Analysis Overview
SHA256
143aa60d44f38ae8a99ce6b5dbdb80412e2c32fcf8f50b5bd1aee46a3f5a4b40
Threat Level: Known bad
The file 9779776776.zip was found to be: Known bad.
Malicious Activity Summary
Blackmatter family
Blackbasta family
Black Basta payload
Modifies extensions of user files
Drops startup file
Reads user/profile data of web browsers
Drops file in Program Files directory
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Uses Volume Shadow Copy service COM API
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-03-30 12:29
Signatures
Black Basta payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blackbasta family
Blackmatter family
Analysis: behavioral1
Detonation Overview
Submitted
2023-03-30 12:29
Reported
2023-03-30 12:35
Platform
win7-20230220-en
Max time kernel
147s
Max time network
148s
Command Line
Signatures
Modifies extensions of user files
| Description | Indicator | Process | Target |
| File renamed | C:\Users\Admin\Pictures\SubmitUnpublish.raw => C:\Users\Admin\Pictures\SubmitUnpublish.raw.CRYPT | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UnblockClose.raw => C:\Users\Admin\Pictures\UnblockClose.raw.CRYPT | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\UnregisterOpen.raw => C:\Users\Admin\Pictures\UnregisterOpen.raw.CRYPT | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\HideGroup.tiff | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\HideGroup.tiff => C:\Users\Admin\Pictures\HideGroup.tiff.CRYPT | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\PublishGrant.tif => C:\Users\Admin\Pictures\PublishGrant.tif.CRYPT | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File renamed | C:\Users\Admin\Pictures\ResumeUnregister.tif => C:\Users\Admin\Pictures\ResumeUnregister.tif.CRYPT | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\LATIN1.SHP | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00668_.WMF | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00723_.WMF | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FORMCTL.POC | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\README.TXT | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\ml\Readme_Instructions.html | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB00760L.GIF | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\classlist | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0217872.WMF | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGWEBCAL.XML | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\correct.avi | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\jfr\default.jfc | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21320_.GIF | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME27.CSS | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro.zh_CN_5.5.0.165303.jar | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Elemental.thmx | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push.png | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passportcover.png | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File created | C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\Readme_Instructions.html | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\PREVIEW.GIF | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00042_.WMF | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\ONGuide.onepkg | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\Xlate_Complete.xsn | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\include\jni.h | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\sa-jdi.jar | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185818.WMF | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0196364.WMF | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341344.JPG | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0293570.WMF | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\Readme_Instructions.html | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSTH7EN.LEX | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\grvschema.xsd | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\Ole DB\oledbvbs.inc | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0183168.WMF | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME49.CSS | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\Readme_Instructions.html | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\photograph.png | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EXPEDITN\THMBNAIL.PNG | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0160590.WMF | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0289430.JPG | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Oriel.xml | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT.DEV_K_COL.HXK | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PG_INDEX.XML | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239943.WMF | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_uparrow.png | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMainMask_PAL.wmv | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR48F.GIF | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDRESN.CFG | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21365_.GIF | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\DISTLIST.CFG | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\VC\Readme_Instructions.html | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00157_.GIF | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00726_.WMF | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop.wmv | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\sr\Readme_Instructions.html | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\System\de-DE\Readme_Instructions.html | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\te\Readme_Instructions.html | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.zh_CN_5.5.0.165303.jar | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\Readme_Instructions.html | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui_5.5.0.165303.jar | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN02559_.WMF | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00531_.WMF | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File created | C:\Program Files\Common Files\System\msadc\en-US\Readme_Instructions.html | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\THMBNAIL.PNG | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "386951790" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c8a3886e844ee04ca528537b5bc458990000000002000000000010660000000100002000000051d0c4115c6e6eb35f5d2e54d264f69472a092a182634396a37e0b1bfe42fe52000000000e80000000020000200000006bbc6199d00aa1fa157ee8a43cf0d2e86aca90511a1e79518d0c0a0b2b95718d20000000d19f6b3a8a8deb92ee4135e66b0fb6c37b92b5ebe9ef6879b05a8bd987f2253d400000008421c24531edfb2e7b65179042b7490f1d1c5b8fa9623a5e6a91010c19aab4a8e924edf05e5414cc386e007d0fb16ffd67916badc8ddea38da8aa7df21951bbf | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DA1A5950-CF07-11ED-9BAD-EE84389A6D8F} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a031e29e1463d901 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Zoom\ZoomFactor = "80000" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DA1A8060-CF07-11ED-9BAD-EE84389A6D8F} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
"C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{71E86241-2765-4C20-80B2-DE05DB4A88EB}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{71E86241-2765-4C20-80B2-DE05DB4A88EB}'" delete
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A0582194-0728-4E86-B74E-AC7B2A49A925}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A0582194-0728-4E86-B74E-AC7B2A49A925}'" delete
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1B38E269-6A77-4F2E-922A-42D9ECD27B8F}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1B38E269-6A77-4F2E-922A-42D9ECD27B8F}'" delete
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C5B4AF2F-29D7-4230-90B5-EBE05B142261}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C5B4AF2F-29D7-4230-90B5-EBE05B142261}'" delete
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9BFA8521-F926-48D7-9368-48899B3C4649}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9BFA8521-F926-48D7-9368-48899B3C4649}'" delete
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{100C7593-8D3E-42CE-8990-869523D90275}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{100C7593-8D3E-42CE-8990-869523D90275}'" delete
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2BF737DA-5DC4-41A4-8B9B-B1E8EB187A49}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{2BF737DA-5DC4-41A4-8B9B-B1E8EB187A49}'" delete
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{48CCAC03-F2BC-42C0-B260-91638DB4A4B3}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{48CCAC03-F2BC-42C0-B260-91638DB4A4B3}'" delete
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9FC2EB2C-E23D-485F-9DCD-F3FCA33D80C9}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9FC2EB2C-E23D-485F-9DCD-F3FCA33D80C9}'" delete
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{509B450B-3924-4908-9573-F78AF252133A}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{509B450B-3924-4908-9573-F78AF252133A}'" delete
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5A85263D-8120-4B2A-B7F5-28DA165298BC}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5A85263D-8120-4B2A-B7F5-28DA165298BC}'" delete
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{DFA9F72D-BD85-4A82-8D8F-505931E018B8}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{DFA9F72D-BD85-4A82-8D8F-505931E018B8}'" delete
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0519AB4C-0733-40DF-8F5A-A02E31092641}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0519AB4C-0733-40DF-8F5A-A02E31092641}'" delete
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{DC10B30B-16E1-4DE4-A8D6-A11D02CBCBCE}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{DC10B30B-16E1-4DE4-A8D6-A11D02CBCBCE}'" delete
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{07654680-03CB-4B6E-9474-05ABD536CF21}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{07654680-03CB-4B6E-9474-05ABD536CF21}'" delete
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{497BA4E2-B6EA-4D9F-91B3-F1389061AF7F}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{497BA4E2-B6EA-4D9F-91B3-F1389061AF7F}'" delete
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E2F7D8BE-2AF7-4FC2-858B-9A16125DAC7C}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{E2F7D8BE-2AF7-4FC2-858B-9A16125DAC7C}'" delete
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8554BBEA-BB9C-4577-AA1D-D5A624285AFC}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8554BBEA-BB9C-4577-AA1D-D5A624285AFC}'" delete
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\Readme_Instructions.html
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\Readme_Instructions.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:544 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:984 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:984 CREDAT:5714946 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| N/A | 10.127.0.1:445 | tcp | |
| N/A | 10.127.0.44:445 | tcp | |
| N/A | 10.127.0.23:445 | tcp | |
| N/A | 10.127.0.2:445 | tcp | |
| N/A | 10.127.0.34:445 | tcp | |
| N/A | 10.127.0.16:445 | tcp | |
| N/A | 10.127.0.17:445 | tcp | |
| N/A | 10.127.0.42:445 | tcp | |
| N/A | 10.127.0.29:445 | tcp | |
| N/A | 10.127.0.47:445 | tcp | |
| N/A | 10.127.0.10:445 | tcp | |
| N/A | 10.127.0.187:445 | tcp | |
| N/A | 10.127.0.7:445 | tcp | |
| N/A | 10.127.0.21:445 | tcp | |
| N/A | 10.127.0.65:445 | tcp | |
| N/A | 10.127.0.55:445 | tcp | |
| N/A | 10.127.0.5:445 | tcp | |
| N/A | 10.127.0.26:445 | tcp | |
| N/A | 10.127.0.35:445 | tcp | |
| N/A | 10.127.0.3:445 | tcp | |
| N/A | 10.127.0.12:445 | tcp | |
| N/A | 10.127.0.43:445 | tcp | |
| N/A | 10.127.0.36:445 | tcp | |
| N/A | 10.127.0.46:445 | tcp | |
| N/A | 10.127.0.51:445 | tcp | |
| N/A | 10.127.0.13:445 | tcp | |
| N/A | 10.127.0.249:445 | tcp | |
| N/A | 10.127.0.68:445 | tcp | |
| N/A | 10.127.0.234:445 | tcp | |
| N/A | 10.127.0.53:445 | tcp | |
| N/A | 10.127.0.104:445 | tcp | |
| N/A | 10.127.0.24:445 | tcp | |
| N/A | 10.127.0.28:445 | tcp | |
| N/A | 10.127.0.39:445 | tcp | |
| N/A | 10.127.0.25:445 | tcp | |
| N/A | 10.127.0.37:445 | tcp | |
| N/A | 10.127.0.62:445 | tcp | |
| N/A | 10.127.0.4:445 | tcp | |
| N/A | 10.127.0.32:445 | tcp | |
| N/A | 10.127.0.49:445 | tcp | |
| N/A | 10.127.0.61:445 | tcp | |
| N/A | 10.127.0.64:445 | tcp | |
| N/A | 10.127.0.6:445 | tcp | |
| N/A | 10.127.0.60:445 | tcp | |
| N/A | 10.127.0.40:445 | tcp | |
| N/A | 10.127.0.48:445 | tcp | |
| N/A | 10.127.0.235:445 | tcp | |
| N/A | 10.127.0.11:445 | tcp | |
| N/A | 10.127.0.63:445 | tcp | |
| N/A | 10.127.0.15:445 | tcp | |
| N/A | 10.127.0.56:445 | tcp | |
| N/A | 10.127.0.33:445 | tcp | |
| N/A | 10.127.0.50:445 | tcp | |
| N/A | 10.127.0.112:445 | tcp | |
| N/A | 10.127.0.0:445 | tcp | |
| N/A | 10.127.0.18:445 | tcp | |
| N/A | 10.127.0.45:445 | tcp | |
| N/A | 10.127.0.52:445 | tcp | |
| N/A | 10.127.0.8:445 | tcp | |
| N/A | 10.127.0.9:445 | tcp | |
| N/A | 10.127.0.14:445 | tcp | |
| N/A | 10.127.0.19:445 | tcp | |
| N/A | 10.127.0.20:445 | tcp | |
| N/A | 10.127.0.22:445 | tcp | |
| N/A | 10.127.0.27:445 | tcp | |
| N/A | 10.127.0.30:445 | tcp | |
| N/A | 10.127.0.31:445 | tcp | |
| N/A | 10.127.0.38:445 | tcp | |
| N/A | 10.127.0.41:445 | tcp | |
| N/A | 10.127.0.54:445 | tcp | |
| N/A | 10.127.0.57:445 | tcp | |
| N/A | 10.127.0.58:445 | tcp | |
| N/A | 10.127.0.59:445 | tcp | |
| N/A | 10.127.0.66:445 | tcp | |
| N/A | 10.127.0.67:445 | tcp | |
| N/A | 10.127.0.69:445 | tcp | |
| N/A | 10.127.0.70:445 | tcp | |
| N/A | 10.127.0.71:445 | tcp | |
| N/A | 10.127.0.72:445 | tcp | |
| N/A | 10.127.0.73:445 | tcp | |
| N/A | 10.127.0.74:445 | tcp | |
| N/A | 10.127.0.75:445 | tcp | |
| N/A | 10.127.0.76:445 | tcp | |
| N/A | 10.127.0.77:445 | tcp | |
| N/A | 10.127.0.78:445 | tcp | |
| N/A | 10.127.0.79:445 | tcp | |
| N/A | 10.127.0.80:445 | tcp | |
| N/A | 10.127.0.81:445 | tcp | |
| N/A | 10.127.0.82:445 | tcp | |
| N/A | 10.127.0.83:445 | tcp | |
| N/A | 10.127.0.84:445 | tcp | |
| N/A | 10.127.0.85:445 | tcp | |
| N/A | 10.127.0.86:445 | tcp | |
| N/A | 10.127.0.87:445 | tcp | |
| N/A | 10.127.0.88:445 | tcp | |
| N/A | 10.127.0.89:445 | tcp | |
| N/A | 10.127.0.90:445 | tcp | |
| N/A | 10.127.0.91:445 | tcp | |
| N/A | 10.127.0.92:445 | tcp | |
| N/A | 10.127.0.93:445 | tcp | |
| N/A | 10.127.0.94:445 | tcp | |
| N/A | 10.127.0.95:445 | tcp | |
| N/A | 10.127.0.96:445 | tcp | |
| N/A | 10.127.0.97:445 | tcp | |
| N/A | 10.127.0.98:445 | tcp | |
| N/A | 10.127.0.99:445 | tcp | |
| N/A | 10.127.0.100:445 | tcp | |
| N/A | 10.127.0.101:445 | tcp | |
| N/A | 10.127.0.102:445 | tcp | |
| N/A | 10.127.0.103:445 | tcp | |
| N/A | 10.127.0.105:445 | tcp | |
| N/A | 10.127.0.106:445 | tcp | |
| N/A | 10.127.0.107:445 | tcp | |
| N/A | 10.127.0.108:445 | tcp | |
| N/A | 10.127.0.109:445 | tcp | |
| N/A | 10.127.0.110:445 | tcp | |
| N/A | 10.127.0.111:445 | tcp | |
| N/A | 10.127.0.113:445 | tcp | |
| N/A | 10.127.0.114:445 | tcp | |
| N/A | 10.127.0.115:445 | tcp | |
| N/A | 10.127.0.116:445 | tcp | |
| N/A | 10.127.0.117:445 | tcp | |
| N/A | 10.127.0.118:445 | tcp | |
| N/A | 10.127.0.119:445 | tcp | |
| N/A | 10.127.0.120:445 | tcp | |
| N/A | 10.127.0.121:445 | tcp | |
| N/A | 10.127.0.122:445 | tcp | |
| N/A | 10.127.0.123:445 | tcp | |
| N/A | 10.127.0.124:445 | tcp | |
| N/A | 10.127.0.125:445 | tcp | |
| N/A | 10.127.0.126:445 | tcp | |
| N/A | 10.127.0.127:445 | tcp | |
| N/A | 10.127.0.128:445 | tcp | |
| N/A | 10.127.0.129:445 | tcp | |
| N/A | 10.127.0.130:445 | tcp | |
| N/A | 10.127.0.131:445 | tcp | |
| N/A | 10.127.0.132:445 | tcp | |
| N/A | 10.127.0.133:445 | tcp | |
| N/A | 10.127.0.134:445 | tcp | |
| N/A | 10.127.0.135:445 | tcp | |
| N/A | 10.127.0.136:445 | tcp | |
| N/A | 10.127.0.137:445 | tcp | |
| N/A | 10.127.0.138:445 | tcp | |
| N/A | 10.127.0.139:445 | tcp | |
| N/A | 10.127.0.140:445 | tcp | |
| N/A | 10.127.0.141:445 | tcp | |
| N/A | 10.127.0.142:445 | tcp | |
| N/A | 10.127.0.143:445 | tcp | |
| N/A | 10.127.0.144:445 | tcp | |
| N/A | 10.127.0.145:445 | tcp | |
| N/A | 10.127.0.146:445 | tcp | |
| N/A | 10.127.0.147:445 | tcp | |
| N/A | 10.127.0.148:445 | tcp | |
| N/A | 10.127.0.149:445 | tcp | |
| N/A | 10.127.0.150:445 | tcp | |
| N/A | 10.127.0.151:445 | tcp | |
| N/A | 10.127.0.152:445 | tcp | |
| N/A | 10.127.0.153:445 | tcp | |
| N/A | 10.127.0.154:445 | tcp | |
| N/A | 10.127.0.155:445 | tcp | |
| N/A | 10.127.0.156:445 | tcp | |
| N/A | 10.127.0.157:445 | tcp | |
| N/A | 10.127.0.158:445 | tcp | |
| N/A | 10.127.0.159:445 | tcp | |
| N/A | 10.127.0.160:445 | tcp | |
| N/A | 10.127.0.161:445 | tcp | |
| N/A | 10.127.0.162:445 | tcp | |
| N/A | 10.127.0.163:445 | tcp | |
| N/A | 10.127.0.164:445 | tcp | |
| N/A | 10.127.0.165:445 | tcp | |
| N/A | 10.127.0.166:445 | tcp | |
| N/A | 10.127.0.167:445 | tcp | |
| N/A | 10.127.0.168:445 | tcp | |
| N/A | 10.127.0.169:445 | tcp | |
| N/A | 10.127.0.170:445 | tcp | |
| N/A | 10.127.0.171:445 | tcp | |
| N/A | 10.127.0.172:445 | tcp | |
| N/A | 10.127.0.173:445 | tcp | |
| N/A | 10.127.0.174:445 | tcp | |
| N/A | 10.127.0.175:445 | tcp | |
| N/A | 10.127.0.176:445 | tcp | |
| N/A | 10.127.0.177:445 | tcp | |
| N/A | 10.127.0.178:445 | tcp | |
| N/A | 10.127.0.179:445 | tcp | |
| N/A | 10.127.0.180:445 | tcp | |
| N/A | 10.127.0.181:445 | tcp | |
| N/A | 10.127.0.182:445 | tcp | |
| N/A | 10.127.0.183:445 | tcp | |
| N/A | 10.127.0.184:445 | tcp | |
| N/A | 10.127.0.185:445 | tcp | |
| N/A | 10.127.0.186:445 | tcp | |
| N/A | 10.127.0.188:445 | tcp | |
| N/A | 10.127.0.189:445 | tcp | |
| N/A | 10.127.0.190:445 | tcp | |
| N/A | 10.127.0.191:445 | tcp | |
| N/A | 10.127.0.192:445 | tcp | |
| N/A | 10.127.0.193:445 | tcp | |
| N/A | 10.127.0.194:445 | tcp | |
| N/A | 10.127.0.195:445 | tcp | |
| N/A | 10.127.0.196:445 | tcp | |
| N/A | 10.127.0.197:445 | tcp | |
| N/A | 10.127.0.198:445 | tcp | |
| N/A | 10.127.0.199:445 | tcp | |
| N/A | 10.127.0.200:445 | tcp | |
| N/A | 10.127.0.201:445 | tcp | |
| N/A | 10.127.0.202:445 | tcp | |
| N/A | 10.127.0.203:445 | tcp | |
| N/A | 10.127.0.204:445 | tcp | |
| N/A | 10.127.0.205:445 | tcp | |
| N/A | 10.127.0.206:445 | tcp | |
| N/A | 10.127.0.207:445 | tcp | |
| N/A | 10.127.0.208:445 | tcp | |
| N/A | 10.127.0.209:445 | tcp | |
| N/A | 10.127.0.210:445 | tcp | |
| N/A | 10.127.0.211:445 | tcp | |
| N/A | 10.127.0.212:445 | tcp | |
| N/A | 10.127.0.213:445 | tcp | |
| N/A | 10.127.0.214:445 | tcp | |
| N/A | 10.127.0.215:445 | tcp | |
| N/A | 10.127.0.216:445 | tcp | |
| N/A | 10.127.0.217:445 | tcp | |
| N/A | 10.127.0.218:445 | tcp | |
| N/A | 10.127.0.219:445 | tcp | |
| N/A | 10.127.0.220:445 | tcp | |
| N/A | 10.127.0.221:445 | tcp | |
| N/A | 10.127.0.222:445 | tcp | |
| N/A | 10.127.0.223:445 | tcp | |
| N/A | 10.127.0.224:445 | tcp | |
| N/A | 10.127.0.225:445 | tcp | |
| N/A | 10.127.0.226:445 | tcp | |
| N/A | 10.127.0.227:445 | tcp | |
| N/A | 10.127.0.228:445 | tcp | |
| N/A | 10.127.0.229:445 | tcp | |
| N/A | 10.127.0.230:445 | tcp | |
| N/A | 10.127.0.231:445 | tcp | |
| N/A | 10.127.0.232:445 | tcp | |
| N/A | 10.127.0.233:445 | tcp | |
| N/A | 10.127.0.236:445 | tcp | |
| N/A | 10.127.0.237:445 | tcp | |
| N/A | 10.127.0.238:445 | tcp | |
| N/A | 10.127.0.239:445 | tcp | |
| N/A | 10.127.0.240:445 | tcp | |
| N/A | 10.127.0.241:445 | tcp | |
| N/A | 10.127.0.242:445 | tcp | |
| N/A | 10.127.0.243:445 | tcp | |
| N/A | 10.127.0.244:445 | tcp | |
| N/A | 10.127.0.245:445 | tcp | |
| N/A | 10.127.0.246:445 | tcp | |
| N/A | 10.127.0.247:445 | tcp | |
| N/A | 10.127.0.248:445 | tcp | |
| N/A | 10.127.0.250:445 | tcp | |
| N/A | 10.127.0.251:445 | tcp | |
| N/A | 10.127.0.252:445 | tcp | |
| N/A | 10.127.0.253:445 | tcp | |
| N/A | 10.127.0.254:445 | tcp | |
| N/A | 10.127.255.0:445 | tcp | |
| N/A | 10.127.255.1:445 | tcp | |
| N/A | 10.127.255.2:445 | tcp | |
| N/A | 10.127.255.3:445 | tcp | |
| N/A | 10.127.255.4:445 | tcp | |
| N/A | 10.127.255.5:445 | tcp | |
| N/A | 10.127.255.6:445 | tcp | |
| N/A | 10.127.255.7:445 | tcp | |
| N/A | 10.127.255.8:445 | tcp | |
| N/A | 10.127.255.9:445 | tcp | |
| N/A | 10.127.255.10:445 | tcp | |
| N/A | 10.127.255.11:445 | tcp | |
| N/A | 10.127.255.12:445 | tcp | |
| N/A | 10.127.255.13:445 | tcp | |
| N/A | 10.127.255.14:445 | tcp | |
| N/A | 10.127.255.15:445 | tcp | |
| N/A | 10.127.255.16:445 | tcp | |
| N/A | 10.127.255.17:445 | tcp | |
| N/A | 10.127.255.18:445 | tcp | |
| N/A | 10.127.255.19:445 | tcp | |
| N/A | 10.127.255.20:445 | tcp | |
| N/A | 10.127.255.21:445 | tcp | |
| N/A | 10.127.255.22:445 | tcp | |
| N/A | 10.127.255.23:445 | tcp | |
| N/A | 10.127.255.24:445 | tcp | |
| N/A | 10.127.255.25:445 | tcp | |
| N/A | 10.127.255.26:445 | tcp | |
| N/A | 10.127.255.27:445 | tcp | |
| N/A | 10.127.255.28:445 | tcp | |
| N/A | 10.127.255.29:445 | tcp | |
| N/A | 10.127.255.30:445 | tcp | |
| N/A | 10.127.255.31:445 | tcp | |
| N/A | 10.127.255.32:445 | tcp | |
| N/A | 10.127.255.33:445 | tcp | |
| N/A | 10.127.255.34:445 | tcp | |
| N/A | 10.127.255.35:445 | tcp | |
| N/A | 10.127.255.36:445 | tcp | |
| N/A | 10.127.255.37:445 | tcp | |
| N/A | 10.127.255.38:445 | tcp | |
| N/A | 10.127.255.39:445 | tcp | |
| N/A | 10.127.255.40:445 | tcp | |
| N/A | 10.127.255.41:445 | tcp | |
| N/A | 10.127.255.42:445 | tcp | |
| N/A | 10.127.255.43:445 | tcp | |
| N/A | 10.127.255.44:445 | tcp | |
| N/A | 10.127.255.45:445 | tcp | |
| N/A | 10.127.255.46:445 | tcp | |
| N/A | 10.127.255.47:445 | tcp | |
| N/A | 10.127.255.48:445 | tcp | |
| N/A | 10.127.255.49:445 | tcp | |
| N/A | 10.127.255.50:445 | tcp | |
| N/A | 10.127.255.51:445 | tcp | |
| N/A | 10.127.255.52:445 | tcp | |
| N/A | 10.127.255.53:445 | tcp | |
| N/A | 10.127.255.54:445 | tcp | |
| N/A | 10.127.255.55:445 | tcp | |
| N/A | 10.127.255.56:445 | tcp | |
| N/A | 10.127.255.57:445 | tcp | |
| N/A | 10.127.255.58:445 | tcp | |
| N/A | 10.127.255.59:445 | tcp | |
| N/A | 10.127.255.60:445 | tcp | |
| N/A | 10.127.255.61:445 | tcp | |
| N/A | 10.127.255.62:445 | tcp | |
| N/A | 10.127.255.63:445 | tcp | |
| N/A | 10.127.255.64:445 | tcp | |
| N/A | 10.127.255.65:445 | tcp | |
| N/A | 10.127.255.66:445 | tcp | |
| N/A | 10.127.255.67:445 | tcp | |
| N/A | 10.127.255.68:445 | tcp | |
| N/A | 10.127.255.69:445 | tcp | |
| N/A | 10.127.255.70:445 | tcp | |
| N/A | 10.127.255.71:445 | tcp | |
| N/A | 10.127.255.72:445 | tcp | |
| N/A | 10.127.255.73:445 | tcp | |
| N/A | 10.127.255.74:445 | tcp | |
| N/A | 10.127.255.75:445 | tcp | |
| N/A | 10.127.255.76:445 | tcp | |
| N/A | 10.127.255.77:445 | tcp | |
| N/A | 10.127.255.78:445 | tcp | |
| N/A | 10.127.255.79:445 | tcp | |
| N/A | 10.127.255.80:445 | tcp | |
| N/A | 10.127.255.81:445 | tcp | |
| N/A | 10.127.255.82:445 | tcp | |
| N/A | 10.127.255.83:445 | tcp | |
| N/A | 10.127.255.84:445 | tcp | |
| N/A | 10.127.255.85:445 | tcp | |
| N/A | 10.127.255.86:445 | tcp | |
| N/A | 10.127.255.87:445 | tcp | |
| N/A | 10.127.255.88:445 | tcp | |
| N/A | 10.127.255.89:445 | tcp | |
| N/A | 10.127.255.90:445 | tcp | |
| N/A | 10.127.255.91:445 | tcp | |
| N/A | 10.127.255.92:445 | tcp | |
| N/A | 10.127.255.93:445 | tcp | |
| N/A | 10.127.255.94:445 | tcp | |
| N/A | 10.127.255.95:445 | tcp | |
| N/A | 10.127.255.96:445 | tcp | |
| N/A | 10.127.255.97:445 | tcp | |
| N/A | 10.127.255.98:445 | tcp | |
| N/A | 10.127.255.99:445 | tcp | |
| N/A | 10.127.255.100:445 | tcp | |
| N/A | 10.127.255.101:445 | tcp | |
| N/A | 10.127.255.102:445 | tcp | |
| N/A | 10.127.255.103:445 | tcp | |
| N/A | 10.127.255.104:445 | tcp | |
| N/A | 10.127.255.105:445 | tcp | |
| N/A | 10.127.255.106:445 | tcp | |
| N/A | 10.127.255.107:445 | tcp | |
| N/A | 10.127.255.108:445 | tcp | |
| N/A | 10.127.255.109:445 | tcp | |
| N/A | 10.127.255.110:445 | tcp | |
| N/A | 10.127.255.111:445 | tcp | |
| N/A | 10.127.255.112:445 | tcp | |
| N/A | 10.127.255.113:445 | tcp | |
| N/A | 10.127.255.114:445 | tcp | |
| N/A | 10.127.255.115:445 | tcp | |
| N/A | 10.127.255.116:445 | tcp | |
| N/A | 10.127.255.117:445 | tcp | |
| N/A | 10.127.255.118:445 | tcp | |
| N/A | 10.127.255.119:445 | tcp | |
| N/A | 10.127.255.120:445 | tcp | |
| N/A | 10.127.255.121:445 | tcp | |
| N/A | 10.127.255.122:445 | tcp | |
| N/A | 10.127.255.123:445 | tcp | |
| N/A | 10.127.255.124:445 | tcp | |
| N/A | 10.127.255.125:445 | tcp | |
| N/A | 10.127.255.126:445 | tcp | |
| N/A | 10.127.255.127:445 | tcp | |
| N/A | 10.127.255.128:445 | tcp | |
| N/A | 10.127.255.129:445 | tcp | |
| N/A | 10.127.255.130:445 | tcp | |
| N/A | 10.127.255.131:445 | tcp | |
| N/A | 10.127.255.132:445 | tcp | |
| N/A | 10.127.255.133:445 | tcp | |
| N/A | 10.127.255.134:445 | tcp | |
| N/A | 10.127.255.135:445 | tcp | |
| N/A | 10.127.255.136:445 | tcp | |
| N/A | 10.127.255.137:445 | tcp | |
| N/A | 10.127.255.138:445 | tcp | |
| N/A | 10.127.255.139:445 | tcp | |
| N/A | 10.127.255.140:445 | tcp | |
| N/A | 10.127.255.141:445 | tcp | |
| N/A | 10.127.255.142:445 | tcp | |
| N/A | 10.127.255.143:445 | tcp | |
| N/A | 10.127.255.144:445 | tcp | |
| N/A | 10.127.255.145:445 | tcp | |
| N/A | 10.127.255.146:445 | tcp | |
| N/A | 10.127.255.147:445 | tcp | |
| N/A | 10.127.255.148:445 | tcp | |
| N/A | 10.127.255.149:445 | tcp | |
| N/A | 10.127.255.150:445 | tcp | |
| N/A | 10.127.255.151:445 | tcp | |
| N/A | 10.127.255.152:445 | tcp | |
| N/A | 10.127.255.153:445 | tcp | |
| N/A | 10.127.255.154:445 | tcp | |
| N/A | 10.127.255.155:445 | tcp | |
| N/A | 10.127.255.156:445 | tcp | |
| N/A | 10.127.255.157:445 | tcp | |
| N/A | 10.127.255.158:445 | tcp | |
| N/A | 10.127.255.159:445 | tcp | |
| N/A | 10.127.255.160:445 | tcp | |
| N/A | 10.127.255.161:445 | tcp | |
| N/A | 10.127.255.162:445 | tcp | |
| N/A | 10.127.255.163:445 | tcp | |
| N/A | 10.127.255.164:445 | tcp | |
| N/A | 10.127.255.165:445 | tcp | |
| N/A | 10.127.255.166:445 | tcp | |
| N/A | 10.127.255.167:445 | tcp | |
| N/A | 10.127.255.168:445 | tcp | |
| N/A | 10.127.255.169:445 | tcp | |
| N/A | 10.127.255.170:445 | tcp | |
| N/A | 10.127.255.171:445 | tcp | |
| N/A | 10.127.255.172:445 | tcp | |
| N/A | 10.127.255.173:445 | tcp | |
| N/A | 10.127.255.174:445 | tcp | |
| N/A | 10.127.255.175:445 | tcp | |
| N/A | 10.127.255.176:445 | tcp | |
| N/A | 10.127.255.177:445 | tcp | |
| N/A | 10.127.255.178:445 | tcp | |
| N/A | 10.127.255.179:445 | tcp | |
| N/A | 10.127.255.180:445 | tcp | |
| N/A | 10.127.255.181:445 | tcp | |
| N/A | 10.127.255.182:445 | tcp | |
| N/A | 10.127.255.183:445 | tcp | |
| N/A | 10.127.255.184:445 | tcp | |
| N/A | 10.127.255.185:445 | tcp | |
| N/A | 10.127.255.186:445 | tcp | |
| N/A | 10.127.255.187:445 | tcp | |
| N/A | 10.127.255.188:445 | tcp | |
| N/A | 10.127.255.189:445 | tcp | |
| N/A | 10.127.255.190:445 | tcp | |
| N/A | 10.127.255.191:445 | tcp | |
| N/A | 10.127.255.192:445 | tcp | |
| N/A | 10.127.255.193:445 | tcp | |
| N/A | 10.127.255.194:445 | tcp | |
| N/A | 10.127.255.195:445 | tcp | |
| N/A | 10.127.255.196:445 | tcp | |
| N/A | 10.127.255.197:445 | tcp | |
| N/A | 10.127.255.198:445 | tcp | |
| N/A | 10.127.255.199:445 | tcp | |
| N/A | 10.127.255.200:445 | tcp | |
| N/A | 10.127.255.201:445 | tcp | |
| N/A | 10.127.255.202:445 | tcp | |
| N/A | 10.127.255.203:445 | tcp | |
| N/A | 10.127.255.204:445 | tcp | |
| N/A | 10.127.255.205:445 | tcp | |
| N/A | 10.127.255.206:445 | tcp | |
| N/A | 10.127.255.207:445 | tcp | |
| N/A | 10.127.255.208:445 | tcp | |
| N/A | 10.127.255.209:445 | tcp | |
| N/A | 10.127.255.210:445 | tcp | |
| N/A | 10.127.255.211:445 | tcp | |
| N/A | 10.127.255.212:445 | tcp | |
| N/A | 10.127.255.213:445 | tcp | |
| N/A | 10.127.255.214:445 | tcp | |
| N/A | 10.127.255.215:445 | tcp | |
| N/A | 10.127.255.216:445 | tcp | |
| N/A | 10.127.255.217:445 | tcp | |
| N/A | 10.127.255.218:445 | tcp | |
| N/A | 10.127.255.219:445 | tcp | |
| N/A | 10.127.255.220:445 | tcp | |
| N/A | 10.127.255.221:445 | tcp | |
| N/A | 10.127.255.222:445 | tcp | |
| N/A | 10.127.255.223:445 | tcp | |
| N/A | 10.127.255.224:445 | tcp | |
| N/A | 10.127.255.225:445 | tcp | |
| N/A | 10.127.255.226:445 | tcp | |
| N/A | 10.127.255.227:445 | tcp | |
| N/A | 10.127.255.228:445 | tcp | |
| N/A | 10.127.255.229:445 | tcp | |
| N/A | 10.127.255.230:445 | tcp | |
| N/A | 10.127.255.231:445 | tcp | |
| N/A | 10.127.255.232:445 | tcp | |
| N/A | 10.127.255.233:445 | tcp | |
| N/A | 10.127.255.234:445 | tcp | |
| N/A | 10.127.255.235:445 | tcp | |
| N/A | 10.127.255.236:445 | tcp | |
| N/A | 10.127.255.237:445 | tcp | |
| N/A | 10.127.255.238:445 | tcp | |
| N/A | 10.127.255.239:445 | tcp | |
| N/A | 10.127.255.240:445 | tcp | |
| N/A | 10.127.255.241:445 | tcp | |
| N/A | 10.127.255.242:445 | tcp | |
| N/A | 10.127.255.243:445 | tcp | |
| N/A | 10.127.255.244:445 | tcp | |
| N/A | 10.127.255.245:445 | tcp | |
| N/A | 10.127.255.246:445 | tcp | |
| N/A | 10.127.255.247:445 | tcp | |
| N/A | 10.127.255.248:445 | tcp | |
| N/A | 10.127.255.249:445 | tcp | |
| N/A | 10.127.255.250:445 | tcp | |
| N/A | 10.127.255.251:445 | tcp | |
| N/A | 10.127.255.252:445 | tcp | |
| N/A | 10.127.255.253:445 | tcp | |
| N/A | 10.127.255.254:445 | tcp | |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\ProgramData\Readme_Instructions.html
| MD5 | 9ae54b4efc9f30245782c6001f69b120 |
| SHA1 | 3de64c5e9732699b76510728e43f408c131a995e |
| SHA256 | cef2395cc2ae718f07b84bdbae435752c0e7049aa6de8488ab045c07f5fd0b37 |
| SHA512 | fbbb0e2bf0d11756dba1d9bf0183a2f0ec94ee729d97740ed3ba47b3f99922188fc04fdbc255f51a3544fa3bfc7ed588d3aabb45de0ed59ed96ce6d15daeed75 |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DA1A8060-CF07-11ED-9BAD-EE84389A6D8F}.dat
| MD5 | e98f570883a080c494cbb2d3fb5ff1f8 |
| SHA1 | deb72194f339721bda611168e196660a9da64401 |
| SHA256 | c78c71d6a5e0cafc7b2970e68273366438bad8c4eec6d29ada134f571c6d6ce4 |
| SHA512 | 5f5883ccfa6e91be566ffb2f1d3d612db54bad9f9bdbf44feaf5dd49282df6c370de6b03b50146c5754ec999afdf8d9b0022e4782f66bb8a1bfe7a01ca43a0a8 |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DA1A5950-CF07-11ED-9BAD-EE84389A6D8F}.dat
| MD5 | c4ba38bd3d158b119b7f41544a471660 |
| SHA1 | f501ecbfbc7fff4f2610f684e23464d5098fb9ca |
| SHA256 | 9abc0f185a692481a81ba78ee046304f192ebd9a967ec7d24c66653b34bbea2e |
| SHA512 | 3fb6a15092dcaaf61fcd573fa1a245488f73ff099ce18a5b0b8ae9b513b20c1aca055779ada3ceb998a6813a7b87a7cb522eecdb248aa79b0d69a0b8ff3e4028 |
C:\Users\Admin\Desktop\Readme_Instructions.html
| MD5 | 9ae54b4efc9f30245782c6001f69b120 |
| SHA1 | 3de64c5e9732699b76510728e43f408c131a995e |
| SHA256 | cef2395cc2ae718f07b84bdbae435752c0e7049aa6de8488ab045c07f5fd0b37 |
| SHA512 | fbbb0e2bf0d11756dba1d9bf0183a2f0ec94ee729d97740ed3ba47b3f99922188fc04fdbc255f51a3544fa3bfc7ed588d3aabb45de0ed59ed96ce6d15daeed75 |
C:\Users\Admin\AppData\Local\Temp\Cab4425.tmp
| MD5 | fc4666cbca561e864e7fdf883a9e6661 |
| SHA1 | 2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5 |
| SHA256 | 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b |
| SHA512 | c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | e71c8443ae0bc2e282c73faead0a6dd3 |
| SHA1 | 0c110c1b01e68edfacaeae64781a37b1995fa94b |
| SHA256 | 95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72 |
| SHA512 | b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6 |
C:\Users\Admin\AppData\Local\Temp\Tar45B3.tmp
| MD5 | be2bec6e8c5653136d3e72fe53c98aa3 |
| SHA1 | a8182d6db17c14671c3d5766c72e58d87c0810de |
| SHA256 | 1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd |
| SHA512 | 0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e5a12b871ed9dffd084919ffd2ac32dc |
| SHA1 | 88dc4443e46cbbbbada806a0a8976707145e280d |
| SHA256 | 6a2c8f6c9f17fda9603ec3980d24962cbc3bc61afcc460c7f795ea0326d93604 |
| SHA512 | 81d58567f334fbddb7770ecd2d8989590cb113e1151de7bcd831f0f3ed006c26ccc75bd3540464c4019627d3c95c481bc4dfc4111cc3e4d4863dd1f0529d6fb9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a2335f17c875b92a7248ac63b35dc34c |
| SHA1 | bcfbf99bbcc540b7c4f9a0e0d3409aa7d16bf8c0 |
| SHA256 | 93d7a01b345b6096101e0679ff6e9e556bd918e8b2b86138e1ff72b5b7e982b9 |
| SHA512 | 09e1de064b7eab43da0271f06213a37950edcb70eb40bd6fd36e4f224e6f99158a63a2a4daea8c93bdc77dfb22fa7e10510416a4990af64c1265ed05dffbe501 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0c1f29db9c94e6382ea080cbfaddca1a |
| SHA1 | 00a928b9fd07c08b85778df8555ee887f73fc45f |
| SHA256 | dcace0d38f757354351ed17e4047abbe2e0ae8e30893a48c3216d9480045c959 |
| SHA512 | a2a1c120f9f97c45bdc7dcb27d3ea523b0888c570b18cd13c52a93163503f86ffae40288d1b0bb5e2b4c682019a96099aae9583a6d67294d1a48e36fb0bd624d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1c1b5db2ea8f8e012913430111b5c7cb |
| SHA1 | e895c1618bc843a52d0619e03399ba363f705a8f |
| SHA256 | 06db9c9c5541ff3898b33b70dd39b9a9ab73dcef812919225a154a00a58574b6 |
| SHA512 | e38d7276fbc413098cb7414f3d413dfd1d1a99b6f49e656845b1651b7965236c80864c3810639e6a73044b00713c53980229e85772230aa4cba0f9b586d00dc6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 465addb23b559a0e2040a9b594ec94a2 |
| SHA1 | 10f42415d633e061e200678cfcf66a43ab392eca |
| SHA256 | e5051456902c3886e555d6f4b0b3af0af4681b7a64c33dae53ba428dcd50ef8e |
| SHA512 | 8f7dfa73b9e5e33a1e46e7b8c1405d824ccd71a8e6ef6763edd4bc16c8144257ac794ac45462ea49031602cdf424f1b0d5123b3aeb35c7a7c10bd002b4d74dd2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 14c1c3c9ad80bd73429a95bd2258cff9 |
| SHA1 | 65418ff609c16f8eac96f1e07a3ada11096434f1 |
| SHA256 | 0c2aca099bc618699c520435c983ad6d28123a8970d20b1467ff34aa4afbd290 |
| SHA512 | 2586f0079bad362f78f73d385f8b3c935967b042ed05e73011e2ef0337322757b80a67e6afa2a2a6a21b7b746708a833793733b779fd54afe98195b1ee8667bd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | e71c8443ae0bc2e282c73faead0a6dd3 |
| SHA1 | 0c110c1b01e68edfacaeae64781a37b1995fa94b |
| SHA256 | 95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72 |
| SHA512 | b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fbd482ae27c90ed10baff1cfb51b0191 |
| SHA1 | d9fec2fce5e413e3ff73d8614fb134844d8c753d |
| SHA256 | af0157fcb2d510e95abaf88d63d618c8751c6e1ecb3a1228012811d9324137e3 |
| SHA512 | c3ef6cb66497cf493282f5e16a1594cdfde7fda60df583f1c900f3e4aef201345df9e0a9972b2b9354bc97d4e75979b91745d68a5a00dc3c83626603e35cd559 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0622f2bfd4c3fe16e99b3e65e45ac6a0 |
| SHA1 | 81db2570baed0876cdb94ee8ea6191e102572901 |
| SHA256 | 2734c889823d6f37a4fb052df16d277714bba3573bd652a486e47d70e0752631 |
| SHA512 | c4d18a9bbb574fb3ace2b20d5e17c3b6a7e2684407f93c2a70d1d1634ea149b316231be48e9f0e7301cfbcf289f947023cb05677c0d9ed692cc90b1940624ac2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0622f2bfd4c3fe16e99b3e65e45ac6a0 |
| SHA1 | 81db2570baed0876cdb94ee8ea6191e102572901 |
| SHA256 | 2734c889823d6f37a4fb052df16d277714bba3573bd652a486e47d70e0752631 |
| SHA512 | c4d18a9bbb574fb3ace2b20d5e17c3b6a7e2684407f93c2a70d1d1634ea149b316231be48e9f0e7301cfbcf289f947023cb05677c0d9ed692cc90b1940624ac2 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\8P14B05W.txt
| MD5 | e46eb62c4fd594889285ca4218cfce8b |
| SHA1 | c83113e4ef5f3f5a0c7e50f2b99597aa9fcebc52 |
| SHA256 | c30b436ea610beeb5e1a2a65a171b4ec0aa1115d4bffdadf23c9a6d4c9a8b400 |
| SHA512 | f135efdd579f32dc7eb10c9eec5528c7e5a786278ab3235191b8d521b07dd890addc4bca5b2f0aa14288c32a61ca90b8b67665a45f882111db629775ebc2de54 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 78ac4b892efd31285fd29790b6b58ff2 |
| SHA1 | 156a21fb97df872d0156fdfa084463c22ccfe6e3 |
| SHA256 | fc8c21ca554a2afcb11200fc6fd847ec090383004ff9bfe2a2ae58b90a001cf0 |
| SHA512 | e6b87efb4376e8ed8074ed75cc0a8ad47b8a86953a8fa33b4e2daf3f442d0fb17566d627e8459c7c0cbc97803a81bfd91923e6d4e438ff1040a8d0aea1392321 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TOS3MI7U\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 446e652ac251c9efd2bc839a36f11fe5 |
| SHA1 | 0b34b3c3a62e84798520f402dd947225d6455d16 |
| SHA256 | b8eb54932a7307f27c0da662e2e31ebe735bddaa5a9a42ef9297107b235d0e12 |
| SHA512 | b6b463a9e463b41e7169882d47d0f955c769c8ee5f21af0b176694c703c69bdd88aa48edc1b8ddc81ca46c1109c9bca47d57a3941d5234c1479aad3792405514 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-03-30 12:29
Reported
2023-03-30 12:34
Platform
win10v2004-20230220-en
Max time kernel
102s
Max time network
130s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\Readme_Instructions.html | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
Reads user/profile data of web browsers
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\logging.properties | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-javahelp.xml | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress-indeterminate.gif | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\optimize_poster.jpg | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ko-kr\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-fr\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ar-ae\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond-TrebuchetMs.xml | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_sent.gif | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\Readme_Instructions.html | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\MANIFEST.MF | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\Readme_Instructions.html | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\Readme_Instructions.html | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-sampler_zh_CN.jar | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\bun.png | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-140.png | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm.xml | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.properties | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CAPSULES\Readme_Instructions.html | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATER\PREVIEW.GIF | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sk-sk\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ul-phn.xrm-ms | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-180.png | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTest-pl.xrm-ms | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fil.pak | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.docs.zh_CN_5.5.0.165303.jar | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\Readme_Instructions.html | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ul-phn.xrm-ms | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\MSIPC\lt\Readme_Instructions.html | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\pt-BR.pak.DATA | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\FM20.CHM | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ro-ro\Readme_Instructions.html | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\edit-pdf.png | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\hr-hr\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_100_percent.pak | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\basicsimple.dotx | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\rhp_world_icon_2x.png | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\it-it\Readme_Instructions.html | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-ma\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\hwrenUSlm.dat | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_it.properties | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\vlc.mo | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-text_zh_CN.jar | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ko-kr\Readme_Instructions.html | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ko-kr\Readme_Instructions.html | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\tr-tr\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ul-phn.xrm-ms | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Reflection.eftx | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-ma\Readme_Instructions.html | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\eu-es\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\es-es\PlayStore_icon.svg | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\lv.txt | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-pl.xrm-ms | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN058.XML | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-awt.xml | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\faf_icons.png | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sl-si\Readme_Instructions.html | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL093.XML | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.intro.nl_zh_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\faf_icons.png | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\welcome.png | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4652 wrote to memory of 1412 | N/A | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | C:\Windows\SYSTEM32\cmd.exe |
| PID 4652 wrote to memory of 1412 | N/A | C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe | C:\Windows\SYSTEM32\cmd.exe |
| PID 1412 wrote to memory of 3472 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\System32\wbem\WMIC.exe |
| PID 1412 wrote to memory of 3472 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\System32\wbem\WMIC.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe
"C:\Users\Admin\AppData\Local\Temp\134ca8f486c3a509bf3c82b7e41ce1af2a698fb8bf5fd1c9ee267b2ac7f21457.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A0B0B306-6CF5-4165-87A7-82F15E2F8736}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A0B0B306-6CF5-4165-87A7-82F15E2F8736}'" delete
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| N/A | 10.127.0.1:445 | tcp | |
| N/A | 10.127.0.22:445 | tcp | |
| N/A | 10.127.0.28:445 | tcp | |
| N/A | 10.127.0.0:445 | tcp | |
| N/A | 10.127.0.33:445 | tcp | |
| N/A | 10.127.0.36:445 | tcp | |
| N/A | 10.127.0.19:445 | tcp | |
| N/A | 10.127.0.38:445 | tcp | |
| N/A | 10.127.0.9:445 | tcp | |
| N/A | 10.127.0.15:445 | tcp | |
| N/A | 10.127.0.20:445 | tcp | |
| N/A | 10.127.0.34:445 | tcp | |
| N/A | 10.127.0.37:445 | tcp | |
| N/A | 10.127.0.49:445 | tcp | |
| N/A | 10.127.0.47:445 | tcp | |
| N/A | 10.127.0.24:445 | tcp | |
| N/A | 10.127.0.25:445 | tcp | |
| N/A | 10.127.0.65:445 | tcp | |
| N/A | 10.127.0.51:445 | tcp | |
| N/A | 10.127.0.13:445 | tcp | |
| N/A | 10.127.0.21:445 | tcp | |
| N/A | 10.127.0.46:445 | tcp | |
| N/A | 10.127.0.62:445 | tcp | |
| N/A | 10.127.0.64:445 | tcp | |
| N/A | 10.127.0.6:445 | tcp | |
| N/A | 10.127.0.17:445 | tcp | |
| N/A | 10.127.0.59:445 | tcp | |
| N/A | 10.127.0.63:445 | tcp | |
| N/A | 10.127.0.53:445 | tcp | |
| N/A | 10.127.0.61:445 | tcp | |
| N/A | 10.127.0.42:445 | tcp | |
| N/A | 10.127.0.43:445 | tcp | |
| N/A | 10.127.0.35:445 | tcp | |
| N/A | 10.127.0.45:445 | tcp | |
| N/A | 10.127.0.55:445 | tcp | |
| N/A | 10.127.0.18:445 | tcp | |
| N/A | 10.127.0.32:445 | tcp | |
| N/A | 10.127.0.30:445 | tcp | |
| N/A | 10.127.0.8:445 | tcp | |
| N/A | 10.127.0.58:445 | tcp | |
| N/A | 10.127.0.27:445 | tcp | |
| N/A | 10.127.0.54:445 | tcp | |
| N/A | 10.127.0.2:445 | tcp | |
| N/A | 10.127.0.5:445 | tcp | |
| N/A | 10.127.0.16:445 | tcp | |
| N/A | 10.127.0.48:445 | tcp | |
| N/A | 10.127.0.14:445 | tcp | |
| N/A | 10.127.0.23:445 | tcp | |
| N/A | 10.127.0.44:445 | tcp | |
| N/A | 10.127.0.50:445 | tcp | |
| N/A | 10.127.0.60:445 | tcp | |
| US | 93.184.220.29:80 | tcp | |
| N/A | 10.127.0.56:445 | tcp | |
| N/A | 10.127.0.12:445 | tcp | |
| N/A | 10.127.0.3:445 | tcp | |
| N/A | 10.127.0.26:445 | tcp | |
| N/A | 10.127.0.4:445 | tcp | |
| N/A | 10.127.0.11:445 | tcp | |
| N/A | 10.127.0.31:445 | tcp | |
| N/A | 10.127.0.52:445 | tcp | |
| N/A | 10.127.0.7:445 | tcp | |
| N/A | 10.127.0.39:445 | tcp | |
| N/A | 10.127.0.57:445 | tcp | |
| N/A | 10.127.0.10:445 | tcp | |
| N/A | 10.127.0.29:445 | tcp | |
| N/A | 10.127.0.40:445 | tcp | |
| N/A | 10.127.0.41:445 | tcp | |
| N/A | 10.127.0.82:445 | tcp | |
| N/A | 10.127.0.116:445 | tcp | |
| N/A | 10.127.0.121:445 | tcp | |
| N/A | 10.127.0.123:445 | tcp | |
| N/A | 10.127.0.92:445 | tcp | |
| N/A | 10.127.0.128:445 | tcp | |
| N/A | 10.127.0.68:445 | tcp | |
| N/A | 10.127.0.75:445 | tcp | |
| N/A | 10.127.0.83:445 | tcp | |
| N/A | 10.127.0.101:445 | tcp | |
| N/A | 10.127.0.228:445 | tcp | |
| N/A | 10.127.0.80:445 | tcp | |
| N/A | 10.127.0.86:445 | tcp | |
| N/A | 10.127.0.96:445 | tcp | |
| N/A | 10.127.0.88:445 | tcp | |
| N/A | 10.127.0.95:445 | tcp | |
| N/A | 10.127.0.69:445 | tcp | |
| N/A | 10.127.0.110:445 | tcp | |
| N/A | 10.127.0.229:445 | tcp | |
| N/A | 10.127.0.118:445 | tcp | |
| N/A | 10.127.0.115:445 | tcp | |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| N/A | 10.127.0.67:445 | tcp | |
| N/A | 10.127.0.87:445 | tcp | |
| N/A | 10.127.0.227:445 | tcp | |
| N/A | 10.127.0.108:445 | tcp | |
| N/A | 10.127.0.102:445 | tcp | |
| N/A | 10.127.0.103:445 | tcp | |
| N/A | 10.127.0.107:445 | tcp | |
| N/A | 10.127.0.66:445 | tcp | |
| N/A | 10.127.0.130:445 | tcp | |
| N/A | 10.127.0.131:445 | tcp | |
| N/A | 10.127.0.230:445 | tcp | |
| N/A | 10.127.0.97:445 | tcp | |
| N/A | 10.127.0.127:445 | tcp | |
| N/A | 10.127.0.74:445 | tcp | |
| N/A | 10.127.0.81:445 | tcp | |
| N/A | 10.127.0.85:445 | tcp | |
| N/A | 10.127.0.70:445 | tcp | |
| N/A | 10.127.0.72:445 | tcp | |
| N/A | 10.127.0.77:445 | tcp | |
| N/A | 10.127.0.114:445 | tcp | |
| N/A | 10.127.0.78:445 | tcp | |
| N/A | 10.127.0.112:445 | tcp | |
| N/A | 10.127.0.111:445 | tcp | |
| N/A | 10.127.0.117:445 | tcp | |
| N/A | 10.127.0.124:445 | tcp | |
| N/A | 10.127.0.93:445 | tcp | |
| N/A | 10.127.0.100:445 | tcp | |
| N/A | 10.127.0.71:445 | tcp | |
| N/A | 10.127.0.73:445 | tcp | |
| N/A | 10.127.0.76:445 | tcp | |
| N/A | 10.127.0.79:445 | tcp | |
| N/A | 10.127.0.84:445 | tcp | |
| N/A | 10.127.0.89:445 | tcp | |
| N/A | 10.127.0.90:445 | tcp | |
| N/A | 10.127.0.91:445 | tcp | |
| N/A | 10.127.0.94:445 | tcp | |
| N/A | 10.127.0.98:445 | tcp | |
| N/A | 10.127.0.99:445 | tcp | |
| N/A | 10.127.0.104:445 | tcp | |
| N/A | 10.127.0.105:445 | tcp | |
| N/A | 10.127.0.106:445 | tcp | |
| N/A | 10.127.0.109:445 | tcp | |
| N/A | 10.127.0.113:445 | tcp | |
| N/A | 10.127.0.119:445 | tcp | |
| N/A | 10.127.0.120:445 | tcp | |
| N/A | 10.127.0.122:445 | tcp | |
| N/A | 10.127.0.125:445 | tcp | |
| N/A | 10.127.0.126:445 | tcp | |
| N/A | 10.127.0.129:445 | tcp | |
| N/A | 10.127.0.132:445 | tcp | |
| N/A | 10.127.0.133:445 | tcp | |
| N/A | 10.127.0.134:445 | tcp | |
| N/A | 10.127.0.135:445 | tcp | |
| N/A | 10.127.0.136:445 | tcp | |
| N/A | 10.127.0.137:445 | tcp | |
| N/A | 10.127.0.138:445 | tcp | |
| N/A | 10.127.0.139:445 | tcp | |
| N/A | 10.127.0.140:445 | tcp | |
| N/A | 10.127.0.141:445 | tcp | |
| N/A | 10.127.0.142:445 | tcp | |
| N/A | 10.127.0.143:445 | tcp | |
| N/A | 10.127.0.144:445 | tcp | |
| N/A | 10.127.0.145:445 | tcp | |
| N/A | 10.127.0.146:445 | tcp | |
| N/A | 10.127.0.147:445 | tcp | |
| N/A | 10.127.0.148:445 | tcp | |
| N/A | 10.127.0.149:445 | tcp | |
| N/A | 10.127.0.150:445 | tcp | |
| N/A | 10.127.0.151:445 | tcp | |
| N/A | 10.127.0.152:445 | tcp | |
| N/A | 10.127.0.153:445 | tcp | |
| N/A | 10.127.0.154:445 | tcp | |
| N/A | 10.127.0.155:445 | tcp | |
| N/A | 10.127.0.156:445 | tcp | |
| N/A | 10.127.0.157:445 | tcp | |
| N/A | 10.127.0.158:445 | tcp | |
| N/A | 10.127.0.159:445 | tcp | |
| N/A | 10.127.0.160:445 | tcp | |
| N/A | 10.127.0.161:445 | tcp | |
| N/A | 10.127.0.162:445 | tcp | |
| N/A | 10.127.0.163:445 | tcp | |
| N/A | 10.127.0.164:445 | tcp | |
| N/A | 10.127.0.165:445 | tcp | |
| N/A | 10.127.0.166:445 | tcp | |
| N/A | 10.127.0.167:445 | tcp | |
| N/A | 10.127.0.168:445 | tcp | |
| N/A | 10.127.0.169:445 | tcp | |
| N/A | 10.127.0.170:445 | tcp | |
| N/A | 10.127.0.171:445 | tcp | |
| N/A | 10.127.0.172:445 | tcp | |
| N/A | 10.127.0.173:445 | tcp | |
| N/A | 10.127.0.174:445 | tcp | |
| N/A | 10.127.0.175:445 | tcp | |
| N/A | 10.127.0.176:445 | tcp | |
| N/A | 10.127.0.177:445 | tcp | |
| N/A | 10.127.0.178:445 | tcp | |
| N/A | 10.127.0.179:445 | tcp | |
| N/A | 10.127.0.180:445 | tcp | |
| N/A | 10.127.0.181:445 | tcp | |
| N/A | 10.127.0.182:445 | tcp | |
| N/A | 10.127.0.183:445 | tcp | |
| N/A | 10.127.0.184:445 | tcp | |
| N/A | 10.127.0.185:445 | tcp | |
| N/A | 10.127.0.186:445 | tcp | |
| N/A | 10.127.0.187:445 | tcp | |
| N/A | 10.127.0.188:445 | tcp | |
| N/A | 10.127.0.189:445 | tcp | |
| N/A | 10.127.0.190:445 | tcp | |
| N/A | 10.127.0.191:445 | tcp | |
| N/A | 10.127.0.192:445 | tcp | |
| N/A | 10.127.0.193:445 | tcp | |
| N/A | 10.127.0.194:445 | tcp | |
| N/A | 10.127.0.195:445 | tcp | |
| N/A | 10.127.0.196:445 | tcp | |
| N/A | 10.127.0.197:445 | tcp | |
| N/A | 10.127.0.198:445 | tcp | |
| N/A | 10.127.0.199:445 | tcp | |
| N/A | 10.127.0.200:445 | tcp | |
| N/A | 10.127.0.201:445 | tcp | |
| N/A | 10.127.0.202:445 | tcp | |
| N/A | 10.127.0.203:445 | tcp | |
| N/A | 10.127.0.204:445 | tcp | |
| N/A | 10.127.0.205:445 | tcp | |
| N/A | 10.127.0.206:445 | tcp | |
| N/A | 10.127.0.207:445 | tcp | |
| N/A | 10.127.0.208:445 | tcp | |
| N/A | 10.127.0.209:445 | tcp | |
| N/A | 10.127.0.210:445 | tcp | |
| N/A | 10.127.0.211:445 | tcp | |
| N/A | 10.127.0.212:445 | tcp | |
| N/A | 10.127.0.213:445 | tcp | |
| N/A | 10.127.0.214:445 | tcp | |
| N/A | 10.127.0.215:445 | tcp | |
| N/A | 10.127.0.216:445 | tcp | |
| N/A | 10.127.0.217:445 | tcp | |
| N/A | 10.127.0.218:445 | tcp | |
| N/A | 10.127.0.219:445 | tcp | |
| N/A | 10.127.0.220:445 | tcp | |
| N/A | 10.127.0.221:445 | tcp | |
| N/A | 10.127.0.222:445 | tcp | |
| N/A | 10.127.0.223:445 | tcp | |
| N/A | 10.127.0.224:445 | tcp | |
| N/A | 10.127.0.225:445 | tcp | |
| N/A | 10.127.0.226:445 | tcp | |
| N/A | 10.127.0.231:445 | tcp | |
| N/A | 10.127.0.232:445 | tcp | |
| N/A | 10.127.0.233:445 | tcp | |
| N/A | 10.127.0.234:445 | tcp | |
| N/A | 10.127.0.235:445 | tcp | |
| N/A | 10.127.0.236:445 | tcp | |
| N/A | 10.127.0.237:445 | tcp | |
| N/A | 10.127.0.238:445 | tcp | |
| N/A | 10.127.0.239:445 | tcp | |
| N/A | 10.127.0.240:445 | tcp | |
| N/A | 10.127.0.241:445 | tcp | |
| N/A | 10.127.0.242:445 | tcp | |
| N/A | 10.127.0.243:445 | tcp | |
| N/A | 10.127.0.244:445 | tcp | |
| N/A | 10.127.0.245:445 | tcp | |
| N/A | 10.127.0.246:445 | tcp | |
| N/A | 10.127.0.247:445 | tcp | |
| N/A | 10.127.0.248:445 | tcp | |
| N/A | 10.127.0.249:445 | tcp | |
| N/A | 10.127.0.250:445 | tcp | |
| N/A | 10.127.0.251:445 | tcp | |
| N/A | 10.127.0.252:445 | tcp | |
| N/A | 10.127.0.253:445 | tcp | |
| N/A | 10.127.0.254:445 | tcp | |
| N/A | 10.127.255.49:445 | tcp | |
| N/A | 10.127.255.54:445 | tcp | |
| N/A | 10.127.255.18:445 | tcp | |
| N/A | 10.127.255.13:445 | tcp | |
| N/A | 10.127.255.43:445 | tcp | |
| N/A | 10.127.255.139:445 | tcp | |
| N/A | 10.127.255.21:445 | tcp | |
| N/A | 10.127.255.30:445 | tcp | |
| N/A | 10.127.255.48:445 | tcp | |
| N/A | 10.127.255.5:445 | tcp | |
| N/A | 10.127.255.14:445 | tcp | |
| N/A | 10.127.255.41:445 | tcp | |
| N/A | 10.127.255.60:445 | tcp | |
| N/A | 10.127.255.61:445 | tcp | |
| N/A | 10.127.255.62:445 | tcp | |
| N/A | 10.127.255.20:445 | tcp | |
| N/A | 10.127.255.40:445 | tcp | |
| N/A | 10.127.255.63:445 | tcp | |
| N/A | 10.127.255.6:445 | tcp | |
| N/A | 10.127.255.11:445 | tcp | |
| N/A | 10.127.255.15:445 | tcp | |
| N/A | 10.127.255.45:445 | tcp | |
| N/A | 10.127.255.1:445 | tcp | |
| N/A | 10.127.255.28:445 | tcp | |
| N/A | 10.127.255.4:445 | tcp | |
| N/A | 10.127.255.55:445 | tcp | |
| N/A | 10.127.255.64:445 | tcp | |
| N/A | 10.127.255.16:445 | tcp | |
| N/A | 10.127.255.2:445 | tcp | |
| N/A | 10.127.255.24:445 | tcp | |
| N/A | 10.127.255.25:445 | tcp | |
| N/A | 10.127.255.58:445 | tcp | |
| N/A | 10.127.255.7:445 | tcp | |
| N/A | 10.127.255.32:445 | tcp | |
| N/A | 10.127.255.42:445 | tcp | |
| N/A | 10.127.255.59:445 | tcp | |
| N/A | 10.127.255.26:445 | tcp | |
| N/A | 10.127.255.10:445 | tcp | |
| N/A | 10.127.255.57:445 | tcp | |
| N/A | 10.127.255.35:445 | tcp | |
| N/A | 10.127.255.17:445 | tcp | |
| N/A | 10.127.255.19:445 | tcp | |
| N/A | 10.127.255.8:445 | tcp | |
| N/A | 10.127.255.23:445 | tcp | |
| N/A | 10.127.255.31:445 | tcp | |
| N/A | 10.127.255.33:445 | tcp | |
| N/A | 10.127.255.217:445 | tcp | |
| N/A | 10.127.255.0:445 | tcp | |
| N/A | 10.127.255.52:445 | tcp | |
| N/A | 10.127.255.53:445 | tcp | |
| N/A | 10.127.255.27:445 | tcp | |
| N/A | 10.127.255.38:445 | tcp | |
| N/A | 10.127.255.51:445 | tcp | |
| N/A | 10.127.255.36:445 | tcp | |
| N/A | 10.127.255.39:445 | tcp | |
| N/A | 10.127.255.34:445 | tcp | |
| N/A | 10.127.255.3:445 | tcp | |
| N/A | 10.127.255.46:445 | tcp | |
| N/A | 10.127.255.47:445 | tcp | |
| N/A | 10.127.255.37:445 | tcp | |
| N/A | 10.127.255.9:445 | tcp | |
| N/A | 10.127.255.50:445 | tcp | |
| N/A | 10.127.255.56:445 | tcp | |
| N/A | 10.127.255.44:445 | tcp | |
| N/A | 10.127.255.12:445 | tcp | |
| N/A | 10.127.255.22:445 | tcp | |
| N/A | 10.127.255.140:445 | tcp | |
| N/A | 10.127.255.29:445 | tcp | |
| N/A | 10.127.255.77:445 | tcp | |
| N/A | 10.127.255.73:445 | tcp | |
| N/A | 10.127.255.94:445 | tcp | |
| N/A | 10.127.255.72:445 | tcp | |
| N/A | 10.127.255.115:445 | tcp | |
| N/A | 10.127.255.107:445 | tcp | |
| N/A | 10.127.255.88:445 | tcp | |
| N/A | 10.127.255.106:445 | tcp | |
| N/A | 10.127.255.74:445 | tcp | |
| N/A | 10.127.255.124:445 | tcp | |
| N/A | 10.127.255.93:445 | tcp | |
| N/A | 10.127.255.97:445 | tcp | |
| N/A | 10.127.255.118:445 | tcp | |
| N/A | 10.127.255.90:445 | tcp | |
| N/A | 10.127.255.116:445 | tcp | |
| N/A | 10.127.255.87:445 | tcp | |
| N/A | 10.127.255.98:445 | tcp | |
| N/A | 10.127.255.110:445 | tcp | |
| N/A | 10.127.255.120:445 | tcp | |
| N/A | 10.127.255.76:445 | tcp | |
| N/A | 10.127.255.102:445 | tcp | |
| N/A | 10.127.255.89:445 | tcp | |
| N/A | 10.127.255.65:445 | tcp | |
| N/A | 10.127.255.66:445 | tcp | |
| N/A | 10.127.255.67:445 | tcp | |
| N/A | 10.127.255.68:445 | tcp | |
| N/A | 10.127.255.69:445 | tcp | |
| N/A | 10.127.255.70:445 | tcp | |
| N/A | 10.127.255.71:445 | tcp | |
| N/A | 10.127.255.75:445 | tcp | |
| N/A | 10.127.255.78:445 | tcp | |
| N/A | 10.127.255.79:445 | tcp | |
| N/A | 10.127.255.80:445 | tcp | |
| N/A | 10.127.255.81:445 | tcp | |
| N/A | 10.127.255.82:445 | tcp | |
| N/A | 10.127.255.83:445 | tcp | |
| N/A | 10.127.255.84:445 | tcp | |
| N/A | 10.127.255.85:445 | tcp | |
| N/A | 10.127.255.86:445 | tcp | |
| N/A | 10.127.255.91:445 | tcp | |
| N/A | 10.127.255.92:445 | tcp | |
| N/A | 10.127.255.95:445 | tcp | |
| N/A | 10.127.255.96:445 | tcp | |
| N/A | 10.127.255.99:445 | tcp | |
| N/A | 10.127.255.100:445 | tcp | |
| N/A | 10.127.255.101:445 | tcp | |
| N/A | 10.127.255.103:445 | tcp | |
| N/A | 10.127.255.104:445 | tcp | |
| N/A | 10.127.255.105:445 | tcp | |
| N/A | 10.127.255.108:445 | tcp | |
| N/A | 10.127.255.109:445 | tcp | |
| N/A | 10.127.255.111:445 | tcp | |
| N/A | 10.127.255.112:445 | tcp | |
| N/A | 10.127.255.113:445 | tcp | |
| N/A | 10.127.255.114:445 | tcp | |
| N/A | 10.127.255.117:445 | tcp | |
| N/A | 10.127.255.119:445 | tcp | |
| N/A | 10.127.255.121:445 | tcp | |
| N/A | 10.127.255.122:445 | tcp | |
| N/A | 10.127.255.123:445 | tcp | |
| N/A | 10.127.255.125:445 | tcp | |
| N/A | 10.127.255.126:445 | tcp | |
| N/A | 10.127.255.127:445 | tcp | |
| N/A | 10.127.255.128:445 | tcp | |
| N/A | 10.127.255.129:445 | tcp | |
| N/A | 10.127.255.130:445 | tcp | |
| N/A | 10.127.255.131:445 | tcp | |
| N/A | 10.127.255.132:445 | tcp | |
| N/A | 10.127.255.133:445 | tcp | |
| N/A | 10.127.255.134:445 | tcp | |
| N/A | 10.127.255.135:445 | tcp | |
| N/A | 10.127.255.136:445 | tcp | |
| N/A | 10.127.255.137:445 | tcp | |
| N/A | 10.127.255.138:445 | tcp | |
| N/A | 10.127.255.141:445 | tcp | |
| N/A | 10.127.255.142:445 | tcp | |
| N/A | 10.127.255.143:445 | tcp | |
| N/A | 10.127.255.144:445 | tcp | |
| N/A | 10.127.255.145:445 | tcp | |
| N/A | 10.127.255.146:445 | tcp | |
| N/A | 10.127.255.147:445 | tcp | |
| N/A | 10.127.255.148:445 | tcp | |
| N/A | 10.127.255.149:445 | tcp | |
| N/A | 10.127.255.150:445 | tcp | |
| N/A | 10.127.255.151:445 | tcp | |
| N/A | 10.127.255.152:445 | tcp | |
| N/A | 10.127.255.153:445 | tcp | |
| N/A | 10.127.255.154:445 | tcp | |
| N/A | 10.127.255.155:445 | tcp | |
| N/A | 10.127.255.156:445 | tcp | |
| N/A | 10.127.255.157:445 | tcp | |
| N/A | 10.127.255.158:445 | tcp | |
| N/A | 10.127.255.159:445 | tcp | |
| N/A | 10.127.255.160:445 | tcp | |
| N/A | 10.127.255.161:445 | tcp | |
| N/A | 10.127.255.162:445 | tcp | |
| N/A | 10.127.255.163:445 | tcp | |
| N/A | 10.127.255.164:445 | tcp | |
| N/A | 10.127.255.165:445 | tcp | |
| N/A | 10.127.255.166:445 | tcp | |
| N/A | 10.127.255.167:445 | tcp | |
| N/A | 10.127.255.168:445 | tcp | |
| N/A | 10.127.255.169:445 | tcp | |
| N/A | 10.127.255.170:445 | tcp | |
| N/A | 10.127.255.171:445 | tcp | |
| N/A | 10.127.255.172:445 | tcp | |
| N/A | 10.127.255.173:445 | tcp | |
| N/A | 10.127.255.174:445 | tcp | |
| N/A | 10.127.255.175:445 | tcp | |
| N/A | 10.127.255.176:445 | tcp | |
| N/A | 10.127.255.177:445 | tcp | |
| N/A | 10.127.255.178:445 | tcp | |
| N/A | 10.127.255.179:445 | tcp | |
| N/A | 10.127.255.180:445 | tcp | |
| N/A | 10.127.255.181:445 | tcp | |
| N/A | 10.127.255.182:445 | tcp | |
| N/A | 10.127.255.183:445 | tcp | |
| N/A | 10.127.255.184:445 | tcp | |
| N/A | 10.127.255.185:445 | tcp | |
| N/A | 10.127.255.186:445 | tcp | |
| N/A | 10.127.255.187:445 | tcp | |
| N/A | 10.127.255.188:445 | tcp | |
| N/A | 10.127.255.189:445 | tcp | |
| N/A | 10.127.255.190:445 | tcp | |
| N/A | 10.127.255.191:445 | tcp | |
| N/A | 10.127.255.192:445 | tcp | |
| N/A | 10.127.255.193:445 | tcp | |
| N/A | 10.127.255.194:445 | tcp | |
| N/A | 10.127.255.195:445 | tcp | |
| N/A | 10.127.255.196:445 | tcp | |
| N/A | 10.127.255.197:445 | tcp | |
| N/A | 10.127.255.198:445 | tcp | |
| N/A | 10.127.255.199:445 | tcp | |
| N/A | 10.127.255.200:445 | tcp | |
| N/A | 10.127.255.201:445 | tcp | |
| N/A | 10.127.255.202:445 | tcp | |
| N/A | 10.127.255.203:445 | tcp | |
| N/A | 10.127.255.204:445 | tcp | |
| N/A | 10.127.255.205:445 | tcp | |
| N/A | 10.127.255.206:445 | tcp | |
| N/A | 10.127.255.207:445 | tcp | |
| N/A | 10.127.255.208:445 | tcp | |
| N/A | 10.127.255.209:445 | tcp | |
| N/A | 10.127.255.210:445 | tcp | |
| N/A | 10.127.255.211:445 | tcp | |
| N/A | 10.127.255.212:445 | tcp | |
| N/A | 10.127.255.213:445 | tcp | |
| N/A | 10.127.255.214:445 | tcp | |
| N/A | 10.127.255.215:445 | tcp | |
| N/A | 10.127.255.216:445 | tcp | |
| N/A | 10.127.255.218:445 | tcp | |
| N/A | 10.127.255.219:445 | tcp | |
| N/A | 10.127.255.220:445 | tcp | |
| N/A | 10.127.255.221:445 | tcp | |
| N/A | 10.127.255.222:445 | tcp | |
| N/A | 10.127.255.223:445 | tcp | |
| N/A | 10.127.255.224:445 | tcp | |
| N/A | 10.127.255.225:445 | tcp | |
| N/A | 10.127.255.226:445 | tcp | |
| N/A | 10.127.255.227:445 | tcp | |
| N/A | 10.127.255.228:445 | tcp | |
| N/A | 10.127.255.229:445 | tcp | |
| N/A | 10.127.255.230:445 | tcp | |
| N/A | 10.127.255.231:445 | tcp | |
| N/A | 10.127.255.232:445 | tcp | |
| N/A | 10.127.255.233:445 | tcp | |
| N/A | 10.127.255.234:445 | tcp | |
| N/A | 10.127.255.235:445 | tcp | |
| N/A | 10.127.255.236:445 | tcp | |
| N/A | 10.127.255.237:445 | tcp | |
| N/A | 10.127.255.238:445 | tcp | |
| N/A | 10.127.255.239:445 | tcp | |
| N/A | 10.127.255.240:445 | tcp | |
| N/A | 10.127.255.241:445 | tcp | |
| N/A | 10.127.255.242:445 | tcp | |
| N/A | 10.127.255.243:445 | tcp | |
| N/A | 10.127.255.244:445 | tcp | |
| N/A | 10.127.255.245:445 | tcp | |
| N/A | 10.127.255.246:445 | tcp | |
| N/A | 10.127.255.247:445 | tcp | |
| N/A | 10.127.255.248:445 | tcp | |
| N/A | 10.127.255.249:445 | tcp | |
| N/A | 10.127.255.250:445 | tcp | |
| N/A | 10.127.255.251:445 | tcp | |
| N/A | 10.127.255.252:445 | tcp | |
| N/A | 10.127.255.253:445 | tcp | |
| N/A | 10.127.255.254:445 | tcp | |
| US | 13.89.179.9:443 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| NL | 173.223.113.164:443 | tcp | |
| NL | 173.223.113.131:80 | tcp | |
| US | 8.8.8.8:53 | 233.141.123.20.in-addr.arpa | udp |
| US | 93.184.221.240:80 | tcp |
Files
C:\ProgramData\Readme_Instructions.html
| MD5 | 9ae54b4efc9f30245782c6001f69b120 |
| SHA1 | 3de64c5e9732699b76510728e43f408c131a995e |
| SHA256 | cef2395cc2ae718f07b84bdbae435752c0e7049aa6de8488ab045c07f5fd0b37 |
| SHA512 | fbbb0e2bf0d11756dba1d9bf0183a2f0ec94ee729d97740ed3ba47b3f99922188fc04fdbc255f51a3544fa3bfc7ed588d3aabb45de0ed59ed96ce6d15daeed75 |