f11ce7bb0448619dd5488c2bb4a5e44e3e123f9276919bf69f8cd6471dacdcc5

Resubmissions

17/05/2024, 15:35

240517-s1lp4sec9s 8

01/04/2023, 00:40

230401-a1eyfseg62 8

Analysis

max time kernel
34s
max time network
36s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 15:35

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

C.L[]LZ.bat
Size

18KB
MD5

e8587d513e54e911f058af7494b80e78
SHA1

5005f14b178a18334fa794f2aa21e790fd42f8a7
SHA256

f11ce7bb0448619dd5488c2bb4a5e44e3e123f9276919bf69f8cd6471dacdcc5
SHA512

ba9f48f9d9b39ff4c617f62867874166595543b04b017c623efe8fbe3f418eab88e423642b485eba74eafbb5cd57a2e942500d21580261b5738fe0751830e7cf
SSDEEP

192:dMJOA2222222222222222222222222222222222222222222222222222222222+:dgOl

Score

8^/10

evasion

Malware Config

Signatures

Sets file to hidden 1 TTPs 8 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
4904	attrib.exe
4588	attrib.exe
3500	attrib.exe
64	attrib.exe
1940	attrib.exe
3924	attrib.exe
3980	attrib.exe
3640	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Msg.txt	cmd.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "197"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	cmd.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1412	reg.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
2116	NOTEPAD.EXE
5808	NOTEPAD.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
5836	PING.EXE
5884	PING.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4388	msedge.exe
4388	msedge.exe
3036	msedge.exe
3036	msedge.exe
1352	identity_helper.exe
1352	identity_helper.exe
5464	mspaint.exe
5464	mspaint.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe
3036	msedge.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
5464	mspaint.exe
5464	mspaint.exe
5464	mspaint.exe
5464	mspaint.exe
6116	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 3036	2312	cmd.exe	84
PID 2312 wrote to memory of 3036	2312	cmd.exe	84
PID 3036 wrote to memory of 1780	3036	msedge.exe	86
PID 3036 wrote to memory of 1780	3036	msedge.exe	86
PID 2312 wrote to memory of 3500	2312	cmd.exe	87
PID 2312 wrote to memory of 3500	2312	cmd.exe	87
PID 2312 wrote to memory of 64	2312	cmd.exe	88
PID 2312 wrote to memory of 64	2312	cmd.exe	88
PID 3036 wrote to memory of 2064	3036	msedge.exe	89
PID 3036 wrote to memory of 2064	3036	msedge.exe	89
PID 3036 wrote to memory of 2064	3036	msedge.exe	89
PID 3036 wrote to memory of 2064	3036	msedge.exe	89
PID 3036 wrote to memory of 2064	3036	msedge.exe	89
PID 3036 wrote to memory of 2064	3036	msedge.exe	89
PID 3036 wrote to memory of 2064	3036	msedge.exe	89
PID 3036 wrote to memory of 2064	3036	msedge.exe	89
PID 3036 wrote to memory of 2064	3036	msedge.exe	89
PID 3036 wrote to memory of 2064	3036	msedge.exe	89
PID 3036 wrote to memory of 2064	3036	msedge.exe	89
PID 3036 wrote to memory of 2064	3036	msedge.exe	89
PID 3036 wrote to memory of 2064	3036	msedge.exe	89
PID 3036 wrote to memory of 2064	3036	msedge.exe	89
PID 3036 wrote to memory of 2064	3036	msedge.exe	89
PID 3036 wrote to memory of 2064	3036	msedge.exe	89
PID 3036 wrote to memory of 2064	3036	msedge.exe	89
PID 3036 wrote to memory of 2064	3036	msedge.exe	89
PID 3036 wrote to memory of 2064	3036	msedge.exe	89
PID 3036 wrote to memory of 2064	3036	msedge.exe	89
PID 3036 wrote to memory of 2064	3036	msedge.exe	89
PID 3036 wrote to memory of 2064	3036	msedge.exe	89
PID 3036 wrote to memory of 2064	3036	msedge.exe	89
PID 3036 wrote to memory of 2064	3036	msedge.exe	89
PID 3036 wrote to memory of 2064	3036	msedge.exe	89
PID 3036 wrote to memory of 2064	3036	msedge.exe	89
PID 3036 wrote to memory of 2064	3036	msedge.exe	89
PID 3036 wrote to memory of 2064	3036	msedge.exe	89
PID 3036 wrote to memory of 2064	3036	msedge.exe	89
PID 3036 wrote to memory of 2064	3036	msedge.exe	89
PID 3036 wrote to memory of 2064	3036	msedge.exe	89
PID 3036 wrote to memory of 2064	3036	msedge.exe	89
PID 3036 wrote to memory of 2064	3036	msedge.exe	89
PID 3036 wrote to memory of 2064	3036	msedge.exe	89
PID 3036 wrote to memory of 2064	3036	msedge.exe	89
PID 3036 wrote to memory of 2064	3036	msedge.exe	89
PID 3036 wrote to memory of 2064	3036	msedge.exe	89
PID 3036 wrote to memory of 2064	3036	msedge.exe	89
PID 3036 wrote to memory of 2064	3036	msedge.exe	89
PID 3036 wrote to memory of 2064	3036	msedge.exe	89
PID 3036 wrote to memory of 4388	3036	msedge.exe	90
PID 3036 wrote to memory of 4388	3036	msedge.exe	90
PID 3036 wrote to memory of 2292	3036	msedge.exe	91
PID 3036 wrote to memory of 2292	3036	msedge.exe	91
PID 3036 wrote to memory of 2292	3036	msedge.exe	91
PID 3036 wrote to memory of 2292	3036	msedge.exe	91
PID 3036 wrote to memory of 2292	3036	msedge.exe	91
PID 3036 wrote to memory of 2292	3036	msedge.exe	91
PID 3036 wrote to memory of 2292	3036	msedge.exe	91
PID 3036 wrote to memory of 2292	3036	msedge.exe	91
PID 3036 wrote to memory of 2292	3036	msedge.exe	91
PID 3036 wrote to memory of 2292	3036	msedge.exe	91
PID 3036 wrote to memory of 2292	3036	msedge.exe	91
PID 3036 wrote to memory of 2292	3036	msedge.exe	91
PID 3036 wrote to memory of 2292	3036	msedge.exe	91
PID 3036 wrote to memory of 2292	3036	msedge.exe	91

Views/modifies file attributes 1 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3980	attrib.exe
3640	attrib.exe
4904	attrib.exe
4588	attrib.exe
3500	attrib.exe
64	attrib.exe
1940	attrib.exe
3924	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C.L[]LZ.bat"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://images-wixmp-ed30a86b8c4ca887773594c2.wixmp.com/f/d4df22f5-f97e-4d19-82c4-7ba440bd6903/d8wf1qg-5b17d7fe-6146-4e23-85e1-14fc7376fb91.jpg?token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJ1cm46YXBwOjdlMGQxODg5ODIyNjQzNzNhNWYwZDQxNWVhMGQyNmUwIiwic3ViIjoidXJuOmFwcDo3ZTBkMTg4OTgyMjY0MzczYTVmMGQ0MTVlYTBkMjZlMCIsImF1ZCI6WyJ1cm46c2VydmljZTpmaWxlLmRvd25sb2FkIl0sIm9iaiI6W1t7InBhdGgiOiIvZi9kNGRmMjJmNS1mOTdlLTRkMTktODJjNC03YmE0NDBiZDY5MDMvZDh3ZjFxZy01YjE3ZDdmZS02MTQ2LTRlMjMtODVlMS0xNGZjNzM3NmZiOTEuanBnIn1dXX0.Iz7s1FOZA3-C89uMtE345VyKQybZheIRusE-0u1e6P4
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcc9c246f8,0x7ffcc9c24708,0x7ffcc9c24718
    3⤵
    PID:1780
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,947691528570617129,14191922921391504462,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2028 /prefetch:2
    3⤵
    PID:2064
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2008,947691528570617129,14191922921391504462,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2432 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4388
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2008,947691528570617129,14191922921391504462,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
    3⤵
    PID:2292
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,947691528570617129,14191922921391504462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
    3⤵
    PID:4592
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,947691528570617129,14191922921391504462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1
    3⤵
    PID:3332
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,947691528570617129,14191922921391504462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2252 /prefetch:1
    3⤵
    PID:4224
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,947691528570617129,14191922921391504462,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4496 /prefetch:1
    3⤵
    PID:3276
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2008,947691528570617129,14191922921391504462,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5552 /prefetch:8
    3⤵
    PID:2272
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2008,947691528570617129,14191922921391504462,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5552 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1352
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,947691528570617129,14191922921391504462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
    3⤵
    PID:5496
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,947691528570617129,14191922921391504462,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
    3⤵
    PID:5504
- C:\Windows\system32\attrib.exe
  attrib +s +h *.vbs*
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:3500
- C:\Windows\system32\attrib.exe
  Attrib +S +H *Control*
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:64
- C:\Windows\system32\attrib.exe
  attrib +s +h *.vbs*
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:1940
- C:\Windows\system32\attrib.exe
  Attrib +S +H *Control*
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:3924
- C:\Windows\system32\attrib.exe
  attrib +s +h *.vbs*
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:3980
- C:\Windows\system32\attrib.exe
  Attrib +S +H *Control*
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:3640
- C:\Windows\system32\reg.exe
  reg add HKLM\SYSTEM\ControlSet001\Policies /v _PM_Allow_Startup_Config /t REG_DWORD /D 01
  2⤵
  - Modifies registry key
  PID:1412
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\dyk.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2116
- C:\Windows\system32\attrib.exe
  attrib +s +h *.vbs*
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:4904
- C:\Windows\system32\attrib.exe
  Attrib +S +H *Control*
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:4588
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 3484.vbs 1000
  2⤵
  PID:3664
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 16056.vbs 1000
  2⤵
  PID:1968
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 5439.vbs 1000
  2⤵
  PID:2192
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 6727.vbs 1000
  2⤵
  PID:4020
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 24265.vbs 1000
  2⤵
  PID:4936
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 3619.vbs 1000
  2⤵
  PID:1948
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 25184.vbs 1000
  2⤵
  PID:4128
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 29686.vbs 1000
  2⤵
  PID:1040
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 13500.vbs 1000
  2⤵
  PID:232
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 28803.vbs 1000
  2⤵
  PID:1200
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 26326.vbs 1000
  2⤵
  PID:4224
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 23319.vbs 1000
  2⤵
  PID:872
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 15381.vbs 1000
  2⤵
  PID:3136
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 21895.vbs 1000
  2⤵
  PID:1136
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 13025.vbs 1000
  2⤵
  PID:3960
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 16629.vbs 1000
  2⤵
  PID:4484
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 31423.vbs 1000
  2⤵
  PID:4532
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 24060.vbs 1000
  2⤵
  PID:4776
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 3175.vbs 1000
  2⤵
  PID:1444
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 6893.vbs 1000
  2⤵
  PID:4624
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 31605.vbs 1000
  2⤵
  PID:4348
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 26947.vbs 1000
  2⤵
  PID:1912
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 5785.vbs 1000
  2⤵
  PID:4852
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 31616.vbs 1000
  2⤵
  PID:3636
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 21124.vbs 1000
  2⤵
  PID:4980
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 5891.vbs 1000
  2⤵
  PID:2820
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 7380.vbs 1000
  2⤵
  PID:1700
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 16806.vbs 1000
  2⤵
  PID:4844
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 24530.vbs 1000
  2⤵
  PID:2836
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 4379.vbs 1000
  2⤵
  PID:4516
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 1221.vbs 1000
  2⤵
  PID:1692
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 21092.vbs 1000
  2⤵
  PID:3512
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 29215.vbs 1000
  2⤵
  PID:528
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 12763.vbs 1000
  2⤵
  PID:2468
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 11217.vbs 1000
  2⤵
  PID:3792
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 4256.vbs 1000
  2⤵
  PID:3988
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 12171.vbs 1000
  2⤵
  PID:4936
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 23155.vbs 1000
  2⤵
  PID:2688
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 13236.vbs 1000
  2⤵
  PID:224
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 1845.vbs 1000
  2⤵
  PID:232
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 26456.vbs 1000
  2⤵
  PID:1224
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 3499.vbs 1000
  2⤵
  PID:4224
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 616.vbs 1000
  2⤵
  PID:872
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 31043.vbs 1000
  2⤵
  PID:3136
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 12530.vbs 1000
  2⤵
  PID:4176
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 8917.vbs 1000
  2⤵
  PID:2872
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 31048.vbs 1000
  2⤵
  PID:3896
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 19656.vbs 1000
  2⤵
  PID:4776
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 31788.vbs 1000
  2⤵
  PID:4560
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 9472.vbs 1000
  2⤵
  PID:4316
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 10101.vbs 1000
  2⤵
  PID:3456
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 885.vbs 1000
  2⤵
  PID:4348
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 30413.vbs 1000
  2⤵
  PID:3192
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 12911.vbs 1000
  2⤵
  PID:4752
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 31609.vbs 1000
  2⤵
  PID:4852
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 13754.vbs 1000
  2⤵
  PID:2020
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 27467.vbs 1000
  2⤵
  PID:1436
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 28746.vbs 1000
  2⤵
  PID:4980
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 14378.vbs 1000
  2⤵
  PID:1412
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 17444.vbs 1000
  2⤵
  PID:1700
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 31958.vbs 1000
  2⤵
  PID:4844
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 26258.vbs 1000
  2⤵
  PID:2836
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 12497.vbs 1000
  2⤵
  PID:3876
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 13032.vbs 1000
  2⤵
  PID:4588
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 25752.vbs 1000
  2⤵
  PID:1244
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 22618.vbs 1000
  2⤵
  PID:4148
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 4236.vbs 1000
  2⤵
  PID:4856
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 25536.vbs 1000
  2⤵
  PID:2656
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 5180.vbs 1000
  2⤵
  PID:1352
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 27701.vbs 1000
  2⤵
  PID:3192
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 12529.vbs 1000
  2⤵
  PID:3456
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 8693.vbs 1000
  2⤵
  PID:3636
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 25005.vbs 1000
  2⤵
  PID:2132
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 14571.vbs 1000
  2⤵
  PID:852
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 17396.vbs 1000
  2⤵
  PID:1528
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 13501.vbs 1000
  2⤵
  PID:2668
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 8224.vbs 1000
  2⤵
  PID:4956
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 2672.vbs 1000
  2⤵
  PID:5112
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 21771.vbs 1000
  2⤵
  PID:4948
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 27592.vbs 1000
  2⤵
  PID:4588
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 19028.vbs 1000
  2⤵
  PID:1244
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 29462.vbs 1000
  2⤵
  PID:748
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 26000.vbs 1000
  2⤵
  PID:224
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 23062.vbs 1000
  2⤵
  PID:2656
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 8728.vbs 1000
  2⤵
  PID:1352
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 32001.vbs 1000
  2⤵
  PID:3192
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 10342.vbs 1000
  2⤵
  PID:3456
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 13067.vbs 1000
  2⤵
  PID:672
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 26895.vbs 1000
  2⤵
  PID:1412
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 4059.vbs 1000
  2⤵
  PID:4956
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 8415.vbs 1000
  2⤵
  PID:3876
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 32197.vbs 1000
  2⤵
  PID:3076
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 5808.vbs 1000
  2⤵
  PID:4588
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 24266.vbs 1000
  2⤵
  PID:1244
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 10461.vbs 1000
  2⤵
  PID:748
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 4781.vbs 1000
  2⤵
  PID:1224
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 12176.vbs 1000
  2⤵
  PID:3660
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 29343.vbs 1000
  2⤵
  PID:4852
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 8760.vbs 1000
  2⤵
  PID:5112
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 5964.vbs 1000
  2⤵
  PID:4948
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 8676.vbs 1000
  2⤵
  PID:2452
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 9297.vbs 1000
  2⤵
  PID:5104
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 22368.vbs 1000
  2⤵
  PID:1352
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 27745.vbs 1000
  2⤵
  PID:1480
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 19265.vbs 1000
  2⤵
  PID:3348
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 7081.vbs 1000
  2⤵
  PID:2020
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 20292.vbs 1000
  2⤵
  PID:5116
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 16944.vbs 1000
  2⤵
  PID:2528
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 2983.vbs 1000
  2⤵
  PID:4872
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 9790.vbs 1000
  2⤵
  PID:956
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 6258.vbs 1000
  2⤵
  PID:3652
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 18204.vbs 1000
  2⤵
  PID:5104
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 2494.vbs 1000
  2⤵
  PID:3660
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 31396.vbs 1000
  2⤵
  PID:3192
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 20351.vbs 1000
  2⤵
  PID:3348
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 9336.vbs 1000
  2⤵
  PID:2020
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 3167.vbs 1000
  2⤵
  PID:3876
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 15329.vbs 1000
  2⤵
  PID:4872
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 25769.vbs 1000
  2⤵
  PID:1200
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 15771.vbs 1000
  2⤵
  PID:4620
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 3414.vbs 1000
  2⤵
  PID:5104
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 20768.vbs 1000
  2⤵
  PID:3660
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 25787.vbs 1000
  2⤵
  PID:3192
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 25906.vbs 1000
  2⤵
  PID:2452
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 26983.vbs 1000
  2⤵
  PID:4588
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 26026.vbs 1000
  2⤵
  PID:3652
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 18737.vbs 1000
  2⤵
  PID:224
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 31963.vbs 1000
  2⤵
  PID:2952
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 20879.vbs 1000
  2⤵
  PID:5112
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 9489.vbs 1000
  2⤵
  PID:3192
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 5021.vbs 1000
  2⤵
  PID:2452
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 13039.vbs 1000
  2⤵
  PID:4588
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 24971.vbs 1000
  2⤵
  PID:3652
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 1966.vbs 1000
  2⤵
  PID:4620
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 14409.vbs 1000
  2⤵
  PID:5132
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 21150.vbs 1000
  2⤵
  PID:5144
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 32671.vbs 1000
  2⤵
  PID:5160
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 17230.vbs 1000
  2⤵
  PID:5172
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 7198.vbs 1000
  2⤵
  PID:5192
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 23106.vbs 1000
  2⤵
  PID:5216
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 27024.vbs 1000
  2⤵
  PID:5232
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 13353.vbs 1000
  2⤵
  PID:5252
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 10692.vbs 1000
  2⤵
  PID:5272
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 19437.vbs 1000
  2⤵
  PID:5320
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 4850.vbs 1000
  2⤵
  PID:5340
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 21012.vbs 1000
  2⤵
  PID:5408
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 16907.vbs 1000
  2⤵
  PID:5424
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 27716.vbs 1000
  2⤵
  PID:5440
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 14506.vbs 1000
  2⤵
  PID:5456
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 1527.vbs 1000
  2⤵
  PID:5476
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 2954.vbs 1000
  2⤵
  PID:5596
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 25489.vbs 1000
  2⤵
  PID:5636
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 19883.vbs 1000
  2⤵
  PID:5664
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 29568.vbs 1000
  2⤵
  PID:5688
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 25990.vbs 1000
  2⤵
  PID:5704
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 29971.vbs 1000
  2⤵
  PID:5728
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 9475.vbs 1000
  2⤵
  PID:5744
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 2841.vbs 1000
  2⤵
  PID:5756
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 533.vbs 1000
  2⤵
  PID:5792
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 16537.vbs 1000
  2⤵
  PID:5824
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 32027.vbs 1000
  2⤵
  PID:5860
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 30744.vbs 1000
  2⤵
  PID:5876
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 27522.vbs 1000
  2⤵
  PID:5900
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 16975.vbs 1000
  2⤵
  PID:5916
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 20538.vbs 1000
  2⤵
  PID:5932
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 16182.vbs 1000
  2⤵
  PID:5948
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 30964.vbs 1000
  2⤵
  PID:5964
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 1239.vbs 1000
  2⤵
  PID:5980
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 3660.vbs 1000
  2⤵
  PID:5996
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 8515.vbs 1000
  2⤵
  PID:6012
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 30283.vbs 1000
  2⤵
  PID:6028
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 14747.vbs 1000
  2⤵
  PID:6044
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 9186.vbs 1000
  2⤵
  PID:6060
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 5656.vbs 1000
  2⤵
  PID:6076
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 843.vbs 1000
  2⤵
  PID:6092
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 11106.vbs 1000
  2⤵
  PID:6108
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 29305.vbs 1000
  2⤵
  PID:6124
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 29644.vbs 1000
  2⤵
  PID:6140
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 28156.vbs 1000
  2⤵
  PID:5136
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 16162.vbs 1000
  2⤵
  PID:5152
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 7679.vbs 1000
  2⤵
  PID:5168
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 5675.vbs 1000
  2⤵
  PID:5172
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 3152.vbs 1000
  2⤵
  PID:5160
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 30485.vbs 1000
  2⤵
  PID:5216
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 21395.vbs 1000
  2⤵
  PID:5256
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 6755.vbs 1000
  2⤵
  PID:5276
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 22791.vbs 1000
  2⤵
  PID:5324
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 11279.vbs 1000
  2⤵
  PID:5344
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 28045.vbs 1000
  2⤵
  PID:5420
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 769.vbs 1000
  2⤵
  PID:5432
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 22480.vbs 1000
  2⤵
  PID:5448
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 28943.vbs 1000
  2⤵
  PID:5464
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 6334.vbs 1000
  2⤵
  PID:5492
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 22556.vbs 1000
  2⤵
  PID:5592
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 1201.vbs 1000
  2⤵
  PID:3844
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 21780.vbs 1000
  2⤵
  PID:1172
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 24313.vbs 1000
  2⤵
  PID:5640
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 6096.vbs 1000
  2⤵
  PID:5636
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 21160.vbs 1000
  2⤵
  PID:5664
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 30514.vbs 1000
  2⤵
  PID:5696
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 15057.vbs 1000
  2⤵
  PID:5652
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 2799.vbs 1000
  2⤵
  PID:5632
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 32147.vbs 1000
  2⤵
  PID:5676
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 8420.vbs 1000
  2⤵
  PID:5732
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 6309.vbs 1000
  2⤵
  PID:5704
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 20978.vbs 1000
  2⤵
  PID:5744
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 13133.vbs 1000
  2⤵
  PID:5756
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 23204.vbs 1000
  2⤵
  PID:5784
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 26842.vbs 1000
  2⤵
  PID:5772
- C:\Windows\system32\fsutil.exe
  fsutil file createnew 15926.vbs 1000
  2⤵
  PID:5804
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\Msg.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:5808
- C:\Windows\system32\PING.EXE
  ping 102.33.46.1 20
  2⤵
  - Runs ping.exe
  PID:5836
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 4
  2⤵
  - Runs ping.exe
  PID:5884
- C:\Windows\system32\mspaint.exe
  mspaint
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5464

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4660

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3096

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:852

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:5692

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38fa855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:6116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4b4f91fa1b362ba5341ecb2836438dea

SHA1
9561f5aabed742404d455da735259a2c6781fa07

SHA256
d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c

SHA512
fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eaa3db555ab5bc0cb364826204aad3f0

SHA1
a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca

SHA256
ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b

SHA512
e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
36f2b8d49e4cb3f3383e7ef82a014313

SHA1
e54cec89df040b536115920e2b79fed5dd873a2e

SHA256
0fa271c5506c8fceba14fdc0ded7772f8f16e0d88a310393a23f94ff37d559a4

SHA512
0a388dd5af2d251a2129aeca057449efab547307fe908c8cbbd54002ce37ffe5ef3cb3274565ce7ba390bc60101a84453e5648c956274b2bedb716dd5b8cebe6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
938e026c3d78088515175d02b5b8770e

SHA1
83b10e42f92445839d0209e968c9d251eb013f5b

SHA256
ae212dc3deac777a4c6a40abe5824c1fbbd6f0115ef979154556c25cddf46f0f

SHA512
a867757ace41bd2203b2a0d049874345ad7d9980b2290b57b8aeecff28c2bb90e234a683d5fec7335decc5c4e809432d1f79c7667adc597d446b02fe283da49c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3246284806c67be0e9fe29be3fb1eef4

SHA1
a9be07acdfb90d26629b955a74f220a4ac2d1633

SHA256
2548eeb88a98aee60ef1ed69470374f1a978be911292d58ab048a2a7eec8557d

SHA512
9133a0b8738c6bd224fa76c928f0af66d67901c8522df900cc014b94272ce3ef7226eec0a5e0d9dbdc88459e5849c8169fc25d868e753b1e7a6c69746282c46e

Download Submit
C:\Users\Admin\dyk.txt

Filesize
40B

MD5
30910cb2ab0c563f5e1701bd9d0cd585

SHA1
83e72309f199259f898a6e7d3a4e7b8fa84ac55f

SHA256
21417870bd4541025c54848cbe6a2957e398bee76cfcd44332f7b38c39cb5141

SHA512
687fc0407d37dd4c0ad89cabc6b4cd39b9920805eb55f1caa83c0769fc13172d87aaaa829300b04f98cfaea4aa34bcd98e10f0bda273616a7d4aebea132138df

Download Submit
C:\Windows\Msg.txt

Filesize
55B

MD5
5c808e1fadc76f558b2de3517369f682

SHA1
287a33918206966ca8c931ce0a266b9f5d1edaf9

SHA256
4e3d1dfb2ee00cdd13b4e20073f21eb077a02f468832cb38bab4f46db4e12eab

SHA512
0c78bb104f1bda4e95b0defd11db5596e1f84ed421068977e6b9e8f08957126cf60ad44a12ae7228b254d0b0e67259fce0c0f9472a76ed538cb00f860aca275b

Download Submit

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads