Analysis

  • max time kernel
    148s
  • max time network
    82s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    05-11-2020 20:58

General

  • Target

    pcnew.exe

  • Size

    20KB

  • MD5

    1f8cef7b1f327e19ec561d1b80583d2d

  • SHA1

    96795527c65711c13aef7f2cda3b5a0ff5779137

  • SHA256

    c6ee0c5549619ebf81f7878da18a6e29ff315be7d0fb3d9b79b84717405c87f6

  • SHA512

    2bdb59b8ca921b7def3547c622a4357398566c475ed1c77aad4fe91f1171ddee1b0d3524463ead12a10bba19fb5e23dcad3b00e948c8bde585d315906fd782e2

Malware Config

Extracted

Path

C:\22912339014610\Read_Me.txt

Ransom Note
Attention! All your files, documents, photos, databases and other important files are encrypted
The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files.
The server with your decryptor is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
1. Download Tor browser - https://www.torproject.org/
2. Install Tor browser
3. Open Tor Browser
4. Open link in TOR browser: http://25xb3kc6azicbbuo.onion/?XNDSIXND
5. Follow the instructions on this page
----------------------------------------------------------------------------------------
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
Alternate communication channel here: http://helpqvrg3cc5mvb3.onion/
URLs

http://25xb3kc6azicbbuo.onion/?XNDSIXND

http://helpqvrg3cc5mvb3.onion/

Signatures

  • Phorphiex Worm

    Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

  • Windows security bypass 2 TTPs
  • Executes dropped EXE 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs
  • Modifies extensions of user files 11 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification 2 TTPs 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 41 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies service 2 TTPs 4 IoCs
  • Drops file in Program Files directory 12052 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies registry class 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 4542 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 31 IoCs
  • Suspicious use of FindShellTrayWindow 67 IoCs
  • Suspicious use of SendNotifyMessage 78 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\pcnew.exe
    "C:\Users\Admin\AppData\Local\Temp\pcnew.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:364
    • C:\22912339014610\winsvcs.exe
      C:\22912339014610\winsvcs.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Windows security modification
      • Suspicious use of WriteProcessMemory
      PID:1228
      • C:\Users\Admin\AppData\Local\Temp\1243725229.exe
        C:\Users\Admin\AppData\Local\Temp\1243725229.exe
        3⤵
        • Executes dropped EXE
        • Modifies extensions of user files
        • Loads dropped DLL
        • Drops desktop.ini file(s)
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: RenamesItself
        PID:1680
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Drops desktop.ini file(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1648
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x1ac
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1664
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies service
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:608
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies service
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1684

Network

MITRE ATT&CK Enterprise v6

Downloads
