agenda | 27f7a332ba10bae9dbc527ea25c787cb1850f0b34295cd49118f040f08f4fe56

Analysis

max time kernel
125s
max time network
129s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
21-11-2023 03:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

forigpatch.exe
Size

3.9MB
MD5

bf45eb9cb4aefcff77e9db878f9c5fb1
SHA1

8e7a95e87cb40c10d019e695bea1ee3612cef247
SHA256

27f7a332ba10bae9dbc527ea25c787cb1850f0b34295cd49118f040f08f4fe56
SHA512

bb0a154ba120c64693f874ed2d670bf1c230bbd2229d2aa461fbbae12756c3d52f7e3825665b68c97067cbe384d8c5728543c941643d5b3908579ff8f2e7feda
SSDEEP

49152:r4XomcoDCd9Vv8+n6/7aWBRogspm541YzoI1DK+GCzJ573cj/ja8Rhe901MxZOp8:rAodd9VE+n6/73BegsSOI1DKFCvLib7

Score

10^/10

agenda ransomware

Malware Config

Extracted

Family

agenda

Attributes

company_id
QTduEqZI6Q
note
-- Qilin Your network/system was encrypted. Encrypted files have new extension. -- Compromising and sensitive data We have downloaded compromising and sensitive data from you system/network If you refuse to communicate with us and we do not come to an agreement, your data will be published. Data includes: - Employees personal data, CVs, DL , SSN. - Complete network map including credentials for local and remote services. - Financial information including clients data, bills, budgets, annual reports, bank statements. - Complete datagrams/schemas/drawings for manufacturing in solidworks format - And more... -- Warning 1) If you modify files - our decrypt software won't able to recover data 2) If you use third party software - you can damage/modify files (see item 1) 3) You need cipher key / our decrypt software to restore you files. 4) The police or authorities will not be able to help you get the cipher key. We encourage you to consider your decisions. -- Recovery 1) Download tor browser: https://www.torproject.org/download/ 2) Go to domain 3) Enter credentials-- Credentials Extension: QTduEqZI6Q Domain: p3q5g2qsq4tglsbyhlghzutwr75uyz47ozasrserev7kann5h7qedxid.onion login: BYxo9FGIiH58sNWWzh967d5fQexHPomf password:

rsa_pubkey.plain

Signatures

Agenda Ransomware
A ransomware with multiple variants written in Golang and Rust first seen in August 2022.
ransomware agenda
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (169) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
2660	cmd.exe

Enumerates connected drives 3 TTPs 3 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	forigpatch.exe
File opened (read-only)	\??\F:	cipher.exe
File opened (read-only)	\??\D:	cipher.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\TEMP\\dAEwtUMc.jpg"	forigpatch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\TEMP\\dAEwtUMc.jpg"	powershell.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4120	timeout.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2476	vssadmin.exe

Modifies data under HKEY_USERS 49 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 73882dc11e1bf34477fe038eef2c2de35f5be43fb2ea3e13f001110e7a895ef4	forigpatch.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = e1733861db344a75795fd6c7bab89a85020375aeca955b19288315180dcf94ab	forigpatch.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = cd93e056d68321561926319f2237eeb23514b3b607888a4e8dae0ba12ff61497	forigpatch.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00300031003600380038003800620064002d0036006300360066002d0031003100640065002d0038006400310064002d003000300031006500300062006300640065003300650063007d002e0054004d002e0062006c00660000000000	forigpatch.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = fad2bcfbc6bbb9f9c2b626cb1152c43a19d0caddf76ef5ef38765b2920243e8d	forigpatch.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 80416504fb54e87245b4fa9cecd5b4b0aee79aa603af76819678fb3d8aee9014	forigpatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\Wallpaper = "C:\\Windows\\TEMP\\dAEwtUMc.jpg"	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 36acdf5a2abd727dbc0397b4c2654cfc791ff9d724ff7c6beacddbf994ec88fc	forigpatch.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 2df9c178ac49090f2e1269268881c29df1a1f36fb92c71d01e838c053490eba7	forigpatch.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000	forigpatch.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 50f2bd2f281cda01	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c006e00740075007300650072002e006400610074002e004c004f004700320000000000	forigpatch.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\Owner = a40800003097572f281cda01	forigpatch.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	forigpatch.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 772425b0224727e281e67783a8567033e5818ed92d23a1b76787a871c730da15	forigpatch.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 12ac587ce91e1a7c3156474554c1ebd1c8b5918a849c305829795955ef6c813b	forigpatch.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = e6652596ec9165f571ae6f308393aeaee965ccc31f39de04e045646ec6de19e1	forigpatch.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c006e00740075007300650072002e006400610074002e004c004f004700310000000000	forigpatch.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000	forigpatch.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 2dbf070be28d0a3f7caa58415c0e89f5c17cea723422b20914bf9e05887c41eb	forigpatch.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Control Panel\Desktop\Wallpaper = "C:\\Windows\\TEMP\\dAEwtUMc.jpg"	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 346115aa8ab55e5f56d72e45c241a90f25ae304fbc93c7f617447b4be83b0c48	forigpatch.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = b2ba4f4fc59177cec6a2b0892fe7b70c2596e7e54cf3268b93cc59cfb3390559	forigpatch.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Control Panel\Desktop\Wallpaper = "C:\\Windows\\TEMP\\dAEwtUMc.jpg"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	forigpatch.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 881676d1ee612a6c709f5301066c461b5769ba7f0cd66c4060acf1a6c26e6e48	forigpatch.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = b7edb96af0b6e06fe113ea2b2851b2ecee6cec4bb629786c9c2c149da5945b92	forigpatch.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00300031003600380038003800620064002d0036006300360066002d0031003100640065002d0038006400310064002d003000300031006500300062006300640065003300650063007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300031002e007200650067007400720061006e0073002d006d00730000000000	forigpatch.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 9be776059a323f95ef6d829b7ae507e44c1804c762f4cc4d65523651737f111f	forigpatch.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	forigpatch.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 436981c10096f1565879b86afae00a44b0eed37c2b5b49076d8d93308858b4c6	forigpatch.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 2f691fa48a9e1b5d4022b26adfd690deb0cfefd53d34b48ab3522aca68b960e8	forigpatch.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 466e982182ae827a3fea8a8034db0b447636852cb772a5591c237e7e2765fa94	forigpatch.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\Sequence = "1"	forigpatch.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 6ea1dbe94aac585cc20cad485adf6cc14732ec702db93cdde814650d3a312e14	forigpatch.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00550073006500720073005c00410064006d0069006e005c004e00540055005300450052002e004400410054007b00300031003600380038003800620064002d0036006300360066002d0031003100640065002d0038006400310064002d003000300031006500300062006300640065003300650063007d002e0054004d0043006f006e007400610069006e0065007200300030003000300030003000300030003000300030003000300030003000300030003000300032002e007200650067007400720061006e0073002d006d00730000000000	forigpatch.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = f5793edb5d8515f5567dfacbc1ff86e1ec55cf3f22f8fe2c11218ae2c9c49ae9	forigpatch.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 1f69c33b5c002eedecc8765479e535d20072b069af2ab6ff36c26179cfb656ae	forigpatch.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 9dc813cfeb4c3c93c62476a1ddfd5ad92644c8b6ab7bba6c367c3fd1f829bfa5	forigpatch.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager	forigpatch.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = b22624943aeffc8ff62f011679f127c2fd10057d3a84405a47c508aea6eb729a	forigpatch.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = d895e4ba8ea418f25ec01fbf4e40fc0aeca882fe685af13c46e34b910308fd61	forigpatch.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 1f1a43a18b018984a6c3043fd7c33f22519709454aed391d442189fdffd08b49	forigpatch.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 08f1ab817788f3cf88611190724fcde853934e82baab3a841e94ac7349537a12	forigpatch.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = 07bddd3959e27bd7f539bfc164d65aa9e48d70fa2a473cf2c7f2b75c18ad99ba	forigpatch.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\Wallpaper = "C:\\Windows\\TEMP\\dAEwtUMc.jpg"	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash = 2669744ab06881dd8391c4d9c22f2ea307b46638236667ae48b6796e15fb3f60	forigpatch.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\RestartManager\Session0000\SessionHash = f9caa3043a6bb25cb187f185129d6476d15da667ef91f9ce942066b026110d50	forigpatch.exe

Modifies registry key 1 TTPs 8 IoCs

Modify Registry

T1112

pid	Process
1976	reg.exe
2296	reg.exe
1152	reg.exe
4020	reg.exe
4084	reg.exe
3908	reg.exe
4076	reg.exe
1076	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1320	forigpatch.exe
2032	powershell.exe
2952	powershell.exe
2744	powershell.exe
2212	forigpatch.exe
2212	forigpatch.exe
2212	forigpatch.exe
2212	forigpatch.exe
2212	forigpatch.exe
2212	forigpatch.exe
2212	forigpatch.exe
2212	forigpatch.exe
2212	forigpatch.exe
2212	forigpatch.exe
2212	forigpatch.exe
2212	forigpatch.exe
2212	forigpatch.exe
2212	forigpatch.exe
2212	forigpatch.exe
2212	forigpatch.exe
2212	forigpatch.exe
2212	forigpatch.exe
2212	forigpatch.exe
2212	forigpatch.exe
2212	forigpatch.exe
2212	forigpatch.exe
2212	forigpatch.exe
2212	forigpatch.exe
2212	forigpatch.exe
2212	forigpatch.exe
2212	forigpatch.exe
2212	forigpatch.exe
2212	forigpatch.exe
2212	forigpatch.exe
2212	forigpatch.exe
2212	forigpatch.exe
2212	forigpatch.exe
2212	forigpatch.exe
2212	forigpatch.exe
2212	forigpatch.exe
2212	forigpatch.exe
2212	forigpatch.exe
2164	powershell.exe
2212	forigpatch.exe
2212	forigpatch.exe
2212	forigpatch.exe
2212	forigpatch.exe
2212	forigpatch.exe
2212	forigpatch.exe
2212	forigpatch.exe
2212	forigpatch.exe
2212	forigpatch.exe
2212	forigpatch.exe
2212	forigpatch.exe
2212	forigpatch.exe
2212	forigpatch.exe
2212	forigpatch.exe
2212	forigpatch.exe
2212	forigpatch.exe
2212	forigpatch.exe
2212	forigpatch.exe
2212	forigpatch.exe
2212	forigpatch.exe
2212	forigpatch.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1320	forigpatch.exe
Token: SeImpersonatePrivilege	1320	forigpatch.exe
Token: SeDebugPrivilege	2212	forigpatch.exe
Token: SeImpersonatePrivilege	2212	forigpatch.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	1656	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1656	WMIC.exe
Token: SeSecurityPrivilege	1656	WMIC.exe
Token: SeTakeOwnershipPrivilege	1656	WMIC.exe
Token: SeLoadDriverPrivilege	1656	WMIC.exe
Token: SeBackupPrivilege	1656	WMIC.exe
Token: SeRestorePrivilege	1656	WMIC.exe
Token: SeShutdownPrivilege	1656	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1656	WMIC.exe
Token: SeUndockPrivilege	1656	WMIC.exe
Token: SeManageVolumePrivilege	1656	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1656	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1656	WMIC.exe
Token: SeSecurityPrivilege	1656	WMIC.exe
Token: SeTakeOwnershipPrivilege	1656	WMIC.exe
Token: SeLoadDriverPrivilege	1656	WMIC.exe
Token: SeBackupPrivilege	1656	WMIC.exe
Token: SeRestorePrivilege	1656	WMIC.exe
Token: SeShutdownPrivilege	1656	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1656	WMIC.exe
Token: SeUndockPrivilege	1656	WMIC.exe
Token: SeManageVolumePrivilege	1656	WMIC.exe
Token: SeBackupPrivilege	2956	vssvc.exe
Token: SeRestorePrivilege	2956	vssvc.exe
Token: SeAuditPrivilege	2956	vssvc.exe
Token: SeAssignPrimaryTokenPrivilege	2284	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2284	WMIC.exe
Token: SeSecurityPrivilege	2284	WMIC.exe
Token: SeTakeOwnershipPrivilege	2284	WMIC.exe
Token: SeLoadDriverPrivilege	2284	WMIC.exe
Token: SeBackupPrivilege	2284	WMIC.exe
Token: SeRestorePrivilege	2284	WMIC.exe
Token: SeShutdownPrivilege	2284	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2284	WMIC.exe
Token: SeUndockPrivilege	2284	WMIC.exe
Token: SeManageVolumePrivilege	2284	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	2284	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2284	WMIC.exe
Token: SeSecurityPrivilege	2284	WMIC.exe
Token: SeTakeOwnershipPrivilege	2284	WMIC.exe
Token: SeLoadDriverPrivilege	2284	WMIC.exe
Token: SeBackupPrivilege	2284	WMIC.exe
Token: SeRestorePrivilege	2284	WMIC.exe
Token: SeShutdownPrivilege	2284	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2284	WMIC.exe
Token: SeUndockPrivilege	2284	WMIC.exe
Token: SeManageVolumePrivilege	2284	WMIC.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeShutdownPrivilege	2212	forigpatch.exe
Token: SeDebugPrivilege	856	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeShutdownPrivilege	2212	forigpatch.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	3040	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2012	2212	forigpatch.exe	31
PID 2212 wrote to memory of 2012	2212	forigpatch.exe	31
PID 2212 wrote to memory of 2012	2212	forigpatch.exe	31
PID 2212 wrote to memory of 2012	2212	forigpatch.exe	31
PID 2212 wrote to memory of 2012	2212	forigpatch.exe	31
PID 2212 wrote to memory of 2012	2212	forigpatch.exe	31
PID 2212 wrote to memory of 2012	2212	forigpatch.exe	31
PID 2212 wrote to memory of 2032	2212	forigpatch.exe	32
PID 2212 wrote to memory of 2032	2212	forigpatch.exe	32
PID 2212 wrote to memory of 2032	2212	forigpatch.exe	32
PID 2212 wrote to memory of 2032	2212	forigpatch.exe	32
PID 2012 wrote to memory of 548	2012	cmd.exe	35
PID 2012 wrote to memory of 548	2012	cmd.exe	35
PID 2012 wrote to memory of 548	2012	cmd.exe	35
PID 2012 wrote to memory of 548	2012	cmd.exe	35
PID 2012 wrote to memory of 548	2012	cmd.exe	35
PID 2012 wrote to memory of 548	2012	cmd.exe	35
PID 2012 wrote to memory of 548	2012	cmd.exe	35
PID 2212 wrote to memory of 964	2212	forigpatch.exe	36
PID 2212 wrote to memory of 964	2212	forigpatch.exe	36
PID 2212 wrote to memory of 964	2212	forigpatch.exe	36
PID 2212 wrote to memory of 964	2212	forigpatch.exe	36
PID 2212 wrote to memory of 964	2212	forigpatch.exe	36
PID 2212 wrote to memory of 964	2212	forigpatch.exe	36
PID 2212 wrote to memory of 964	2212	forigpatch.exe	36
PID 964 wrote to memory of 456	964	cmd.exe	38
PID 964 wrote to memory of 456	964	cmd.exe	38
PID 964 wrote to memory of 456	964	cmd.exe	38
PID 964 wrote to memory of 456	964	cmd.exe	38
PID 964 wrote to memory of 456	964	cmd.exe	38
PID 964 wrote to memory of 456	964	cmd.exe	38
PID 964 wrote to memory of 456	964	cmd.exe	38
PID 2212 wrote to memory of 1740	2212	forigpatch.exe	39
PID 2212 wrote to memory of 1740	2212	forigpatch.exe	39
PID 2212 wrote to memory of 1740	2212	forigpatch.exe	39
PID 2212 wrote to memory of 1740	2212	forigpatch.exe	39
PID 2212 wrote to memory of 1740	2212	forigpatch.exe	39
PID 2212 wrote to memory of 1740	2212	forigpatch.exe	39
PID 2212 wrote to memory of 1740	2212	forigpatch.exe	39
PID 1740 wrote to memory of 940	1740	cmd.exe	41
PID 1740 wrote to memory of 940	1740	cmd.exe	41
PID 1740 wrote to memory of 940	1740	cmd.exe	41
PID 1740 wrote to memory of 940	1740	cmd.exe	41
PID 1740 wrote to memory of 940	1740	cmd.exe	41
PID 1740 wrote to memory of 940	1740	cmd.exe	41
PID 1740 wrote to memory of 940	1740	cmd.exe	41
PID 2212 wrote to memory of 1604	2212	forigpatch.exe	42
PID 2212 wrote to memory of 1604	2212	forigpatch.exe	42
PID 2212 wrote to memory of 1604	2212	forigpatch.exe	42
PID 2212 wrote to memory of 1604	2212	forigpatch.exe	42
PID 2212 wrote to memory of 1604	2212	forigpatch.exe	42
PID 2212 wrote to memory of 1604	2212	forigpatch.exe	42
PID 2212 wrote to memory of 1604	2212	forigpatch.exe	42
PID 1604 wrote to memory of 1656	1604	cmd.exe	44
PID 1604 wrote to memory of 1656	1604	cmd.exe	44
PID 1604 wrote to memory of 1656	1604	cmd.exe	44
PID 1604 wrote to memory of 1656	1604	cmd.exe	44
PID 1604 wrote to memory of 1656	1604	cmd.exe	44
PID 1604 wrote to memory of 1656	1604	cmd.exe	44
PID 1604 wrote to memory of 1656	1604	cmd.exe	44
PID 2212 wrote to memory of 1716	2212	forigpatch.exe	46
PID 2212 wrote to memory of 1716	2212	forigpatch.exe	46
PID 2212 wrote to memory of 1716	2212	forigpatch.exe	46
PID 2212 wrote to memory of 1716	2212	forigpatch.exe	46

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	forigpatch.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\forigpatch.exe
C:\Users\Admin\AppData\Local\Temp\forigpatch.exe --password 123
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1320
- C:\Users\Admin\AppData\Local\Temp\forigpatch.exe
  "C:\Users\Admin\AppData\Local\Temp\forigpatch.exe" --password 123 --escalated --parent-sid "S-1-5-21-1154728922-3261336865-3456416385-1000"
  2⤵
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2212
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /C fsutil behavior set SymlinkEvaluation R2R:1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2012
  - - C:\Windows\SysWOW64\fsutil.exe
      fsutil behavior set SymlinkEvaluation R2R:1
      4⤵
      PID:548
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command "Stop-Cluster -Force"
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2032
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /C fsutil behavior set SymlinkEvaluation R2L:1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:964
  - - C:\Windows\SysWOW64\fsutil.exe
      fsutil behavior set SymlinkEvaluation R2L:1
      4⤵
      PID:456
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /C net use
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1740
  - - C:\Windows\SysWOW64\net.exe
      net use
      4⤵
      PID:940
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /C wmic service where name='vss' call ChangeStartMode Manual
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1604
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic service where name='vss' call ChangeStartMode Manual
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1656
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /C net start vss
    3⤵
    PID:1716
  - - C:\Windows\SysWOW64\net.exe
      net start vss
      4⤵
      PID:552
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start vss
        5⤵
        
        PID:816
- - C:\Windows\system32\cmd.exe
    "cmd" /C vssadmin.exe delete shadows /all /quiet
    3⤵
    PID:2440
  - - C:\Windows\system32\vssadmin.exe
      vssadmin.exe delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:2476
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /C net stop vss
    3⤵
    PID:2064
  - - C:\Windows\SysWOW64\net.exe
      net stop vss
      4⤵
      PID:892
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop vss
        5⤵
        
        PID:612
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /C wmic service where name='vss' call ChangeStartMode Disabled
    3⤵
    PID:2236
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic service where name='vss' call ChangeStartMode Disabled
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2284
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" $logs = Get-WinEvent -ListLog * | Where-Object {$_.RecordCount} | Select-Object -ExpandProperty LogName ; ForEach ( $l in $logs | Sort | Get-Unique ) {[System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog($l)}
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2952
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" $logs = Get-WinEvent -ListLog * | Where-Object {$_.RecordCount} | Select-Object -ExpandProperty LogName ; ForEach ( $l in $logs | Sort | Get-Unique ) {[System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog($l)}
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2744
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" $logs = Get-WinEvent -ListLog * | Where-Object {$_.RecordCount} | Select-Object -ExpandProperty LogName ; ForEach ( $l in $logs | Sort | Get-Unique ) {[System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog($l)}
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2164
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command "Import-Module ActiveDirectory ; Get-ADComputer -Filter * | Select-Object -ExpandProperty DNSHostName"
    3⤵
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    PID:856
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command "ServerManagerCmd.exe -i RSAT-AD-PowerShell ; Install-WindowsFeature RSAT-AD-PowerShell ; Add-WindowsCapability -Online -Name 'RSAT.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0'"
    3⤵
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    PID:1704
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command "Import-Module ActiveDirectory ; Get-ADComputer -Filter * | Select-Object -ExpandProperty DNSHostName"
    3⤵
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    PID:2196
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" $logs = Get-WinEvent -ListLog * | Where-Object {$_.RecordCount} | Select-Object -ExpandProperty LogName ; ForEach ( $l in $logs | Sort | Get-Unique ) {[System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog($l)}
    3⤵
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    PID:2360
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command "Import-Module ActiveDirectory ; Get-ADComputer -Filter * | Select-Object -ExpandProperty DNSHostName"
    3⤵
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    PID:2492
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command "ServerManagerCmd.exe -i RSAT-AD-PowerShell ; Install-WindowsFeature RSAT-AD-PowerShell ; Add-WindowsCapability -Online -Name 'RSAT.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0'"
    3⤵
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    PID:2840
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command "Import-Module ActiveDirectory ; Get-ADComputer -Filter * | Select-Object -ExpandProperty DNSHostName"
    3⤵
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    PID:3040
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" $logs = Get-WinEvent -ListLog * | Where-Object {$_.RecordCount} | Select-Object -ExpandProperty LogName ; ForEach ( $l in $logs | Sort | Get-Unique ) {[System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog($l)}
    3⤵
    - Drops file in System32 directory
    PID:2532
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command "Import-Module ActiveDirectory ; Get-ADComputer -Filter * | Select-Object -ExpandProperty DNSHostName"
    3⤵
    - Drops file in System32 directory
    PID:4380
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command "ServerManagerCmd.exe -i RSAT-AD-PowerShell ; Install-WindowsFeature RSAT-AD-PowerShell ; Add-WindowsCapability -Online -Name 'RSAT.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0'"
    3⤵
    - Drops file in System32 directory
    PID:5016
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command "Import-Module ActiveDirectory ; Get-ADComputer -Filter * | Select-Object -ExpandProperty DNSHostName"
    3⤵
    - Drops file in System32 directory
    PID:1596
- - C:\Windows\SysWOW64\reg.exe
    "reg.exe" QUERY "HKEY_USERS"
    3⤵
    PID:3052
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command "Set-ItemProperty -Path 'Registry::HKEY_USERS\.DEFAULT\Control Panel\Desktop' -Name Wallpaper -Value 'C:\Windows\TEMP\dAEwtUMc.jpg'"
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:3080
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command "Set-ItemProperty -Path 'Registry::HKEY_USERS\S-1-5-19\Control Panel\Desktop' -Name Wallpaper -Value 'C:\Windows\TEMP\dAEwtUMc.jpg'"
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:3620
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command "Set-ItemProperty -Path 'Registry::HKEY_USERS\S-1-5-20\Control Panel\Desktop' -Name Wallpaper -Value 'C:\Windows\TEMP\dAEwtUMc.jpg'"
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:3280
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command "Set-ItemProperty -Path 'Registry::HKEY_USERS\S-1-5-21-1154728922-3261336865-3456416385-1000\Control Panel\Desktop' -Name Wallpaper -Value 'C:\Windows\TEMP\dAEwtUMc.jpg'"
    3⤵
    - Drops file in System32 directory
    - Sets desktop wallpaper using registry
    PID:3452
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command "Set-ItemProperty -Path 'Registry::HKEY_USERS\S-1-5-21-1154728922-3261336865-3456416385-1000_Classes\Control Panel\Desktop' -Name Wallpaper -Value 'C:\Windows\TEMP\dAEwtUMc.jpg'"
    3⤵
    - Drops file in System32 directory
    PID:3588
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command "Set-ItemProperty -Path 'Registry::HKEY_USERS\S-1-5-18\Control Panel\Desktop' -Name Wallpaper -Value 'C:\Windows\TEMP\dAEwtUMc.jpg'"
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:3708
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" $logs = Get-WinEvent -ListLog * | Where-Object {$_.RecordCount} | Select-Object -ExpandProperty LogName ; ForEach ( $l in $logs | Sort | Get-Unique ) {[System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog($l)}
    3⤵
    - Drops file in System32 directory
    PID:3752
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command " REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Personalization /f ; REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Personalization /v LockScreenImagePath /t REG_SZ /d 'C:\Windows\TEMP\dAEwtUMc.jpg' /f ; REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Personalization /v LockScreenImageUrl /t REG_SZ /d 'C:\Windows\TEMP\dAEwtUMc.jpg' /f ; REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Personalization /v LockScreenImageStatus /t REG_DWORD /d 1 /f ; REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP /f ; REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP /v LockScreenImagePath /t REG_SZ /d 'C:\Windows\TEMP\dAEwtUMc.jpg' /f ; REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP /v LockScreenImageUrl /t REG_SZ /d 'C:\Windows\TEMP\dAEwtUMc.jpg' /f ; REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP /v LockScreenImageStatus /t REG_DWORD /d 1 /f "
    3⤵
    - Drops file in System32 directory
    PID:3828
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Personalization /f
      4⤵
      Modifies registry key
      PID:1152
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Personalization /v LockScreenImagePath /t REG_SZ /d C:\Windows\TEMP\dAEwtUMc.jpg /f
      4⤵
      Modifies registry key
      PID:4020
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Personalization /v LockScreenImageUrl /t REG_SZ /d C:\Windows\TEMP\dAEwtUMc.jpg /f
      4⤵
      Modifies registry key
      PID:4084
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Personalization /v LockScreenImageStatus /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:3908
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP /f
      4⤵
      Modifies registry key
      PID:4076
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP /v LockScreenImagePath /t REG_SZ /d C:\Windows\TEMP\dAEwtUMc.jpg /f
      4⤵
      Modifies registry key
      PID:1076
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP /v LockScreenImageUrl /t REG_SZ /d C:\Windows\TEMP\dAEwtUMc.jpg /f
      4⤵
      Modifies registry key
      PID:1976
  - - C:\Windows\system32\reg.exe
      "C:\Windows\system32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP /v LockScreenImageStatus /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:2296
- - C:\Windows\system32\cmd.exe
    "cmd" /C cipher /w:"C:\"
    3⤵
    PID:2500
  - - C:\Windows\system32\cipher.exe
      cipher /w:"C:\"
      4⤵
      PID:1552
- - C:\Windows\system32\cmd.exe
    "cmd" /C cipher /w:"D:\"
    3⤵
    PID:5052
  - - C:\Windows\system32\cipher.exe
      cipher /w:"D:\"
      4⤵
      Enumerates connected drives
      PID:2256
- - C:\Windows\system32\cmd.exe
    "cmd" /C cipher /w:"F:\"
    3⤵
    PID:2932
  - - C:\Windows\system32\cipher.exe
      cipher /w:"F:\"
      4⤵
      Enumerates connected drives
      PID:484
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" $logs = Get-WinEvent -ListLog * | Where-Object {$_.RecordCount} | Select-Object -ExpandProperty LogName ; ForEach ( $l in $logs | Sort | Get-Unique ) {[System.Diagnostics.Eventing.Reader.EventLogSession]::GlobalSession.ClearLog($l)}
    3⤵
    - Drops file in System32 directory
    PID:1140
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /C timeout /T 10 & Del "C:\Users\Admin\AppData\Local\Temp\forigpatch.exe"
    3⤵
    - Deletes itself
    PID:2660
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 10
      4⤵
      Delays execution with timeout.exe
      PID:4120

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2956

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\QLOG\ThreadId(1).LOG

Filesize
4KB

MD5
a3f8788d1b37e165dbaed7b469a1a163

SHA1
f4114db4ddf405262474c043c0d4d60128436ff3

SHA256
4752cc52c81a6f280a6b414cd100c2a3bfb7c3e712f40561460f379428a9469a

SHA512
a1904af4a0ac3813de27199f4dd895982815f127639d9b6755bb44e87682115e696834bd20aad0d1bdc04cfb1d742d6c00eb8b150aaba5916ad66a9c747764ac

Download Submit
C:\Users\Admin\README-RECOVER-QTduEqZI6Q.txt

Filesize
1KB

MD5
97470255a6601ea674972f54eda22b61

SHA1
0d06b4e74161674011cee5ffd1ef0042c823888c

SHA256
2a59902ffbc5298bc85801475ee0aec2145643fb89508f341541207d632c3b95

SHA512
20898f45cc638d759933805b982cb76d12538e14a93e1156dc95faf7f44159abce4f0c3faedfda116d49595a1f3937f6738f9d688d2e889e9693ce417639e142

Download Submit
C:\Windows\Temp\QLOG\ThreadId(1).LOG

Filesize
4KB

MD5
7698e79e04fa1dd7f2070f33dd8e310b

SHA1
6f4fe64169c32b9b0c9f704de5c30c0b1647a854

SHA256
3d2e53d88f345c0bd8add3eec24ef2640ba9e3d9291f2ff06879a236d678865f

SHA512
0abc7b68c227ed220aa59264b9a7d5a5477b8869ba26d99534f1be07a6484c46b8bc6af49660fd157eb06b8acd1074b2dbcb0e217f0f56ac4b53780765cd3423

Download Submit
C:\Windows\Temp\QLOG\ThreadId(49).LOG

Filesize
4KB

MD5
7a2df1e8222326ff540330d164d4848b

SHA1
4ab2612ed486fa216bde4395310371b18ef5805e

SHA256
0b1cb91552a50f014c08db94b7be71374307bc5969198c68161da6a464125fce

SHA512
59bc3e9e76c8bd61d922c5387669ef7bb4ad148fa26625a8d7ab0e8c490ccae8e338a8aaa24b711883dc97b11e1213296eff7e1f90de4f7095527a65b4572757

Download Submit
C:\Windows\Temp\QLOG\ThreadId(50).LOG

Filesize
4KB

MD5
6ebf9ef0c74046774ed877dca9412c03

SHA1
d18a889b79e6ba69bfd0ab497acc1e95b81d2c30

SHA256
51bbc7207bd16c626095e85fdd4e466165fc98921f00a62c83fb12ed97c758bf

SHA512
fe008d6dd9c49aef7dc0a2636c5897be596e9551bad3f38e88c0cc035979c3ed74e348364e325e947430b3933bb08c35edd1b9547dd21e87596c6ab36c8f54da

Download Submit
C:\Windows\Temp\QLOG\ThreadId(51).LOG

Filesize
4KB

MD5
5645cef3b26da6127ca778591c2cb447

SHA1
05c4fd795ac83be04ab9d31beb3f1777b3cc5049

SHA256
d2e5a2c28ace7071fbc84fc61729ff10676f6a30731b9c58eadaa96c6a789f35

SHA512
5ebae4ce63c0e128147d4921d02561227108f41a0ff715644ec20b9ff7d5ffff0fe991aaea9e09401c012c790ea73b0dd96214a5b59c4dbdc68c5d2ea9e57057

Download Submit
C:\Windows\Temp\QLOG\ThreadId(52).LOG

Filesize
2KB

MD5
c5a576e4a6086b0f5e6539c1d3acc253

SHA1
f4ab59329e82713225b4fc5ea92b183ea936ccf7

SHA256
8f41a30b9d94a5832b5d41ae2ea1f6702fae6320789bfd482aeadba376bd746a

SHA512
bcb52acf750b2908a639703bb55c07540161786f6121ae6c3c81dda12d1e8db4085314043153a2652d777e31c698ade3fc4cdc1a303f4f4c8d23e8460286a70d

Download Submit
C:\Windows\Temp\QLOG\ThreadId(52).LOG

Filesize
4KB

MD5
1b01ade3fda71137223a989085536909

SHA1
70bd8c9f94541a846869de9ffc1dc8cbd45ab01b

SHA256
df9060a920113fb8d85758568623a55f633e13eabac03912dbbf11968e8ac34c

SHA512
d1dbe1524a5fc8e1dfd372f350a94f775afc1663e1b5bac75afe6b2bccd197a677bab563c2d2c423e0b5119617cff0ab68c88b5c47645770bb6e8f41ace56b00

Download Submit
C:\Windows\Temp\QLOG\ThreadId(53).LOG

Filesize
4KB

MD5
ca719dd8e04ffb8938df2f7048074fdd

SHA1
162a3ee92b727f19f3f6c7c139931d8e70218ab9

SHA256
0a4d9ea47d800a1dd89a94797416b128bf25cf7d05f4614b0444906abb4f6e24

SHA512
02857107a22a15db2b0e399b529fa53fdd4bf1e38b91d4315858f3245663dab2f7a006040c004bf679dbcb1b8a2bb7a32e7b673c41416eae1beb41084c9f6202

Download Submit
C:\Windows\Temp\QLOG\ThreadId(54).LOG

Filesize
4KB

MD5
4c33b587df2c14d03efc6433c10c4eb1

SHA1
37b6c2295547e255c68a6e28d1d5b7246a366daf

SHA256
20286da5fb7589780506ecc02b3271bde4e0e8f7ab12f77396e28e2e2c291ac8

SHA512
43db6ac0300ea0ae62c91699bf0cc42d1551947b19b7d9ed824fb8e144411c32236c5fb64e70a64fb5e1b97de2289b2cf2fc7663ecdb3f53e6a2e1a959e3da56

Download Submit
C:\Windows\Temp\QLOG\ThreadId(55).LOG

Filesize
2KB

MD5
9777ff97314eaf758427efd3c32de941

SHA1
add2b9be53e0e03ac833e23f828226a4527cc982

SHA256
e6e62e02ba4382ff88f1bafe10940fa9802fda68a3ae01b3b5b36bc4cff6c615

SHA512
caf1c0ed481ec2f7bce1e8adb25cc1a1cd845a060ec1f9f76ad0ab32d723cb7f5155b6f70a559d99a44cc12bcdd7e2e70374944efbdf0ae3c484775cdf02e190

Download Submit
C:\Windows\Temp\QLOG\ThreadId(55).LOG

Filesize
4KB

MD5
38b2573f34054654c1878361a7d81e33

SHA1
f469eed8c5a6dea6b4a58758ce0ac7560d82027e

SHA256
e89c1424f9d5a0a7f66dc6ececf3e03622a962e73fd3c7e7a68e34bdb3b18983

SHA512
e4cb71d18ae59a56b5cba87b82a6774ac53287556e392bc968a4bee79f98ca132053a858876f929cdd80494e9dc9161a18ac61a4aada47157d2370d5fa439b4d

Download Submit
C:\Windows\Temp\QLOG\ThreadId(59).LOG

Filesize
3KB

MD5
866f4c15f316a1ef874e6e8a31eeb6cd

SHA1
7a9c85c05e71bcd27b20e6a8704ddea902455110

SHA256
46e32b10f987b9f33738ff1609cf3af102174e899f8fa2594070bffd4d013c5d

SHA512
0571645b7948102c35379e9e847b2c6a1668a11be16074488ad9711916eae34d4e701f3db60ecaf56792f09a2039ce1f2dde63a92ab772c2364ecfd7df878015

Download Submit
C:\Windows\Temp\QLOG\ThreadId(59).LOG

Filesize
4KB

MD5
f94ab9803d964d4838dbd4a9e54ff712

SHA1
279ec9b581de458a98992d43f0bb14ed071db511

SHA256
24bb6ffd1235e66d5f9e2d188c2cc90d9a02e3cf0460ea8194eecb685187134b

SHA512
1e6da98eb9345ec82692d5ff39820bc35694bcd1e061ca0bd42437d9e682331af540a69f856d09dcf9ac4241a1b216fac19c8fe5949c2f7b3595a0b720084ab4

Download Submit
C:\Windows\Temp\QLOG\ThreadId(59).LOG

Filesize
4KB

MD5
deea41c8b781a66f2d0417ebb74129f0

SHA1
2b8e3593c1cd6ebaa1528c2555be2440fcb445d6

SHA256
b83f09ab4a82ad40a0d03138ff955d14a387920d646fd526108374de863d2677

SHA512
deb3bb01f79fd67b24cd749954648d4b6935dfe39c8d6d7c287f3bd1a5ead0481444b0ea1b5123f9270cee78deb4acbdf3a899bd444801f2e26822ae74c105a1

Download Submit
C:\Windows\Temp\QLOG\ThreadId(60).LOG

Filesize
4KB

MD5
6c25c96f34d8ce98204eb2f105a746eb

SHA1
a02f06dd20e75e83f49b9842bd3d84bd4ad4a5a1

SHA256
87a969eba072db8f37ea79687aa15d8c7bce2959a3a60e930a2a8781f8f7446d

SHA512
c7f2f7a24eadaaab9aa28d8d9d6373297b1af0b1cf32e11df495cda62c9a42b8dfa974450473538c099be017f040c9de0e890ab026167a9649ae9024e0f5a83d

Download Submit
C:\Windows\Temp\QLOG\ThreadId(64).LOG

Filesize
987B

MD5
a8acb254b92902a8fc09dd049aad6bb2

SHA1
b51fba848a9fc97dcec299aae950e42a7d9a2868

SHA256
307883577e4dcc596cde4ba9d2d8020749a46d937f4cfabb2292da42bfab63a8

SHA512
840727c42f51784b723b650b5a894c711cbdc8fe9cb89aefc183b75601087453493b6745e5b8e21af0152d8daa85bd7f25dafea84d6560db8b50e3769a805c31

Download Submit
C:\Windows\Temp\QLOG\ThreadId(64).LOG

Filesize
3KB

MD5
e43316a0f2d4f4cec48b9afd11b1ac6f

SHA1
39504f2eee2e45d69cf08e08bccdd5b871299a35

SHA256
3ced258a1471d8101cc3cb050e66083b46b55cab8582d83e90c14b333c37a9bd

SHA512
eadc78a8a7371990280ed7a6ef8ad53d9d51e35a96a51c5e76438766365911be69a37f13f4549b3de9038c9991885e7c53802e1cfc766dc8b65c54315efb0442

Download Submit
C:\Windows\Temp\QLOG\ThreadId(66).LOG

Filesize
942B

MD5
efc3b5cbd15a6756f58070721be05ea5

SHA1
e18d92908f5e8adf18aa14899cbe4f29929da3a5

SHA256
b87c57ee3e4e6c4c7183058ea96695ca01bea855f5b7e2b67c89bd91c225d5e5

SHA512
f708b8c6f83808614392088c962487102b44185d2764bde1eaa13645febda14e581a6352bbb00c6b399e2f69b0daa83a7d94d9cb73f2e232377b490bdea82fdf

Download Submit
C:\Windows\Temp\QLOG\ThreadId(66).LOG

Filesize
3KB

MD5
6a6aeb4536c11b58687f436552eedc74

SHA1
94d9538a4bbce6c4f3e74cff123f95c5d3fc319a

SHA256
4925ff699e0f129fb4047074092b35d67671f543152a3ee41a7e8b03c43efc0d

SHA512
ee7184642d645f5a515775ec712a46566c04481a22b37c42ada21161f0c2d1fdfe414de49ade629d4b87056a08f67827a0f120f69d38982c12de1db32cc9e6a5

Download Submit
C:\Windows\Temp\QLOG\ThreadId(68).LOG

Filesize
2KB

MD5
a9d193e62f3f1f0865a844cacdfe8f76

SHA1
bade038fc2cf5df2d1802bd1763cf31b4b042319

SHA256
e4f3b90d975d634b394606b1cb3e7bce686f08342a2c258d6e2908d118efa791

SHA512
fb88af9c43563f5fa9ea14bd26ecd6b88423551cec403d64d51490985e714ab8de50b8d8d533d33a6bf2e7d35bbe6a5f4b0aed4d027e7e9576e850cddc60c877

Download Submit
C:\Windows\Temp\QLOG\ThreadId(69).LOG

Filesize
4KB

MD5
e121490f64689ff58cf4d29922d9c899

SHA1
790ff440e2aadc6e834766ce0a99cffc124c2bf5

SHA256
c4463b6fae49445f46394e0ed41167ddac7f528f80f02185b942545b04992cf7

SHA512
103db061a36f3a5b19f1901423822e568ea468a5765ac39a1001a147c82de0dcb400e4481d56481c2795c2ba991a79fcbb13d36b7979ba22a6990a4545b526a0

Download Submit
C:\Windows\Temp\QLOG\ThreadId(7).LOG

Filesize
14KB

MD5
4df0d9d31661e987b408d257ccbb57fd

SHA1
b8f7856e9e014ae9b1c62934a99dde4e0cf42d2d

SHA256
cdf223b24bd0f5e3178f5d6e79c92f8107bf14bb988c9a73ccb1279f4afdde73

SHA512
8a97a855575044b83ec26031eaf93ae039636b0969d0d6b04385094d2ff46f4a10b9377c0f6ea3580bcd21732c20cfa0747cfd7a05b092aac1d9775f1457a07c

Download Submit
C:\Windows\Temp\QLOG\ThreadId(71).LOG

Filesize
4KB

MD5
6c4a969df30a51adc5be7e4e96c2996a

SHA1
eeb8081c77f1d1a939cd9e6b8fcf790e6b693554

SHA256
9b68909bb86f7879dd15283b493403b3c23db476491112567aae046c40260d32

SHA512
021cad7c6317f6c2c1cad9e8fad31b0e972ed3b41fb9cb89db7c5b31a25818253255f105edda7e61406603aaada5d17db70fb54c1cc150a2cc7b32b0ad571123

Download Submit
C:\Windows\Temp\QLOG\ThreadId(72).LOG

Filesize
4KB

MD5
bed478221c64f7c4f392a1d3ef005ae0

SHA1
d9ea6789c14af3deeea213389971b65a708688c0

SHA256
1736fcc13a0baa8aee911948293433429003b02640c0b94a9d07caeec5a54f7d

SHA512
a96158e2f6d04351c09b9bdb8904b23bb4e385c77fbeabd1bba67d73a4accac9f3a51c1b16817f186d5845d004ed00fb9989ac8830bafa7085d21e51a68d8640

Download Submit
C:\Windows\Temp\QLOG\ThreadId(73).LOG

Filesize
3KB

MD5
7a1a38d5ee285248eb64bef54e7bd8e3

SHA1
776ebfb3de5afeae265583c673d82a6db1dfcf10

SHA256
79e895d9249e1169cac250436f4bba61736716382e020191e0c71f986894beb9

SHA512
8414e0cfb0a769f2338070338745dd1e38f64419b744f247576723c9a82a15a420ba6af3973f65a2cf9da8ec826c7235bb9a953a61aa3832b82a191a82104432

Download Submit
C:\Windows\Temp\QLOG\ThreadId(74).LOG

Filesize
1KB

MD5
3eff115d94507a9c75844d66b8c99a7f

SHA1
74b0c32a906342dfaa589af9955414eda4b45ccc

SHA256
9686ca45e655baa8af5502ffc2774d6b19ede97ddb925d1f9fb44402469f377b

SHA512
45fd1b061b2c6dbf0d5d264d66deb9e7dbb302ac00483763003b965653bd89ffb5d0dd38e80aa479631e1ad7b11c6d1386ef67384fa5422bc5c8c8c4caa33b7d

Download Submit
C:\Windows\Temp\QLOG\ThreadId(75).LOG

Filesize
3KB

MD5
f9572a4edda92b1fe61657c08539afce

SHA1
e0b4f342862ed39ce45aafcd678af6d6b39bd649

SHA256
fe5a48dc39090625c6c39f573ffb1dec67b5dc29a793a36d1d45fe7bd588f3d1

SHA512
dae9c16db4ce7c3dcba6b7676319096d78df89c345262d9f9174c57c834fc445b723061aa32b081a272f24387a0e99eba3dd8495f08546e64f48ddad8e50f675

Download Submit
C:\Windows\Temp\QLOG\ThreadId(75).LOG

Filesize
4KB

MD5
ab67f6aa4f3ce82cb847b8ce3feac89f

SHA1
a0bb65fde5ad9ce32a3691174ee88052bcfa8c1f

SHA256
db8669e0b1783bd6fc547f8023d8d0172c87c799d968dc32b088ee241e13d845

SHA512
2bd356116462a54c8f827e937a3bf49bb4a956587582c260cbdfe4655f5332d1eda2dcf666eb742822dea8da751ea29928e24e85a7de5ee69c51f40f0d240a0e

Download Submit
C:\Windows\Temp\QLOG\ThreadId(76).LOG

Filesize
2KB

MD5
65dfc4767fbb92cee03c21e128b8d64b

SHA1
8b2711ab7059f5029df40d337b95a93d8825ea1f

SHA256
bf6c02adc7dacb139dd4c73a96258ba6368ab8887227de299c9cf0ea8d25fc23

SHA512
c813603e0589f5ca739f1a534266f1b017667fa2726d4a56a5bef1a032e06fdedf8d4e8d3da6d6974fd3f189070e22e591fb0ecb4da080b82b1660ade94ce58a

Download Submit
C:\Windows\Temp\QLOG\ThreadId(79).LOG

Filesize
4KB

MD5
c79d49801d0f0c15432aa6a36b8b98a1

SHA1
e6c0ab52054609ad255945f22818c3d3dcf65eda

SHA256
fe098fe81dbc428054548a99c88c844d10c004b678482248a472a3e43072cdfb

SHA512
43c51fc690977ba0c137d9f403204af0c9ac2acb6ffeeee01d130686ff6d16240722da4308b3fd4fb966c97cf5dc55685959e583095f99d520fbfb3cdcdaeadb

Download Submit
C:\Windows\Temp\QLOG\ThreadId(80).LOG

Filesize
44KB

MD5
1e86c31c9aa7623046ad5528a3650f92

SHA1
b5202be8870b36e1744f0ae8a088ca0b4efc6e5a

SHA256
69d4943d71f1e78c80164251b3dd95234f5378a946c16c215d7bccc9f2213e6b

SHA512
442c498517eae1fed5daa0dd16bed655fab3283841ff90f5856475921c38121a622c9d00fd9d16bec38e94eafd4c05277d4fdf923fb0f64c622bd56ec6a6849b

Download Submit
C:\Windows\Temp\QLOG\ThreadId(89).LOG

Filesize
1KB

MD5
bea39c540987ecbe1542c024ddd24a45

SHA1
cdfdf3dc95d96f5438cef2271f680613713e920a

SHA256
9679793c43242b39bf30efcdf9b1bd317e4534830b941ca5565a06b504927251

SHA512
f5e5dd354d4f937e41b739f8425321a9f7a04cfdb0312587769e06820b132e87395a1577f695d22483da77c7a6c47d917033be7bdf96c2c9f80a0bccf5f76d02

Download Submit
C:\Windows\Temp\QLOG\ThreadId(89).LOG

Filesize
2KB

MD5
24f43ffe1284faf598c69bc60ea78178

SHA1
0e6e41ff8230b05731bcc80cf4f2fa8f3b4d80d1

SHA256
f95e6ad8d4f2def88eb4686a7e54fc8f01cb8f7c6007e63beffb5489183988de

SHA512
39a48258665e174e78d1c33b6d759fdb79d3305bd53a3af0578728832819f853a19362a0aa5b0cc890420b72f1ed4e2a112ad7078cc5bafe6a2175b520a9597a

Download Submit
C:\Windows\Temp\QLOG\ThreadId(89).LOG

Filesize
2KB

MD5
4e676482f77471cee0ab398d1b043b57

SHA1
b6be401674b1e179a40e16cee3db176b30f28cef

SHA256
4c851437289a02420a7fb9a0d063562ef4e12b6f82b2a8909384f92986bb38df

SHA512
8a8a10f6a827ff6a18badb2a49e634377451fc47384e942b9df23324aa6ae2601ac6cc0b18ba4e8d142e218db3519eda5937d2cff6b39f4cacc7661fd7cfd6df

Download Submit
C:\Windows\Temp\QLOG\ThreadId(89).LOG

Filesize
3KB

MD5
7b200aa4926ae782458a045af246f2d8

SHA1
f1668f5165cbaa488492a003d6aaa7667ba43dad

SHA256
e8f4c4722bf60ed509c2acb6d452d6b3fda6ecce1e4e7dbd3717c8ef297728bf

SHA512
ae8f8a42cc955aeabe3ade2346a26bc87bf0639c2e957eeb29f561868faeb34a4895157e53284556c36300819d5b444e7f5534d050ad43bebb1520068c68e189

Download Submit
C:\Windows\Temp\QLOG\ThreadId(89).LOG

Filesize
4KB

MD5
5fdf4a3e0fb5ecb00ce2f308923a6a0a

SHA1
1c9f72fe36503b0417a15d3fadf474620c340d75

SHA256
06124a4deca3ae4cd3f9742721677ce7f55aaef1945790db635123f988485826

SHA512
21c8eb6403e1313402c63c51b26435bb81e778aba4149181dd1081c08a4b13f25ad4a396d7b7ae151d4e22c235717303a12505bf2f0a250277e4a5ebc7412e6e

Download Submit
C:\Windows\Temp\QLOG\ThreadId(90).LOG

Filesize
46KB

MD5
bcc95620d75f0796876f92cb3af9b895

SHA1
8a99edbf34c0a8db44b1fb787a1c394b1e59ac4a

SHA256
a2fcb679cb1052e7f6ead8ec3de15842b7a8cd9c5c6b024a253079f736ea6f84

SHA512
9533027edc7defa42b1dd31844a1b634ceb229b4e0b8f4ec04bb7d3f1b2708bd1bccdd5a174fac9ce903b3655012b342f4c55e9652b57e363300fd6ba70fec5e

Download Submit
C:\Windows\Temp\QLOG\ThreadId(99).LOG

Filesize
1KB

MD5
6c4faefd88e0aac7ea91c5774d0eb1bc

SHA1
dd034b496b238688c1718d49f395d2e2fe192ed5

SHA256
1731718c9e11bd4792a1626c6ae041571e14ab20da48862a68c152e2ac3e8956

SHA512
bf4ed0382d4a8d1289f1aafaf0882618de248eea0e1c3749ef9513845a43d0aeaa0c26f9448c8882cd220c3e416f551bf0ffc51165e4991082dd1804c309923d

Download Submit
C:\Windows\Temp\QLOG\ThreadId(99).LOG

Filesize
3KB

MD5
03db6c7366b15555979b4b4f666de6ac

SHA1
cd10cb90e8d1c63821440f07b72ebc22fb9c20d7

SHA256
5e1d060d56053271b6d84fce804d5f445ab4b99fe4f2fd08bdf5c8aea13e74f5

SHA512
efa1574aec34e5dc01a7e2b095ad7f97bebc1e5964317fcc7c5fe0ea7a64591c21358a22252bf31bb7f7893740956db6384cf200b1bd0bf0135e9695c63c79c5

Download Submit
C:\Windows\Temp\QLOG\ThreadId(99).LOG

Filesize
3KB

MD5
03db6c7366b15555979b4b4f666de6ac

SHA1
cd10cb90e8d1c63821440f07b72ebc22fb9c20d7

SHA256
5e1d060d56053271b6d84fce804d5f445ab4b99fe4f2fd08bdf5c8aea13e74f5

SHA512
efa1574aec34e5dc01a7e2b095ad7f97bebc1e5964317fcc7c5fe0ea7a64591c21358a22252bf31bb7f7893740956db6384cf200b1bd0bf0135e9695c63c79c5

Download Submit
C:\Windows\Temp\QLOG\ThreadId(99).LOG

Filesize
5KB

MD5
b52201e31c49e223ba4aee3743a5f7ca

SHA1
f939abfb5928dc7f33fb6a8b4eb3f544058bdd79

SHA256
b0718777fa7b8593960e6f8121067d82efd9684df685e101b13b9f531bf9a8ff

SHA512
263a1ba59e978134f4e8b574fdc72ffd20e6f078708909b0b22edc0442bfe84e4474a832336c6aeaf47c6c3463122438bff455e8bb256590bd422313cbea85ca

Download Submit
memory/856-1699-0x00000000734D0000-0x0000000073A7B000-memory.dmp

Filesize
5.7MB

Download
memory/856-715-0x00000000734D0000-0x0000000073A7B000-memory.dmp

Filesize
5.7MB

Download
memory/856-717-0x0000000002660000-0x00000000026A0000-memory.dmp

Filesize
256KB

Download
memory/1320-74-0x0000000000ED0000-0x00000000012C5000-memory.dmp

Filesize
4.0MB

Download
memory/1320-0-0x0000000010000000-0x00000000103A3000-memory.dmp

Filesize
3.6MB

Download
memory/1704-2482-0x000007FEF4770000-0x000007FEF510D000-memory.dmp

Filesize
9.6MB

Download
memory/1704-2238-0x0000000002630000-0x00000000026B0000-memory.dmp

Filesize
512KB

Download
memory/1704-2152-0x000000001AFE0000-0x000000001B2C2000-memory.dmp

Filesize
2.9MB

Download
memory/1704-2213-0x0000000002630000-0x00000000026B0000-memory.dmp

Filesize
512KB

Download
memory/1704-2151-0x000007FEF4770000-0x000007FEF510D000-memory.dmp

Filesize
9.6MB

Download
memory/1704-2223-0x00000000021B0000-0x00000000021B8000-memory.dmp

Filesize
32KB

Download
memory/1704-2228-0x000007FEF4770000-0x000007FEF510D000-memory.dmp

Filesize
9.6MB

Download
memory/1704-2481-0x0000000002630000-0x00000000026B0000-memory.dmp

Filesize
512KB

Download
memory/1704-2236-0x0000000002630000-0x00000000026B0000-memory.dmp

Filesize
512KB

Download
memory/2032-162-0x000007FEF5810000-0x000007FEF61AD000-memory.dmp

Filesize
9.6MB

Download
memory/2032-158-0x000007FEF5810000-0x000007FEF61AD000-memory.dmp

Filesize
9.6MB

Download
memory/2032-159-0x0000000002610000-0x0000000002690000-memory.dmp

Filesize
512KB

Download
memory/2032-150-0x000000001B120000-0x000000001B402000-memory.dmp

Filesize
2.9MB

Download
memory/2032-160-0x0000000002610000-0x0000000002690000-memory.dmp

Filesize
512KB

Download
memory/2032-161-0x0000000002610000-0x0000000002690000-memory.dmp

Filesize
512KB

Download
memory/2032-154-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download
memory/2164-218-0x0000000072F20000-0x00000000734CB000-memory.dmp

Filesize
5.7MB

Download
memory/2164-219-0x00000000026D0000-0x0000000002710000-memory.dmp

Filesize
256KB

Download
memory/2164-220-0x0000000072F20000-0x00000000734CB000-memory.dmp

Filesize
5.7MB

Download
memory/2196-2491-0x0000000072F20000-0x00000000734CB000-memory.dmp

Filesize
5.7MB

Download
memory/2196-2487-0x0000000072F20000-0x00000000734CB000-memory.dmp

Filesize
5.7MB

Download
memory/2196-2488-0x00000000023F0000-0x0000000002430000-memory.dmp

Filesize
256KB

Download
memory/2212-179-0x0000000000ED0000-0x00000000012C5000-memory.dmp

Filesize
4.0MB

Download
memory/2212-7515-0x0000000000ED0000-0x00000000012C5000-memory.dmp

Filesize
4.0MB

Download
memory/2360-2581-0x0000000072F20000-0x00000000734CB000-memory.dmp

Filesize
5.7MB

Download
memory/2360-2490-0x00000000003B0000-0x00000000003F0000-memory.dmp

Filesize
256KB

Download
memory/2360-2489-0x0000000072F20000-0x00000000734CB000-memory.dmp

Filesize
5.7MB

Download
memory/2492-3213-0x00000000028D0000-0x0000000002910000-memory.dmp

Filesize
256KB

Download
memory/2492-3212-0x0000000072F20000-0x00000000734CB000-memory.dmp

Filesize
5.7MB

Download
memory/2492-3215-0x0000000072F20000-0x00000000734CB000-memory.dmp

Filesize
5.7MB

Download
memory/2532-5627-0x0000000002900000-0x0000000002940000-memory.dmp

Filesize
256KB

Download
memory/2532-5626-0x0000000072F20000-0x00000000734CB000-memory.dmp

Filesize
5.7MB

Download
memory/2532-5759-0x0000000072F20000-0x00000000734CB000-memory.dmp

Filesize
5.7MB

Download
memory/2744-209-0x00000000734D0000-0x0000000073A7B000-memory.dmp

Filesize
5.7MB

Download
memory/2744-210-0x00000000734D0000-0x0000000073A7B000-memory.dmp

Filesize
5.7MB

Download
memory/2744-211-0x00000000026D0000-0x0000000002710000-memory.dmp

Filesize
256KB

Download
memory/2744-212-0x00000000734D0000-0x0000000073A7B000-memory.dmp

Filesize
5.7MB

Download
memory/2840-3224-0x000000001B0F0000-0x000000001B3D2000-memory.dmp

Filesize
2.9MB

Download
memory/2840-3229-0x0000000001FC0000-0x0000000002040000-memory.dmp

Filesize
512KB

Download
memory/2840-3352-0x000007FEF4810000-0x000007FEF51AD000-memory.dmp

Filesize
9.6MB

Download
memory/2840-3228-0x000007FEF4810000-0x000007FEF51AD000-memory.dmp

Filesize
9.6MB

Download
memory/2840-3230-0x0000000001FC0000-0x0000000002040000-memory.dmp

Filesize
512KB

Download
memory/2840-3231-0x0000000001FC0000-0x0000000002040000-memory.dmp

Filesize
512KB

Download
memory/2840-3226-0x000007FEF4810000-0x000007FEF51AD000-memory.dmp

Filesize
9.6MB

Download
memory/2840-3227-0x0000000001FC0000-0x0000000002040000-memory.dmp

Filesize
512KB

Download
memory/2952-191-0x0000000002680000-0x00000000026C0000-memory.dmp

Filesize
256KB

Download
memory/2952-197-0x0000000073EE0000-0x000000007448B000-memory.dmp

Filesize
5.7MB

Download
memory/2952-190-0x0000000073EE0000-0x000000007448B000-memory.dmp

Filesize
5.7MB

Download
memory/3040-3362-0x00000000734D0000-0x0000000073A7B000-memory.dmp

Filesize
5.7MB

Download
memory/3040-3446-0x00000000734D0000-0x0000000073A7B000-memory.dmp

Filesize
5.7MB

Download
memory/3040-3363-0x0000000002530000-0x0000000002570000-memory.dmp

Filesize
256KB

Download
memory/3040-3361-0x00000000734D0000-0x0000000073A7B000-memory.dmp

Filesize
5.7MB

Download
memory/4380-5724-0x0000000072F20000-0x00000000734CB000-memory.dmp

Filesize
5.7MB

Download
memory/4380-5632-0x0000000072F20000-0x00000000734CB000-memory.dmp

Filesize
5.7MB

Download
memory/4380-5629-0x00000000026C0000-0x0000000002700000-memory.dmp

Filesize
256KB

Download
memory/5016-5769-0x0000000002710000-0x0000000002790000-memory.dmp

Filesize
512KB

Download
memory/5016-5768-0x000007FEF4420000-0x000007FEF4DBD000-memory.dmp

Filesize
9.6MB

Download
memory/5016-5766-0x0000000002710000-0x0000000002790000-memory.dmp

Filesize
512KB

Download
memory/5016-5767-0x0000000002710000-0x0000000002790000-memory.dmp

Filesize
512KB

Download
memory/5016-5762-0x0000000002710000-0x0000000002790000-memory.dmp

Filesize
512KB

Download
memory/5016-5761-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/5016-5760-0x000007FEF4420000-0x000007FEF4DBD000-memory.dmp

Filesize
9.6MB

Download
memory/5016-5758-0x000000001B090000-0x000000001B372000-memory.dmp

Filesize
2.9MB

Download