45438e0d6a47a90beea24d4bb1d0a4387032a12a9b7d64b2e08986cbfb264406

Resubmissions

11-03-2023 15:20

230311-sqvv2abh7w 7

11-03-2023 13:56

230311-q8tpksbf8y 10

Analysis

max time kernel
269s
max time network
244s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
11-03-2023 15:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

conti/locker.exe
Size

1.4MB
MD5

f9f2b0dca4ff4365b98599afb5c1e14e
SHA1

9cac04b31f29b81c89cfd840e160a1185768c699
SHA256

2b19e130390bf1a65c40a909a3dc5ce2af96d921d2bb4949724be9085e0abbe7
SHA512

52d586efaeea2e3350e08ce53b3b8fef63c4cd22eab757aa7d42a6534011d505ad14c39b59d70f45a17ed0035bc234fd0dffef209739a81cae8841b214d1308a
SSDEEP

12288:GZH7AAO2VRbDEsLC3L79iiauuxJ8QahIha4B7ByfdoiUriupSezaVm:GZH7Hc3L7yJGhIha4B1yfui8b2m

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

Drops file in Program Files directory 64 IoCs

Processes:

locker.exe

description	ioc	process
File created	C:\Program Files\VideoLAN\VLC\locale\bg\R3ADM3.txt	locker.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_splitter\R3ADM3.txt	locker.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\R3ADM3.txt	locker.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\R3ADM3.txt	locker.exe
File created	C:\Program Files\Microsoft Games\Purble Place\es-ES\R3ADM3.txt	locker.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\R3ADM3.txt	locker.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\R3ADM3.txt	locker.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lg\R3ADM3.txt	locker.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\en-US\R3ADM3.txt	locker.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\R3ADM3.txt	locker.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\R3ADM3.txt	locker.exe
File created	C:\Program Files\Microsoft Games\FreeCell\it-IT\R3ADM3.txt	locker.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\R3ADM3.txt	locker.exe
File created	C:\Program Files\Java\jre7\lib\amd64\R3ADM3.txt	locker.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\R3ADM3.txt	locker.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\R3ADM3.txt	locker.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\R3ADM3.txt	locker.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\R3ADM3.txt	locker.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\R3ADM3.txt	locker.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\R3ADM3.txt	locker.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\R3ADM3.txt	locker.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\R3ADM3.txt	locker.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\R3ADM3.txt	locker.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\R3ADM3.txt	locker.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\R3ADM3.txt	locker.exe
File created	C:\Program Files\VideoLAN\VLC\locale\af\R3ADM3.txt	locker.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\mux\R3ADM3.txt	locker.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1036\R3ADM3.txt	locker.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ms\R3ADM3.txt	locker.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\R3ADM3.txt	locker.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\R3ADM3.txt	locker.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\R3ADM3.txt	locker.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\R3ADM3.txt	locker.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\R3ADM3.txt	locker.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\R3ADM3.txt	locker.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\R3ADM3.txt	locker.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\R3ADM3.txt	locker.exe
File created	C:\Program Files\Common Files\System\de-DE\R3ADM3.txt	locker.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\SAMPLES\R3ADM3.txt	locker.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\R3ADM3.txt	locker.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\R3ADM3.txt	locker.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\R3ADM3.txt	locker.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\R3ADM3.txt	locker.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\R3ADM3.txt	locker.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\R3ADM3.txt	locker.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.en-us\R3ADM3.txt	locker.exe
File created	C:\Program Files\VideoLAN\VLC\locale\az\R3ADM3.txt	locker.exe
File created	C:\Program Files\Mozilla Firefox\defaults\R3ADM3.txt	locker.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\R3ADM3.txt	locker.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\R3ADM3.txt	locker.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\R3ADM3.txt	locker.exe
File created	C:\Program Files\Microsoft Games\Purble Place\R3ADM3.txt	locker.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\R3ADM3.txt	locker.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\R3ADM3.txt	locker.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\R3ADM3.txt	locker.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\R3ADM3.txt	locker.exe
File created	C:\Program Files (x86)\Common Files\DESIGNER\R3ADM3.txt	locker.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ta\R3ADM3.txt	locker.exe
File created	C:\Program Files\VideoLAN\VLC\lua\extensions\R3ADM3.txt	locker.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\R3ADM3.txt	locker.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\R3ADM3.txt	locker.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\R3ADM3.txt	locker.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pl\R3ADM3.txt	locker.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\R3ADM3.txt	locker.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE

Opens file in notepad (likely ransom note) 2 IoCs
ransomware

Processes:

NOTEPAD.EXENOTEPAD.EXE

pid process

1892 NOTEPAD.EXE
556 NOTEPAD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2208 WINWORD.EXE

pid	process
1892	NOTEPAD.EXE
556	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

locker.exetaskmgr.exechrome.exe

pid	process
2004	locker.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
1636	chrome.exe
1636	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

544 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

vssvc.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	1408	vssvc.exe
Token: SeRestorePrivilege	1408	vssvc.exe
Token: SeAuditPrivilege	1408	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1492	WMIC.exe
Token: SeSecurityPrivilege	1492	WMIC.exe
Token: SeTakeOwnershipPrivilege	1492	WMIC.exe
Token: SeLoadDriverPrivilege	1492	WMIC.exe
Token: SeSystemProfilePrivilege	1492	WMIC.exe
Token: SeSystemtimePrivilege	1492	WMIC.exe
Token: SeProfSingleProcessPrivilege	1492	WMIC.exe
Token: SeIncBasePriorityPrivilege	1492	WMIC.exe
Token: SeCreatePagefilePrivilege	1492	WMIC.exe
Token: SeBackupPrivilege	1492	WMIC.exe
Token: SeRestorePrivilege	1492	WMIC.exe
Token: SeShutdownPrivilege	1492	WMIC.exe
Token: SeDebugPrivilege	1492	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1492	WMIC.exe
Token: SeRemoteShutdownPrivilege	1492	WMIC.exe
Token: SeUndockPrivilege	1492	WMIC.exe
Token: SeManageVolumePrivilege	1492	WMIC.exe
Token: 33	1492	WMIC.exe
Token: 34	1492	WMIC.exe
Token: 35	1492	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1492	WMIC.exe
Token: SeSecurityPrivilege	1492	WMIC.exe
Token: SeTakeOwnershipPrivilege	1492	WMIC.exe
Token: SeLoadDriverPrivilege	1492	WMIC.exe
Token: SeSystemProfilePrivilege	1492	WMIC.exe
Token: SeSystemtimePrivilege	1492	WMIC.exe
Token: SeProfSingleProcessPrivilege	1492	WMIC.exe
Token: SeIncBasePriorityPrivilege	1492	WMIC.exe
Token: SeCreatePagefilePrivilege	1492	WMIC.exe
Token: SeBackupPrivilege	1492	WMIC.exe
Token: SeRestorePrivilege	1492	WMIC.exe
Token: SeShutdownPrivilege	1492	WMIC.exe
Token: SeDebugPrivilege	1492	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1492	WMIC.exe
Token: SeRemoteShutdownPrivilege	1492	WMIC.exe
Token: SeUndockPrivilege	1492	WMIC.exe
Token: SeManageVolumePrivilege	1492	WMIC.exe
Token: 33	1492	WMIC.exe
Token: 34	1492	WMIC.exe
Token: 35	1492	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1824	WMIC.exe
Token: SeSecurityPrivilege	1824	WMIC.exe
Token: SeTakeOwnershipPrivilege	1824	WMIC.exe
Token: SeLoadDriverPrivilege	1824	WMIC.exe
Token: SeSystemProfilePrivilege	1824	WMIC.exe
Token: SeSystemtimePrivilege	1824	WMIC.exe
Token: SeProfSingleProcessPrivilege	1824	WMIC.exe
Token: SeIncBasePriorityPrivilege	1824	WMIC.exe
Token: SeCreatePagefilePrivilege	1824	WMIC.exe
Token: SeBackupPrivilege	1824	WMIC.exe
Token: SeRestorePrivilege	1824	WMIC.exe
Token: SeShutdownPrivilege	1824	WMIC.exe
Token: SeDebugPrivilege	1824	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1824	WMIC.exe
Token: SeRemoteShutdownPrivilege	1824	WMIC.exe
Token: SeUndockPrivilege	1824	WMIC.exe
Token: SeManageVolumePrivilege	1824	WMIC.exe
Token: 33	1824	WMIC.exe
Token: 34	1824	WMIC.exe
Token: 35	1824	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1824	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

NOTEPAD.EXENOTEPAD.EXEtaskmgr.exe

pid	process
556	NOTEPAD.EXE
1612	NOTEPAD.EXE
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe
544	taskmgr.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

WINWORD.EXE

pid	process
2208	WINWORD.EXE
2208	WINWORD.EXE
2208	WINWORD.EXE
2208	WINWORD.EXE
2208	WINWORD.EXE
2208	WINWORD.EXE
2208	WINWORD.EXE
2208	WINWORD.EXE
2208	WINWORD.EXE
2208	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

locker.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2004 wrote to memory of 1100	2004	locker.exe	cmd.exe
PID 2004 wrote to memory of 1100	2004	locker.exe	cmd.exe
PID 2004 wrote to memory of 1100	2004	locker.exe	cmd.exe
PID 2004 wrote to memory of 1100	2004	locker.exe	cmd.exe
PID 1100 wrote to memory of 1492	1100	cmd.exe	WMIC.exe
PID 1100 wrote to memory of 1492	1100	cmd.exe	WMIC.exe
PID 1100 wrote to memory of 1492	1100	cmd.exe	WMIC.exe
PID 2004 wrote to memory of 1360	2004	locker.exe	cmd.exe
PID 2004 wrote to memory of 1360	2004	locker.exe	cmd.exe
PID 2004 wrote to memory of 1360	2004	locker.exe	cmd.exe
PID 2004 wrote to memory of 1360	2004	locker.exe	cmd.exe
PID 1360 wrote to memory of 1824	1360	cmd.exe	WMIC.exe
PID 1360 wrote to memory of 1824	1360	cmd.exe	WMIC.exe
PID 1360 wrote to memory of 1824	1360	cmd.exe	WMIC.exe
PID 2004 wrote to memory of 1072	2004	locker.exe	cmd.exe
PID 2004 wrote to memory of 1072	2004	locker.exe	cmd.exe
PID 2004 wrote to memory of 1072	2004	locker.exe	cmd.exe
PID 2004 wrote to memory of 1072	2004	locker.exe	cmd.exe
PID 1072 wrote to memory of 1536	1072	cmd.exe	WMIC.exe
PID 1072 wrote to memory of 1536	1072	cmd.exe	WMIC.exe
PID 1072 wrote to memory of 1536	1072	cmd.exe	WMIC.exe
PID 2004 wrote to memory of 1456	2004	locker.exe	cmd.exe
PID 2004 wrote to memory of 1456	2004	locker.exe	cmd.exe
PID 2004 wrote to memory of 1456	2004	locker.exe	cmd.exe
PID 2004 wrote to memory of 1456	2004	locker.exe	cmd.exe
PID 1456 wrote to memory of 1092	1456	cmd.exe	WMIC.exe
PID 1456 wrote to memory of 1092	1456	cmd.exe	WMIC.exe
PID 1456 wrote to memory of 1092	1456	cmd.exe	WMIC.exe
PID 2004 wrote to memory of 940	2004	locker.exe	cmd.exe
PID 2004 wrote to memory of 940	2004	locker.exe	cmd.exe
PID 2004 wrote to memory of 940	2004	locker.exe	cmd.exe
PID 2004 wrote to memory of 940	2004	locker.exe	cmd.exe
PID 940 wrote to memory of 1068	940	cmd.exe	WMIC.exe
PID 940 wrote to memory of 1068	940	cmd.exe	WMIC.exe
PID 940 wrote to memory of 1068	940	cmd.exe	WMIC.exe
PID 2004 wrote to memory of 780	2004	locker.exe	cmd.exe
PID 2004 wrote to memory of 780	2004	locker.exe	cmd.exe
PID 2004 wrote to memory of 780	2004	locker.exe	cmd.exe
PID 2004 wrote to memory of 780	2004	locker.exe	cmd.exe
PID 780 wrote to memory of 1608	780	cmd.exe	WMIC.exe
PID 780 wrote to memory of 1608	780	cmd.exe	WMIC.exe
PID 780 wrote to memory of 1608	780	cmd.exe	WMIC.exe
PID 2004 wrote to memory of 1596	2004	locker.exe	cmd.exe
PID 2004 wrote to memory of 1596	2004	locker.exe	cmd.exe
PID 2004 wrote to memory of 1596	2004	locker.exe	cmd.exe
PID 2004 wrote to memory of 1596	2004	locker.exe	cmd.exe
PID 1596 wrote to memory of 2016	1596	cmd.exe	WMIC.exe
PID 1596 wrote to memory of 2016	1596	cmd.exe	WMIC.exe
PID 1596 wrote to memory of 2016	1596	cmd.exe	WMIC.exe
PID 2004 wrote to memory of 1760	2004	locker.exe	cmd.exe
PID 2004 wrote to memory of 1760	2004	locker.exe	cmd.exe
PID 2004 wrote to memory of 1760	2004	locker.exe	cmd.exe
PID 2004 wrote to memory of 1760	2004	locker.exe	cmd.exe
PID 1760 wrote to memory of 368	1760	cmd.exe	WMIC.exe
PID 1760 wrote to memory of 368	1760	cmd.exe	WMIC.exe
PID 1760 wrote to memory of 368	1760	cmd.exe	WMIC.exe
PID 2004 wrote to memory of 1668	2004	locker.exe	cmd.exe
PID 2004 wrote to memory of 1668	2004	locker.exe	cmd.exe
PID 2004 wrote to memory of 1668	2004	locker.exe	cmd.exe
PID 2004 wrote to memory of 1668	2004	locker.exe	cmd.exe
PID 1668 wrote to memory of 396	1668	cmd.exe	WMIC.exe
PID 1668 wrote to memory of 396	1668	cmd.exe	WMIC.exe
PID 1668 wrote to memory of 396	1668	cmd.exe	WMIC.exe
PID 2004 wrote to memory of 1312	2004	locker.exe	cmd.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\conti\locker.exe
"C:\Users\Admin\AppData\Local\Temp\conti\locker.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{40530E52-D859-4288-8535-7A1E7BF38742}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{40530E52-D859-4288-8535-7A1E7BF38742}'" delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{362F9380-A10B-4293-BDFE-E2ABDECA2DAF}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{362F9380-A10B-4293-BDFE-E2ABDECA2DAF}'" delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BD5FDCA8-7209-40FA-9A5C-CEDEDC37256E}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BD5FDCA8-7209-40FA-9A5C-CEDEDC37256E}'" delete
3⤵
PID:1536

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{93FAE12C-833C-441A-939F-52258540534E}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{93FAE12C-833C-441A-939F-52258540534E}'" delete
3⤵
PID:1092

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4AC7E78B-CB66-4825-B5F5-1F514EAB0111}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:940

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4AC7E78B-CB66-4825-B5F5-1F514EAB0111}'" delete
3⤵
PID:1068

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{68742572-A9EF-406D-8825-1474A4A3AE2F}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:780

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{68742572-A9EF-406D-8825-1474A4A3AE2F}'" delete
3⤵
PID:1608

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{46A7E154-E116-4937-9D32-DC8C7C02E8A8}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{46A7E154-E116-4937-9D32-DC8C7C02E8A8}'" delete
3⤵
PID:2016

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{DE8D6635-6769-4349-B17F-DFC50B9CD9B0}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{DE8D6635-6769-4349-B17F-DFC50B9CD9B0}'" delete
3⤵
PID:368

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D8A2D3A5-A46A-4D2A-9520-2932D9ABB035}'" delete
2⤵
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D8A2D3A5-A46A-4D2A-9520-2932D9ABB035}'" delete
3⤵
PID:396

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{86B65306-46B3-4B33-A700-490BDE2E46FC}'" delete
2⤵
PID:1312

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{86B65306-46B3-4B33-A700-490BDE2E46FC}'" delete
3⤵
PID:1816

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7BF24B04-491E-47A4-A279-BD67AC36C7EF}'" delete
2⤵
PID:1360

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7BF24B04-491E-47A4-A279-BD67AC36C7EF}'" delete
3⤵
PID:1336

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{93A01BCD-1CE1-4859-8D37-BA4FEA28BD2D}'" delete
2⤵
PID:1556

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{93A01BCD-1CE1-4859-8D37-BA4FEA28BD2D}'" delete
3⤵
PID:1924

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3C8D665A-144E-455D-9C50-3B972749B177}'" delete
2⤵
PID:844

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3C8D665A-144E-455D-9C50-3B972749B177}'" delete
3⤵
PID:1636

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{06A0C767-A751-4562-9A96-8A6BDBB5178D}'" delete
2⤵
PID:1544

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{06A0C767-A751-4562-9A96-8A6BDBB5178D}'" delete
3⤵
PID:1572

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{94367333-C515-4BAD-8EDC-5D79B53C5D0E}'" delete
2⤵
PID:780

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{94367333-C515-4BAD-8EDC-5D79B53C5D0E}'" delete
3⤵
PID:756

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3AA386E9-758B-4161-A1B6-15ED24FC93BB}'" delete
2⤵
PID:1748

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{3AA386E9-758B-4161-A1B6-15ED24FC93BB}'" delete
3⤵
PID:1616

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BF94CE8D-CB56-45BC-9D93-B88CC180A09F}'" delete
2⤵
PID:1760

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{BF94CE8D-CB56-45BC-9D93-B88CC180A09F}'" delete
3⤵
PID:568

C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A6C9FDDD-2105-402F-B9BD-770535EDBE41}'" delete
2⤵
PID:1476

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A6C9FDDD-2105-402F-B9BD-770535EDBE41}'" delete
3⤵
PID:1344

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1408

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:388

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\R3ADM3.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1892

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x1a4
1⤵
PID:1292

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\R3ADM3.txt
1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:556

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\Common Files\R3ADM3.txt
1⤵
- Suspicious use of FindShellTrayWindow
PID:1612

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:1636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6b29758,0x7fef6b29768,0x7fef6b29778
2⤵
PID:464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1200 --field-trial-handle=1264,i,11490431614372674743,6677986001752631353,131072 /prefetch:2
2⤵
PID:940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1552 --field-trial-handle=1264,i,11490431614372674743,6677986001752631353,131072 /prefetch:8
2⤵
PID:996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1676 --field-trial-handle=1264,i,11490431614372674743,6677986001752631353,131072 /prefetch:8
2⤵
PID:1064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2260 --field-trial-handle=1264,i,11490431614372674743,6677986001752631353,131072 /prefetch:1
2⤵
PID:332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2232 --field-trial-handle=1264,i,11490431614372674743,6677986001752631353,131072 /prefetch:1
2⤵
PID:700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1416 --field-trial-handle=1264,i,11490431614372674743,6677986001752631353,131072 /prefetch:2
2⤵
PID:2296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1308 --field-trial-handle=1264,i,11490431614372674743,6677986001752631353,131072 /prefetch:1
2⤵
PID:2372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3904 --field-trial-handle=1264,i,11490431614372674743,6677986001752631353,131072 /prefetch:8
2⤵
PID:2440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4076 --field-trial-handle=1264,i,11490431614372674743,6677986001752631353,131072 /prefetch:8
2⤵
PID:2456

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:212

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Desktop\MountDebug.rtf"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\14\R3ADM3.txt
Filesize
16B

MD5
c8a54401701d688fe98cdcddded2cfd7

SHA1
a0edc8f3d7478982def3b3ccd68ee5deba023d00

SHA256
9d780d55213a7d38022a3a2431f69192724606f32ebe27e181989f4ee1cafa4f

SHA512
7e5caedbc912f7c677c700a83566025841e1665b70da99e9031f533f2b346f0b8a7ceb51704803ea761bb95374d4cfc9ae296659fd11b42ce0027c0092fbf41e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\R3ADM3.txt
Filesize
16B

MD5
c8a54401701d688fe98cdcddded2cfd7

SHA1
a0edc8f3d7478982def3b3ccd68ee5deba023d00

SHA256
9d780d55213a7d38022a3a2431f69192724606f32ebe27e181989f4ee1cafa4f

SHA512
7e5caedbc912f7c677c700a83566025841e1665b70da99e9031f533f2b346f0b8a7ceb51704803ea761bb95374d4cfc9ae296659fd11b42ce0027c0092fbf41e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\R3ADM3.txt
Filesize
16B

MD5
c8a54401701d688fe98cdcddded2cfd7

SHA1
a0edc8f3d7478982def3b3ccd68ee5deba023d00

SHA256
9d780d55213a7d38022a3a2431f69192724606f32ebe27e181989f4ee1cafa4f

SHA512
7e5caedbc912f7c677c700a83566025841e1665b70da99e9031f533f2b346f0b8a7ceb51704803ea761bb95374d4cfc9ae296659fd11b42ce0027c0092fbf41e

Download Submit
C:\Program Files (x86)\R3ADM3.txt
Filesize
16B

MD5
c8a54401701d688fe98cdcddded2cfd7

SHA1
a0edc8f3d7478982def3b3ccd68ee5deba023d00

SHA256
9d780d55213a7d38022a3a2431f69192724606f32ebe27e181989f4ee1cafa4f

SHA512
7e5caedbc912f7c677c700a83566025841e1665b70da99e9031f533f2b346f0b8a7ceb51704803ea761bb95374d4cfc9ae296659fd11b42ce0027c0092fbf41e

Download Submit
C:\Program Files\Common Files\R3ADM3.txt
Filesize
16B

MD5
c8a54401701d688fe98cdcddded2cfd7

SHA1
a0edc8f3d7478982def3b3ccd68ee5deba023d00

SHA256
9d780d55213a7d38022a3a2431f69192724606f32ebe27e181989f4ee1cafa4f

SHA512
7e5caedbc912f7c677c700a83566025841e1665b70da99e9031f533f2b346f0b8a7ceb51704803ea761bb95374d4cfc9ae296659fd11b42ce0027c0092fbf41e

Download Submit
C:\R3ADM3.txt
Filesize
16B

MD5
c8a54401701d688fe98cdcddded2cfd7

SHA1
a0edc8f3d7478982def3b3ccd68ee5deba023d00

SHA256
9d780d55213a7d38022a3a2431f69192724606f32ebe27e181989f4ee1cafa4f

SHA512
7e5caedbc912f7c677c700a83566025841e1665b70da99e9031f533f2b346f0b8a7ceb51704803ea761bb95374d4cfc9ae296659fd11b42ce0027c0092fbf41e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\R3ADM3.txt
Filesize
16B

MD5
c8a54401701d688fe98cdcddded2cfd7

SHA1
a0edc8f3d7478982def3b3ccd68ee5deba023d00

SHA256
9d780d55213a7d38022a3a2431f69192724606f32ebe27e181989f4ee1cafa4f

SHA512
7e5caedbc912f7c677c700a83566025841e1665b70da99e9031f533f2b346f0b8a7ceb51704803ea761bb95374d4cfc9ae296659fd11b42ce0027c0092fbf41e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\R3ADM3.txt
Filesize
16B

MD5
c8a54401701d688fe98cdcddded2cfd7

SHA1
a0edc8f3d7478982def3b3ccd68ee5deba023d00

SHA256
9d780d55213a7d38022a3a2431f69192724606f32ebe27e181989f4ee1cafa4f

SHA512
7e5caedbc912f7c677c700a83566025841e1665b70da99e9031f533f2b346f0b8a7ceb51704803ea761bb95374d4cfc9ae296659fd11b42ce0027c0092fbf41e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
4ca6ea90f4885e904bc4cccc192e8c7c

SHA1
1ffbe4ce98f7d415f192482009c9b1545ea2582b

SHA256
e022c2a0c1e1c75752a51fa45a140809a588715c4e2143c551c8c2c119abbf38

SHA512
9638566aac03743fdcb927caf1402e3ed4387675e50560151fffa09622bc1d92193002beb8da28891d7127e1cc0e41cbba639597a2d4d806bef92f81b15bfa6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000004.dbtmp
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\blob_storage\9c7e4f13-0827-4ad7-842f-3d0dc1b028ef\R3ADM3.txt
Filesize
16B

MD5
c8a54401701d688fe98cdcddded2cfd7

SHA1
a0edc8f3d7478982def3b3ccd68ee5deba023d00

SHA256
9d780d55213a7d38022a3a2431f69192724606f32ebe27e181989f4ee1cafa4f

SHA512
7e5caedbc912f7c677c700a83566025841e1665b70da99e9031f533f2b346f0b8a7ceb51704803ea761bb95374d4cfc9ae296659fd11b42ce0027c0092fbf41e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
143KB

MD5
3e454b241c9bedc3ed88a377399d4608

SHA1
54a5d8f6460eec99f4b68789bd4851e876a33ebe

SHA256
44ab282727578d7a3b132bcaa70f495ff4b03552ec07d9cee17dcb698680d339

SHA512
ef9bba27987a936a4f63049867b6045d3c4910ab1a233b41e8efe534cb8ceb0f5c1c2c33f6d5b82fc2ffa8b0c311637db9199fc567f34f52fdec7222a4750538

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\a2841f73-d2a9-49d9-ad3a-b5a755b90209.tmp
Filesize
143KB

MD5
b3dcf68cddc00e57c1d4b2bbf89b6de0

SHA1
58c225ad0d4414cddaad105a8832e31df0529ad4

SHA256
fd7214c9e12e820622ad45f52dedb6209f6294dc74b5c0b4d1574d70b2b36d23

SHA512
ca94d95cbab4759a0b1a7d914d10c092c6167ec785495e59f507143e363fddad2fa76ec6d854573e189e8e2e64431044e547dfbe284471225dd3065ae64ac1b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0002.doc
Filesize
3.1MB

MD5
0465252e1e2e3ae8c73c055dde7bc8ad

SHA1
5609cc9aadb8f5164544892af5800504d5af844f

SHA256
84a29002895419007da8f0e20f2b4303bc97fd4a42ccd0deb0b5e130c786d110

SHA512
1499727f895dc21e2d694e308b8798c4beef220578e721186e05a0be505545d0ad452d03652dea5600eb9cd0bdfdba1404ca1044d308944e8d1240c1f6ec68ce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\R3ADM3.txt
Filesize
16B

MD5
c8a54401701d688fe98cdcddded2cfd7

SHA1
a0edc8f3d7478982def3b3ccd68ee5deba023d00

SHA256
9d780d55213a7d38022a3a2431f69192724606f32ebe27e181989f4ee1cafa4f

SHA512
7e5caedbc912f7c677c700a83566025841e1665b70da99e9031f533f2b346f0b8a7ceb51704803ea761bb95374d4cfc9ae296659fd11b42ce0027c0092fbf41e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\R3ADM3.txt
Filesize
16B

MD5
c8a54401701d688fe98cdcddded2cfd7

SHA1
a0edc8f3d7478982def3b3ccd68ee5deba023d00

SHA256
9d780d55213a7d38022a3a2431f69192724606f32ebe27e181989f4ee1cafa4f

SHA512
7e5caedbc912f7c677c700a83566025841e1665b70da99e9031f533f2b346f0b8a7ceb51704803ea761bb95374d4cfc9ae296659fd11b42ce0027c0092fbf41e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\R3ADM3.txt
Filesize
16B

MD5
c8a54401701d688fe98cdcddded2cfd7

SHA1
a0edc8f3d7478982def3b3ccd68ee5deba023d00

SHA256
9d780d55213a7d38022a3a2431f69192724606f32ebe27e181989f4ee1cafa4f

SHA512
7e5caedbc912f7c677c700a83566025841e1665b70da99e9031f533f2b346f0b8a7ceb51704803ea761bb95374d4cfc9ae296659fd11b42ce0027c0092fbf41e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
1a48b658b42d1df7e83f73dffbdccceb

SHA1
7d73840306f2eb82c4d8f8b49bcec2e612036c33

SHA256
8e8f358a575adf454f0489f0cd06c8829a4a9ee18f5d2745248bd956b8301c94

SHA512
371df9452c87083f206106d7df7c3f95ca83648e1b507a7b04bbbcd7c36012d8090d12661496051399704e34ab246b21c66a206fe70713a376cfa3fb9eef542c

Download Submit
C:\Users\Admin\Desktop\R3ADM3.txt
Filesize
16B

MD5
c8a54401701d688fe98cdcddded2cfd7

SHA1
a0edc8f3d7478982def3b3ccd68ee5deba023d00

SHA256
9d780d55213a7d38022a3a2431f69192724606f32ebe27e181989f4ee1cafa4f

SHA512
7e5caedbc912f7c677c700a83566025841e1665b70da99e9031f533f2b346f0b8a7ceb51704803ea761bb95374d4cfc9ae296659fd11b42ce0027c0092fbf41e

Download Submit
\??\pipe\crashpad_1636_RYLOWEDDTDPWIAIY
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/544-1731-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/544-1730-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/544-1729-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2004-54-0x0000000000DC0000-0x0000000000FCB000-memory.dmp

Filesize
2.0MB

Download
memory/2004-1727-0x0000000000DC0000-0x0000000000FCB000-memory.dmp

Filesize
2.0MB

Download
memory/2004-1724-0x0000000000DC0000-0x0000000000FCB000-memory.dmp

Filesize
2.0MB

Download
memory/2208-1901-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2208-1952-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download