Malware Analysis Report

2025-06-16 00:52

Sample ID 241105-tfmx4stfmc
Target Ransomware artifact CyberVolk.zip
SHA256 439ff2060a600d666dafcf86f7ef8fea5ee0cca7e39521c986a3181d99ede61d
Tags execution discovery ransomware credential_access spyware stealer
Score 10/10

Analysis Overview

score
10/10

SHA256

439ff2060a600d666dafcf86f7ef8fea5ee0cca7e39521c986a3181d99ede61d

Threat Level: Known bad

The file Ransomware artifact CyberVolk.zip was found to be: Known bad.

Malicious Activity Summary

execution discovery ransomware credential_access spyware stealer

Renames multiple (2327) files with added filename extension

Renames multiple (877) files with added filename extension

Renames multiple (147) files with added filename extension

Renames multiple (221) files with added filename extension

Credentials from Password Stores: Windows Credential Manager

Drops startup file

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Enumerates connected drives

Sets desktop wallpaper using registry

System Location Discovery: System Language Discovery

Command and Scripting Interpreter: JavaScript

Unsigned PE

Browser Information Discovery

Suspicious use of WriteProcessMemory

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-05 16:00

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-05 16:00

Reported

2024-11-05 16:02

Platform

win7-20241010-en

Max time kernel

120s

Max time network

126s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ransom\ransom\Cryptographic.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ransom\ransom\Cryptographic.js

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-05 16:00

Reported

2024-11-05 16:02

Platform

win7-20240903-en

Max time kernel

117s

Max time network

123s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ransom\ransom\ransom.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ransom\ransom\ransom.js

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-05 16:00

Reported

2024-11-05 16:02

Platform

win7-20240903-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main.exe

"C:\Users\Admin\AppData\Local\Temp\main.exe"

Network

N/A

Files

memory/352-1-0x0000000000400000-0x00000000004DD000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-05 16:00

Reported

2024-11-05 16:02

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe"

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe N/A
File opened (read-only) \??\a: C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\tmp.bmp" C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3012 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe C:\Windows\SysWOW64\cmd.exe
PID 5072 wrote to memory of 4576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3012 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe C:\Windows\SysWOW64\cmd.exe
PID 444 wrote to memory of 1048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3012 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe C:\Windows\SysWOW64\cmd.exe
PID 452 wrote to memory of 3628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3012 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe C:\Windows\SysWOW64\cmd.exe
PID 872 wrote to memory of 4312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3012 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe C:\Windows\SysWOW64\cmd.exe
PID 4720 wrote to memory of 1344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3012 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe C:\Windows\SysWOW64\cmd.exe
PID 3512 wrote to memory of 4892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3012 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe C:\Windows\SysWOW64\cmd.exe
PID 4356 wrote to memory of 932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3012 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe C:\Windows\SysWOW64\cmd.exe
PID 2560 wrote to memory of 3788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3012 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 2056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3012 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe C:\Windows\SysWOW64\cmd.exe
PID 5060 wrote to memory of 2836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3012 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe C:\Windows\SysWOW64\cmd.exe
PID 3532 wrote to memory of 2964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe

"C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-05 16:00

Reported

2024-11-05 16:02

Platform

win7-20240903-en

Max time kernel

120s

Max time network

125s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ransom\ransom\Crypto\RSA\bigdigits.vbs"

Signatures

N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ransom\ransom\Crypto\RSA\bigdigits.vbs"

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-05 16:00

Reported

2024-11-05 16:02

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

152s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ransom\ransom\Cryptographic.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ransom\ransom\Cryptographic.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-05 16:00

Reported

2024-11-05 16:02

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ransom\ransom\ransom.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ransom\ransom\ransom.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.30.10:443 g.bing.com tcp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 10.30.171.150.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 67.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 198.111.78.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-05 16:00

Reported

2024-11-05 16:02

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ransom.exe"

Signatures

Renames multiple (2327) files with added filename extension

ransomware

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.cvenc C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberVolk_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\CyberVolk_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification \??\f:\$RECYCLE.BIN\S-1-5-21-3756129449-3121373848-4276368241-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\a: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\tmp.bmp" C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ransom.exe

"C:\Users\Admin\AppData\Local\Temp\ransom.exe"

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\Cache\CyberVolk_ReadMe.txt

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\CURRENT.cvenc

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{A5E73466-E220-8EF4-B956-A582187356D9}.cvenc

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_comexp_msc.cvenc

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727662742439442.txt.cvenc

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727664412580892.txt.cvenc

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727670038515250.txt.cvenc

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.cvenc

C:\Users\Admin\AppData\Roaming\time.dat

C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.cvenc

C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi.cvenc

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-05 16:00

Reported

2024-11-05 16:02

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\key_gen\main.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\key_gen\main.exe

"C:\Users\Admin\AppData\Local\Temp\key_gen\main.exe"

Network

Country Destination Domain Proto

Files

memory/4540-1-0x0000000000400000-0x00000000004DD000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-05 16:00

Reported

2024-11-05 16:02

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe"

Signatures

Renames multiple (147) files with added filename extension

ransomware

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened for modification \??\f:\$RECYCLE.BIN\S-1-5-21-2878641211-696417878-3864914810-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened (read-only) \??\a: C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\tmp.bmp" C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3928 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe C:\Windows\SysWOW64\cmd.exe
PID 1516 wrote to memory of 3132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3928 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe C:\Windows\SysWOW64\cmd.exe
PID 4544 wrote to memory of 1004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3928 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe C:\Windows\SysWOW64\cmd.exe
PID 1604 wrote to memory of 1764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3928 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe C:\Windows\SysWOW64\cmd.exe
PID 3780 wrote to memory of 2812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3928 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe C:\Windows\SysWOW64\cmd.exe
PID 2984 wrote to memory of 4328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3928 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe C:\Windows\SysWOW64\cmd.exe
PID 1172 wrote to memory of 5112 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3928 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe C:\Windows\SysWOW64\cmd.exe
PID 4900 wrote to memory of 4980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3928 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe C:\Windows\SysWOW64\cmd.exe
PID 2336 wrote to memory of 3012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3928 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe C:\Windows\SysWOW64\cmd.exe
PID 4356 wrote to memory of 2980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3928 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe C:\Windows\SysWOW64\cmd.exe
PID 636 wrote to memory of 4020 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3928 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 4948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe

Processes

C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe

"C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.29.10:443 g.bing.com tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 10.29.171.150.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-05 16:00

Reported

2024-11-05 16:02

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

149s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ransom\ransom\Crypto\RSA\bigdigits.vbs"

Signatures

N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ransom\ransom\Crypto\RSA\bigdigits.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 11.73.50.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-05 16:00

Reported

2024-11-05 16:02

Platform

win7-20240903-en

Max time kernel

150s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ransom.exe"

Signatures

Renames multiple (877) files with added filename extension

ransomware

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.cvenc C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberVolk_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\CyberVolk_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CyberVolk_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\CyberVolk_ReadMe.txt C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\GKATPXW1\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\L7XNHY48\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\GY8QW6M2\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\75GKCLJR\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification \??\f:\$RECYCLE.BIN\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\3W44XPEP\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Public\Recorded TV\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8O71085\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\a: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\tmp.bmp" C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ransom.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ransom.exe

"C:\Users\Admin\AppData\Local\Temp\ransom.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\CyberVolk_ReadMe.txt


C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENT.cvenc


C:\Users\Admin\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\MSNBC News~.feed-ms.cvenc


C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\L7XNHY48\desktop.ini.cvenc


C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8O71085\desktop.ini.cvenc


C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.cvenc


C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.cvenc


Analysis: behavioral7

Detonation Overview

Submitted

2024-11-05 16:00

Reported

2024-11-05 16:02

Platform

win7-20240903-en

Max time kernel

150s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe"

Signatures

Renames multiple (221) files with added filename extension

ransomware

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Public\Recorded TV\desktop.ini C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened for modification \??\f:\$RECYCLE.BIN\S-1-5-21-4177215427-74451935-3209572229-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened (read-only) \??\a: C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\tmp.bmp" C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2208 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe C:\Windows\SysWOW64\cmd.exe
PID 2452 wrote to memory of 2332 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2208 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe C:\Windows\SysWOW64\cmd.exe
PID 2568 wrote to memory of 2600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2208 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe C:\Windows\SysWOW64\cmd.exe
PID 1504 wrote to memory of 2912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2208 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe C:\Windows\SysWOW64\cmd.exe
PID 1456 wrote to memory of 2180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2208 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe C:\Windows\SysWOW64\cmd.exe
PID 2028 wrote to memory of 1516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2208 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe C:\Windows\SysWOW64\cmd.exe
PID 568 wrote to memory of 2036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2208 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe C:\Windows\SysWOW64\cmd.exe
PID 2236 wrote to memory of 1328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2208 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe C:\Windows\SysWOW64\cmd.exe
PID 1096 wrote to memory of 1084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe

Processes

C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe

"C:\Users\Admin\AppData\Local\Temp\key_gen\ransom.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-05 16:00

Reported

2024-11-05 16:02

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\main.exe

"C:\Users\Admin\AppData\Local\Temp\main.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 103.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

memory/5084-1-0x0000000000400000-0x00000000004DD000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-05 16:00

Reported

2024-11-05 16:02

Platform

win7-20240729-en

Max time kernel

117s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\key_gen\main.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\key_gen\main.exe

"C:\Users\Admin\AppData\Local\Temp\key_gen\main.exe"

Network

N/A

Files

memory/1740-1-0x0000000000400000-0x00000000004DD000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-05 16:00

Reported

2024-11-05 16:02

Platform

win7-20240729-en

Max time kernel

150s

Max time network

20s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe"

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe N/A
File opened (read-only) \??\a: C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\tmp.bmp" C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2268 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe C:\Windows\SysWOW64\cmd.exe
PID 2952 wrote to memory of 2224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2268 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe C:\Windows\SysWOW64\cmd.exe
PID 2984 wrote to memory of 2816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2268 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 2820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2268 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 2444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2268 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 2660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2268 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2268 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe C:\Windows\SysWOW64\cmd.exe
PID 2200 wrote to memory of 3056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2268 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe C:\Windows\SysWOW64\cmd.exe
PID 2944 wrote to memory of 3032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe

"C:\Users\Admin\AppData\Local\Temp\ransom\Release\ransom.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im mmc.exe /t

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im mmc.exe /t

Network

N/A

Files

N/A