Malware Analysis Report

2025-06-15 20:11

Sample ID 230307-fppamsgd2w
Target 29.04.20TASKMNGR.exe
SHA256 cea3e8a3e541ae4c928c3cd33f6772f1a69746393ac1a5c4575379a09a92d1e1
Tags lockbit evasion persistence ransomware
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

cea3e8a3e541ae4c928c3cd33f6772f1a69746393ac1a5c4575379a09a92d1e1

Threat Level: Known bad

The file 29.04.20TASKMNGR.exe was found to be: Known bad.

Malicious Activity Summary

lockbit evasion persistence ransomware

Lockbit

Modifies boot configuration data using bcdedit

Deletes shadow copies

Modifies extensions of user files

Deletes backup catalog

Deletes itself

Checks computer location settings

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Sets desktop wallpaper using registry

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Runs ping.exe

Modifies Control Panel

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Uses Volume Shadow Copy service COM API

Interacts with shadow copies

MITRE ATT&CK

The Enterprise Matrix V6 graphic is not included in this export. The behaviours listed in the summary map to the following current ATT&CK Enterprise technique IDs:

T1490 Inhibit System Recovery: deletes shadow copies, deletes backup catalog, modifies boot configuration data using bcdedit
T1486 Data Encrypted for Impact: modifies extensions of user files
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys: adds Run key to start application
T1053.005 Scheduled Task: uses Task Scheduler COM API
T1622 Debugger Evasion: suspicious use of NtSetInformationThreadHideFromDebugger
T1614 System Location Discovery: checks computer location settings
T1057 Process Discovery: enumerates processes
T1082 System Information Discovery: enumerates physical storage devices, checks SCSI registry key(s)
T1491.001 Defacement: Internal Defacement: sets desktop wallpaper using registry
T1070.004 Indicator Removal: File Deletion: deletes itself
T1018 Remote System Discovery: 445/tcp and 135/tcp connection sweep across the local /24 (see Network)

Analysis: static1

Detonation Overview

Reported

2023-03-07 05:03

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-07 05:03

Reported

2023-03-07 05:05

Platform

win10v2004-20230220-en

Max time kernel

150s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe"

Signatures

Lockbit

ransomware lockbit

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A

Geo\Nation holds the country configured for the user profile. Ransomware builds commonly read it to skip hosts in excluded regions; the report records the read but not what the sample did with the value.

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\29.04.20TASKMNGR.exe\"" C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
(64 identical rows recorded for this process)

NtSetInformationThread with the ThreadHideFromDebugger information class (0x11) makes the kernel stop delivering the calling thread's debug events to an attached debugger; it is a standard anti-debugging measure.

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\Restore-My-Files.txt C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.nl_zh_4.4.0.v20140623020002.jar.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\logging.properties.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_Subscription-ul-oob.xrm-ms.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-100.png.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\Restore-My-Files.txt C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.actionProvider.exsd.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\ext\cldrdata.jar.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Grace-ppd.xrm-ms.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MTCORSVA.TTF.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation.nl_ja_4.4.0.v20140623020002.jar.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.wordmui.msi.16.en-us.xml.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_K_COL.HXK.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets\images\Restore-My-Files.txt C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\amd64\jvm.cfg.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\javax.xml_1.3.4.v201005080400.jar.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\Restore-My-Files.txt C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\SAMPLES\SOLVSAMP.XLS.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\nl\Restore-My-Files.txt C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-api.xml.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-ul-oob.xrm-ms.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\PowerPivotExcelClientAddIn.tlb.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\kk\Restore-My-Files.txt C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup_ja.jar.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ppd.xrm-ms.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ul-phn.xrm-ms.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\FPA_f33\Restore-My-Files.txt C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\tzmappings.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\epl-v10.html.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-180.png.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\vlc.mo.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\org-openide-util-lookup.jar.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File created C:\Program Files\Java\jre1.8.0_66\lib\management\Restore-My-Files.txt C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\Restore-My-Files.txt C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\PRISTINA.TTF.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_KMS_Client_AE-ul.xrm-ms.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL077.XML.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\vlc.mo.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluTSFrame.png.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-services.jar.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Office 2007 - 2010.xml.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription-ppd.xrm-ms.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ul-phn.xrm-ms.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.properties.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser.ja_5.5.0.165303.jar.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\Restore-My-Files.txt C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-snaptracer.xml.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntryR_PrepidBypass-ul-oob.xrm-ms.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\mscss7wre_es.dub.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\MANIFEST.MF.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\Restore-My-Files.txt C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ext_5.5.0.165303.jar.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.engine.nl_ja_4.4.0.v20140623020002.jar.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\wordvisi.ttf.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffd27a_256x240.png.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART9.BDR.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\Restore-My-Files.txt C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\rightnav.gif.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.console_1.0.300.v20131113-1212.jar.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-core.xml.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
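The table above shows two file-system signals: one process rewriting files of many different types under a single new extension (the "Modifies extensions of user files" behaviour) and the same note filename being created across many directories. The following is an added detection example, not the sandbox's own logic. The paths are taken from rows of the table; the backup-tool process, its two rows, and the thresholds are assumptions made for the example.

```python
"""Extension-burst and note-drop detection over constructed file events.

Added example, not sandbox or sample code.  Paths are copied from the report;
BACKUP_TOOL and its two rows are an assumed benign control."""
import ntpath
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe"
BACKUP_TOOL = r"C:\Program Files\ExampleBackup\backup.exe"  # assumed benign control process

# (operation, path, process): twelve rows from the report, two constructed control rows.
FILE_EVENTS = [
    ("created", r"C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\Restore-My-Files.txt", SAMPLE),
    ("modified", r"C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.nl_zh_4.4.0.v20140623020002.jar.lockbit", SAMPLE),
    ("modified", r"C:\Program Files\Java\jre1.8.0_66\lib\logging.properties.lockbit", SAMPLE),
    ("modified", r"C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_Subscription-ul-oob.xrm-ms.lockbit", SAMPLE),
    ("modified", r"C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-100.png.lockbit", SAMPLE),
    ("created", r"C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\Restore-My-Files.txt", SAMPLE),
    ("modified", r"C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MTCORSVA.TTF.lockbit", SAMPLE),
    ("modified", r"C:\Program Files\Java\jre1.8.0_66\lib\amd64\jvm.cfg.lockbit", SAMPLE),
    ("modified", r"C:\Program Files\Microsoft Office\root\Office16\SAMPLES\SOLVSAMP.XLS.lockbit", SAMPLE),
    ("created", r"C:\Program Files\Microsoft Office\root\Office16\MSIPC\nl\Restore-My-Files.txt", SAMPLE),
    ("modified", r"C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\vlc.mo.lockbit", SAMPLE),
    ("created", r"C:\Program Files\Java\jre1.8.0_66\lib\management\Restore-My-Files.txt", SAMPLE),
    ("modified", r"C:\Users\Admin\Documents\report.docx.bak", BACKUP_TOOL),   # constructed control
    ("modified", r"C:\Users\Admin\Documents\budget.xlsx.bak", BACKUP_TOOL),   # constructed control
]


def ransomware_file_findings(events, min_files=5, min_source_types=3, min_note_dirs=3):
    """One finding per (process, new extension) that rewrote enough files of enough types.

    a.jar.lockbit is read as source extension .jar under new extension .lockbit; the
    note candidate is the created filename seen in the most distinct directories."""
    state = defaultdict(lambda: {"files": defaultdict(set), "sources": defaultdict(set),
                                 "created": defaultdict(set)})
    for op, path, proc in events:
        st = state[proc]
        if op == "modified":
            stem, new_ext = ntpath.splitext(path)      # ntpath handles Windows paths on any OS
            _, source_ext = ntpath.splitext(stem)
            if new_ext and source_ext:
                st["files"][new_ext.lower()].add(path)
                st["sources"][new_ext.lower()].add(source_ext.lower())
        elif op == "created":
            st["created"][ntpath.basename(path)].add(ntpath.dirname(path))
    findings = []
    for proc, st in state.items():
        for ext, paths in st["files"].items():
            sources = st["sources"][ext]
            if len(paths) < min_files or len(sources) < min_source_types:
                continue
            note, dirs = max(st["created"].items(), key=lambda kv: len(kv[1]), default=(None, set()))
            findings.append({"process": proc, "extension": ext, "files": len(paths),
                             "source_types": sorted(sources),
                             "note": note if len(dirs) >= min_note_dirs else None,
                             "note_dirs": len(dirs)})
    return findings


if __name__ == "__main__":
    for finding in ransomware_file_findings(FILE_EVENTS):
        print(finding)
```

Requiring several distinct source extensions under one new extension is what separates an encryptor from a backup tool or compiler that legitimately writes many files of one type; the note-drop count is reported alongside rather than alerting on its own, since installers also create same-named files in many directories.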

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A

The process column is vds.exe, the Windows Virtual Disk Service started through vdsldr.exe during the detonation (see Processes); these registry reads are made by that service, not directly by the sample.

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 (SeDelegateSessionUserImpersonatePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 (SeDelegateSessionUserImpersonatePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A

The WMIC.exe, vssvc.exe and wbengine.exe rows are the routine privilege adjustments those Windows components make when they start (WMIC enables every privilege its token holds, which is why the numeric LUIDs appear). The rows that belong to the sample are its own SeTakeOwnershipPrivilege (take ownership of files it could not otherwise write) and SeDebugPrivilege (open any process).

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe

"C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe
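The cmd.exe command line above chains five recovery-inhibiting commands, each of which then appears as its own child process, and the Signatures section records a Run-key value pointing into the user's Temp directory. The following is an added detection example, not sandbox or sample code: it matches the recovery-inhibition rules per sub-command, so the same rules fire on the parent command line and on each child, and flags Run-key targets in user-writable temp directories. Command lines, the key path and the value data are copied from the report; the event field names and the two benign control events are assumptions made for the example.

```python
"""Inhibit-recovery and Run-key detection rules over constructed events.

Added example, not sandbox or sample code.  Command lines, key path and value
data come from the report; field names and control events are assumptions."""
import re

# Strips a leading `"...\cmd.exe" /c ` (or /k) wrapper.
CMD_WRAPPER = re.compile(r'^\s*(?:"[^"]*cmd\.exe"|cmd(?:\.exe)?)\s+/[ck]\s+', re.I)
# cmd.exe chains sub-commands with & && | ||.
CMD_SEPARATORS = re.compile(r"\s*(?:&&|\|\||&|\|)\s*")
# Drops a leading drive path so `"C:\Windows\system32\bcdedit.exe" /set` and `bcdedit /set` match alike.
PATH_PREFIX = re.compile(r'^"?(?:[A-Za-z]:\\(?:[^\\"]+\\)*)?')

INHIBIT_RECOVERY_RULES = [  # each regex is applied to one normalised sub-command
    ("vssadmin_delete_shadows", re.compile(r"^vssadmin(?:\.exe)?\s+delete\s+shadows\b.*\s/all\b", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"^wmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("bcdedit_ignore_boot_failures", re.compile(r"^bcdedit(?:\.exe)?\s+/set\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("bcdedit_recovery_disabled", re.compile(r"^bcdedit(?:\.exe)?\s+/set\b.*\brecoveryenabled\s+no\b", re.I)),
    ("wbadmin_delete_catalog", re.compile(r"^wbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I)),
]

RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(?:once)?$", re.I)
# Autostart targets in these directories are rarely legitimate; a real deployment adds an allow-list.
USER_WRITABLE_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\users\\public\\")


def subcommands(cmdline):
    """Splits a (possibly cmd.exe-wrapped) command line into normalised sub-commands."""
    body = CMD_WRAPPER.sub("", cmdline, count=1)
    parts = []
    for part in CMD_SEPARATORS.split(body):
        part = PATH_PREFIX.sub("", part.strip(), count=1).replace('"', "").strip()
        if part:
            parts.append(part)
    return parts


def inhibit_recovery_hits(cmdline):
    """Names of the rules matched by any sub-command, in command order."""
    hits = []
    for part in subcommands(cmdline):
        hits.extend(name for name, rx in INHIBIT_RECOVERY_RULES if rx.search(part))
    return hits


def suspicious_run_value(key_path, value_data):
    """Returns a finding when a Run/RunOnce value points into a user-writable temp directory."""
    if not RUN_KEY.search(key_path.rstrip("\\")):
        return None
    target = value_data.strip().strip('"').lower()
    for directory in USER_WRITABLE_DIRS:
        if directory in target:
            return {"key": key_path, "target": target, "reason": "autostart target under " + directory}
    return None


def evaluate(events):
    """Runs both rule sets over constructed process-creation and registry-set events."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            hits = inhibit_recovery_hits(ev["cmdline"])
            if hits:  # two or more distinct recovery-inhibiting actions in one command is the strong signal
                findings.append({"technique": "T1490 Inhibit System Recovery", "process": ev["image"],
                                 "rules": hits, "severity": "high" if len(set(hits)) >= 2 else "medium"})
        elif ev["type"] == "registry_set":
            hit = suspicious_run_value(ev["key"], ev["data"])
            if hit:
                findings.append({"technique": "T1547.001 Registry Run Keys", "process": ev["image"], **hit})
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe"
RUN_KEY_PATH = r"\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
CHAIN = (r'"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete'
         r' & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no'
         r' & wbadmin delete catalog -quiet')

# Constructed events: rows from the report plus two benign controls (bcdedit /enum, a vendor updater).
EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe", "cmdline": CHAIN},
    {"type": "process", "image": r"C:\Windows\system32\vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"type": "process", "image": r"C:\Windows\system32\bcdedit.exe", "cmdline": "bcdedit /enum all"},
    {"type": "registry_set", "image": SAMPLE, "key": RUN_KEY_PATH, "name": "XO1XADpO01",
     "data": r'"C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe"'},
    {"type": "registry_set", "image": r"C:\Program Files\ExampleVendor\setup.exe", "key": RUN_KEY_PATH,
     "name": "ExampleUpdater", "data": r'"C:\Program Files\ExampleVendor\updater.exe" /silent'},
]

if __name__ == "__main__":
    for finding in evaluate(EVENTS):
        print(finding)
```

Matching per sub-command matters because the parent cmd.exe line and the five child command lines both appear in process-creation telemetry; the chain is rated high because it combines several independent recovery-inhibiting actions, while a lone `vssadmin delete shadows` (which backup software can legitimately issue) is only medium.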

Network

Country Destination Domain Proto
NL 8.253.208.120:80 tcp
US 8.8.8.8:53 123.108.74.40.in-addr.arpa udp
US 93.184.220.29:80 tcp
US 8.8.8.8:53 141.145.190.20.in-addr.arpa udp
US 8.8.8.8:53 210.81.184.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 177.238.32.23.in-addr.arpa udp

The remaining rows are a sweep of 10.127.0.0/24, one TCP connection per host and port, summarised here as address ranges:

N/A 10.127.0.0-254:445 tcp (every address in the /24 except 10.127.0.68 and the broadcast address; 254 hosts)
N/A 10.127.0.0-13, 10.127.0.93-151, 10.127.0.153-173, 10.127.0.244, 10.127.0.247, 10.127.0.253 on :135 tcp (97 hosts; the export is cut off partway through this list)
N/A 10.127.0.18:135 tcp
N/A 10.127.0.14:135 tcp
N/A 10.127.0.15:135 tcp
N/A 10.127.0.16:135 tcp
N/A 10.127.0.19:135 tcp
N/A 10.127.0.21:135 tcp
N/A 10.127.0.17:135 tcp
N/A 10.127.0.26:135 tcp
N/A 10.127.0.20:135 tcp
N/A 10.127.0.23:135 tcp
N/A 10.127.0.22:135 tcp
N/A 10.127.0.25:135 tcp
N/A 10.127.0.24:135 tcp
N/A 10.127.0.30:135 tcp
N/A 10.127.0.27:135 tcp
N/A 10.127.0.29:135 tcp
N/A 10.127.0.28:135 tcp
N/A 10.127.0.31:135 tcp
N/A 10.127.0.32:135 tcp
N/A 10.127.0.33:135 tcp
N/A 10.127.0.36:135 tcp
N/A 10.127.0.34:135 tcp
N/A 10.127.0.35:135 tcp
N/A 10.127.0.41:135 tcp
N/A 10.127.0.38:135 tcp
N/A 10.127.0.37:135 tcp
N/A 10.127.0.39:135 tcp
N/A 10.127.0.40:135 tcp
N/A 10.127.0.42:135 tcp
N/A 10.127.0.45:135 tcp
N/A 10.127.0.43:135 tcp
N/A 10.127.0.44:135 tcp
N/A 10.127.0.49:135 tcp
N/A 10.127.0.46:135 tcp
N/A 10.127.0.47:135 tcp
N/A 10.127.0.53:135 tcp
N/A 10.127.0.48:135 tcp
N/A 10.127.0.50:135 tcp
N/A 10.127.0.52:135 tcp
N/A 10.127.0.51:135 tcp
N/A 10.127.0.57:135 tcp
N/A 10.127.0.54:135 tcp
N/A 10.127.0.56:135 tcp
N/A 10.127.0.55:135 tcp
N/A 10.127.0.58:135 tcp
N/A 10.127.0.63:135 tcp
N/A 10.127.0.60:135 tcp
N/A 10.127.0.59:135 tcp
N/A 10.127.0.62:135 tcp
N/A 10.127.0.61:135 tcp
N/A 10.127.0.152:135 tcp
N/A 10.127.0.65:135 tcp
N/A 10.127.0.64:135 tcp
N/A 10.127.0.67:135 tcp
N/A 10.127.0.71:135 tcp
N/A 10.127.0.66:135 tcp
N/A 10.127.0.69:135 tcp
N/A 10.127.0.70:135 tcp
N/A 10.127.0.72:135 tcp
N/A 10.127.0.76:135 tcp
N/A 10.127.0.77:135 tcp
N/A 10.127.0.75:135 tcp
N/A 10.127.0.73:135 tcp
N/A 10.127.0.78:135 tcp
N/A 10.127.0.74:135 tcp
N/A 10.127.0.79:135 tcp
N/A 10.127.0.80:135 tcp
N/A 10.127.0.81:135 tcp
N/A 10.127.0.82:135 tcp
N/A 10.127.0.83:135 tcp
N/A 10.127.0.84:135 tcp
N/A 10.127.0.85:135 tcp
N/A 10.127.0.86:135 tcp
N/A 10.127.0.87:135 tcp
N/A 10.127.0.88:135 tcp
N/A 10.127.0.89:135 tcp
N/A 10.127.0.90:135 tcp
N/A 10.127.0.91:135 tcp
N/A 10.127.0.174:135 tcp
N/A 10.127.0.92:135 tcp
N/A 10.127.0.239:135 tcp
N/A 10.127.0.245:135 tcp
N/A 10.127.0.240:135 tcp
N/A 10.127.0.238:135 tcp
N/A 10.127.0.246:135 tcp
N/A 10.127.0.254:135 tcp
N/A 10.127.0.251:135 tcp
N/A 10.127.0.250:135 tcp
N/A 10.127.0.252:135 tcp
N/A 10.127.0.243:135 tcp
N/A 10.127.0.249:135 tcp
N/A 10.127.0.248:135 tcp
N/A 10.127.0.242:135 tcp
N/A 10.127.0.241:135 tcp
N/A 10.127.0.237:135 tcp
N/A 10.127.0.236:135 tcp
N/A 10.127.0.235:135 tcp
N/A 10.127.0.234:135 tcp
N/A 10.127.0.233:135 tcp
N/A 10.127.0.232:135 tcp
N/A 10.127.0.231:135 tcp
N/A 10.127.0.230:135 tcp
N/A 10.127.0.229:135 tcp
N/A 10.127.0.228:135 tcp
N/A 10.127.0.227:135 tcp
N/A 10.127.0.226:135 tcp
N/A 10.127.0.225:135 tcp
N/A 10.127.0.224:135 tcp
N/A 10.127.0.223:135 tcp
N/A 10.127.0.222:135 tcp
N/A 10.127.0.221:135 tcp
N/A 10.127.0.220:135 tcp
N/A 10.127.0.219:135 tcp
N/A 10.127.0.218:135 tcp
N/A 10.127.0.177:135 tcp
N/A 10.127.0.178:135 tcp
N/A 10.127.0.182:135 tcp
N/A 10.127.0.179:135 tcp
N/A 10.127.0.180:135 tcp
N/A 10.127.0.181:135 tcp
N/A 10.127.0.185:135 tcp
N/A 10.127.0.183:135 tcp
N/A 10.127.0.186:135 tcp
N/A 10.127.0.184:135 tcp
N/A 10.127.0.189:135 tcp
N/A 10.127.0.187:135 tcp
N/A 10.127.0.188:135 tcp
N/A 10.127.0.190:135 tcp
N/A 10.127.0.191:135 tcp
N/A 10.127.0.194:135 tcp
N/A 10.127.0.192:135 tcp
N/A 10.127.0.193:135 tcp
N/A 10.127.0.198:135 tcp
N/A 10.127.0.195:135 tcp
N/A 10.127.0.196:135 tcp
N/A 10.127.0.197:135 tcp
N/A 10.127.0.212:135 tcp
N/A 10.127.0.199:135 tcp
N/A 10.127.0.200:135 tcp
N/A 10.127.0.201:135 tcp
N/A 10.127.0.205:135 tcp
N/A 10.127.0.202:135 tcp
N/A 10.127.0.203:135 tcp
N/A 10.127.0.204:135 tcp
N/A 10.127.0.209:135 tcp
N/A 10.127.0.206:135 tcp
N/A 10.127.0.207:135 tcp
N/A 10.127.0.208:135 tcp
N/A 10.127.0.214:135 tcp
N/A 10.127.0.210:135 tcp
N/A 10.127.0.211:135 tcp
N/A 10.127.0.213:135 tcp
N/A 10.127.0.217:135 tcp
N/A 10.127.0.215:135 tcp
N/A 10.127.0.216:135 tcp
N/A 10.127.0.175:135 tcp
N/A 10.127.0.176:135 tcp
GB 51.105.71.136:443 tcp
NL 8.253.208.120:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp

Files

C:\Program Files\Java\jdk1.8.0_66\db\Restore-My-Files.txt

MD5 e9f86d0660d6abaf91473f76bd94c446
SHA1 319524a6b452f39740e983b93830c79055600b1f
SHA256 23190b8ccb516c2b9df0520a5df85caf6081bda884a04dbd775cc559a21492f4
SHA512 21de72237398abe7a0d45adae21620626ff8bbd0230ae30aa0224c1180a2a96dd0147e5f50371ca0a236fc95f1f9a7a5d6d3d11307d7feecd87fe62e48826f6f

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-07 05:03

Reported

2023-03-07 05:05

Platform

win7-20230220-en

Max time kernel

66s

Max time network

32s

Command Line

"C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe"

Signatures

Lockbit

ransomware lockbit

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\ShowUnprotect.crw => C:\Users\Admin\Pictures\ShowUnprotect.crw.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Users\Admin\Pictures\ShowUnprotect.crw.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\29.04.20TASKMNGR.exe\"" C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\205D.tmp.bmp" C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveDrop32x32.gif.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Indian\Chagos.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\TestConvertTo.odt.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\epl-v10.html.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00092_.WMF.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE06450_.WMF.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\J0115855.GIF.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_widescreen_Thumbnail.bmp.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Resolute.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_dot.png.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341534.JPG.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AboutBox.zip.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\mr.txt.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Africa\Ceuta.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Windows Media Player\fr-FR\wmlaunch.exe.mui.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00152_.WMF.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\ja-JP\PhotoAcq.dll.mui.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\weather.js.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21400_.GIF.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Brussels.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\Restore-My-Files.txt C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\vlc.mo.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\requests\status.xml.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_divider_left.png.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\settings.js.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02451_.WMF.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CALENDAR.XML.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGSIDEBR.XML.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_rest.png.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Elemental.xml.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14579_.GIF.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\flyout.css.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_up.png.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\Restore-My-Files.txt C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.filesystem_1.4.100.v20140514-1614.jar.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Pyongyang.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\settings.js.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\Restore-My-Files.txt C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD00173_.WMF.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR6F.GIF.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightDemiBold.ttf.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\jfluid-server_ja.jar.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_close_up.png.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386485.JPG.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTVIEW.JPG.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)notConnectedStateIcon.png.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Oral.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Hovd.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386764.JPG.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02066_.WMF.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR49F.GIF.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\COUGH.WAV.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Dawson_Creek.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.workbench.nl_zh_4.4.0.v20140623020002.jar.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-io-ui_zh_CN.jar.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0086420.WMF.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\weather.css.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.net.nl_zh_4.4.0.v20140623020002.jar.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\SystemV\EST5.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files\SuspendPing.mpg.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0212953.WMF.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue.css.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00148_.WMF.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_s.png.lockbit C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Control Panel\Desktop\TileWallpaper = "0" C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1600 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe C:\Windows\System32\cmd.exe
PID 1596 wrote to memory of 768 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1596 wrote to memory of 1948 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1596 wrote to memory of 1684 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1596 wrote to memory of 1084 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1596 wrote to memory of 1936 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1600 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe C:\Windows\SysWOW64\cmd.exe
PID 3052 wrote to memory of 2828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3052 wrote to memory of 2896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\fsutil.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe

"C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.7 -n 3

C:\Windows\SysWOW64\fsutil.exe

fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\29.04.20TASKMNGR.exe"

Network

Country Destination Domain Proto
N/A 10.127.0.253:445 tcp
N/A 10.127.0.242:445 tcp
N/A 10.127.0.67:445 tcp
N/A 10.127.0.226:445 tcp
N/A 10.127.0.152:445 tcp
N/A 10.127.0.249:445 tcp
N/A 10.127.0.78:445 tcp
N/A 10.127.0.1:445 tcp
N/A 10.127.0.232:445 tcp
N/A 10.127.0.214:445 tcp
N/A 10.127.0.235:445 tcp
N/A 10.127.0.205:445 tcp
N/A 10.127.0.252:445 tcp
N/A 10.127.0.238:445 tcp
N/A 10.127.0.225:445 tcp
N/A 10.127.0.31:445 tcp
N/A 10.127.0.236:445 tcp
N/A 10.127.0.73:445 tcp
N/A 10.127.0.76:445 tcp
N/A 10.127.0.250:445 tcp
N/A 10.127.0.69:445 tcp
N/A 10.127.0.77:445 tcp
N/A 10.127.0.240:445 tcp
N/A 10.127.0.239:445 tcp
N/A 10.127.0.224:445 tcp
N/A 10.127.0.68:445 tcp
N/A 10.127.0.218:445 tcp
N/A 10.127.0.174:445 tcp
N/A 10.127.0.219:445 tcp
N/A 10.127.0.207:445 tcp
N/A 10.127.0.134:445 tcp
N/A 10.127.0.247:445 tcp
N/A 10.127.0.244:445 tcp
N/A 10.127.0.234:445 tcp
N/A 10.127.0.75:445 tcp
N/A 10.127.0.223:445 tcp
N/A 10.127.0.221:445 tcp
N/A 10.127.0.217:445 tcp
N/A 10.127.0.215:445 tcp
N/A 10.127.0.243:445 tcp
N/A 10.127.0.66:445 tcp
N/A 10.127.0.211:445 tcp
N/A 10.127.0.201:445 tcp
N/A 10.127.0.74:445 tcp
N/A 10.127.0.245:445 tcp
N/A 10.127.0.241:445 tcp
N/A 10.127.0.231:445 tcp
N/A 10.127.0.70:445 tcp
N/A 10.127.0.246:445 tcp
N/A 10.127.0.71:445 tcp
N/A 10.127.0.202:445 tcp
N/A 10.127.0.237:445 tcp
N/A 10.127.0.208:445 tcp
N/A 10.127.0.216:445 tcp
N/A 10.127.0.212:445 tcp
N/A 10.127.0.190:445 tcp
N/A 10.127.0.233:445 tcp
N/A 10.127.0.197:445 tcp
N/A 10.127.0.65:445 tcp
N/A 10.127.0.210:445 tcp
N/A 10.127.0.227:445 tcp
N/A 10.127.0.213:445 tcp
N/A 10.127.0.206:445 tcp
N/A 10.127.0.228:445 tcp
N/A 10.127.0.222:445 tcp
N/A 10.127.0.248:445 tcp
N/A 10.127.0.72:445 tcp
N/A 10.127.0.229:445 tcp
N/A 10.127.0.209:445 tcp
N/A 10.127.0.203:445 tcp
N/A 10.127.0.230:445 tcp
N/A 10.127.0.79:445 tcp
N/A 10.127.0.251:445 tcp
N/A 10.127.0.195:445 tcp
N/A 10.127.0.204:445 tcp
N/A 10.127.0.191:445 tcp
N/A 10.127.0.133:445 tcp
N/A 10.127.0.9:445 tcp
N/A 10.127.0.199:445 tcp
N/A 10.127.0.179:445 tcp
N/A 10.127.0.193:445 tcp
N/A 10.127.0.196:445 tcp
N/A 10.127.0.176:445 tcp
N/A 10.127.0.198:445 tcp
N/A 10.127.0.182:445 tcp
N/A 10.127.0.178:445 tcp
N/A 10.127.0.183:445 tcp
N/A 10.127.0.181:445 tcp
N/A 10.127.0.186:445 tcp
N/A 10.127.0.192:445 tcp
N/A 10.127.0.200:445 tcp
N/A 10.127.0.184:445 tcp
N/A 10.127.0.189:445 tcp
N/A 10.127.0.194:445 tcp
N/A 10.127.0.63:445 tcp
N/A 10.127.0.180:445 tcp
N/A 10.127.0.187:445 tcp
N/A 10.127.0.185:445 tcp
N/A 10.127.0.62:445 tcp
N/A 10.127.0.177:445 tcp
N/A 10.127.0.64:445 tcp
N/A 10.127.0.188:445 tcp
N/A 10.127.0.48:445 tcp
N/A 10.127.0.61:445 tcp
N/A 10.127.0.175:445 tcp
N/A 10.127.0.173:445 tcp
N/A 10.127.0.172:445 tcp
N/A 10.127.0.60:445 tcp
N/A 10.127.0.171:445 tcp
N/A 10.127.0.170:445 tcp
N/A 10.127.0.169:445 tcp
N/A 10.127.0.168:445 tcp
N/A 10.127.0.59:445 tcp
N/A 10.127.0.167:445 tcp
N/A 10.127.0.166:445 tcp
N/A 10.127.0.165:445 tcp
N/A 10.127.0.58:445 tcp
N/A 10.127.0.164:445 tcp
N/A 10.127.0.163:445 tcp
N/A 10.127.0.162:445 tcp
N/A 10.127.0.161:445 tcp
N/A 10.127.0.57:445 tcp
N/A 10.127.0.160:445 tcp
N/A 10.127.0.56:445 tcp
N/A 10.127.0.159:445 tcp
N/A 10.127.0.158:445 tcp
N/A 10.127.0.157:445 tcp
N/A 10.127.0.156:445 tcp
N/A 10.127.0.55:445 tcp
N/A 10.127.0.155:445 tcp
N/A 10.127.0.154:445 tcp
N/A 10.127.0.153:445 tcp
N/A 10.127.0.54:445 tcp
N/A 10.127.0.151:445 tcp
N/A 10.127.0.53:445 tcp
N/A 10.127.0.150:445 tcp
N/A 10.127.0.149:445 tcp
N/A 10.127.0.148:445 tcp
N/A 10.127.0.147:445 tcp
N/A 10.127.0.146:445 tcp
N/A 10.127.0.52:445 tcp
N/A 10.127.0.145:445 tcp
N/A 10.127.0.144:445 tcp
N/A 10.127.0.143:445 tcp
N/A 10.127.0.51:445 tcp
N/A 10.127.0.142:445 tcp
N/A 10.127.0.141:445 tcp
N/A 10.127.0.140:445 tcp
N/A 10.127.0.139:445 tcp
N/A 10.127.0.50:445 tcp
N/A 10.127.0.138:445 tcp
N/A 10.127.0.137:445 tcp
N/A 10.127.0.49:445 tcp
N/A 10.127.0.136:445 tcp
N/A 10.127.0.135:445 tcp
N/A 10.127.0.132:445 tcp
N/A 10.127.0.131:445 tcp
N/A 10.127.0.130:445 tcp
N/A 10.127.0.129:445 tcp
N/A 10.127.0.128:445 tcp
N/A 10.127.0.254:445 tcp
N/A 10.127.0.47:445 tcp
N/A 10.127.0.127:445 tcp
N/A 10.127.0.46:445 tcp
N/A 10.127.0.126:445 tcp
N/A 10.127.0.45:445 tcp
N/A 10.127.0.125:445 tcp
N/A 10.127.0.44:445 tcp
N/A 10.127.0.124:445 tcp
N/A 10.127.0.43:445 tcp
N/A 10.127.0.123:445 tcp
N/A 10.127.0.42:445 tcp
N/A 10.127.0.122:445 tcp
N/A 10.127.0.41:445 tcp
N/A 10.127.0.121:445 tcp
N/A 10.127.0.40:445 tcp
N/A 10.127.0.120:445 tcp
N/A 10.127.0.39:445 tcp
N/A 10.127.0.119:445 tcp
N/A 10.127.0.38:445 tcp
N/A 10.127.0.118:445 tcp
N/A 10.127.0.37:445 tcp
N/A 10.127.0.117:445 tcp
N/A 10.127.0.36:445 tcp
N/A 10.127.0.116:445 tcp
N/A 10.127.0.35:445 tcp
N/A 10.127.0.115:445 tcp
N/A 10.127.0.34:445 tcp
N/A 10.127.0.114:445 tcp
N/A 10.127.0.33:445 tcp
N/A 10.127.0.113:445 tcp
N/A 10.127.0.32:445 tcp
N/A 10.127.0.112:445 tcp
N/A 10.127.0.111:445 tcp
N/A 10.127.0.30:445 tcp
N/A 10.127.0.110:445 tcp
N/A 10.127.0.29:445 tcp
N/A 10.127.0.109:445 tcp
N/A 10.127.0.28:445 tcp
N/A 10.127.0.108:445 tcp
N/A 10.127.0.27:445 tcp
N/A 10.127.0.107:445 tcp
N/A 10.127.0.26:445 tcp
N/A 10.127.0.106:445 tcp
N/A 10.127.0.25:445 tcp
N/A 10.127.0.105:445 tcp
N/A 10.127.0.24:445 tcp
N/A 10.127.0.23:445 tcp
N/A 10.127.0.103:445 tcp
N/A 10.127.0.22:445 tcp
N/A 10.127.0.102:445 tcp
N/A 10.127.0.104:445 tcp
N/A 10.127.0.21:445 tcp
N/A 10.127.0.101:445 tcp
N/A 10.127.0.100:445 tcp
N/A 10.127.0.20:445 tcp
N/A 10.127.0.99:445 tcp
N/A 10.127.0.98:445 tcp
N/A 10.127.0.19:445 tcp
N/A 10.127.0.96:445 tcp
N/A 10.127.0.97:445 tcp
N/A 10.127.0.95:445 tcp
N/A 10.127.0.18:445 tcp
N/A 10.127.0.94:445 tcp
N/A 10.127.0.17:445 tcp
N/A 10.127.0.93:445 tcp
N/A 10.127.0.92:445 tcp
N/A 10.127.0.91:445 tcp
N/A 10.127.0.90:445 tcp
N/A 10.127.0.16:445 tcp
N/A 10.127.0.89:445 tcp
N/A 10.127.0.15:445 tcp
N/A 10.127.0.88:445 tcp
N/A 10.127.0.87:445 tcp
N/A 10.127.0.14:445 tcp
N/A 10.127.0.86:445 tcp
N/A 10.127.0.13:445 tcp
N/A 10.127.0.85:445 tcp
N/A 10.127.0.12:445 tcp
N/A 10.127.0.84:445 tcp
N/A 10.127.0.11:445 tcp
N/A 10.127.0.83:445 tcp
N/A 10.127.0.10:445 tcp
N/A 10.127.0.8:445 tcp
N/A 10.127.0.7:445 tcp
N/A 10.127.0.6:445 tcp
N/A 10.127.0.5:445 tcp
N/A 10.127.0.4:445 tcp
N/A 10.127.0.3:445 tcp
N/A 10.127.0.2:445 tcp
N/A 10.127.0.0:445 tcp
N/A 10.127.0.82:445 tcp
N/A 10.127.0.81:445 tcp
N/A 10.127.0.80:445 tcp
N/A 10.127.0.239:135 tcp
N/A 10.127.0.72:135 tcp
N/A 10.127.0.240:135 tcp
N/A 10.127.0.241:135 tcp
N/A 10.127.0.73:135 tcp
N/A 10.127.0.242:135 tcp
N/A 10.127.0.243:135 tcp
N/A 10.127.0.74:135 tcp
N/A 10.127.0.244:135 tcp
N/A 10.127.0.245:135 tcp
N/A 10.127.0.246:135 tcp
N/A 10.127.0.247:135 tcp
N/A 10.127.0.248:135 tcp
N/A 10.127.0.249:135 tcp
N/A 10.127.0.250:135 tcp
N/A 10.127.0.251:135 tcp
N/A 10.127.0.75:135 tcp
N/A 10.127.0.252:135 tcp
N/A 10.127.0.253:135 tcp
N/A 10.127.0.76:135 tcp
N/A 10.127.0.79:135 tcp
N/A 10.127.0.77:135 tcp
N/A 10.127.0.78:135 tcp
N/A 10.127.0.221:135 tcp
N/A 10.127.0.68:135 tcp
N/A 10.127.0.222:135 tcp
N/A 10.127.0.69:135 tcp
N/A 10.127.0.70:135 tcp
N/A 10.127.0.71:135 tcp
N/A 10.127.0.223:135 tcp
N/A 10.127.0.224:135 tcp
N/A 10.127.0.225:135 tcp
N/A 10.127.0.226:135 tcp
N/A 10.127.0.227:135 tcp
N/A 10.127.0.228:135 tcp
N/A 10.127.0.229:135 tcp
N/A 10.127.0.230:135 tcp
N/A 10.127.0.231:135 tcp
N/A 10.127.0.232:135 tcp
N/A 10.127.0.233:135 tcp
N/A 10.127.0.234:135 tcp
N/A 10.127.0.235:135 tcp
N/A 10.127.0.236:135 tcp
N/A 10.127.0.237:135 tcp
N/A 10.127.0.238:135 tcp
N/A 10.127.0.56:135 tcp
N/A 10.127.0.57:135 tcp
N/A 10.127.0.160:135 tcp
N/A 10.127.0.161:135 tcp
N/A 10.127.0.58:135 tcp
N/A 10.127.0.162:135 tcp
N/A 10.127.0.163:135 tcp
N/A 10.127.0.164:135 tcp
N/A 10.127.0.59:135 tcp
N/A 10.127.0.165:135 tcp
N/A 10.127.0.60:135 tcp
N/A 10.127.0.61:135 tcp
N/A 10.127.0.62:135 tcp
N/A 10.127.0.166:135 tcp
N/A 10.127.0.63:135 tcp
N/A 10.127.0.167:135 tcp
N/A 10.127.0.64:135 tcp
N/A 10.127.0.168:135 tcp
N/A 10.127.0.65:135 tcp
N/A 10.127.0.169:135 tcp
N/A 10.127.0.170:135 tcp
N/A 10.127.0.66:135 tcp
N/A 10.127.0.171:135 tcp
N/A 10.127.0.67:135 tcp
N/A 10.127.0.172:135 tcp
N/A 10.127.0.173:135 tcp
N/A 10.127.0.174:135 tcp
N/A 10.127.0.175:135 tcp
N/A 10.127.0.176:135 tcp
N/A 10.127.0.177:135 tcp
N/A 10.127.0.178:135 tcp
N/A 10.127.0.179:135 tcp
N/A 10.127.0.180:135 tcp
N/A 10.127.0.181:135 tcp
N/A 10.127.0.182:135 tcp
N/A 10.127.0.183:135 tcp
N/A 10.127.0.184:135 tcp
N/A 10.127.0.185:135 tcp
N/A 10.127.0.186:135 tcp
N/A 10.127.0.187:135 tcp
N/A 10.127.0.188:135 tcp
N/A 10.127.0.189:135 tcp
N/A 10.127.0.190:135 tcp
N/A 10.127.0.191:135 tcp
N/A 10.127.0.192:135 tcp
N/A 10.127.0.193:135 tcp
N/A 10.127.0.195:135 tcp
N/A 10.127.0.196:135 tcp
N/A 10.127.0.197:135 tcp
N/A 10.127.0.198:135 tcp
N/A 10.127.0.199:135 tcp
N/A 10.127.0.200:135 tcp
N/A 10.127.0.201:135 tcp
N/A 10.127.0.202:135 tcp
N/A 10.127.0.204:135 tcp
N/A 10.127.0.32:135 tcp
N/A 10.127.0.205:135 tcp
N/A 10.127.0.206:135 tcp
N/A 10.127.0.113:135 tcp
N/A 10.127.0.207:135 tcp
N/A 10.127.0.33:135 tcp
N/A 10.127.0.208:135 tcp
N/A 10.127.0.209:135 tcp
N/A 10.127.0.34:135 tcp
N/A 10.127.0.115:135 tcp
N/A 10.127.0.212:135 tcp
N/A 10.127.0.213:135 tcp
N/A 10.127.0.35:135 tcp
N/A 10.127.0.214:135 tcp
N/A 10.127.0.215:135 tcp
N/A 10.127.0.116:135 tcp
N/A 10.127.0.216:135 tcp
N/A 10.127.0.217:135 tcp
N/A 10.127.0.36:135 tcp
N/A 10.127.0.219:135 tcp
N/A 10.127.0.117:135 tcp
N/A 10.127.0.128:135 tcp
N/A 10.127.0.37:135 tcp
N/A 10.127.0.129:135 tcp
N/A 10.127.0.131:135 tcp
N/A 10.127.0.38:135 tcp
N/A 10.127.0.133:135 tcp
N/A 10.127.0.119:135 tcp
N/A 10.127.0.134:135 tcp
N/A 10.127.0.39:135 tcp
N/A 10.127.0.135:135 tcp
N/A 10.127.0.120:135 tcp
N/A 10.127.0.136:135 tcp
N/A 10.127.0.40:135 tcp
N/A 10.127.0.137:135 tcp
N/A 10.127.0.121:135 tcp
N/A 10.127.0.138:135 tcp
N/A 10.127.0.41:135 tcp
N/A 10.127.0.139:135 tcp
N/A 10.127.0.140:135 tcp
N/A 10.127.0.42:135 tcp
N/A 10.127.0.142:135 tcp
N/A 10.127.0.123:135 tcp
N/A 10.127.0.144:135 tcp
N/A 10.127.0.43:135 tcp
N/A 10.127.0.145:135 tcp
N/A 10.127.0.124:135 tcp
N/A 10.127.0.146:135 tcp
N/A 10.127.0.44:135 tcp
N/A 10.127.0.125:135 tcp
N/A 10.127.0.147:135 tcp
N/A 10.127.0.148:135 tcp
N/A 10.127.0.45:135 tcp
N/A 10.127.0.149:135 tcp
N/A 10.127.0.46:135 tcp
N/A 10.127.0.152:135 tcp
N/A 10.127.0.47:135 tcp
N/A 10.127.0.153:135 tcp
N/A 10.127.0.154:135 tcp
N/A 10.127.0.48:135 tcp
N/A 10.127.0.155:135 tcp
N/A 10.127.0.157:135 tcp
N/A 10.127.0.50:135 tcp
N/A 10.127.0.158:135 tcp
N/A 10.127.0.159:135 tcp
N/A 10.127.0.51:135 tcp
N/A 10.127.0.141:135 tcp
N/A 10.127.0.52:135 tcp
N/A 10.127.0.53:135 tcp
N/A 10.127.0.54:135 tcp
N/A 10.127.0.127:135 tcp
N/A 10.127.0.203:135 tcp
N/A 10.127.0.55:135 tcp
N/A 10.127.0.80:135 tcp
N/A 10.127.0.81:135 tcp
N/A 10.127.0.82:135 tcp
N/A 10.127.0.1:135 tcp
N/A 10.127.0.2:135 tcp
N/A 10.127.0.3:135 tcp
N/A 10.127.0.4:135 tcp
N/A 10.127.0.5:135 tcp
N/A 10.127.0.6:135 tcp
N/A 10.127.0.7:135 tcp
N/A 10.127.0.8:135 tcp
N/A 10.127.0.9:135 tcp
N/A 10.127.0.83:135 tcp
N/A 10.127.0.10:135 tcp
N/A 10.127.0.11:135 tcp
N/A 10.127.0.84:135 tcp
N/A 10.127.0.12:135 tcp
N/A 10.127.0.85:135 tcp
N/A 10.127.0.13:135 tcp
N/A 10.127.0.86:135 tcp
N/A 10.127.0.88:135 tcp
N/A 10.127.0.14:135 tcp
N/A 10.127.0.87:135 tcp
N/A 10.127.0.15:135 tcp
N/A 10.127.0.89:135 tcp
N/A 10.127.0.16:135 tcp
N/A 10.127.0.91:135 tcp
N/A 10.127.0.90:135 tcp
N/A 10.127.0.92:135 tcp
N/A 10.127.0.17:135 tcp
N/A 10.127.0.93:135 tcp
N/A 10.127.0.94:135 tcp
N/A 10.127.0.95:135 tcp
N/A 10.127.0.18:135 tcp
N/A 10.127.0.97:135 tcp
N/A 10.127.0.19:135 tcp
N/A 10.127.0.96:135 tcp
N/A 10.127.0.98:135 tcp
N/A 10.127.0.20:135 tcp
N/A 10.127.0.99:135 tcp
N/A 10.127.0.100:135 tcp
N/A 10.127.0.21:135 tcp
N/A 10.127.0.104:135 tcp
N/A 10.127.0.102:135 tcp
N/A 10.127.0.22:135 tcp
N/A 10.127.0.103:135 tcp
N/A 10.127.0.23:135 tcp
N/A 10.127.0.24:135 tcp
N/A 10.127.0.105:135 tcp
N/A 10.127.0.25:135 tcp
N/A 10.127.0.106:135 tcp
N/A 10.127.0.26:135 tcp
N/A 10.127.0.107:135 tcp
N/A 10.127.0.27:135 tcp
N/A 10.127.0.108:135 tcp
N/A 10.127.0.28:135 tcp
N/A 10.127.0.109:135 tcp
N/A 10.127.0.29:135 tcp
N/A 10.127.0.30:135 tcp
N/A 10.127.0.110:135 tcp
N/A 10.127.0.111:135 tcp
N/A 10.127.0.112:135 tcp
N/A 10.127.0.31:135 tcp
N/A 10.127.0.101:135 tcp
N/A 10.127.0.114:135 tcp
N/A 10.127.0.210:135 tcp
N/A 10.127.0.211:135 tcp
N/A 10.127.0.218:135 tcp
N/A 10.127.0.194:135 tcp
N/A 10.127.0.130:135 tcp
N/A 10.127.0.132:135 tcp
N/A 10.127.0.118:135 tcp
N/A 10.127.0.122:135 tcp
N/A 10.127.0.143:135 tcp
N/A 10.127.0.126:135 tcp
N/A 10.127.0.150:135 tcp
N/A 10.127.0.151:135 tcp
N/A 10.127.0.156:135 tcp
N/A 10.127.0.254:135 tcp
N/A 10.127.0.49:135 tcp
N/A 10.127.0.0:135 tcp

Files

C:\Program Files\DVD Maker\de-DE\Restore-My-Files.txt

MD5 a83809c5b900881c286a9ad182ecf2fd
SHA1 087e460e7143977b48ee68505af838af2f1c0df2
SHA256 ceb532e364028013b671bcf6a1f268fdaa10c396a17a02af56aee5834733cbe1
SHA512 0ab60ca638418aa06df5e24d07ba07a123208eb1fb8dd179fca9d51f200be3fbaff5ce1a80d2ecd692758b11df0262b823c79ef630f706308a7579538c22f6c5