buran | 49a44d2ebaf37e4b23896a3630261d7b9f79246fcbad35994159b35983f178dd

Analysis

max time kernel
153s
max time network
161s
platform
windows10_x64
resource
win10v20210408
submitted
31-08-2021 13:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49a44d2ebaf37e4b23896a3630261d7b9f79246fcbad35994159b35983f178dd.exe
Size

300KB
MD5

591b93e69671e4091c591f8f9d186b43
SHA1

d497ac1b139d49c7a454c903b5caad3a49765146
SHA256

49a44d2ebaf37e4b23896a3630261d7b9f79246fcbad35994159b35983f178dd
SHA512

9536af37e4bf4bba03afb984830eac36bdf56c1ea73c36a7f67a275f2c00345b5f4a04d4ad23316e7cffdd1f6949cbabfbf6172a16ff262b353900fd99e78ac7

Score

10^/10

buran redline smokeloader gop1 backdoor evasion infostealer persistence ransomware themida trojan

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. PAY FAST 500$=0.013 btc or the price will increase tomorrow bitcoin address bc1qqxnp9z0ff8x852dyflp5r9r6rzse8jl5hzmqz8 To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? [email protected] TELEGRAM @ payfast290 Your personal ID: 286-6EA-0C8 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Extracted

Family

smokeloader

Version

2020

http://readinglistforaugust1.xyz/

http://readinglistforaugust2.xyz/

http://readinglistforaugust3.xyz/

http://readinglistforaugust4.xyz/

http://readinglistforaugust5.xyz/

http://readinglistforaugust6.xyz/

http://readinglistforaugust7.xyz/

http://readinglistforaugust8.xyz/

http://readinglistforaugust9.xyz/

http://readinglistforaugust10.xyz/

http://readinglistforaugust1.site/

http://readinglistforaugust2.site/

http://readinglistforaugust3.site/

http://readinglistforaugust4.site/

http://readinglistforaugust5.site/

http://readinglistforaugust6.site/

http://readinglistforaugust7.site/

http://readinglistforaugust8.site/

http://readinglistforaugust9.site/

http://readinglistforaugust10.site/

rc4.i32

Extracted

Family

redline

Botnet

gop1

185.234.247.197:33071

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 38 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1616-165-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral1/memory/1616-167-0x000000000041C5D6-mapping.dmp	family_redline
behavioral1/memory/1616-180-0x0000000005510000-0x0000000005B16000-memory.dmp	family_redline
behavioral1/memory/508-186-0x000000000041C5D6-mapping.dmp	family_redline
behavioral1/memory/1096-198-0x000000000041C5D6-mapping.dmp	family_redline
behavioral1/memory/1096-207-0x0000000004F80000-0x0000000005586000-memory.dmp	family_redline
behavioral1/memory/3648-209-0x000000000041C5D6-mapping.dmp	family_redline
behavioral1/memory/3648-218-0x0000000004C40000-0x0000000005246000-memory.dmp	family_redline
behavioral1/memory/3172-220-0x000000000041C5D6-mapping.dmp	family_redline
behavioral1/memory/3172-229-0x0000000004CE0000-0x00000000052E6000-memory.dmp	family_redline
behavioral1/memory/1652-246-0x000000000041C5D6-mapping.dmp	family_redline
behavioral1/memory/1652-255-0x0000000004EE0000-0x00000000054E6000-memory.dmp	family_redline
behavioral1/memory/68-257-0x000000000041C5D6-mapping.dmp	family_redline
behavioral1/memory/1620-268-0x000000000041C5D6-mapping.dmp	family_redline
behavioral1/memory/1620-277-0x0000000004F20000-0x0000000005526000-memory.dmp	family_redline
behavioral1/memory/3976-279-0x000000000041C5D6-mapping.dmp	family_redline
behavioral1/memory/380-290-0x000000000041C5D6-mapping.dmp	family_redline
behavioral1/memory/380-299-0x0000000004E30000-0x0000000005436000-memory.dmp	family_redline
behavioral1/memory/3180-301-0x000000000041C5D6-mapping.dmp	family_redline
behavioral1/memory/3180-310-0x0000000004D30000-0x0000000005336000-memory.dmp	family_redline
behavioral1/memory/3968-313-0x000000000041C5D6-mapping.dmp	family_redline
behavioral1/memory/3968-322-0x00000000057B0000-0x0000000005DB6000-memory.dmp	family_redline
behavioral1/memory/904-326-0x000000000041C5D6-mapping.dmp	family_redline
behavioral1/memory/2572-338-0x000000000041C5D6-mapping.dmp	family_redline
behavioral1/memory/2572-347-0x0000000005730000-0x0000000005D36000-memory.dmp	family_redline
behavioral1/memory/4152-350-0x000000000041C5D6-mapping.dmp	family_redline
behavioral1/memory/4244-362-0x000000000041C5D6-mapping.dmp	family_redline
behavioral1/memory/4332-374-0x000000000041C5D6-mapping.dmp	family_redline
behavioral1/memory/4356-385-0x000000000041C5D6-mapping.dmp	family_redline
behavioral1/memory/4356-394-0x0000000005380000-0x0000000005986000-memory.dmp	family_redline
behavioral1/memory/4428-396-0x000000000041C5D6-mapping.dmp	family_redline
behavioral1/memory/4568-415-0x000000000041C5D6-mapping.dmp	family_redline
behavioral1/memory/4744-426-0x000000000041C5D6-mapping.dmp	family_redline
behavioral1/memory/4800-437-0x000000000041C5D6-mapping.dmp	family_redline
behavioral1/memory/4876-448-0x000000000041C5D6-mapping.dmp	family_redline
behavioral1/memory/4876-457-0x00000000053F0000-0x00000000059F6000-memory.dmp	family_redline
behavioral1/memory/4948-459-0x000000000041C5D6-mapping.dmp	family_redline
behavioral1/memory/4948-468-0x0000000004CE0000-0x00000000052E6000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Executes dropped EXE 41 IoCs

Processes:

159C.exe224F.exesvchost.exe35D8.exe224F.exe224F.exe224F.exe224F.exe224F.exe224F.exe224F.exesvchost.exe224F.exe224F.exe224F.exe224F.exe224F.exe224F.exe224F.exe224F.exe224F.exe224F.exe224F.exe224F.exe224F.exe224F.exe224F.exe224F.exe224F.exe224F.exe224F.exe224F.exe224F.exe224F.exe224F.exe224F.exe224F.exe224F.exe224F.exe224F.exe224F.exe

pid	Process
204	159C.exe
2252	224F.exe
3652	svchost.exe
4076	35D8.exe
3648	224F.exe
1616	224F.exe
508	224F.exe
1096	224F.exe
3648	224F.exe
3172	224F.exe
696	224F.exe
3300	svchost.exe
3840	224F.exe
1652	224F.exe
68	224F.exe
1620	224F.exe
3976	224F.exe
380	224F.exe
3180	224F.exe
3964	224F.exe
3968	224F.exe
3868	224F.exe
2164	224F.exe
904	224F.exe
2164	224F.exe
2572	224F.exe
2516	224F.exe
4152	224F.exe
4180	224F.exe
4244	224F.exe
4268	224F.exe
4332	224F.exe
4356	224F.exe
4428	224F.exe
4500	224F.exe
4568	224F.exe
4744	224F.exe
4800	224F.exe
4876	224F.exe
4948	224F.exe
5020	224F.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

35D8.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	35D8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	35D8.exe

Deletes itself 1 IoCs

Processes:

pid	Process
2536

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/files/0x000300000001561c-143.dat	themida
behavioral1/files/0x000300000001561c-144.dat	themida
behavioral1/memory/4076-149-0x0000000000CE0000-0x0000000000CE1000-memory.dmp	themida

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

159C.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run	159C.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\svchost.exe\" -start"	159C.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

35D8.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	35D8.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	Process
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\F:	svchost.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
26	geoiptool.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

35D8.exe

pid	Process
4076	35D8.exe

Suspicious use of SetThreadContext 25 IoCs

Processes:

49a44d2ebaf37e4b23896a3630261d7b9f79246fcbad35994159b35983f178dd.exe224F.exe

description	pid	Process	procid_target
PID 764 set thread context of 736	764	49a44d2ebaf37e4b23896a3630261d7b9f79246fcbad35994159b35983f178dd.exe	75
PID 2252 set thread context of 1616	2252	224F.exe	88
PID 2252 set thread context of 508	2252	224F.exe	92
PID 2252 set thread context of 1096	2252	224F.exe	95
PID 2252 set thread context of 3648	2252	224F.exe	101
PID 2252 set thread context of 3172	2252	224F.exe	102
PID 2252 set thread context of 1652	2252	224F.exe	124
PID 2252 set thread context of 68	2252	224F.exe	125
PID 2252 set thread context of 1620	2252	224F.exe	126
PID 2252 set thread context of 3976	2252	224F.exe	127
PID 2252 set thread context of 380	2252	224F.exe	128
PID 2252 set thread context of 3180	2252	224F.exe	129
PID 2252 set thread context of 3968	2252	224F.exe	131
PID 2252 set thread context of 904	2252	224F.exe	134
PID 2252 set thread context of 2572	2252	224F.exe	136
PID 2252 set thread context of 4152	2252	224F.exe	138
PID 2252 set thread context of 4244	2252	224F.exe	140
PID 2252 set thread context of 4332	2252	224F.exe	142
PID 2252 set thread context of 4356	2252	224F.exe	143
PID 2252 set thread context of 4428	2252	224F.exe	144
PID 2252 set thread context of 4568	2252	224F.exe	146
PID 2252 set thread context of 4744	2252	224F.exe	148
PID 2252 set thread context of 4800	2252	224F.exe	149
PID 2252 set thread context of 4876	2252	224F.exe	150
PID 2252 set thread context of 4948	2252	224F.exe	151

Drops file in Program Files directory 64 IoCs

Processes:

svchost.exe

description	ioc	Process
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-125_8wekyb3d8bbwe\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-black\MedTile.scale-125.png	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Spacer\7px.png	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\55.png	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup-impl_zh_CN.jar	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-pl.xrm-ms.payfast290.286-6EA-0C8	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBUI6.CHM.payfast290.286-6EA-0C8	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-180.png	svchost.exe
File created	C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Western\mask\mask_corners_queen.png	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\jsse.jar	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-pl.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ul-oob.xrm-ms.payfast290.286-6EA-0C8	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ul-oob.xrm-ms.payfast290.286-6EA-0C8	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ExcelCtxUIFormulaBarModel.bin	svchost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SONORA\SONORA.INF	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\resources.pri	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\high-contrast.css.payfast290.286-6EA-0C8	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_EnterpriseSub_Bypass30-ppd.xrm-ms.payfast290.286-6EA-0C8	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-ppd.xrm-ms.payfast290.286-6EA-0C8	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\shadow.png	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\LargeTile.scale-125.png	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-60_altform-unplated_contrast-white.png	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\PremiumEdition_PopUp2.png	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\TYPE.WAV.payfast290.286-6EA-0C8	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ro\msipc.dll.mui	svchost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\Audio-48.png.payfast290.286-6EA-0C8	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubSmallTile.scale-125_contrast-black.png	svchost.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.DailyChallenges\Assets\Tab\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-api-progress_zh_CN.jar.payfast290.286-6EA-0C8	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_KMS_Client_AE-ul.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Author2String.XSL.payfast290.286-6EA-0C8	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-125_8wekyb3d8bbwe\AppxManifest.xml	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\202.png	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\TEE\en-US.Messaging.config	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Glow Edge.eftx	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-ul-oob.xrm-ms.payfast290.286-6EA-0C8	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\VBUI6.CHM	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-ul-oob.xrm-ms.payfast290.286-6EA-0C8	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Grace-ppd.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-100.png	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\feature.xml	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.net.nl_zh_4.4.0.v20140623020002.jar	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\org-openide-compat.xml_hidden	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ul-phn.xrm-ms	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ul-phn.xrm-ms.payfast290.286-6EA-0C8	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-pl.xrm-ms.payfast290.286-6EA-0C8	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CASCADE\CASCADE.INF	svchost.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fa\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\ext\sunpkcs11.jar	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\OSPP.HTM.payfast290.286-6EA-0C8	svchost.exe
File created	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\resources.pri	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemeCreation\themes_page_menu_button.jpg	svchost.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Livetiles\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.updatechecker_1.1.200.v20131119-0908.jar.payfast290.286-6EA-0C8	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerActionExceptionHandlers.exsd.payfast290.286-6EA-0C8	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.fr-fr.xml.payfast290.286-6EA-0C8	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-pl.xrm-ms.payfast290.286-6EA-0C8	svchost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL120.XML	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\StopwatchWideTile.scale-125.png	svchost.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\W0.png	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
2300	508	WerFault.exe	92

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

49a44d2ebaf37e4b23896a3630261d7b9f79246fcbad35994159b35983f178dd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	49a44d2ebaf37e4b23896a3630261d7b9f79246fcbad35994159b35983f178dd.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	49a44d2ebaf37e4b23896a3630261d7b9f79246fcbad35994159b35983f178dd.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	49a44d2ebaf37e4b23896a3630261d7b9f79246fcbad35994159b35983f178dd.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exe

pid	Process
1504	vssadmin.exe
3972	vssadmin.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

159C.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	159C.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	159C.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

49a44d2ebaf37e4b23896a3630261d7b9f79246fcbad35994159b35983f178dd.exe

pid	Process
736	49a44d2ebaf37e4b23896a3630261d7b9f79246fcbad35994159b35983f178dd.exe
736	49a44d2ebaf37e4b23896a3630261d7b9f79246fcbad35994159b35983f178dd.exe
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid	Process
2536

Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

49a44d2ebaf37e4b23896a3630261d7b9f79246fcbad35994159b35983f178dd.exe

pid	Process
736	49a44d2ebaf37e4b23896a3630261d7b9f79246fcbad35994159b35983f178dd.exe
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536
2536

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

159C.exeWMIC.exeWMIC.exe

description	pid	Process
Token: SeShutdownPrivilege	2536
Token: SeCreatePagefilePrivilege	2536
Token: SeShutdownPrivilege	2536
Token: SeCreatePagefilePrivilege	2536
Token: SeShutdownPrivilege	2536
Token: SeCreatePagefilePrivilege	2536
Token: SeShutdownPrivilege	2536
Token: SeCreatePagefilePrivilege	2536
Token: SeDebugPrivilege	204	159C.exe
Token: SeDebugPrivilege	204	159C.exe
Token: SeShutdownPrivilege	2536
Token: SeCreatePagefilePrivilege	2536
Token: SeShutdownPrivilege	2536
Token: SeCreatePagefilePrivilege	2536
Token: SeShutdownPrivilege	2536
Token: SeCreatePagefilePrivilege	2536
Token: SeShutdownPrivilege	2536
Token: SeCreatePagefilePrivilege	2536
Token: SeShutdownPrivilege	2536
Token: SeCreatePagefilePrivilege	2536
Token: SeShutdownPrivilege	2536
Token: SeCreatePagefilePrivilege	2536
Token: SeIncreaseQuotaPrivilege	4024	WMIC.exe
Token: SeSecurityPrivilege	4024	WMIC.exe
Token: SeTakeOwnershipPrivilege	4024	WMIC.exe
Token: SeLoadDriverPrivilege	4024	WMIC.exe
Token: SeSystemProfilePrivilege	4024	WMIC.exe
Token: SeSystemtimePrivilege	4024	WMIC.exe
Token: SeProfSingleProcessPrivilege	4024	WMIC.exe
Token: SeIncBasePriorityPrivilege	4024	WMIC.exe
Token: SeCreatePagefilePrivilege	4024	WMIC.exe
Token: SeBackupPrivilege	4024	WMIC.exe
Token: SeRestorePrivilege	4024	WMIC.exe
Token: SeShutdownPrivilege	4024	WMIC.exe
Token: SeDebugPrivilege	4024	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4024	WMIC.exe
Token: SeRemoteShutdownPrivilege	4024	WMIC.exe
Token: SeUndockPrivilege	4024	WMIC.exe
Token: SeManageVolumePrivilege	4024	WMIC.exe
Token: 33	4024	WMIC.exe
Token: 34	4024	WMIC.exe
Token: 35	4024	WMIC.exe
Token: 36	4024	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3468	WMIC.exe
Token: SeSecurityPrivilege	3468	WMIC.exe
Token: SeTakeOwnershipPrivilege	3468	WMIC.exe
Token: SeLoadDriverPrivilege	3468	WMIC.exe
Token: SeSystemProfilePrivilege	3468	WMIC.exe
Token: SeSystemtimePrivilege	3468	WMIC.exe
Token: SeProfSingleProcessPrivilege	3468	WMIC.exe
Token: SeIncBasePriorityPrivilege	3468	WMIC.exe
Token: SeCreatePagefilePrivilege	3468	WMIC.exe
Token: SeBackupPrivilege	3468	WMIC.exe
Token: SeRestorePrivilege	3468	WMIC.exe
Token: SeShutdownPrivilege	3468	WMIC.exe
Token: SeDebugPrivilege	3468	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3468	WMIC.exe
Token: SeRemoteShutdownPrivilege	3468	WMIC.exe
Token: SeUndockPrivilege	3468	WMIC.exe
Token: SeManageVolumePrivilege	3468	WMIC.exe
Token: 33	3468	WMIC.exe
Token: 34	3468	WMIC.exe
Token: 35	3468	WMIC.exe
Token: 36	3468	WMIC.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid	Process
2536

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

49a44d2ebaf37e4b23896a3630261d7b9f79246fcbad35994159b35983f178dd.exe224F.exe159C.exe

description	pid	Process	procid_target
PID 764 wrote to memory of 736	764	49a44d2ebaf37e4b23896a3630261d7b9f79246fcbad35994159b35983f178dd.exe	75
PID 764 wrote to memory of 736	764	49a44d2ebaf37e4b23896a3630261d7b9f79246fcbad35994159b35983f178dd.exe	75
PID 764 wrote to memory of 736	764	49a44d2ebaf37e4b23896a3630261d7b9f79246fcbad35994159b35983f178dd.exe	75
PID 764 wrote to memory of 736	764	49a44d2ebaf37e4b23896a3630261d7b9f79246fcbad35994159b35983f178dd.exe	75
PID 764 wrote to memory of 736	764	49a44d2ebaf37e4b23896a3630261d7b9f79246fcbad35994159b35983f178dd.exe	75
PID 764 wrote to memory of 736	764	49a44d2ebaf37e4b23896a3630261d7b9f79246fcbad35994159b35983f178dd.exe	75
PID 2536 wrote to memory of 204	2536		79
PID 2536 wrote to memory of 204	2536		79
PID 2536 wrote to memory of 204	2536		79
PID 2536 wrote to memory of 2252	2536		80
PID 2536 wrote to memory of 2252	2536		80
PID 2536 wrote to memory of 2252	2536		80
PID 2252 wrote to memory of 3648	2252	224F.exe	82
PID 2252 wrote to memory of 3648	2252	224F.exe	82
PID 2252 wrote to memory of 3648	2252	224F.exe	82
PID 204 wrote to memory of 3652	204	159C.exe	83
PID 204 wrote to memory of 3652	204	159C.exe	83
PID 204 wrote to memory of 3652	204	159C.exe	83
PID 204 wrote to memory of 2196	204	159C.exe	84
PID 204 wrote to memory of 2196	204	159C.exe	84
PID 204 wrote to memory of 2196	204	159C.exe	84
PID 204 wrote to memory of 2196	204	159C.exe	84
PID 204 wrote to memory of 2196	204	159C.exe	84
PID 204 wrote to memory of 2196	204	159C.exe	84
PID 2536 wrote to memory of 4076	2536		85
PID 2536 wrote to memory of 4076	2536		85
PID 2536 wrote to memory of 4076	2536		85
PID 2536 wrote to memory of 1832	2536		87
PID 2536 wrote to memory of 1832	2536		87
PID 2536 wrote to memory of 1832	2536		87
PID 2536 wrote to memory of 1832	2536		87
PID 2252 wrote to memory of 1616	2252	224F.exe	88
PID 2252 wrote to memory of 1616	2252	224F.exe	88
PID 2252 wrote to memory of 1616	2252	224F.exe	88
PID 2536 wrote to memory of 3976	2536		89
PID 2536 wrote to memory of 3976	2536		89
PID 2536 wrote to memory of 3976	2536		89
PID 2536 wrote to memory of 1004	2536		90
PID 2536 wrote to memory of 1004	2536		90
PID 2536 wrote to memory of 1004	2536		90
PID 2536 wrote to memory of 1004	2536		90
PID 2536 wrote to memory of 1300	2536		91
PID 2536 wrote to memory of 1300	2536		91
PID 2536 wrote to memory of 1300	2536		91
PID 2252 wrote to memory of 1616	2252	224F.exe	88
PID 2252 wrote to memory of 1616	2252	224F.exe	88
PID 2252 wrote to memory of 1616	2252	224F.exe	88
PID 2252 wrote to memory of 1616	2252	224F.exe	88
PID 2252 wrote to memory of 1616	2252	224F.exe	88
PID 2252 wrote to memory of 508	2252	224F.exe	92
PID 2252 wrote to memory of 508	2252	224F.exe	92
PID 2252 wrote to memory of 508	2252	224F.exe	92
PID 2536 wrote to memory of 1840	2536		93
PID 2536 wrote to memory of 1840	2536		93
PID 2536 wrote to memory of 1840	2536		93
PID 2536 wrote to memory of 1840	2536		93
PID 2536 wrote to memory of 768	2536		94
PID 2536 wrote to memory of 768	2536		94
PID 2536 wrote to memory of 768	2536		94
PID 2252 wrote to memory of 508	2252	224F.exe	92
PID 2252 wrote to memory of 508	2252	224F.exe	92
PID 2252 wrote to memory of 508	2252	224F.exe	92
PID 2252 wrote to memory of 508	2252	224F.exe	92
PID 2252 wrote to memory of 508	2252	224F.exe	92

C:\Users\Admin\AppData\Local\Temp\49a44d2ebaf37e4b23896a3630261d7b9f79246fcbad35994159b35983f178dd.exe
"C:\Users\Admin\AppData\Local\Temp\49a44d2ebaf37e4b23896a3630261d7b9f79246fcbad35994159b35983f178dd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:764
- C:\Users\Admin\AppData\Local\Temp\49a44d2ebaf37e4b23896a3630261d7b9f79246fcbad35994159b35983f178dd.exe
  "C:\Users\Admin\AppData\Local\Temp\49a44d2ebaf37e4b23896a3630261d7b9f79246fcbad35994159b35983f178dd.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:736

C:\Users\Admin\AppData\Local\Temp\159C.exe
C:\Users\Admin\AppData\Local\Temp\159C.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:204
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -start
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  PID:3652
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
    3⤵
    PID:2360
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4024
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
    3⤵
    PID:3908
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:2212
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
    3⤵
    PID:2064
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:1504
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
    3⤵
    PID:3960
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3468
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:3972
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe" -agent 0
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:3300
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:2244
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe
  2⤵
  PID:2196

C:\Users\Admin\AppData\Local\Temp\224F.exe
C:\Users\Admin\AppData\Local\Temp\224F.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Users\Admin\AppData\Local\Temp\224F.exe
  C:\Users\Admin\AppData\Local\Temp\224F.exe
  2⤵
  - Executes dropped EXE
  PID:3648
- C:\Users\Admin\AppData\Local\Temp\224F.exe
  C:\Users\Admin\AppData\Local\Temp\224F.exe
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Users\Admin\AppData\Local\Temp\224F.exe
  C:\Users\Admin\AppData\Local\Temp\224F.exe
  2⤵
  - Executes dropped EXE
  PID:508
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 508 -s 24
    3⤵
    - Program crash
    PID:2300
- C:\Users\Admin\AppData\Local\Temp\224F.exe
  C:\Users\Admin\AppData\Local\Temp\224F.exe
  2⤵
  - Executes dropped EXE
  PID:1096
- C:\Users\Admin\AppData\Local\Temp\224F.exe
  C:\Users\Admin\AppData\Local\Temp\224F.exe
  2⤵
  - Executes dropped EXE
  PID:3648
- C:\Users\Admin\AppData\Local\Temp\224F.exe
  C:\Users\Admin\AppData\Local\Temp\224F.exe
  2⤵
  - Executes dropped EXE
  PID:3172
- C:\Users\Admin\AppData\Local\Temp\224F.exe
  C:\Users\Admin\AppData\Local\Temp\224F.exe
  2⤵
  - Executes dropped EXE
  PID:696
- C:\Users\Admin\AppData\Local\Temp\224F.exe
  C:\Users\Admin\AppData\Local\Temp\224F.exe
  2⤵
  - Executes dropped EXE
  PID:3840
- C:\Users\Admin\AppData\Local\Temp\224F.exe
  C:\Users\Admin\AppData\Local\Temp\224F.exe
  2⤵
  - Executes dropped EXE
  PID:1652
- C:\Users\Admin\AppData\Local\Temp\224F.exe
  C:\Users\Admin\AppData\Local\Temp\224F.exe
  2⤵
  - Executes dropped EXE
  PID:68
- C:\Users\Admin\AppData\Local\Temp\224F.exe
  C:\Users\Admin\AppData\Local\Temp\224F.exe
  2⤵
  - Executes dropped EXE
  PID:1620
- C:\Users\Admin\AppData\Local\Temp\224F.exe
  C:\Users\Admin\AppData\Local\Temp\224F.exe
  2⤵
  - Executes dropped EXE
  PID:3976
- C:\Users\Admin\AppData\Local\Temp\224F.exe
  C:\Users\Admin\AppData\Local\Temp\224F.exe
  2⤵
  - Executes dropped EXE
  PID:380
- C:\Users\Admin\AppData\Local\Temp\224F.exe
  C:\Users\Admin\AppData\Local\Temp\224F.exe
  2⤵
  - Executes dropped EXE
  PID:3180
- C:\Users\Admin\AppData\Local\Temp\224F.exe
  C:\Users\Admin\AppData\Local\Temp\224F.exe
  2⤵
  - Executes dropped EXE
  PID:3964
- C:\Users\Admin\AppData\Local\Temp\224F.exe
  C:\Users\Admin\AppData\Local\Temp\224F.exe
  2⤵
  - Executes dropped EXE
  PID:3968
- C:\Users\Admin\AppData\Local\Temp\224F.exe
  C:\Users\Admin\AppData\Local\Temp\224F.exe
  2⤵
  - Executes dropped EXE
  PID:3868
- C:\Users\Admin\AppData\Local\Temp\224F.exe
  C:\Users\Admin\AppData\Local\Temp\224F.exe
  2⤵
  - Executes dropped EXE
  PID:2164
- C:\Users\Admin\AppData\Local\Temp\224F.exe
  C:\Users\Admin\AppData\Local\Temp\224F.exe
  2⤵
  - Executes dropped EXE
  PID:904
- C:\Users\Admin\AppData\Local\Temp\224F.exe
  C:\Users\Admin\AppData\Local\Temp\224F.exe
  2⤵
  - Executes dropped EXE
  PID:2164
- C:\Users\Admin\AppData\Local\Temp\224F.exe
  C:\Users\Admin\AppData\Local\Temp\224F.exe
  2⤵
  - Executes dropped EXE
  PID:2572
- C:\Users\Admin\AppData\Local\Temp\224F.exe
  C:\Users\Admin\AppData\Local\Temp\224F.exe
  2⤵
  - Executes dropped EXE
  PID:2516
- C:\Users\Admin\AppData\Local\Temp\224F.exe
  C:\Users\Admin\AppData\Local\Temp\224F.exe
  2⤵
  - Executes dropped EXE
  PID:4152
- C:\Users\Admin\AppData\Local\Temp\224F.exe
  C:\Users\Admin\AppData\Local\Temp\224F.exe
  2⤵
  - Executes dropped EXE
  PID:4180
- C:\Users\Admin\AppData\Local\Temp\224F.exe
  C:\Users\Admin\AppData\Local\Temp\224F.exe
  2⤵
  - Executes dropped EXE
  PID:4244
- C:\Users\Admin\AppData\Local\Temp\224F.exe
  C:\Users\Admin\AppData\Local\Temp\224F.exe
  2⤵
  - Executes dropped EXE
  PID:4268
- C:\Users\Admin\AppData\Local\Temp\224F.exe
  C:\Users\Admin\AppData\Local\Temp\224F.exe
  2⤵
  - Executes dropped EXE
  PID:4332
- C:\Users\Admin\AppData\Local\Temp\224F.exe
  C:\Users\Admin\AppData\Local\Temp\224F.exe
  2⤵
  - Executes dropped EXE
  PID:4356
- C:\Users\Admin\AppData\Local\Temp\224F.exe
  C:\Users\Admin\AppData\Local\Temp\224F.exe
  2⤵
  - Executes dropped EXE
  PID:4428
- C:\Users\Admin\AppData\Local\Temp\224F.exe
  C:\Users\Admin\AppData\Local\Temp\224F.exe
  2⤵
  - Executes dropped EXE
  PID:4500
- C:\Users\Admin\AppData\Local\Temp\224F.exe
  C:\Users\Admin\AppData\Local\Temp\224F.exe
  2⤵
  - Executes dropped EXE
  PID:4568
- C:\Users\Admin\AppData\Local\Temp\224F.exe
  C:\Users\Admin\AppData\Local\Temp\224F.exe
  2⤵
  - Executes dropped EXE
  PID:4744
- C:\Users\Admin\AppData\Local\Temp\224F.exe
  C:\Users\Admin\AppData\Local\Temp\224F.exe
  2⤵
  - Executes dropped EXE
  PID:4800
- C:\Users\Admin\AppData\Local\Temp\224F.exe
  C:\Users\Admin\AppData\Local\Temp\224F.exe
  2⤵
  - Executes dropped EXE
  PID:4876
- C:\Users\Admin\AppData\Local\Temp\224F.exe
  C:\Users\Admin\AppData\Local\Temp\224F.exe
  2⤵
  - Executes dropped EXE
  PID:4948
- C:\Users\Admin\AppData\Local\Temp\224F.exe
  C:\Users\Admin\AppData\Local\Temp\224F.exe
  2⤵
  - Executes dropped EXE
  PID:5020
- C:\Users\Admin\AppData\Local\Temp\224F.exe
  C:\Users\Admin\AppData\Local\Temp\224F.exe
  2⤵
  PID:5100

C:\Users\Admin\AppData\Local\Temp\35D8.exe
C:\Users\Admin\AppData\Local\Temp\35D8.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4076

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1832

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3976

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1004

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1300

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1840

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:768

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3844

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1216

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:204

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2236

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
bc382383b6c90d20dba3f58aa0f40ade

SHA1
b626e4d049d88702236910b302c955eecc8c7d5f

SHA256
bf25937b534e738f02e5ec01592dd9a72d79e67bc32f3a5e157a0608f5bbd117

SHA512
651e85acf56ec7bffdc10941ba3bcebea5aede44d479e4db5d61160de2b975c484499a95564adaf90f350d6a1bf3aa97774019f1464045114cbb97806fc76c2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
a2981517afbb3ebe48d2168b07274f47

SHA1
78e0fa382ca97436ec5c43209a2e391b41d356ab

SHA256
f5ef795d1577213ce930034afc93387232cc95dfe53db40db0ed65fbb44bcfae

SHA512
4e939a2270036ebf0eaec96ba231eb38cb4e2389064a30e5f3b9e5e5581d363ab934431e69978e015f25f3352d17e3b3242d02357aa034838a94912fa8d6ba15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
0465994d32988b4ff5811340c4905188

SHA1
7b4043cbd9509bc78b08863ad22b720632686785

SHA256
b33b95c79ca7fc2da4e43282f29ec14db42bdafd53c8888de793cea52caa20bb

SHA512
04654263a6391c84e0fd230a992dbd107f905599a066d124055591ce19a9d74b61627bb9d4dc9df89f396b12f795b649f0331e4aad39304a5ad0e0bccc36ad43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB

MD5
551dbc17ee3b7732dc245e2a0be9f7c3

SHA1
4541dcacdf00d7a2393b9d0d17c10afd10d9322e

SHA256
e41208f31e5c2f117ed18adce2ce767b73ceea29976ce4375de0f01ab11991d6

SHA512
d45228116f13930b89ded2a6da5d80bf630a74d4dca2abd2af3508220030d92838a77ddad453fd8fe940b13b8c98a3c099416c59f5794e750242a51d5b48b1d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE

MD5
3a31fbc8532ebadaf6357fbc82a6bd67

SHA1
f4a15a394ae728c71952100394132044013cce06

SHA256
2b33dac3bccf8ddedcc1a18e5e8e28e4771b18f73667f92fdd2e88f5243fbaf4

SHA512
d9da05a9ec2ed8ce1185853e5b95f249ebd647c2d6b36f07a752fe3d44fc447a923f85502515b5ed976147db98cd8e751c325116b83898161192951da05167c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

MD5
3aaee10ca7e4a19166078c0ef1f0f5a6

SHA1
40690757f6eaf15df0f476d949c3ecf30c810a02

SHA256
62178d5bc51e17705037cb06c42d7fe3fadb5cce5d5fe59a498bd52ea20bcd7f

SHA512
2f16a015086c8ed4568539b1eb14da190814d01db10ff8ade75f1f8e3c95a1f1009f1f8deaa95c70cf2ed8c7bbed63d41d426ec73c44a81a5f92e3d3ac2fd66c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DRMDU4BX\SQ2O3Q9M.htm

MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZIIA2USJ\XJKWEDFI.htm

MD5
8615e70875c2cc0b9db16027b9adf11d

SHA1
4ed62cf405311c0ff562a3c59334a15ddc4f1bf9

SHA256
da96949ba6b0567343f144486505c8c8fa1d892fd88c9cbc3ef3d751a570724d

SHA512
cd9dfc88dc2af9438b7d6b618d1b62029b3bdf739fc4daa5b37397afd12c4528561b3bf2fc3f3f2adf3fd1f582d5524332441fd30248fcd078e41aa91e17cb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\159C.exe

MD5
bdfde890a781bf135e6eb4339ff9424f

SHA1
a5bfca4601242d3ff52962432efb15ab9202217f

SHA256
b7972505fc2b3b41383bc9022824130ef912145ff1d858555536df477c3a59f5

SHA512
7af519bbda4994a15789520a56b4a961187aa64ef284830a0e8a083cb5257f9606a7e4647278ce9e2c01995f627dc83aa0750b9f7a1273218618f65af0f2a15b

Download Submit
C:\Users\Admin\AppData\Local\Temp\159C.exe

MD5
bdfde890a781bf135e6eb4339ff9424f

SHA1
a5bfca4601242d3ff52962432efb15ab9202217f

SHA256
b7972505fc2b3b41383bc9022824130ef912145ff1d858555536df477c3a59f5

SHA512
7af519bbda4994a15789520a56b4a961187aa64ef284830a0e8a083cb5257f9606a7e4647278ce9e2c01995f627dc83aa0750b9f7a1273218618f65af0f2a15b

Download Submit
C:\Users\Admin\AppData\Local\Temp\224F.exe

MD5
50a7bfcb37b976a83198d898f84964ea

SHA1
14c5904f2c5bb51b6080601bf65bc596467fadd9

SHA256
64e5603d7ac40429fba169b50ae624af16f9b4590d535c44ce3163bbeaedb516

SHA512
c4b18f701226a90c1e194c335831ad7cf23bcdb9611dba65b14c97c108bbbfb88f95290e2d9c50e18dde917a279acf00b32af8308d2b0fd7e8cf90cf8aa14e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\224F.exe

MD5
50a7bfcb37b976a83198d898f84964ea

SHA1
14c5904f2c5bb51b6080601bf65bc596467fadd9

SHA256
64e5603d7ac40429fba169b50ae624af16f9b4590d535c44ce3163bbeaedb516

SHA512
c4b18f701226a90c1e194c335831ad7cf23bcdb9611dba65b14c97c108bbbfb88f95290e2d9c50e18dde917a279acf00b32af8308d2b0fd7e8cf90cf8aa14e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\224F.exe

MD5
50a7bfcb37b976a83198d898f84964ea

SHA1
14c5904f2c5bb51b6080601bf65bc596467fadd9

SHA256
64e5603d7ac40429fba169b50ae624af16f9b4590d535c44ce3163bbeaedb516

SHA512
c4b18f701226a90c1e194c335831ad7cf23bcdb9611dba65b14c97c108bbbfb88f95290e2d9c50e18dde917a279acf00b32af8308d2b0fd7e8cf90cf8aa14e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\224F.exe

MD5
50a7bfcb37b976a83198d898f84964ea

SHA1
14c5904f2c5bb51b6080601bf65bc596467fadd9

SHA256
64e5603d7ac40429fba169b50ae624af16f9b4590d535c44ce3163bbeaedb516

SHA512
c4b18f701226a90c1e194c335831ad7cf23bcdb9611dba65b14c97c108bbbfb88f95290e2d9c50e18dde917a279acf00b32af8308d2b0fd7e8cf90cf8aa14e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\224F.exe

MD5
50a7bfcb37b976a83198d898f84964ea

SHA1
14c5904f2c5bb51b6080601bf65bc596467fadd9

SHA256
64e5603d7ac40429fba169b50ae624af16f9b4590d535c44ce3163bbeaedb516

SHA512
c4b18f701226a90c1e194c335831ad7cf23bcdb9611dba65b14c97c108bbbfb88f95290e2d9c50e18dde917a279acf00b32af8308d2b0fd7e8cf90cf8aa14e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\224F.exe

MD5
50a7bfcb37b976a83198d898f84964ea

SHA1
14c5904f2c5bb51b6080601bf65bc596467fadd9

SHA256
64e5603d7ac40429fba169b50ae624af16f9b4590d535c44ce3163bbeaedb516

SHA512
c4b18f701226a90c1e194c335831ad7cf23bcdb9611dba65b14c97c108bbbfb88f95290e2d9c50e18dde917a279acf00b32af8308d2b0fd7e8cf90cf8aa14e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\224F.exe

MD5
50a7bfcb37b976a83198d898f84964ea

SHA1
14c5904f2c5bb51b6080601bf65bc596467fadd9

SHA256
64e5603d7ac40429fba169b50ae624af16f9b4590d535c44ce3163bbeaedb516

SHA512
c4b18f701226a90c1e194c335831ad7cf23bcdb9611dba65b14c97c108bbbfb88f95290e2d9c50e18dde917a279acf00b32af8308d2b0fd7e8cf90cf8aa14e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\224F.exe

MD5
50a7bfcb37b976a83198d898f84964ea

SHA1
14c5904f2c5bb51b6080601bf65bc596467fadd9

SHA256
64e5603d7ac40429fba169b50ae624af16f9b4590d535c44ce3163bbeaedb516

SHA512
c4b18f701226a90c1e194c335831ad7cf23bcdb9611dba65b14c97c108bbbfb88f95290e2d9c50e18dde917a279acf00b32af8308d2b0fd7e8cf90cf8aa14e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\224F.exe

MD5
50a7bfcb37b976a83198d898f84964ea

SHA1
14c5904f2c5bb51b6080601bf65bc596467fadd9

SHA256
64e5603d7ac40429fba169b50ae624af16f9b4590d535c44ce3163bbeaedb516

SHA512
c4b18f701226a90c1e194c335831ad7cf23bcdb9611dba65b14c97c108bbbfb88f95290e2d9c50e18dde917a279acf00b32af8308d2b0fd7e8cf90cf8aa14e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\224F.exe

MD5
50a7bfcb37b976a83198d898f84964ea

SHA1
14c5904f2c5bb51b6080601bf65bc596467fadd9

SHA256
64e5603d7ac40429fba169b50ae624af16f9b4590d535c44ce3163bbeaedb516

SHA512
c4b18f701226a90c1e194c335831ad7cf23bcdb9611dba65b14c97c108bbbfb88f95290e2d9c50e18dde917a279acf00b32af8308d2b0fd7e8cf90cf8aa14e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\224F.exe

MD5
50a7bfcb37b976a83198d898f84964ea

SHA1
14c5904f2c5bb51b6080601bf65bc596467fadd9

SHA256
64e5603d7ac40429fba169b50ae624af16f9b4590d535c44ce3163bbeaedb516

SHA512
c4b18f701226a90c1e194c335831ad7cf23bcdb9611dba65b14c97c108bbbfb88f95290e2d9c50e18dde917a279acf00b32af8308d2b0fd7e8cf90cf8aa14e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\224F.exe

MD5
50a7bfcb37b976a83198d898f84964ea

SHA1
14c5904f2c5bb51b6080601bf65bc596467fadd9

SHA256
64e5603d7ac40429fba169b50ae624af16f9b4590d535c44ce3163bbeaedb516

SHA512
c4b18f701226a90c1e194c335831ad7cf23bcdb9611dba65b14c97c108bbbfb88f95290e2d9c50e18dde917a279acf00b32af8308d2b0fd7e8cf90cf8aa14e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\224F.exe

MD5
50a7bfcb37b976a83198d898f84964ea

SHA1
14c5904f2c5bb51b6080601bf65bc596467fadd9

SHA256
64e5603d7ac40429fba169b50ae624af16f9b4590d535c44ce3163bbeaedb516

SHA512
c4b18f701226a90c1e194c335831ad7cf23bcdb9611dba65b14c97c108bbbfb88f95290e2d9c50e18dde917a279acf00b32af8308d2b0fd7e8cf90cf8aa14e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\224F.exe

MD5
50a7bfcb37b976a83198d898f84964ea

SHA1
14c5904f2c5bb51b6080601bf65bc596467fadd9

SHA256
64e5603d7ac40429fba169b50ae624af16f9b4590d535c44ce3163bbeaedb516

SHA512
c4b18f701226a90c1e194c335831ad7cf23bcdb9611dba65b14c97c108bbbfb88f95290e2d9c50e18dde917a279acf00b32af8308d2b0fd7e8cf90cf8aa14e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\224F.exe

MD5
50a7bfcb37b976a83198d898f84964ea

SHA1
14c5904f2c5bb51b6080601bf65bc596467fadd9

SHA256
64e5603d7ac40429fba169b50ae624af16f9b4590d535c44ce3163bbeaedb516

SHA512
c4b18f701226a90c1e194c335831ad7cf23bcdb9611dba65b14c97c108bbbfb88f95290e2d9c50e18dde917a279acf00b32af8308d2b0fd7e8cf90cf8aa14e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\224F.exe

MD5
50a7bfcb37b976a83198d898f84964ea

SHA1
14c5904f2c5bb51b6080601bf65bc596467fadd9

SHA256
64e5603d7ac40429fba169b50ae624af16f9b4590d535c44ce3163bbeaedb516

SHA512
c4b18f701226a90c1e194c335831ad7cf23bcdb9611dba65b14c97c108bbbfb88f95290e2d9c50e18dde917a279acf00b32af8308d2b0fd7e8cf90cf8aa14e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\224F.exe

MD5
50a7bfcb37b976a83198d898f84964ea

SHA1
14c5904f2c5bb51b6080601bf65bc596467fadd9

SHA256
64e5603d7ac40429fba169b50ae624af16f9b4590d535c44ce3163bbeaedb516

SHA512
c4b18f701226a90c1e194c335831ad7cf23bcdb9611dba65b14c97c108bbbfb88f95290e2d9c50e18dde917a279acf00b32af8308d2b0fd7e8cf90cf8aa14e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\224F.exe

MD5
50a7bfcb37b976a83198d898f84964ea

SHA1
14c5904f2c5bb51b6080601bf65bc596467fadd9

SHA256
64e5603d7ac40429fba169b50ae624af16f9b4590d535c44ce3163bbeaedb516

SHA512
c4b18f701226a90c1e194c335831ad7cf23bcdb9611dba65b14c97c108bbbfb88f95290e2d9c50e18dde917a279acf00b32af8308d2b0fd7e8cf90cf8aa14e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\224F.exe

MD5
50a7bfcb37b976a83198d898f84964ea

SHA1
14c5904f2c5bb51b6080601bf65bc596467fadd9

SHA256
64e5603d7ac40429fba169b50ae624af16f9b4590d535c44ce3163bbeaedb516

SHA512
c4b18f701226a90c1e194c335831ad7cf23bcdb9611dba65b14c97c108bbbfb88f95290e2d9c50e18dde917a279acf00b32af8308d2b0fd7e8cf90cf8aa14e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\224F.exe

MD5
50a7bfcb37b976a83198d898f84964ea

SHA1
14c5904f2c5bb51b6080601bf65bc596467fadd9

SHA256
64e5603d7ac40429fba169b50ae624af16f9b4590d535c44ce3163bbeaedb516

SHA512
c4b18f701226a90c1e194c335831ad7cf23bcdb9611dba65b14c97c108bbbfb88f95290e2d9c50e18dde917a279acf00b32af8308d2b0fd7e8cf90cf8aa14e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\224F.exe

MD5
50a7bfcb37b976a83198d898f84964ea

SHA1
14c5904f2c5bb51b6080601bf65bc596467fadd9

SHA256
64e5603d7ac40429fba169b50ae624af16f9b4590d535c44ce3163bbeaedb516

SHA512
c4b18f701226a90c1e194c335831ad7cf23bcdb9611dba65b14c97c108bbbfb88f95290e2d9c50e18dde917a279acf00b32af8308d2b0fd7e8cf90cf8aa14e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\224F.exe

MD5
50a7bfcb37b976a83198d898f84964ea

SHA1
14c5904f2c5bb51b6080601bf65bc596467fadd9

SHA256
64e5603d7ac40429fba169b50ae624af16f9b4590d535c44ce3163bbeaedb516

SHA512
c4b18f701226a90c1e194c335831ad7cf23bcdb9611dba65b14c97c108bbbfb88f95290e2d9c50e18dde917a279acf00b32af8308d2b0fd7e8cf90cf8aa14e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\224F.exe

MD5
50a7bfcb37b976a83198d898f84964ea

SHA1
14c5904f2c5bb51b6080601bf65bc596467fadd9

SHA256
64e5603d7ac40429fba169b50ae624af16f9b4590d535c44ce3163bbeaedb516

SHA512
c4b18f701226a90c1e194c335831ad7cf23bcdb9611dba65b14c97c108bbbfb88f95290e2d9c50e18dde917a279acf00b32af8308d2b0fd7e8cf90cf8aa14e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\224F.exe

MD5
50a7bfcb37b976a83198d898f84964ea

SHA1
14c5904f2c5bb51b6080601bf65bc596467fadd9

SHA256
64e5603d7ac40429fba169b50ae624af16f9b4590d535c44ce3163bbeaedb516

SHA512
c4b18f701226a90c1e194c335831ad7cf23bcdb9611dba65b14c97c108bbbfb88f95290e2d9c50e18dde917a279acf00b32af8308d2b0fd7e8cf90cf8aa14e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\224F.exe

MD5
50a7bfcb37b976a83198d898f84964ea

SHA1
14c5904f2c5bb51b6080601bf65bc596467fadd9

SHA256
64e5603d7ac40429fba169b50ae624af16f9b4590d535c44ce3163bbeaedb516

SHA512
c4b18f701226a90c1e194c335831ad7cf23bcdb9611dba65b14c97c108bbbfb88f95290e2d9c50e18dde917a279acf00b32af8308d2b0fd7e8cf90cf8aa14e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\224F.exe

MD5
50a7bfcb37b976a83198d898f84964ea

SHA1
14c5904f2c5bb51b6080601bf65bc596467fadd9

SHA256
64e5603d7ac40429fba169b50ae624af16f9b4590d535c44ce3163bbeaedb516

SHA512
c4b18f701226a90c1e194c335831ad7cf23bcdb9611dba65b14c97c108bbbfb88f95290e2d9c50e18dde917a279acf00b32af8308d2b0fd7e8cf90cf8aa14e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\224F.exe

MD5
50a7bfcb37b976a83198d898f84964ea

SHA1
14c5904f2c5bb51b6080601bf65bc596467fadd9

SHA256
64e5603d7ac40429fba169b50ae624af16f9b4590d535c44ce3163bbeaedb516

SHA512
c4b18f701226a90c1e194c335831ad7cf23bcdb9611dba65b14c97c108bbbfb88f95290e2d9c50e18dde917a279acf00b32af8308d2b0fd7e8cf90cf8aa14e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\224F.exe

MD5
50a7bfcb37b976a83198d898f84964ea

SHA1
14c5904f2c5bb51b6080601bf65bc596467fadd9

SHA256
64e5603d7ac40429fba169b50ae624af16f9b4590d535c44ce3163bbeaedb516

SHA512
c4b18f701226a90c1e194c335831ad7cf23bcdb9611dba65b14c97c108bbbfb88f95290e2d9c50e18dde917a279acf00b32af8308d2b0fd7e8cf90cf8aa14e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\224F.exe

MD5
50a7bfcb37b976a83198d898f84964ea

SHA1
14c5904f2c5bb51b6080601bf65bc596467fadd9

SHA256
64e5603d7ac40429fba169b50ae624af16f9b4590d535c44ce3163bbeaedb516

SHA512
c4b18f701226a90c1e194c335831ad7cf23bcdb9611dba65b14c97c108bbbfb88f95290e2d9c50e18dde917a279acf00b32af8308d2b0fd7e8cf90cf8aa14e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\224F.exe

MD5
50a7bfcb37b976a83198d898f84964ea

SHA1
14c5904f2c5bb51b6080601bf65bc596467fadd9

SHA256
64e5603d7ac40429fba169b50ae624af16f9b4590d535c44ce3163bbeaedb516

SHA512
c4b18f701226a90c1e194c335831ad7cf23bcdb9611dba65b14c97c108bbbfb88f95290e2d9c50e18dde917a279acf00b32af8308d2b0fd7e8cf90cf8aa14e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\224F.exe

MD5
50a7bfcb37b976a83198d898f84964ea

SHA1
14c5904f2c5bb51b6080601bf65bc596467fadd9

SHA256
64e5603d7ac40429fba169b50ae624af16f9b4590d535c44ce3163bbeaedb516

SHA512
c4b18f701226a90c1e194c335831ad7cf23bcdb9611dba65b14c97c108bbbfb88f95290e2d9c50e18dde917a279acf00b32af8308d2b0fd7e8cf90cf8aa14e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\224F.exe

MD5
50a7bfcb37b976a83198d898f84964ea

SHA1
14c5904f2c5bb51b6080601bf65bc596467fadd9

SHA256
64e5603d7ac40429fba169b50ae624af16f9b4590d535c44ce3163bbeaedb516

SHA512
c4b18f701226a90c1e194c335831ad7cf23bcdb9611dba65b14c97c108bbbfb88f95290e2d9c50e18dde917a279acf00b32af8308d2b0fd7e8cf90cf8aa14e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\224F.exe

MD5
50a7bfcb37b976a83198d898f84964ea

SHA1
14c5904f2c5bb51b6080601bf65bc596467fadd9

SHA256
64e5603d7ac40429fba169b50ae624af16f9b4590d535c44ce3163bbeaedb516

SHA512
c4b18f701226a90c1e194c335831ad7cf23bcdb9611dba65b14c97c108bbbfb88f95290e2d9c50e18dde917a279acf00b32af8308d2b0fd7e8cf90cf8aa14e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\224F.exe

MD5
50a7bfcb37b976a83198d898f84964ea

SHA1
14c5904f2c5bb51b6080601bf65bc596467fadd9

SHA256
64e5603d7ac40429fba169b50ae624af16f9b4590d535c44ce3163bbeaedb516

SHA512
c4b18f701226a90c1e194c335831ad7cf23bcdb9611dba65b14c97c108bbbfb88f95290e2d9c50e18dde917a279acf00b32af8308d2b0fd7e8cf90cf8aa14e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\224F.exe

MD5
50a7bfcb37b976a83198d898f84964ea

SHA1
14c5904f2c5bb51b6080601bf65bc596467fadd9

SHA256
64e5603d7ac40429fba169b50ae624af16f9b4590d535c44ce3163bbeaedb516

SHA512
c4b18f701226a90c1e194c335831ad7cf23bcdb9611dba65b14c97c108bbbfb88f95290e2d9c50e18dde917a279acf00b32af8308d2b0fd7e8cf90cf8aa14e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\224F.exe

MD5
50a7bfcb37b976a83198d898f84964ea

SHA1
14c5904f2c5bb51b6080601bf65bc596467fadd9

SHA256
64e5603d7ac40429fba169b50ae624af16f9b4590d535c44ce3163bbeaedb516

SHA512
c4b18f701226a90c1e194c335831ad7cf23bcdb9611dba65b14c97c108bbbfb88f95290e2d9c50e18dde917a279acf00b32af8308d2b0fd7e8cf90cf8aa14e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\224F.exe

MD5
50a7bfcb37b976a83198d898f84964ea

SHA1
14c5904f2c5bb51b6080601bf65bc596467fadd9

SHA256
64e5603d7ac40429fba169b50ae624af16f9b4590d535c44ce3163bbeaedb516

SHA512
c4b18f701226a90c1e194c335831ad7cf23bcdb9611dba65b14c97c108bbbfb88f95290e2d9c50e18dde917a279acf00b32af8308d2b0fd7e8cf90cf8aa14e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\224F.exe

MD5
50a7bfcb37b976a83198d898f84964ea

SHA1
14c5904f2c5bb51b6080601bf65bc596467fadd9

SHA256
64e5603d7ac40429fba169b50ae624af16f9b4590d535c44ce3163bbeaedb516

SHA512
c4b18f701226a90c1e194c335831ad7cf23bcdb9611dba65b14c97c108bbbfb88f95290e2d9c50e18dde917a279acf00b32af8308d2b0fd7e8cf90cf8aa14e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\35D8.exe

MD5
47a68cf6b107308db52aa7335cfe44a4

SHA1
ffcc95c0e88766768e1eb0eed3388f48ce6306f7

SHA256
52d699631ae78b87cc151948a6626394d0a428f8d99004ef5c747c8cc9a56735

SHA512
a46a607a5130b23ed000d585458918e6933f016eb20b916f01e9e3aa065e2ae720ea5922ae2a5b1baf6f890f85c04f69638248e15614815c78355d88c6e61702

Download Submit
C:\Users\Admin\AppData\Local\Temp\35D8.exe

MD5
47a68cf6b107308db52aa7335cfe44a4

SHA1
ffcc95c0e88766768e1eb0eed3388f48ce6306f7

SHA256
52d699631ae78b87cc151948a6626394d0a428f8d99004ef5c747c8cc9a56735

SHA512
a46a607a5130b23ed000d585458918e6933f016eb20b916f01e9e3aa065e2ae720ea5922ae2a5b1baf6f890f85c04f69638248e15614815c78355d88c6e61702

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat

MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe

MD5
bdfde890a781bf135e6eb4339ff9424f

SHA1
a5bfca4601242d3ff52962432efb15ab9202217f

SHA256
b7972505fc2b3b41383bc9022824130ef912145ff1d858555536df477c3a59f5

SHA512
7af519bbda4994a15789520a56b4a961187aa64ef284830a0e8a083cb5257f9606a7e4647278ce9e2c01995f627dc83aa0750b9f7a1273218618f65af0f2a15b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe

MD5
bdfde890a781bf135e6eb4339ff9424f

SHA1
a5bfca4601242d3ff52962432efb15ab9202217f

SHA256
b7972505fc2b3b41383bc9022824130ef912145ff1d858555536df477c3a59f5

SHA512
7af519bbda4994a15789520a56b4a961187aa64ef284830a0e8a083cb5257f9606a7e4647278ce9e2c01995f627dc83aa0750b9f7a1273218618f65af0f2a15b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost.exe

MD5
bdfde890a781bf135e6eb4339ff9424f

SHA1
a5bfca4601242d3ff52962432efb15ab9202217f

SHA256
b7972505fc2b3b41383bc9022824130ef912145ff1d858555536df477c3a59f5

SHA512
7af519bbda4994a15789520a56b4a961187aa64ef284830a0e8a083cb5257f9606a7e4647278ce9e2c01995f627dc83aa0750b9f7a1273218618f65af0f2a15b

Download Submit
memory/68-257-0x000000000041C5D6-mapping.dmp

Download
memory/68-266-0x0000000002E70000-0x0000000002E71000-memory.dmp

Filesize
4KB

Download
memory/204-195-0x0000000002A60000-0x0000000002A65000-memory.dmp

Filesize
20KB

Download
memory/204-194-0x0000000000000000-mapping.dmp

Download
memory/204-196-0x0000000002A50000-0x0000000002A59000-memory.dmp

Filesize
36KB

Download
memory/204-118-0x0000000000000000-mapping.dmp

Download
memory/380-299-0x0000000004E30000-0x0000000005436000-memory.dmp

Filesize
6.0MB

Download
memory/380-290-0x000000000041C5D6-mapping.dmp

Download
memory/508-186-0x000000000041C5D6-mapping.dmp

Download
memory/736-116-0x0000000000402FAB-mapping.dmp

Download
memory/736-115-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/764-114-0x0000000000030000-0x000000000003A000-memory.dmp

Filesize
40KB

Download
memory/768-183-0x0000000000330000-0x0000000000336000-memory.dmp

Filesize
24KB

Download
memory/768-184-0x0000000000320000-0x000000000032C000-memory.dmp

Filesize
48KB

Download
memory/768-182-0x0000000000000000-mapping.dmp

Download
memory/904-326-0x000000000041C5D6-mapping.dmp

Download
memory/904-335-0x0000000002EA0000-0x0000000002EA1000-memory.dmp

Filesize
4KB

Download
memory/1004-166-0x00000000002D0000-0x00000000002DB000-memory.dmp

Filesize
44KB

Download
memory/1004-163-0x00000000002E0000-0x00000000002E7000-memory.dmp

Filesize
28KB

Download
memory/1004-160-0x0000000000000000-mapping.dmp

Download
memory/1096-198-0x000000000041C5D6-mapping.dmp

Download
memory/1096-207-0x0000000004F80000-0x0000000005586000-memory.dmp

Filesize
6.0MB

Download
memory/1216-193-0x0000000000C20000-0x0000000000C29000-memory.dmp

Filesize
36KB

Download
memory/1216-192-0x0000000000C30000-0x0000000000C35000-memory.dmp

Filesize
20KB

Download
memory/1216-191-0x0000000000000000-mapping.dmp

Download
memory/1300-164-0x0000000000000000-mapping.dmp

Download
memory/1300-177-0x0000000001020000-0x0000000001029000-memory.dmp

Filesize
36KB

Download
memory/1300-179-0x0000000001010000-0x000000000101F000-memory.dmp

Filesize
60KB

Download
memory/1504-242-0x0000000000000000-mapping.dmp

Download
memory/1616-165-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1616-180-0x0000000005510000-0x0000000005B16000-memory.dmp

Filesize
6.0MB

Download
memory/1616-167-0x000000000041C5D6-mapping.dmp

Download
memory/1620-277-0x0000000004F20000-0x0000000005526000-memory.dmp

Filesize
6.0MB

Download
memory/1620-268-0x000000000041C5D6-mapping.dmp

Download
memory/1652-246-0x000000000041C5D6-mapping.dmp

Download
memory/1652-255-0x0000000004EE0000-0x00000000054E6000-memory.dmp

Filesize
6.0MB

Download
memory/1832-156-0x0000000002C00000-0x0000000002C6B000-memory.dmp

Filesize
428KB

Download
memory/1832-145-0x0000000000000000-mapping.dmp

Download
memory/1832-155-0x0000000002C70000-0x0000000002CE4000-memory.dmp

Filesize
464KB

Download
memory/1840-181-0x0000000002A70000-0x0000000002A79000-memory.dmp

Filesize
36KB

Download
memory/1840-178-0x0000000002A80000-0x0000000002A85000-memory.dmp

Filesize
20KB

Download
memory/1840-176-0x0000000000000000-mapping.dmp

Download
memory/2064-235-0x0000000000000000-mapping.dmp

Download
memory/2196-141-0x0000000002CE0000-0x0000000002CE1000-memory.dmp

Filesize
4KB

Download
memory/2196-132-0x0000000000000000-mapping.dmp

Download
memory/2212-233-0x0000000000000000-mapping.dmp

Download
memory/2244-234-0x0000000000000000-mapping.dmp

Download
memory/2252-128-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/2252-121-0x0000000000000000-mapping.dmp

Download
memory/2252-127-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/2252-126-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

Filesize
4KB

Download
memory/2252-124-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2360-231-0x0000000000000000-mapping.dmp

Download
memory/2536-117-0x0000000000870000-0x0000000000886000-memory.dmp

Filesize
88KB

Download
memory/2572-347-0x0000000005730000-0x0000000005D36000-memory.dmp

Filesize
6.0MB

Download
memory/2572-338-0x000000000041C5D6-mapping.dmp

Download
memory/3172-220-0x000000000041C5D6-mapping.dmp

Download
memory/3172-229-0x0000000004CE0000-0x00000000052E6000-memory.dmp

Filesize
6.0MB

Download
memory/3180-301-0x000000000041C5D6-mapping.dmp

Download
memory/3180-310-0x0000000004D30000-0x0000000005336000-memory.dmp

Filesize
6.0MB

Download
memory/3300-237-0x0000000000000000-mapping.dmp

Download
memory/3468-241-0x0000000000000000-mapping.dmp

Download
memory/3648-209-0x000000000041C5D6-mapping.dmp

Download
memory/3648-218-0x0000000004C40000-0x0000000005246000-memory.dmp

Filesize
6.0MB

Download
memory/3652-129-0x0000000000000000-mapping.dmp

Download
memory/3844-188-0x0000000000000000-mapping.dmp

Download
memory/3844-190-0x0000000002A50000-0x0000000002A59000-memory.dmp

Filesize
36KB

Download
memory/3844-189-0x0000000002A60000-0x0000000002A64000-memory.dmp

Filesize
16KB

Download
memory/3908-232-0x0000000000000000-mapping.dmp

Download
memory/3960-236-0x0000000000000000-mapping.dmp

Download
memory/3968-322-0x00000000057B0000-0x0000000005DB6000-memory.dmp

Filesize
6.0MB

Download
memory/3968-313-0x000000000041C5D6-mapping.dmp

Download
memory/3972-243-0x0000000000000000-mapping.dmp

Download
memory/3976-151-0x0000000000000000-mapping.dmp

Download
memory/3976-157-0x00000000001F0000-0x00000000001F7000-memory.dmp

Filesize
28KB

Download
memory/3976-158-0x00000000001E0000-0x00000000001EC000-memory.dmp

Filesize
48KB

Download
memory/3976-279-0x000000000041C5D6-mapping.dmp

Download
memory/3976-288-0x0000000005490000-0x0000000005A96000-memory.dmp

Filesize
6.0MB

Download
memory/4024-240-0x0000000000000000-mapping.dmp

Download
memory/4076-148-0x0000000077D80000-0x0000000077F0E000-memory.dmp

Filesize
1.6MB

Download
memory/4076-162-0x0000000005FE0000-0x0000000005FE1000-memory.dmp

Filesize
4KB

Download
memory/4076-149-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/4076-161-0x0000000003F80000-0x0000000003F81000-memory.dmp

Filesize
4KB

Download
memory/4076-152-0x00000000065B0000-0x00000000065B1000-memory.dmp

Filesize
4KB

Download
memory/4076-142-0x0000000000000000-mapping.dmp

Download
memory/4076-153-0x0000000003F20000-0x0000000003F21000-memory.dmp

Filesize
4KB

Download
memory/4076-154-0x00000000060B0000-0x00000000060B1000-memory.dmp

Filesize
4KB

Download
memory/4076-159-0x0000000005FA0000-0x0000000005FA1000-memory.dmp

Filesize
4KB

Download
memory/4152-350-0x000000000041C5D6-mapping.dmp

Download
memory/4152-359-0x0000000004C80000-0x0000000005286000-memory.dmp

Filesize
6.0MB

Download
memory/4244-370-0x0000000005340000-0x0000000005946000-memory.dmp

Filesize
6.0MB

Download
memory/4244-362-0x000000000041C5D6-mapping.dmp

Download
memory/4332-383-0x00000000056B0000-0x0000000005CB6000-memory.dmp

Filesize
6.0MB

Download
memory/4332-374-0x000000000041C5D6-mapping.dmp

Download
memory/4356-394-0x0000000005380000-0x0000000005986000-memory.dmp

Filesize
6.0MB

Download
memory/4356-385-0x000000000041C5D6-mapping.dmp

Download
memory/4428-396-0x000000000041C5D6-mapping.dmp

Download
memory/4428-405-0x0000000005280000-0x0000000005886000-memory.dmp

Filesize
6.0MB

Download
memory/4568-415-0x000000000041C5D6-mapping.dmp

Download
memory/4568-424-0x0000000004E00000-0x0000000005406000-memory.dmp

Filesize
6.0MB

Download
memory/4744-426-0x000000000041C5D6-mapping.dmp

Download
memory/4744-435-0x0000000004D30000-0x0000000005336000-memory.dmp

Filesize
6.0MB

Download
memory/4800-446-0x00000000054F0000-0x0000000005AF6000-memory.dmp

Filesize
6.0MB

Download
memory/4800-437-0x000000000041C5D6-mapping.dmp

Download
memory/4876-448-0x000000000041C5D6-mapping.dmp

Download
memory/4876-457-0x00000000053F0000-0x00000000059F6000-memory.dmp

Filesize
6.0MB

Download
memory/4948-459-0x000000000041C5D6-mapping.dmp

Download
memory/4948-468-0x0000000004CE0000-0x00000000052E6000-memory.dmp

Filesize
6.0MB

Download