004.exe)
    [3] C:\Windows\system32\timeout.exe  (cmd: TIMEOUT /T 1 /NOBREAK)
      - Delays execution with timeout.exe
    [3] C:\Windows\system32\tasklist.exe  (cmd: TASKLIST)
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\findstr.exe  (cmd: FINDSTR /B /L /I /C:830004.exe)
    [3] C:\Windows\system32\timeout.exe  (cmd: TIMEOUT /T 1 /NOBREAK)
      - Delays execution with timeout.exe
    [3] C:\Windows\system32\tasklist.exe  (cmd: TASKLIST)
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\findstr.exe  (cmd: FINDSTR /B /L /I /C:830004.exe)
    [3] C:\Windows\system32\timeout.exe  (cmd: TIMEOUT /T 1 /NOBREAK)
      - Delays execution with timeout.exe
    [3] C:\Windows\system32\tasklist.exe  (cmd: TASKLIST)
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\findstr.exe  (cmd: FINDSTR /B /L /I /C:830004.exe)
    [3] C:\Windows\system32\timeout.exe  (cmd: TIMEOUT /T 1 /NOBREAK)
      - Delays execution with timeout.exe
    [3] C:\Windows\system32\tasklist.exe  (cmd: TASKLIST)
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\findstr.exe  (cmd: FINDSTR /B /L /I /C:830004.exe)
    [3] C:\Windows\system32\timeout.exe  (cmd: TIMEOUT /T 1 /NOBREAK)
      - Delays execution with timeout.exe
    [3] C:\Windows\system32\tasklist.exe  (cmd: TASKLIST)
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\findstr.exe  (cmd: FINDSTR /B /L /I /C:830004.exe)
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\findstr.exeFINDSTR /B /L /I /C:830004.exe3⤵
-
C:\Windows\system32\timeout.exeTIMEOUT /T 1 /NOBREAK3⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\tasklist.exeTASKLIST3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
- depth 3: C:\Windows\system32\findstr.exe (FINDSTR /B /L /I /C:830004.exe)
- depth 3: C:\Windows\system32\timeout.exe (TIMEOUT /T 1 /NOBREAK)
- depth 3: C:\Windows\system32\tasklist.exe (TASKLIST)
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
- depth 3: C:\Windows\system32\findstr.exe (FINDSTR /B /L /I /C:830004.exe)
- depth 3: C:\Windows\system32\timeout.exe (TIMEOUT /T 1 /NOBREAK)
  - Delays execution with timeout.exe
- depth 3: C:\Windows\system32\tasklist.exe (TASKLIST)
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
- depth 3: C:\Windows\system32\findstr.exe (FINDSTR /B /L /I /C:830004.exe)
- depth 3: C:\Windows\system32\timeout.exe (TIMEOUT /T 1 /NOBREAK)
  - Delays execution with timeout.exe
- depth 3: C:\Windows\system32\tasklist.exe (TASKLIST)
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
- depth 3: C:\Windows\system32\findstr.exe (FINDSTR /B /L /I /C:830004.exe)
- depth 3: C:\Windows\system32\timeout.exe (TIMEOUT /T 1 /NOBREAK)
  - Delays execution with timeout.exe
- depth 3: C:\Windows\system32\tasklist.exe (TASKLIST)
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
- depth 3: C:\Windows\system32\findstr.exe (FINDSTR /B /L /I /C:830004.exe)
- depth 3: C:\Windows\system32\timeout.exe (TIMEOUT /T 1 /NOBREAK)
  - Delays execution with timeout.exe
- depth 3: C:\Windows\system32\tasklist.exe (TASKLIST)
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
- depth 3: C:\Windows\system32\findstr.exe (FINDSTR /B /L /I /C:830004.exe)
- depth 3: C:\Windows\system32\timeout.exe (TIMEOUT /T 1 /NOBREAK)
  - Delays execution with timeout.exe
- depth 3: C:\Windows\system32\tasklist.exe (TASKLIST)
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
- depth 3: C:\Windows\system32\findstr.exe (FINDSTR /B /L /I /C:830004.exe)
- depth 3: C:\Windows\system32\timeout.exe (TIMEOUT /T 1 /NOBREAK)
  - Delays execution with timeout.exe
- depth 3: C:\Windows\system32\tasklist.exe (TASKLIST)
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
- depth 3: C:\Windows\system32\findstr.exe (FINDSTR /B /L /I /C:830004.exe)
- depth 3: C:\Windows\system32\timeout.exe (TIMEOUT /T 1 /NOBREAK)
  - Delays execution with timeout.exe
- depth 3: C:\Windows\system32\findstr.exe (FINDSTR /B /L /I /C:830004.exe)
- depth 3: C:\Windows\system32\tasklist.exe (TASKLIST)
  - Enumerates processes with tasklist
- depth 3: C:\Windows\system32\timeout.exe (TIMEOUT /T 1 /NOBREAK)
  - Delays execution with timeout.exe
- depth 3: C:\Windows\system32\tasklist.exe (TASKLIST)
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
- depth 3: C:\Windows\system32\findstr.exe (FINDSTR /B /L /I /C:830004.exe)
- depth 3: C:\Windows\system32\timeout.exe (TIMEOUT /T 1 /NOBREAK)
  - Delays execution with timeout.exe
- depth 3: C:\Windows\system32\tasklist.exe (TASKLIST)
  - Enumerates processes with tasklist
- depth 3: C:\Windows\system32\findstr.exe (FINDSTR /B /L /I /C:830004.exe)
- depth 3: C:\Windows\system32\timeout.exe (TIMEOUT /T 1 /NOBREAK)
  - Delays execution with timeout.exe
- depth 3: C:\Windows\system32\tasklist.exe (TASKLIST)
  - Enumerates processes with tasklist
- depth 3: C:\Windows\system32\findstr.exe (FINDSTR /B /L /I /C:830004.exe)
- depth 3: C:\Windows\system32\timeout.exe (TIMEOUT /T 1 /NOBREAK)
  - Delays execution with timeout.exe
- depth 3: C:\Windows\system32\findstr.exe (FINDSTR /B /L /I /C:830004.exe)
- depth 3: C:\Windows\system32\tasklist.exe (TASKLIST)
  - Enumerates processes with tasklist
- depth 3: C:\Windows\system32\timeout.exe (TIMEOUT /T 1 /NOBREAK)
  - Delays execution with timeout.exe
- depth 3: C:\Windows\system32\tasklist.exe (TASKLIST)
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
- depth 3: C:\Windows\system32\findstr.exe (FINDSTR /B /L /I /C:830004.exe)
- depth 3: C:\Windows\system32\timeout.exe (TIMEOUT /T 1 /NOBREAK)
  - Delays execution with timeout.exe
- depth 3: C:\Windows\system32\tasklist.exe (TASKLIST)
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
- depth 3: C:\Windows\system32\findstr.exe (FINDSTR /B /L /I /C:830004.exe)
- depth 3: C:\Windows\system32\timeout.exe (TIMEOUT /T 1 /NOBREAK)
  - Delays execution with timeout.exe
- depth 3: C:\Windows\system32\tasklist.exe (TASKLIST)
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
- depth 3: C:\Windows\system32\findstr.exe (FINDSTR /B /L /I /C:830004.exe)
- depth 3: C:\Windows\system32\timeout.exe (TIMEOUT /T 1 /NOBREAK)
  - Delays execution with timeout.exe
- depth 3: C:\Windows\system32\tasklist.exe (TASKLIST)
  - Enumerates processes with tasklist
- depth 3: C:\Windows\system32\findstr.exe (FINDSTR /B /L /I /C:830004.exe)
- depth 3: C:\Windows\system32\timeout.exe (TIMEOUT /T 1 /NOBREAK)
  - Delays execution with timeout.exe
- depth 3: C:\Windows\system32\tasklist.exe (TASKLIST)
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
- depth 3: C:\Windows\system32\findstr.exe (FINDSTR /B /L /I /C:830004.exe)
- depth 3: C:\Windows\system32\timeout.exe (TIMEOUT /T 1 /NOBREAK)
  - Delays execution with timeout.exe
- depth 3: C:\Windows\system32\tasklist.exe (TASKLIST)
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
- depth 3: C:\Windows\system32\findstr.exe (FINDSTR /B /L /I /C:830004.exe)
- depth 3: C:\Windows\system32\timeout.exe (TIMEOUT /T 1 /NOBREAK)
  - Delays execution with timeout.exe
- depth 3: C:\Windows\system32\tasklist.exe (TASKLIST)
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
- depth 3: C:\Windows\system32\findstr.exe (FINDSTR /B /L /I /C:830004.exe)
- depth 3: C:\Windows\system32\timeout.exe (TIMEOUT /T 1 /NOBREAK)
  - Delays execution with timeout.exe
- depth 3: C:\Windows\system32\tasklist.exe (TASKLIST)
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
- depth 3: C:\Windows\system32\findstr.exe (FINDSTR /B /L /I /C:830004.exe)
- depth 3: C:\Windows\system32\timeout.exe (TIMEOUT /T 1 /NOBREAK)
  - Delays execution with timeout.exe
- depth 3: C:\Windows\system32\tasklist.exe (TASKLIST)
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
- depth 3: C:\Windows\system32\findstr.exe (FINDSTR /B /L /I /C:830004.exe)
- depth 3: C:\Windows\system32\timeout.exe (TIMEOUT /T 1 /NOBREAK)
  - Delays execution with timeout.exe
  - Suspicious use of AdjustPrivilegeToken
- depth 3: C:\Windows\system32\tasklist.exe (TASKLIST)
  - Enumerates processes with tasklist
- depth 3: C:\Windows\system32\findstr.exe (FINDSTR /B /L /I /C:830004.exe)
- depth 3: C:\Windows\system32\timeout.exe (TIMEOUT /T 1 /NOBREAK)
  - Delays execution with timeout.exe
  - Suspicious use of AdjustPrivilegeToken
- depth 3: C:\Windows\system32\tasklist.exe (TASKLIST)
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
- depth 3: C:\Windows\system32\findstr.exe (FINDSTR /B /L /I /C:830004.exe)
- depth 3: C:\Windows\system32\timeout.exe (TIMEOUT /T 1 /NOBREAK)
  - Delays execution with timeout.exe
  - Suspicious use of AdjustPrivilegeToken
- depth 3: C:\Windows\system32\tasklist.exe (TASKLIST)
  - Enumerates processes with tasklist
- depth 3: C:\Windows\system32\findstr.exe (FINDSTR /B /L /I /C:830004.exe)
- depth 3: C:\Windows\system32\timeout.exe (TIMEOUT /T 1 /NOBREAK)
  - Delays execution with timeout.exe
- depth 3: C:\Windows\system32\tasklist.exe (TASKLIST)
  - Enumerates processes with tasklist
- depth 3: C:\Windows\system32\findstr.exe (FINDSTR /B /L /I /C:830004.exe)
- depth 3: C:\Windows\system32\timeout.exe (TIMEOUT /T 1 /NOBREAK)
  - Delays execution with timeout.exe
- depth 3: C:\Windows\system32\findstr.exe (FINDSTR /B /L /I /C:830004.exe)
- depth 3: C:\Windows\system32\tasklist.exe (TASKLIST)
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
- depth 3: C:\Windows\system32\timeout.exe (TIMEOUT /T 1 /NOBREAK)
  - Delays execution with timeout.exe
- depth 3: C:\Windows\system32\tasklist.exe (TASKLIST)
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
- depth 3: C:\Windows\system32\findstr.exe (FINDSTR /B /L /I /C:830004.exe)
- depth 3: C:\Windows\system32\timeout.exe (TIMEOUT /T 1 /NOBREAK)
  - Delays execution with timeout.exe
- depth 3: C:\Windows\system32\tasklist.exe (TASKLIST)
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
- depth 3: C:\Windows\system32\findstr.exe (FINDSTR /B /L /I /C:830004.exe)
  - Suspicious use of AdjustPrivilegeToken
- depth 3: C:\Windows\system32\timeout.exe (TIMEOUT /T 1 /NOBREAK)
  - Delays execution with timeout.exe
- depth 3: C:\Windows\system32\tasklist.exe (TASKLIST)
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
- depth 3: C:\Windows\system32\findstr.exe (FINDSTR /B /L /I /C:830004.exe)
- depth 3: C:\Windows\system32\timeout.exe (TIMEOUT /T 1 /NOBREAK)
  - Delays execution with timeout.exe
- depth 3: C:\Windows\system32\tasklist.exe (TASKLIST)
  - Enumerates processes with tasklist
- depth 3: C:\Windows\system32\findstr.exe (FINDSTR /B /L /I /C:830004.exe)
- depth 3: C:\Windows\system32\timeout.exe (TIMEOUT /T 1 /NOBREAK)
  - Delays execution with timeout.exe
- depth 3: C:\Windows\system32\tasklist.exe (TASKLIST)
  - Enumerates processes with tasklist
- depth 3: C:\Windows\system32\findstr.exe (FINDSTR /B /L /I /C:830004.exe)
- depth 3: C:\Windows\system32\timeout.exe (TIMEOUT /T 1 /NOBREAK)
  - Delays execution with timeout.exe
- depth 3: C:\Windows\system32\tasklist.exe (TASKLIST)
  - Enumerates processes with tasklist
- depth 3: C:\Windows\system32\findstr.exe (FINDSTR /B /L /I /C:830004.exe)
- depth 3: C:\Windows\system32\timeout.exe (TIMEOUT /T 1 /NOBREAK)
  - Delays execution with timeout.exe
- depth 3: C:\Windows\system32\tasklist.exe (TASKLIST)
  - Enumerates processes with tasklist
- depth 3: C:\Windows\system32\findstr.exe (FINDSTR /B /L /I /C:830004.exe)
- depth 3: C:\Windows\system32\timeout.exe (TIMEOUT /T 1 /NOBREAK)
  - Delays execution with timeout.exe
- depth 3: C:\Windows\system32\tasklist.exe (TASKLIST)
  - Enumerates processes with tasklist
- depth 3: C:\Windows\system32\findstr.exe (FINDSTR /B /L /I /C:830004.exe)
- depth 3: C:\Windows\system32\timeout.exe (TIMEOUT /T 1 /NOBREAK)
  - Delays execution with timeout.exe
- depth 3: C:\Windows\system32\tasklist.exe (TASKLIST)
  - Enumerates processes with tasklist
- depth 3: C:\Windows\system32\findstr.exe (FINDSTR /B /L /I /C:830004.exe)
- depth 3: C:\Windows\system32\timeout.exe (TIMEOUT /T 1 /NOBREAK)
  - Delays execution with timeout.exe
- depth 3: C:\Windows\system32\tasklist.exe (TASKLIST)
  - Enumerates processes with tasklist
- depth 3: C:\Windows\system32\findstr.exe (FINDSTR /B /L /I /C:830004.exe)
- depth 3: C:\Windows\system32\timeout.exe (TIMEOUT /T 1 /NOBREAK)
  - Delays execution with timeout.exe
- depth 3: C:\Windows\system32\tasklist.exe (TASKLIST)
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
- depth 3: C:\Windows\system32\findstr.exe (FINDSTR /B /L /I /C:830004.exe)
- depth 3: C:\Windows\system32\timeout.exe (TIMEOUT /T 1 /NOBREAK)
  - Delays execution with timeout.exe
- depth 3: C:\Windows\system32\tasklist.exe (TASKLIST)
  - Enumerates processes with tasklist
- depth 3: C:\Windows\system32\findstr.exe (FINDSTR /B /L /I /C:830004.exe)
- depth 3: C:\Windows\system32\timeout.exe (TIMEOUT /T 1 /NOBREAK)
  - Delays execution with timeout.exe
- depth 3: C:\Windows\system32\tasklist.exe (TASKLIST)
  - Enumerates processes with tasklist
- depth 3: C:\Windows\system32\findstr.exe (FINDSTR /B /L /I /C:830004.exe)
- depth 3: C:\Windows\system32\timeout.exe (TIMEOUT /T 1 /NOBREAK)
  - Delays execution with timeout.exe
- depth 3: C:\Windows\system32\tasklist.exe (TASKLIST)
- depth 3: C:\Windows\system32\findstr.exe (FINDSTR /B /L /I /C:830004.exe)
- depth 3: C:\Windows\system32\timeout.exe (TIMEOUT /T 1 /NOBREAK)
  - Delays execution with timeout.exe
- depth 2: C:\Windows\system32\cmd.exe (C:\Windows\system32\cmd.exe /c net config server /autodisconnect:-1)
  - Suspicious use of WriteProcessMemory
- depth 3: C:\Windows\system32\net.exe (net config server /autodisconnect:-1)
  - Suspicious use of WriteProcessMemory
- depth 4: C:\Windows\system32\net1.exe (C:\Windows\system32\net1 config server /autodisconnect:-1)
- depth 2: C:\Windows\explorer.exe (explorer.exe .\readme_for_unlock.txt)
  - Suspicious use of AdjustPrivilegeToken
- depth 2: C:\Windows\system32\cmd.exe (C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /quiet)
- depth 3: C:\Windows\system32\vssadmin.exe (vssadmin delete shadows /All /quiet)
  - Interacts with shadow copies
  - Suspicious use of AdjustPrivilegeToken
- depth 2: C:\Windows\system32\cmd.exe (cmd /c C:\Users\Admin\AppData\Local\Temp\2y8B5o9q5.bat)
- depth 3: C:\Windows\system32\taskkill.exe (TASKKILL /F /IM 830004.exe.exe)
  - Kills process with taskkill
- depth 3: C:\Windows\system32\taskkill.exe (TASKKILL /F /IM 830004.exe.exe)
  - Kills process with taskkill
- depth 3: C:\Windows\system32\taskkill.exe (TASKKILL /F /IM 830004.exe.exe)
  - Kills process with taskkill
- depth 3: C:\Windows\system32\taskkill.exe (TASKKILL /F /IM 830004.exe.exe)
  - Kills process with taskkill
- depth 3: C:\Windows\system32\taskkill.exe (TASKKILL /F /IM 830004.exe.exe)
  - Kills process with taskkill
- depth 3: C:\Windows\system32\taskkill.exe (TASKKILL /F /IM 830004.exe.exe)
  - Kills process with taskkill
- depth 3: C:\Windows\system32\taskkill.exe (TASKKILL /F /IM 830004.exe.exe)
  - Kills process with taskkill
- depth 3: C:\Windows\system32\taskkill.exe (TASKKILL /F /IM 830004.exe.exe)
  - Kills process with taskkill
- depth 3: C:\Windows\system32\taskkill.exe (TASKKILL /F /IM 830004.exe.exe)
  - Kills process with taskkill
- depth 3: C:\Windows\system32\taskkill.exe (TASKKILL /F /IM 830004.exe.exe)
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
- depth 3: C:\Windows\system32\cmd.exe (C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\3m7T9l8d7.bat)
- depth 1: C:\Windows\explorer.exe (C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding)
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
- depth 1: C:\Windows\system32\vssvc.exe (C:\Windows\system32\vssvc.exe)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\Microsoft\Settings\3i4I4e3o4.bat
  Filesize 163B
  MD5 3578e838f655c9bd9426651cc13f6a84
  SHA1 10b312cca508e1958507cd3f8a6feae72f6a3a3d
  SHA256 42f5a94a41364f4ab334ab6bf3638b1861d3a10b7684df6e5968567ca5027bde
  SHA512 4ccd6320fe0eb7dccd3b322ffbb94b9f718123dec2781f9f9404e3c520628f8f9d544b88189dda079a8f431cebdecc7a3cd94e37d21eb9257fdc65408465a995
- C:\Users\Admin\AppData\Local\Temp\2y8B5o9q5.bat
  Filesize 1.0MB
  MD5 5e3324fb8772756821daec99828223a9
  SHA1 a9133f8aa6a78af210983103274a8498d9148730
  SHA256 d84c112348725078feb9723f9b50384ba0da88971c509096b51c42593779a58e
  SHA512 de6bc0ec59882aba76df200bcfbc74f4e6acc9b8872dc2bc832b39e4533e7857d8f7f8676fc1f00b50808b162bfe0b88e72a855d0a99186e33a7dd08dfcaab66
- C:\Users\Admin\AppData\Local\Temp\3m7T9l8d7.bat
  Filesize 56B
  MD5 b8558713fae63af5fd7f187fd54b055f
  SHA1 0b41f4e197ce57aff24d64479233dd1533e864f7
  SHA256 16862092262c2201b8d1516ec73b0cc6670c2d453b08613316a63da7307bc4a3
  SHA512 c44c3cb79bb9b1e3df9516ed2cea6dedd7744a74a8fcf1cf2b6b7d175b1d5c8a1551810a072b04f91e6d69271191210d544fc91d17421abb1dfe9207b140bc27
- C:\Users\Admin\Documents\Are.docx.crypt
  Filesize 11KB
  MD5 184e216a73b88496a6762b2b385cc72c
  SHA1 44384075c15dd23998bb5fe9676eb97c6f1076e3
  SHA256 08bfd1442e10dac6cf82ea5435755691360442839068adb89665842202354718
  SHA512 38ed40de8fb59b34533a22de84b688a895396b59a60780542a9c9a848f6271da9cb0520815d96e4b62adeddd43b5c39b2805aac1ab7339008d39c66d806cae40
- C:\Users\Admin\Documents\CompressProtect.potm.crypt
  Filesize 652KB
  MD5 fda6348cdcb37d38d8eb6361f0d0d14c
  SHA1 bd625658e104fe77c9f8609cdc397558927e435a
  SHA256 a2e81dbaf7846001c9167149f5b515e5c4cb82fc32f7195a40b5ce595be5215f
  SHA512 35b1f76bca7edf0566a128cc3eb7d232dc4632d75c3f4cc5ab5b1b984ae1b92fc97d0da9f005627093cf7f13a2e8c691d8db8e1bc67caa1fb27db177152cf0d6
- C:\Users\Admin\Documents\ConfirmLimit.dot.crypt
  Filesize 491KB
  MD5 eb4fc82ca67971ae37c1ab3c260f0392
  SHA1 7947da510b3bce6e87e0e9b023340deeeb106925
  SHA256 4785c26b2b61621a5f1df091916c55a1cb5a9d724b3d9b97f02366d1f8059c39
  SHA512 3bb91e5e380bfde543ca60c7553870f03995a6f1901c550276356e239c3ad71869393d7ff8ea119386dc47bad681c793a3c75bacd2e791e117f4edac4d700f10
- C:\Users\Admin\Documents\CopyAssert.dot.crypt
  Filesize 509KB
  MD5 0e3f55a7e4355233f5d4309e10e0d502
  SHA1 485bb4da4dbd7fe4ce4a99bc51efed14ac76e548
  SHA256 dd387a0aac488afc338452280959a87c7d84e22a854c4f3ff1946e9b3d79eb50
  SHA512 956cf0948fbc909dbbef52c799ef6432aa19bd4209add4ef874f4f294ae57849e63f3d5fbe5942df00c34695a01a2da335ec9d6aa8b092785c82a863a58200be
- C:\Users\Admin\Documents\CopyEnter.dotm.crypt
  Filesize 295KB
  MD5 43fd6d863a4bca2a7e42b372410929a6
  SHA1 44a7a4e09de4395be0aa28cef789c2d771c6e7e2
  SHA256 dc26b91dc4bad6ee00aff9852c50f92a8fd20ca9d7aa83131fefa35acc653cba
  SHA512 27bf73b3c7a44e05849156779af247f1287ca0c97b7ae69231e6de1541c059dc92f421869cefd020cfa9db85943a1ced97b3796e1a6a1946702780715d2b9af6
- C:\Users\Admin\Documents\CopyMount.htm.crypt
  Filesize 473KB
  MD5 79103b1684150745fc8c0ea3de44feaa
  SHA1 3d9bde9c8454f3fd5886ae48906a692754b282c9
  SHA256 7c78bcc6f72f4a6e0cb48f1c42032d4e94b89234114e71ec18903c54a914441f
  SHA512 3aa54783cc5fe667359be25e83c0e99736bf989a73107fa14a9a559b6fe20204ed78476a6ef47fb3ae72bf3e5ebea3a384598cf878f9de08f65d9d238f34cd82
- C:\Users\Admin\Documents\DebugStart.xla.crypt
  Filesize 777KB
  MD5 746b0021a65c7f29af373cf4b84bfdca
  SHA1 ec135192bbd8464a073494e5eaaa04c3b1ad5811
  SHA256 85f41324ea39137dbd6affbd6e849be53a2eda681fdaac47041c4694a150fc8a
  SHA512 d00cfd2439d65e0b5f086df52553fedff60dae5ee789d52e1bf9e5813cc7d3c385bf45472a39fec89d72e0a960658b78f59cf55008067c3e267f0860e8995182
- C:\Users\Admin\Documents\DenyOpen.potx.crypt
  Filesize 527KB
  MD5 0f6fd756df30a2cd0d062b1e630ffed8
  SHA1 f91e4832197684270a63c9a07c8f6ea27e0aa307
  SHA256 55704e167ec4052ea3f3a1f594acda2c6d206fbdeae0976fd3491b19ad80306b
  SHA512 e40a6e0309f23ec312e5b1a25729cbd2f7801329a1f39c0c348a10ca7151fe5e7274d5fc46d63accf165b7fc8ed6cd8acd365cc993c0b2765ea4f940e42a289e
- C:\Users\Admin\Documents\DisableSet.rtf.crypt
  Filesize 420KB
  MD5 bd279eca3306b84f6786df13df5164e8
  SHA1 edaae52fe71ee282f40ec38e7337f82c126eeb3a
  SHA256 80b8dc8587048e17efbbb07fbad7b5654886491be2d31ac903637c2bb526cb6f
  SHA512 2887cb17a72df3b6b1e9262ad6636c7e95ff5479b7d34b0b6f66277411c15db5c95f995e29c80effa68157adc8c9b61b8452d15d7f29c8401d12a205ec470ce4
- C:\Users\Admin\Documents\DismountLimit.dotm.crypt
  Filesize 759KB
  MD5 12e292c40f7ec8b2edede06540cfed1c
  SHA1 87b42b32aef06a297bddcc3d29ab6bec8e973060
  SHA256 3df5a1232f5a2c72ded4492ba6da1985481b9f23e11c41696cbf7a35cda1999b
  SHA512 cc5df21c5490743660112100a0d7fdc3692e9bdebf6d967ee058c8b3197e0cb93ba129b195d00639f7611135f4523e19592159da8405e9964d2097b4f6dadca8
- C:\Users\Admin\Documents\EnterMeasure.potm.crypt
  Filesize 616KB
  MD5 8890297b580e1c7557dd5f5538642d17
  SHA1 4cbcefd837c2686f0d439ead14828dfe23bd1355
  SHA256 b7080d79e6d0b618f477965c58630a1e2d77f37ef50ddb39407fd3ed39d116b0
  SHA512 f685d280f0e81618734e60a2b1d5a773cfbaa9ebd30b2143d778d537342ae9c6c44657645a35d5714a80968275bec8089cba065db64f00358f8756fa9a5080e2
- C:\Users\Admin\Documents\Files.docx.crypt
  Filesize 11KB
  MD5 2eb2cd2d5f900d020014b6be59949381
  SHA1 c06e150084cecdac30aa533a6c6ecc45ee91e9d5
  SHA256 08c004be2e3f71c687d0314e717ecfc0f4f90faef71cab4fa6f9a35bd197c0c0
  SHA512 6368ee5547da5730e24e7b31ba3171eefc459c3b4f239ea516ad5fd951f3c74ce8bcb3fdc09b260621e84ded405761ad299af00cdfc1fab70fc62a4a2f101c1a
- C:\Users\Admin\Documents\FindDisable.xltm.crypt
  Filesize 723KB
  MD5 9c99e527956e0a1c894959fad06a36a7
  SHA1 4ad0e8250539711083490e7192fe2cd3b1388844
  SHA256 77852d63846cffa43db1a810b6fc41f91a8c378110f95106077904ccda9e7cb0
  SHA512 d9c35e1438d8cba7a69db280de37b5b6ac2b47a3215b48c139447765e7196d1dd6212c5dd9b98551b0410d0701c3ae0009b7ad26111a40b648f0d2dfb0b4945d
- C:\Users\Admin\Documents\FormatAdd.xml.crypt
  Filesize 312KB
  MD5 4393dc134d39f52606fd2fe5082ee9a7
  SHA1 59b86d69a941b2ee7c0133b943cdbb2582b1430e
  SHA256 f4ea14a74322d95933b3ddb5031b039010df31747da6a32845a6bf5605e19ff7
  SHA512 554237a8061c3b77dbf335f70de3ef5287aa6ea5d63ad511e7065df974678fb6afe8982ebf8a1dafe7394137b6d814bab761d7b6378b2e95d5f6c34fa460064a
- C:\Users\Admin\Documents\GroupEnable.txt.crypt
  Filesize 563KB
  MD5 ca670ea869147c73047ec97f3e2a2b06
  SHA1 b684fcd3ea0e54d1f79d67b0d97649b246f1d0eb
  SHA256 9777473843c2a9f22adef37fa8259dca34f0c20db9c0947697ed1cf213be7cca
  SHA512 5acb6ef00a2184466acaf3a1f7435f295577c97ab1963770543ebc49c19f583813840fa1443979374d12edd5c211269c9212dd7e7ef8541134c6fb6c0fa56328
- C:\Users\Admin\Documents\ImportComplete.vsx.crypt
  Filesize 831KB
  MD5 d5c117a24767c40f9b24578fffea2e69
  SHA1 afaaf6582afe90f8569f09259a684a67e2ad2ab2
  SHA256 e0be02c4bfa1a01370d54681c5d813bf1a39049b8cc30d82fbd91077e4493ae6
  SHA512 5d5a573a84f06f13dbe8f45da211d4c1b0c1fc6bc1f898e190f241eb1eea8a8e7af9b7e7fcef54461698b2d7826a577982b8bc478d1631466b5b4fa215d66c83
- C:\Users\Admin\Documents\InitializeSync.vsd.crypt
  Filesize 402KB
  MD5 4423fa4b6cce11670171f0c39576e45c
  SHA1 140d986fb27833cf53bf3f0aafb9ba705e8331c9
  SHA256 a643866123a20b39730eccd18114f84896a790ca9cd423c11ab027aae2758cc2
  SHA512 be43257a6b08dcd3f3cabcdae09c770a6fac1504d0414998acbf1b738487afa6a884c241d44649981de9b8d49d678d2c08e382fa1fe044ee5291c3ec260eee4c
- C:\Users\Admin\Documents\Opened.docx.crypt
  Filesize 11KB
  MD5 ab02b7c2c1108fd5d3615fe2bf73d579
  SHA1 83c59f608bc6f1ba1fee73c082735f1f2707ba27
  SHA256 6621fd1137f756528363e42cf8109ac0abc4fdc459460e9b3b55cb7066a85726
  SHA512 7f9ac14fc0614eaf454307b3fff330585b5c3c6089b7c4403454ffb29aa526e94cf1140d1235698c28beab989e49f2e19386d377bec25338bbb2adf1baa9a308
- C:\Users\Admin\Documents\PingClear.vdx.crypt
  Filesize 437KB
  MD5 e81a7eb75a77962d993b3f50b73b507c
  SHA1 74609d56bfbbf75edc51f68fe26db4712d191cc2
  SHA256 acb3e06a7cc435625c29671fd276aa796b08dd1acd1a68cf51d4c922107963ef
  SHA512 2d6e0b1fdfabf134ebd9f3cda7bb4e5ee6c27ab75bc44c338f529173ac5c6fd2e1d8b2ac0b5253b9cf075b37e9627a16ffdf7185f07dd44adbfc6f04aad9b500
- C:\Users\Admin\Documents\PopRequest.pps.crypt
  Filesize 384KB
  MD5 60cafd6df24d831cdff27e35c0981487
  SHA1 29165d89572a21d3fabbeb59d896532393a2b6c1
  SHA256 1c8592410bd88c2e79482c967ae3f62ae5f89104a1367519f43c17a43ca3ecd9
  SHA512 4cefa3aa51f54219e123ffca171e928c0683e8d33ccab4ddbe0da1dc2eedbc752563f338f93042bcc4a4fb8cd2ab73453d2a4dec6946d3068ac93a93572ec376
- memory/108-89-0x0000000000000000-mapping.dmp
- memory/108-118-0x0000000000000000-mapping.dmp
- memory/240-95-0x0000000000000000-mapping.dmp
- memory/376-116-0x0000000000000000-mapping.dmp
- memory/376-57-0x0000000000000000-mapping.dmp
- memory/524-117-0x0000000000000000-mapping.dmp
- memory/544-75-0x0000000000000000-mapping.dmp
- memory/588-111-0x0000000000000000-mapping.dmp
- memory/668-114-0x0000000000000000-mapping.dmp
- memory/688-78-0x0000000000000000-mapping.dmp
- memory/692-76-0x0000000000000000-mapping.dmp
- memory/692-106-0x0000000000000000-mapping.dmp
- memory/808-60-0x0000000000000000-mapping.dmp
- memory/824-82-0x0000000000000000-mapping.dmp
- memory/836-102-0x0000000000000000-mapping.dmp
- memory/864-90-0x0000000000000000-mapping.dmp
- memory/864-61-0x0000000000000000-mapping.dmp
- memory/896-97-0x0000000000000000-mapping.dmp
- memory/952-86-0x0000000000000000-mapping.dmp
- memory/960-72-0x0000000000000000-mapping.dmp
- memory/976-77-0x0000000000000000-mapping.dmp
- memory/992-115-0x0000000000000000-mapping.dmp
- memory/992-85-0x0000000000000000-mapping.dmp
- memory/1000-74-0x0000000000000000-mapping.dmp
- memory/1020-104-0x0000000000000000-mapping.dmp
- memory/1168-62-0x0000000000000000-mapping.dmp
- memory/1196-71-0x0000000000000000-mapping.dmp
- memory/1252-119-0x000007FEFB5E1000-0x000007FEFB5E3000-memory.dmp
  Filesize 8KB
- memory/1252-103-0x0000000000000000-mapping.dmp
- memory/1252-73-0x0000000000000000-mapping.dmp
- memory/1320-112-0x0000000000000000-mapping.dmp
- memory/1328-55-0x0000000000000000-mapping.dmp
- memory/1372-87-0x0000000000000000-mapping.dmp
- memory/1376-59-0x0000000000000000-mapping.dmp
- memory/1376-84-0x0000000000000000-mapping.dmp
- memory/1476-67-0x0000000000000000-mapping.dmp
- memory/1504-101-0x0000000000000000-mapping.dmp
- memory/1508-105-0x0000000000000000-mapping.dmp
- memory/1508-121-0x0000000003690000-0x00000000036A0000-memory.dmp
  Filesize 64KB
- memory/1528-81-0x0000000000000000-mapping.dmp
- memory/1576-91-0x0000000000000000-mapping.dmp
- memory/1584-66-0x0000000000000000-mapping.dmp
- memory/1592-109-0x0000000000000000-mapping.dmp
- memory/1592-79-0x0000000000000000-mapping.dmp
- memory/1600-92-0x0000000000000000-mapping.dmp
- memory/1656-107-0x0000000000000000-mapping.dmp
- memory/1684-54-0x0000000000000000-mapping.dmp
- memory/1720-98-0x0000000000000000-mapping.dmp
- memory/1752-68-0x0000000000000000-mapping.dmp
- memory/1768-110-0x0000000000000000-mapping.dmp
- memory/1772-100-0x0000000000000000-mapping.dmp
- memory/1772-70-0x0000000000000000-mapping.dmp
- memory/1828-63-0x0000000000000000-mapping.dmp
- memory/1836-65-0x0000000000000000-mapping.dmp
- memory/1840-64-0x0000000000000000-mapping.dmp
- memory/1940-94-0x0000000000000000-mapping.dmp
- memory/1956-96-0x0000000000000000-mapping.dmp
- memory/1964-93-0x0000000000000000-mapping.dmp
- memory/1984-108-0x0000000000000000-mapping.dmp
- memory/2004-83-0x0000000000000000-mapping.dmp
- memory/2004-113-0x0000000000000000-mapping.dmp
- memory/2012-80-0x0000000000000000-mapping.dmp
- memory/2024-88-0x0000000000000000-mapping.dmp
- memory/2024-56-0x0000000000000000-mapping.dmp
- memory/2032-69-0x0000000000000000-mapping.dmp
- memory/2040-99-0x0000000000000000-mapping.dmp