lockergoga | 7bcd69b3085126f7e97406889f78ab74e87230c11812b79406d723a80c08dd26

Analysis

max time kernel
153s
max time network
141s
platform
windows10_x64
resource
win10v20210408
submitted
26-07-2021 12:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7bcd69b3085126f7e97406889f78ab74e87230c11812b79406d723a80c08dd26.sample.exe
Size

1.2MB
MD5

7e3f8b6b7ac0565bfcbf0a1e3e6fcfbc
SHA1

b2a701225c8c7f839be3c5009d52b4421063d93e
SHA256

7bcd69b3085126f7e97406889f78ab74e87230c11812b79406d723a80c08dd26
SHA512

20e47f1bce3635c43816c806e5ffdf349ed07c2dd65b5f4e025a3a1343121932f6537ecc7028d842775e9cbeef6ba8110dee8ce0b6dc25dc63772cd840d62e59

Score

10^/10

lockergoga banker persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\Users\Public\Desktop\README_LOCKED.txt

Ransom Note

Greetings! There was a significant flaw in the security system of your company. You should be thankful that the flaw was exploited by serious people and not some rookies. They would have damaged all of your data by mistake or for fun. Your files are encrypted with the strongest military algorithms RSA4096 and AES-256. Without our special decoder it is impossible to restore the data. Attempts to restore your data with third party software as Photorec, RannohDecryptor etc. will lead to irreversible destruction of your data. To confirm our honest intentions. Send us 2-3 different random files and you will get them decrypted. It can be from different computers on your network to be sure that our decoder decrypts everything. Sample files we unlock for free (files should not be related to any kind of backups). We exclusively have decryption software for your situation DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME the encrypted files. DO NOT MOVE the encrypted files. This may lead to the impossibility of recovery of the certain files. The payment has to be made in Bitcoins. The final price depends on how fast you contact us. As soon as we receive the payment you will get the decryption tool and instructions on how to improve your systems security To get information on the price of the decoder contact us at: MayarChenot@protonmail.com QicifomuEjijika@o2.pl

Emails

MayarChenot@protonmail.com

QicifomuEjijika@o2.pl

Signatures

LockerGoga
LockerGoga is a ransomware that is primarily used in targeted, disruptive attacks.
trojan banker lockergoga
Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Drops desktop.ini file(s) 1 IoCs

Processes:

zzbdrimp2725.exe

description ioc process

File opened for modification C:\Program Files (x86)\desktop.ini zzbdrimp2725.exe
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

File opened (read-only) \??\D: explorer.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\desktop.ini	zzbdrimp2725.exe

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe

Drops file in Program Files directory 64 IoCs

Processes:

zzbdrimp2725.exezzbdrimp2725.exezzbdrimp2725.exezzbdrimp2725.exezzbdrimp2725.exezzbdrimp2725.exezzbdrimp2725.exezzbdrimp2725.exezzbdrimp2725.exezzbdrimp2725.exezzbdrimp2725.exezzbdrimp2725.exezzbdrimp2725.exezzbdrimp2725.exezzbdrimp2725.exezzbdrimp2725.exezzbdrimp2725.exezzbdrimp2725.exezzbdrimp2725.exezzbdrimp2725.exezzbdrimp2725.exezzbdrimp2725.exezzbdrimp2725.exezzbdrimp2725.exezzbdrimp2725.exezzbdrimp2725.exezzbdrimp2725.exezzbdrimp2725.exezzbdrimp2725.exezzbdrimp2725.exezzbdrimp2725.exezzbdrimp2725.exezzbdrimp2725.exezzbdrimp2725.exezzbdrimp2725.exezzbdrimp2725.exezzbdrimp2725.exezzbdrimp2725.exeWerFault.exezzbdrimp2725.exezzbdrimp2725.exezzbdrimp2725.exezzbdrimp2725.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\FA000000050	zzbdrimp2725.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006	zzbdrimp2725.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-ae\ui-strings.js	zzbdrimp2725.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\hu-hu\ui-strings.js	zzbdrimp2725.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\resources.pri	zzbdrimp2725.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-64_contrast-black.png	zzbdrimp2725.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ui-strings.js	zzbdrimp2725.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\Info2x.png	zzbdrimp2725.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ja-jp\ui-strings.js	zzbdrimp2725.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\es-es\ui-strings.js	zzbdrimp2725.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\Assets\InsiderHubAppList.targetsize-20_contrast-white.png	zzbdrimp2725.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ui-strings.js	zzbdrimp2725.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ca-es\ui-strings.js	zzbdrimp2725.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\new_icons_retina.png	zzbdrimp2725.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\excluded.txt	zzbdrimp2725.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\Sounds\New_shutter.wav	zzbdrimp2725.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\da-dk\ui-strings.js	zzbdrimp2725.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll	zzbdrimp2725.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\GFX.DLL	zzbdrimp2725.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\css\main.css	zzbdrimp2725.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-il\ui-strings.js	zzbdrimp2725.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-tw\ui-strings.js	zzbdrimp2725.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\new_icons_retina.png	zzbdrimp2725.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sl-si\ui-strings.js	zzbdrimp2725.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-il\ui-strings.js	zzbdrimp2725.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files-select\js\plugin.js	zzbdrimp2725.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ui-strings.js	zzbdrimp2725.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Content\desktop\en-GB\doc_offline_accessibility.xml	zzbdrimp2725.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\virgo_mycomputer_folder_icon.svg	zzbdrimp2725.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\fr-fr\ui-strings.js	zzbdrimp2725.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Graph.exe.manifest	zzbdrimp2725.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\da-dk\ui-strings.js	zzbdrimp2725.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\eu-es\ui-strings.js	zzbdrimp2725.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\de-de\PlayStore_icon.svg	zzbdrimp2725.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\pt-br\ui-strings.js	zzbdrimp2725.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\en-gb\ui-strings.js	zzbdrimp2725.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_2019.16112.11601.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	zzbdrimp2725.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\plugin.js	zzbdrimp2725.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\89.0.4389.114_chrome_installer.exe	zzbdrimp2725.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\plugin.js	zzbdrimp2725.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\plugin.js	zzbdrimp2725.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\GKWord.dll	zzbdrimp2725.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-96.png	zzbdrimp2725.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\ZY______.PFB	zzbdrimp2725.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	zzbdrimp2725.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\nl-nl\ui-strings.js	zzbdrimp2725.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\de-de\ui-strings.js	zzbdrimp2725.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Content\desktop\en-US\toc.xml	zzbdrimp2725.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\AppxSignature.p7x	zzbdrimp2725.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\pl-pl\ui-strings.js	zzbdrimp2725.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\new_icons_retina.png	zzbdrimp2725.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\new_icons.png	zzbdrimp2725.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\convertpdf-tool-view.js	zzbdrimp2725.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themes\dark\checkmark.png	zzbdrimp2725.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small2x.png	WerFault.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedMedTile.scale-100.png	zzbdrimp2725.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\de-de\ui-strings.js	zzbdrimp2725.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-ae\ui-strings.js	zzbdrimp2725.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	zzbdrimp2725.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fr-ma\ui-strings.js	zzbdrimp2725.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\sat_logo.png	zzbdrimp2725.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\s_close2x.png	zzbdrimp2725.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ru-ru\ui-strings.js	zzbdrimp2725.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\logo_retina.png	zzbdrimp2725.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2368 2224 WerFault.exe

pid	pid_target	process	target process
2368	2224	WerFault.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SearchUI.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchUI.exe

Modifies registry class 30 IoCs

Processes:

explorer.exeSearchUI.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchUI.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010005000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002c100000000000002000000e50707004100720067006a006200650078000a005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000000000074ae2078e323294282c1e41cb67d5b9c0000000000000000000000008de95dbe3482d70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e50704004600630072006e0078007200650066003a00200036003700250000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000ffffffff73ae2078e323294282c1e41cb67d5b9c000000000000000000000000de3be21b762cd70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b00360051003800300039003300370037002d0036004e00530030002d003400340034004f002d0038003900350037002d004e00330037003700330053003000320032003000300052007d005c004a0076006100710062006a0066002000510072007300720061007100720065005c005a0046004e00460050006800760059002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000000000000e50704004e0070006700760062006100660020006100720072007100720071002e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000fffffffff9a6406d323dcb4f8a86be992e03dc76000000000000000000000000f4fe5fd9702cd70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e5070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e5070400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56"	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "132623575947209929"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23"	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56"	SearchUI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23"	SearchUI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchUI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

zzbdrimp2725.exezzbdrimp2725.exezzbdrimp2725.exezzbdrimp2725.exe

pid	process
3876	zzbdrimp2725.exe
3876	zzbdrimp2725.exe
3780	zzbdrimp2725.exe
3780	zzbdrimp2725.exe
976	zzbdrimp2725.exe
976	zzbdrimp2725.exe
976	zzbdrimp2725.exe
976	zzbdrimp2725.exe
3876	zzbdrimp2725.exe
3876	zzbdrimp2725.exe
976	zzbdrimp2725.exe
976	zzbdrimp2725.exe
3876	zzbdrimp2725.exe
3876	zzbdrimp2725.exe
976	zzbdrimp2725.exe
976	zzbdrimp2725.exe
3876	zzbdrimp2725.exe
3876	zzbdrimp2725.exe
3780	zzbdrimp2725.exe
3780	zzbdrimp2725.exe
976	zzbdrimp2725.exe
976	zzbdrimp2725.exe
3876	zzbdrimp2725.exe
3876	zzbdrimp2725.exe
3876	zzbdrimp2725.exe
3876	zzbdrimp2725.exe
976	zzbdrimp2725.exe
976	zzbdrimp2725.exe
3876	zzbdrimp2725.exe
3876	zzbdrimp2725.exe
3780	zzbdrimp2725.exe
3780	zzbdrimp2725.exe
976	zzbdrimp2725.exe
976	zzbdrimp2725.exe
3780	zzbdrimp2725.exe
3780	zzbdrimp2725.exe
3876	zzbdrimp2725.exe
3876	zzbdrimp2725.exe
976	zzbdrimp2725.exe
976	zzbdrimp2725.exe
3780	zzbdrimp2725.exe
3780	zzbdrimp2725.exe
976	zzbdrimp2725.exe
3876	zzbdrimp2725.exe
976	zzbdrimp2725.exe
3876	zzbdrimp2725.exe
976	zzbdrimp2725.exe
976	zzbdrimp2725.exe
3780	zzbdrimp2725.exe
3780	zzbdrimp2725.exe
3876	zzbdrimp2725.exe
3876	zzbdrimp2725.exe
976	zzbdrimp2725.exe
976	zzbdrimp2725.exe
3780	zzbdrimp2725.exe
3780	zzbdrimp2725.exe
3876	zzbdrimp2725.exe
3876	zzbdrimp2725.exe
3780	zzbdrimp2725.exe
3780	zzbdrimp2725.exe
2764	zzbdrimp2725.exe
2764	zzbdrimp2725.exe
3780	zzbdrimp2725.exe
3780	zzbdrimp2725.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

cmd.exe

pid process

2024 cmd.exe

pid	process
2024	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7bcd69b3085126f7e97406889f78ab74e87230c11812b79406d723a80c08dd26.sample.exezzbdrimp2725.exezzbdrimp2725.exezzbdrimp2725.exezzbdrimp2725.exezzbdrimp2725.exezzbdrimp2725.exezzbdrimp2725.exezzbdrimp2725.exezzbdrimp2725.exezzbdrimp2725.exezzbdrimp2725.exezzbdrimp2725.exe

description	pid	process
Token: SeDebugPrivilege	584	7bcd69b3085126f7e97406889f78ab74e87230c11812b79406d723a80c08dd26.sample.exe
Token: SeBackupPrivilege	584	7bcd69b3085126f7e97406889f78ab74e87230c11812b79406d723a80c08dd26.sample.exe
Token: SeRestorePrivilege	584	7bcd69b3085126f7e97406889f78ab74e87230c11812b79406d723a80c08dd26.sample.exe
Token: SeLockMemoryPrivilege	584	7bcd69b3085126f7e97406889f78ab74e87230c11812b79406d723a80c08dd26.sample.exe
Token: SeCreateGlobalPrivilege	584	7bcd69b3085126f7e97406889f78ab74e87230c11812b79406d723a80c08dd26.sample.exe
Token: SeDebugPrivilege	2664	zzbdrimp2725.exe
Token: SeBackupPrivilege	2664	zzbdrimp2725.exe
Token: SeRestorePrivilege	2664	zzbdrimp2725.exe
Token: SeLockMemoryPrivilege	2664	zzbdrimp2725.exe
Token: SeCreateGlobalPrivilege	2664	zzbdrimp2725.exe
Token: SeDebugPrivilege	3876	zzbdrimp2725.exe
Token: SeBackupPrivilege	3876	zzbdrimp2725.exe
Token: SeRestorePrivilege	3876	zzbdrimp2725.exe
Token: SeLockMemoryPrivilege	3876	zzbdrimp2725.exe
Token: SeCreateGlobalPrivilege	3876	zzbdrimp2725.exe
Token: SeDebugPrivilege	3780	zzbdrimp2725.exe
Token: SeBackupPrivilege	3780	zzbdrimp2725.exe
Token: SeRestorePrivilege	3780	zzbdrimp2725.exe
Token: SeLockMemoryPrivilege	3780	zzbdrimp2725.exe
Token: SeCreateGlobalPrivilege	3780	zzbdrimp2725.exe
Token: SeDebugPrivilege	976	zzbdrimp2725.exe
Token: SeBackupPrivilege	976	zzbdrimp2725.exe
Token: SeRestorePrivilege	976	zzbdrimp2725.exe
Token: SeLockMemoryPrivilege	976	zzbdrimp2725.exe
Token: SeCreateGlobalPrivilege	976	zzbdrimp2725.exe
Token: SeDebugPrivilege	2764	zzbdrimp2725.exe
Token: SeBackupPrivilege	2764	zzbdrimp2725.exe
Token: SeRestorePrivilege	2764	zzbdrimp2725.exe
Token: SeLockMemoryPrivilege	2764	zzbdrimp2725.exe
Token: SeCreateGlobalPrivilege	2764	zzbdrimp2725.exe
Token: SeDebugPrivilege	2728	zzbdrimp2725.exe
Token: SeBackupPrivilege	2728	zzbdrimp2725.exe
Token: SeRestorePrivilege	2728	zzbdrimp2725.exe
Token: SeLockMemoryPrivilege	2728	zzbdrimp2725.exe
Token: SeCreateGlobalPrivilege	2728	zzbdrimp2725.exe
Token: SeDebugPrivilege	1864	zzbdrimp2725.exe
Token: SeBackupPrivilege	1864	zzbdrimp2725.exe
Token: SeRestorePrivilege	1864	zzbdrimp2725.exe
Token: SeLockMemoryPrivilege	1864	zzbdrimp2725.exe
Token: SeCreateGlobalPrivilege	1864	zzbdrimp2725.exe
Token: SeDebugPrivilege	1252	zzbdrimp2725.exe
Token: SeBackupPrivilege	1252	zzbdrimp2725.exe
Token: SeRestorePrivilege	1252	zzbdrimp2725.exe
Token: SeLockMemoryPrivilege	1252	zzbdrimp2725.exe
Token: SeCreateGlobalPrivilege	1252	zzbdrimp2725.exe
Token: SeDebugPrivilege	1264	zzbdrimp2725.exe
Token: SeBackupPrivilege	1264	zzbdrimp2725.exe
Token: SeRestorePrivilege	1264	zzbdrimp2725.exe
Token: SeLockMemoryPrivilege	1264	zzbdrimp2725.exe
Token: SeCreateGlobalPrivilege	1264	zzbdrimp2725.exe
Token: SeDebugPrivilege	3952	zzbdrimp2725.exe
Token: SeBackupPrivilege	3952	zzbdrimp2725.exe
Token: SeRestorePrivilege	3952	zzbdrimp2725.exe
Token: SeLockMemoryPrivilege	3952	zzbdrimp2725.exe
Token: SeCreateGlobalPrivilege	3952	zzbdrimp2725.exe
Token: SeDebugPrivilege	2200	zzbdrimp2725.exe
Token: SeBackupPrivilege	2200	zzbdrimp2725.exe
Token: SeRestorePrivilege	2200	zzbdrimp2725.exe
Token: SeLockMemoryPrivilege	2200	zzbdrimp2725.exe
Token: SeCreateGlobalPrivilege	2200	zzbdrimp2725.exe
Token: SeDebugPrivilege	744	zzbdrimp2725.exe
Token: SeBackupPrivilege	744	zzbdrimp2725.exe
Token: SeRestorePrivilege	744	zzbdrimp2725.exe
Token: SeLockMemoryPrivilege	744	zzbdrimp2725.exe

Suspicious use of FindShellTrayWindow 43 IoCs

Processes:

explorer.exe

pid	process
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

explorer.exe

pid	process
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe
192	explorer.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

ShellExperienceHost.exeSearchUI.exe

pid process

3852 ShellExperienceHost.exe
2212 SearchUI.exe
3852 ShellExperienceHost.exe

pid	process
3852	ShellExperienceHost.exe
2212	SearchUI.exe
3852	ShellExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7bcd69b3085126f7e97406889f78ab74e87230c11812b79406d723a80c08dd26.sample.exezzbdrimp2725.exe

description	pid	process	target process
PID 584 wrote to memory of 2024	584	7bcd69b3085126f7e97406889f78ab74e87230c11812b79406d723a80c08dd26.sample.exe	cmd.exe
PID 584 wrote to memory of 2024	584	7bcd69b3085126f7e97406889f78ab74e87230c11812b79406d723a80c08dd26.sample.exe	cmd.exe
PID 584 wrote to memory of 2664	584	7bcd69b3085126f7e97406889f78ab74e87230c11812b79406d723a80c08dd26.sample.exe	zzbdrimp2725.exe
PID 584 wrote to memory of 2664	584	7bcd69b3085126f7e97406889f78ab74e87230c11812b79406d723a80c08dd26.sample.exe	zzbdrimp2725.exe
PID 584 wrote to memory of 2664	584	7bcd69b3085126f7e97406889f78ab74e87230c11812b79406d723a80c08dd26.sample.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 3780	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 3780	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 3780	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 3876	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 3876	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 3876	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 976	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 976	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 976	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 2764	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 2764	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 2764	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 2728	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 2728	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 2728	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 1864	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 1864	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 1864	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 1252	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 1252	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 1252	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 1264	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 1264	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 1264	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 3952	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 3952	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 3952	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 2200	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 2200	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 2200	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 744	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 744	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 744	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 636	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 636	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 636	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 912	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 912	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 912	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 696	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 696	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 696	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 3960	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 3960	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 3960	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 2212	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 2212	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 2212	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 2576	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 2576	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 2576	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 2400	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 2400	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 2400	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 2552	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 2552	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 2552	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 3572	2664	zzbdrimp2725.exe	zzbdrimp2725.exe
PID 2664 wrote to memory of 3572	2664	zzbdrimp2725.exe	zzbdrimp2725.exe

C:\Users\Admin\AppData\Local\Temp\7bcd69b3085126f7e97406889f78ab74e87230c11812b79406d723a80c08dd26.sample.exe
"C:\Users\Admin\AppData\Local\Temp\7bcd69b3085126f7e97406889f78ab74e87230c11812b79406d723a80c08dd26.sample.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c move /y C:\Users\Admin\AppData\Local\Temp\7bcd69b3085126f7e97406889f78ab74e87230c11812b79406d723a80c08dd26.sample.exe C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
2⤵
- Suspicious behavior: RenamesItself
PID:2024

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -m
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:976

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3876

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3780

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2728

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1864

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1252

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1264

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3952

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2200

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:744

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
- Drops file in Program Files directory
PID:636

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:912

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:696

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:3960

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
- Drops file in Program Files directory
PID:2212

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
- Drops file in Program Files directory
PID:2576

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:2400

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:2552

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
- Drops file in Program Files directory
PID:3572

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:2916

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
- Drops file in Program Files directory
PID:2116

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:204

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
- Drops file in Program Files directory
PID:1784

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:1648

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:2836

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:2208

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:3780

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:2764

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:1864

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
- Drops file in Program Files directory
PID:2236

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
- Drops file in Program Files directory
PID:3984

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
- Drops file in Program Files directory
PID:2180

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
- Drops file in Program Files directory
PID:1268

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
- Drops file in Program Files directory
PID:2052

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:4048

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
- Drops file in Program Files directory
PID:68

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:1184

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:1652

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:2532

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
- Drops file in Program Files directory
PID:2540

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:2008

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:2408

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:3596

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
- Drops file in Program Files directory
PID:3028

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
- Drops file in Program Files directory
PID:1224

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:3592

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
- Drops file in Program Files directory
PID:1640

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
- Drops file in Program Files directory
PID:2744

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
- Drops file in Program Files directory
PID:2904

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
- Drops file in Program Files directory
PID:976

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:2856

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
- Drops file in Program Files directory
PID:3848

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
- Drops file in Program Files directory
PID:2764

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
- Drops file in Program Files directory
PID:2728

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
- Drops file in Program Files directory
PID:4000

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:1428

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:2132

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:3888

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:2216

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:3976

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
- Drops file in Program Files directory
PID:2144

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
- Drops file in Program Files directory
PID:496

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
- Drops file in Program Files directory
PID:636

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:2368

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:2532

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:2064

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
- Drops file in Program Files directory
PID:2008

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
- Drops file in Program Files directory
PID:2572

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
- Drops file in Program Files directory
PID:2400

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
- Drops file in Program Files directory
PID:3596

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:2880

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
- Drops file in Program Files directory
PID:1920

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
- Drops file in Program Files directory
PID:2488

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
- Drops file in Program Files directory
PID:2708

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
- Drops file in Program Files directory
PID:3592

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:1748

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:1448

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:1784

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:3068

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:196

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:4092

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
- Drops file in Program Files directory
PID:2856

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:2580

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:2236

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:4068

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:2556

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:960

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:2172

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:2140

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:1428

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:2912

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:4084

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:3476

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:4080

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:3612

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
- Drops file in Program Files directory
PID:2216

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:744

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:2200

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:3656

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:2432

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:2068

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
- Drops file in Program Files directory
PID:2532

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:4036

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:2540

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:2404

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:2420

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:2220

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:2588

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:2872

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:1468

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:644

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:3592

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:3088

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
- Drops file in Program Files directory
PID:1784

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:3744

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:2344

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:3372

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:1512

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:2188

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:3896

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:3924

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:3132

C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe
C:\Users\Admin\AppData\Local\Temp\zzbdrimp2725.exe -i SM-zzbdrimp -s
3⤵
PID:1004

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2224 -s 2752
1⤵
- Drops file in Program Files directory
- Program crash
PID:2368

C:\Windows\explorer.exe
explorer.exe
1⤵
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:192

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:1428

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3852

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2212

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2344

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
C:\Users\Public\Desktop\README_LOCKED.txt
MD5
cf3282d6ad1dce954e472722979f3bde

SHA1
a2a9501fe1c525702ec428b8c4aa35be954424b6

SHA256
b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7

SHA512
b35109a8bfe004fee8b609438f1d77d72737f7da98a3a39f9401a1766e6c9d81bf2d5d8d9d356a4e3963610d25336290fef8e4d4ca9ee41c1f2b50d4418ccc9c

Download Submit
memory/68-186-0x0000000000000000-mapping.dmp

Download
memory/192-242-0x0000000001100000-0x0000000001101000-memory.dmp

Filesize
4KB

Download
memory/204-158-0x0000000000000000-mapping.dmp

Download
memory/636-136-0x0000000000000000-mapping.dmp

Download
memory/696-140-0x0000000000000000-mapping.dmp

Download
memory/744-134-0x0000000000000000-mapping.dmp

Download
memory/912-138-0x0000000000000000-mapping.dmp

Download
memory/976-214-0x0000000000000000-mapping.dmp

Download
memory/976-118-0x0000000000000000-mapping.dmp

Download
memory/1184-188-0x0000000000000000-mapping.dmp

Download
memory/1224-204-0x0000000000000000-mapping.dmp

Download
memory/1252-126-0x0000000000000000-mapping.dmp

Download
memory/1264-128-0x0000000000000000-mapping.dmp

Download
memory/1268-180-0x0000000000000000-mapping.dmp

Download
memory/1428-226-0x0000000000000000-mapping.dmp

Download
memory/1640-208-0x0000000000000000-mapping.dmp

Download
memory/1648-162-0x0000000000000000-mapping.dmp

Download
memory/1652-190-0x0000000000000000-mapping.dmp

Download
memory/1784-160-0x0000000000000000-mapping.dmp

Download
memory/1864-124-0x0000000000000000-mapping.dmp

Download
memory/1864-172-0x0000000000000000-mapping.dmp

Download
memory/2008-196-0x0000000000000000-mapping.dmp

Download
memory/2024-114-0x0000000000000000-mapping.dmp

Download
memory/2052-182-0x0000000000000000-mapping.dmp

Download
memory/2116-156-0x0000000000000000-mapping.dmp

Download
memory/2132-228-0x0000000000000000-mapping.dmp

Download
memory/2144-236-0x0000000000000000-mapping.dmp

Download
memory/2180-178-0x0000000000000000-mapping.dmp

Download
memory/2200-132-0x0000000000000000-mapping.dmp

Download
memory/2208-166-0x0000000000000000-mapping.dmp

Download
memory/2212-144-0x0000000000000000-mapping.dmp

Download
memory/2216-232-0x0000000000000000-mapping.dmp

Download
memory/2236-174-0x0000000000000000-mapping.dmp

Download
memory/2400-148-0x0000000000000000-mapping.dmp

Download
memory/2408-198-0x0000000000000000-mapping.dmp

Download
memory/2532-192-0x0000000000000000-mapping.dmp

Download
memory/2540-194-0x0000000000000000-mapping.dmp

Download
memory/2552-150-0x0000000000000000-mapping.dmp

Download
memory/2576-146-0x0000000000000000-mapping.dmp

Download
memory/2664-115-0x0000000000000000-mapping.dmp

Download
memory/2728-122-0x0000000000000000-mapping.dmp

Download
memory/2728-222-0x0000000000000000-mapping.dmp

Download
memory/2744-210-0x0000000000000000-mapping.dmp

Download
memory/2764-170-0x0000000000000000-mapping.dmp

Download
memory/2764-120-0x0000000000000000-mapping.dmp

Download
memory/2764-220-0x0000000000000000-mapping.dmp

Download
memory/2836-164-0x0000000000000000-mapping.dmp

Download
memory/2856-216-0x0000000000000000-mapping.dmp

Download
memory/2904-212-0x0000000000000000-mapping.dmp

Download
memory/2916-154-0x0000000000000000-mapping.dmp

Download
memory/3028-202-0x0000000000000000-mapping.dmp

Download
memory/3572-152-0x0000000000000000-mapping.dmp

Download
memory/3592-206-0x0000000000000000-mapping.dmp

Download
memory/3596-200-0x0000000000000000-mapping.dmp

Download
memory/3780-168-0x0000000000000000-mapping.dmp

Download
memory/3780-116-0x0000000000000000-mapping.dmp

Download
memory/3848-218-0x0000000000000000-mapping.dmp

Download
memory/3876-117-0x0000000000000000-mapping.dmp

Download
memory/3888-230-0x0000000000000000-mapping.dmp

Download
memory/3952-130-0x0000000000000000-mapping.dmp

Download
memory/3960-142-0x0000000000000000-mapping.dmp

Download
memory/3976-234-0x0000000000000000-mapping.dmp

Download
memory/3984-176-0x0000000000000000-mapping.dmp

Download
memory/4000-224-0x0000000000000000-mapping.dmp

Download
memory/4048-184-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads