buran | 7fc5854433b6ba7716cd9d6b4923869d716fa6580fae0b0c839e698966982b37

Analysis

max time kernel
150s
max time network
131s
platform
windows7_x64
resource
win7-en-20210920
submitted
03-10-2021 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ff6093dab1fcb8aea139a302fa81c7a.exe
Size

266KB
MD5

3ff6093dab1fcb8aea139a302fa81c7a
SHA1

841f9dd1865a74f2b0400f6e117f7e2e58af672a
SHA256

7fc5854433b6ba7716cd9d6b4923869d716fa6580fae0b0c839e698966982b37
SHA512

c28436b5e8429d22949fc0c92333413c1bcb902df5c1bf73bb4620099e666facfcf25a32f7ae3bac53d152a88a6563a896a191251178267dcda90fc6618b9085

Score

10^/10

buran raccoon smokeloader vidar 1031 5ff0ccb2bc00dc52d1ad09949e9c7663bc9ca4d4 �&%>g� _��㢺vyu��a��e:6{k�1�b@�l�/�backdoor discovery evasion persistence ransomware spyware stealer suricata themida trojan

Malware Config

Extracted

Path

C:\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT

Family

buran

Ransom Note

!!! ALL YOUR FILES ARE ENCRYPTED !!! All your files, documents, photos, databases and other important files are encrypted. You are not able to decrypt it by yourself! The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. To be sure we have the decryptor and it works you can send an email: [email protected] and decrypt one file for free. But this file should be of not valuable! Do you really want to restore your files? Write to email: [email protected] Telegram @payransom500 Btc 500$ adress bc1qas8m3c2jv4uyurxacdt99ujj6gp6xt4tqeul8l Your personal ID: 238-B08-B12 Attention! * Do not rename encrypted files. * Do not try to decrypt your data using third party software, it may cause permanent data loss. * Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

[email protected]

Extracted

Family

smokeloader

Version

2020

http://fiskahlilian16.top/

http://paishancho17.top/

http://ydiannetter18.top/

http://azarehanelle19.top/

http://quericeriant20.top/

rc4.i32

Extracted

Family

raccoon

Botnet

5ff0ccb2bc00dc52d1ad09949e9c7663bc9ca4d4

Attributes

url4cnc
https://t.me/agrybirdsgamerept

rc4.plain

Extracted

Family

raccoon

Botnet

�&%>G� _��㢺vyU��A��E:6{k�1�b@�l�/�

Attributes

url4cnc
�cb{K^�WXP�۸��fB:O�۽ԡMw<n'�>�+�d�?�]�e?/s��k�J��6�:��(

rc4.plain

Extracted

Family

vidar

Version

41.1

Botnet

1031

https://mas.to/@bardak1ho

Attributes

profile_id
1031

Signatures

Buran
Ransomware-as-a-service based on the VegaLocker family first identified in 2019.
ransomware buran
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)
suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)
suricata
suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
suricata
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1104-92-0x0000000000220000-0x00000000002F4000-memory.dmp	family_vidar
behavioral1/memory/1104-93-0x0000000000400000-0x00000000004D7000-memory.dmp	family_vidar

Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

A4C.exeC11.exe1508.exe204F.exetaskeng.exetaskeng.exe

pid process

1044 A4C.exe
796 C11.exe
1040 1508.exe
1104 204F.exe
1824 taskeng.exe
1648 taskeng.exe

pid	process
1044	A4C.exe
796	C11.exe
1040	1508.exe
1104	204F.exe
1824	taskeng.exe
1648	taskeng.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

taskeng.exe1508.exetaskeng.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskeng.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	taskeng.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1508.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1508.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskeng.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	taskeng.exe

Deletes itself 1 IoCs

Processes:

pid process

1212

pid	process
1212

Loads dropped DLL 15 IoCs

Processes:

C11.exe1508.exeWerFault.exe

pid	process
796	C11.exe
796	C11.exe
796	C11.exe
796	C11.exe
796	C11.exe
796	C11.exe
796	C11.exe
1040	1508.exe
792	WerFault.exe
792	WerFault.exe
792	WerFault.exe
792	WerFault.exe
792	WerFault.exe
792	WerFault.exe
792	WerFault.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 9 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1508.exe	themida
behavioral1/memory/1040-66-0x0000000000EF0000-0x0000000001545000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\1508.exe	themida
\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe	themida
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe	themida
behavioral1/memory/1824-91-0x0000000000360000-0x00000000009B5000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe	themida
behavioral1/memory/1648-131-0x0000000000360000-0x00000000009B5000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe	themida

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1508.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run	1508.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskeng.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\taskeng.exe\" -start"	1508.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

taskeng.exetaskeng.exe1508.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskeng.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskeng.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1508.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskeng.exe

description	ioc	process
File opened (read-only)	\??\F:	taskeng.exe
File opened (read-only)	\??\E:	taskeng.exe
File opened (read-only)	\??\B:	taskeng.exe
File opened (read-only)	\??\A:	taskeng.exe
File opened (read-only)	\??\Z:	taskeng.exe
File opened (read-only)	\??\R:	taskeng.exe
File opened (read-only)	\??\Q:	taskeng.exe
File opened (read-only)	\??\L:	taskeng.exe
File opened (read-only)	\??\I:	taskeng.exe
File opened (read-only)	\??\G:	taskeng.exe
File opened (read-only)	\??\Y:	taskeng.exe
File opened (read-only)	\??\V:	taskeng.exe
File opened (read-only)	\??\S:	taskeng.exe
File opened (read-only)	\??\N:	taskeng.exe
File opened (read-only)	\??\X:	taskeng.exe
File opened (read-only)	\??\P:	taskeng.exe
File opened (read-only)	\??\K:	taskeng.exe
File opened (read-only)	\??\M:	taskeng.exe
File opened (read-only)	\??\J:	taskeng.exe
File opened (read-only)	\??\H:	taskeng.exe
File opened (read-only)	\??\W:	taskeng.exe
File opened (read-only)	\??\U:	taskeng.exe
File opened (read-only)	\??\T:	taskeng.exe
File opened (read-only)	\??\O:	taskeng.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

30 geoiptool.com
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

1508.exetaskeng.exetaskeng.exe

pid process

1040 1508.exe
1824 taskeng.exe
1648 taskeng.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

3ff6093dab1fcb8aea139a302fa81c7a.exe

description pid process target process

PID 612 set thread context of 1456 612 3ff6093dab1fcb8aea139a302fa81c7a.exe 3ff6093dab1fcb8aea139a302fa81c7a.exe

flow	ioc
30	geoiptool.com

pid	process
1040	1508.exe
1824	taskeng.exe
1648	taskeng.exe

description	pid	process	target process
PID 612 set thread context of 1456	612	3ff6093dab1fcb8aea139a302fa81c7a.exe	3ff6093dab1fcb8aea139a302fa81c7a.exe

Drops file in Program Files directory 64 IoCs

Processes:

taskeng.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL.HXS	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR16F.GIF	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageSmall.jpg	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\[email protected]	taskeng.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_specialocc_Thumbnail.bmp	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\[email protected]	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.nl_ja_4.4.0.v20140623020002.jar	taskeng.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\[email protected]	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02748U.BMP	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WNTER_01.MID	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Civic.thmx	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\[email protected]	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\[email protected]	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00648_.WMF	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0150861.WMF	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0233665.WMF	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02124_.WMF	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\[email protected]	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\viewSelectionChanged.js	taskeng.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\15x15dot.png	taskeng.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\[email protected]	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02444_.WMF	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01566_.WMF	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.zh_CN_5.5.0.165303.jar	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\[email protected]	taskeng.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\[email protected]	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\[email protected]	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\[email protected]	taskeng.exe
File opened for modification	C:\Program Files\7-Zip\Lang\[email protected]	taskeng.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\[email protected]	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\[email protected]	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN01164_.WMF	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\[email protected]	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\[email protected]	taskeng.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	taskeng.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sk\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\[email protected]	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE05869_.WMF	taskeng.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Rangoon	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\[email protected]	taskeng.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libbluray-j2se-1.0.2.jar	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00985_.WMF	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00389_.WMF	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASK.CFG	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\[email protected]	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-startup.xml.@payransom500.238-B08-B12	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\[email protected]	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\[email protected]	taskeng.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.concurrent_1.1.0.v20130327-1442.jar	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00097_.WMF	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF	taskeng.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\[email protected]	taskeng.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\[email protected]	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10266_.GIF	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\[email protected]	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\[email protected]	taskeng.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	taskeng.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\EST5EDT	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\[email protected]	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\[email protected]	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\[email protected]	taskeng.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\[email protected]	taskeng.exe

Drops file in Windows directory 1 IoCs

Processes:

taskeng.exe

description ioc process

File created C:\Windows\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT taskeng.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

792 1104 WerFault.exe 204F.exe

description	ioc	process
File created	C:\Windows\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT	taskeng.exe

pid	pid_target	process	target process
792	1104	WerFault.exe	204F.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3ff6093dab1fcb8aea139a302fa81c7a.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3ff6093dab1fcb8aea139a302fa81c7a.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3ff6093dab1fcb8aea139a302fa81c7a.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3ff6093dab1fcb8aea139a302fa81c7a.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1692 timeout.exe
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

392 vssadmin.exe
708 vssadmin.exe

pid	process
1692	timeout.exe

pid	process
392	vssadmin.exe
708	vssadmin.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

1508.exetaskeng.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	1508.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	1508.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	1508.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	taskeng.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	taskeng.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3ff6093dab1fcb8aea139a302fa81c7a.exe

pid	process
1456	3ff6093dab1fcb8aea139a302fa81c7a.exe
1456	3ff6093dab1fcb8aea139a302fa81c7a.exe
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

WerFault.exe

pid process

1212
792 WerFault.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

3ff6093dab1fcb8aea139a302fa81c7a.exe

pid process

1456 3ff6093dab1fcb8aea139a302fa81c7a.exe

pid	process
1212
792	WerFault.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

1508.exeWerFault.exeWMIC.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1040	1508.exe
Token: SeDebugPrivilege	1040	1508.exe
Token: SeDebugPrivilege	792	WerFault.exe
Token: SeShutdownPrivilege	1212
Token: SeIncreaseQuotaPrivilege	1048	WMIC.exe
Token: SeSecurityPrivilege	1048	WMIC.exe
Token: SeTakeOwnershipPrivilege	1048	WMIC.exe
Token: SeLoadDriverPrivilege	1048	WMIC.exe
Token: SeSystemProfilePrivilege	1048	WMIC.exe
Token: SeSystemtimePrivilege	1048	WMIC.exe
Token: SeProfSingleProcessPrivilege	1048	WMIC.exe
Token: SeIncBasePriorityPrivilege	1048	WMIC.exe
Token: SeCreatePagefilePrivilege	1048	WMIC.exe
Token: SeBackupPrivilege	1048	WMIC.exe
Token: SeRestorePrivilege	1048	WMIC.exe
Token: SeShutdownPrivilege	1048	WMIC.exe
Token: SeDebugPrivilege	1048	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1048	WMIC.exe
Token: SeRemoteShutdownPrivilege	1048	WMIC.exe
Token: SeUndockPrivilege	1048	WMIC.exe
Token: SeManageVolumePrivilege	1048	WMIC.exe
Token: 33	1048	WMIC.exe
Token: 34	1048	WMIC.exe
Token: 35	1048	WMIC.exe
Token: SeIncreaseQuotaPrivilege	572	WMIC.exe
Token: SeSecurityPrivilege	572	WMIC.exe
Token: SeTakeOwnershipPrivilege	572	WMIC.exe
Token: SeLoadDriverPrivilege	572	WMIC.exe
Token: SeSystemProfilePrivilege	572	WMIC.exe
Token: SeSystemtimePrivilege	572	WMIC.exe
Token: SeProfSingleProcessPrivilege	572	WMIC.exe
Token: SeIncBasePriorityPrivilege	572	WMIC.exe
Token: SeCreatePagefilePrivilege	572	WMIC.exe
Token: SeBackupPrivilege	572	WMIC.exe
Token: SeRestorePrivilege	572	WMIC.exe
Token: SeShutdownPrivilege	572	WMIC.exe
Token: SeDebugPrivilege	572	WMIC.exe
Token: SeSystemEnvironmentPrivilege	572	WMIC.exe
Token: SeRemoteShutdownPrivilege	572	WMIC.exe
Token: SeUndockPrivilege	572	WMIC.exe
Token: SeManageVolumePrivilege	572	WMIC.exe
Token: 33	572	WMIC.exe
Token: 34	572	WMIC.exe
Token: 35	572	WMIC.exe
Token: SeBackupPrivilege	1792	vssvc.exe
Token: SeRestorePrivilege	1792	vssvc.exe
Token: SeAuditPrivilege	1792	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1048	WMIC.exe
Token: SeSecurityPrivilege	1048	WMIC.exe
Token: SeTakeOwnershipPrivilege	1048	WMIC.exe
Token: SeLoadDriverPrivilege	1048	WMIC.exe
Token: SeSystemProfilePrivilege	1048	WMIC.exe
Token: SeSystemtimePrivilege	1048	WMIC.exe
Token: SeProfSingleProcessPrivilege	1048	WMIC.exe
Token: SeIncBasePriorityPrivilege	1048	WMIC.exe
Token: SeCreatePagefilePrivilege	1048	WMIC.exe
Token: SeBackupPrivilege	1048	WMIC.exe
Token: SeRestorePrivilege	1048	WMIC.exe
Token: SeShutdownPrivilege	1048	WMIC.exe
Token: SeDebugPrivilege	1048	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1048	WMIC.exe
Token: SeRemoteShutdownPrivilege	1048	WMIC.exe
Token: SeUndockPrivilege	1048	WMIC.exe
Token: SeManageVolumePrivilege	1048	WMIC.exe

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

pid process

1212
1212
1212
1212
1212
1212
1212
1212
Suspicious use of SendNotifyMessage 16 IoCs

Processes:

pid process

1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212

pid	process
1212
1212
1212
1212
1212
1212
1212
1212

pid	process
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3ff6093dab1fcb8aea139a302fa81c7a.exe1508.exe204F.exeC11.execmd.exetaskeng.exe

description	pid	process	target process
PID 612 wrote to memory of 1456	612	3ff6093dab1fcb8aea139a302fa81c7a.exe	3ff6093dab1fcb8aea139a302fa81c7a.exe
PID 612 wrote to memory of 1456	612	3ff6093dab1fcb8aea139a302fa81c7a.exe	3ff6093dab1fcb8aea139a302fa81c7a.exe
PID 612 wrote to memory of 1456	612	3ff6093dab1fcb8aea139a302fa81c7a.exe	3ff6093dab1fcb8aea139a302fa81c7a.exe
PID 612 wrote to memory of 1456	612	3ff6093dab1fcb8aea139a302fa81c7a.exe	3ff6093dab1fcb8aea139a302fa81c7a.exe
PID 612 wrote to memory of 1456	612	3ff6093dab1fcb8aea139a302fa81c7a.exe	3ff6093dab1fcb8aea139a302fa81c7a.exe
PID 612 wrote to memory of 1456	612	3ff6093dab1fcb8aea139a302fa81c7a.exe	3ff6093dab1fcb8aea139a302fa81c7a.exe
PID 612 wrote to memory of 1456	612	3ff6093dab1fcb8aea139a302fa81c7a.exe	3ff6093dab1fcb8aea139a302fa81c7a.exe
PID 1212 wrote to memory of 1044	1212		A4C.exe
PID 1212 wrote to memory of 1044	1212		A4C.exe
PID 1212 wrote to memory of 1044	1212		A4C.exe
PID 1212 wrote to memory of 1044	1212		A4C.exe
PID 1212 wrote to memory of 796	1212		C11.exe
PID 1212 wrote to memory of 796	1212		C11.exe
PID 1212 wrote to memory of 796	1212		C11.exe
PID 1212 wrote to memory of 796	1212		C11.exe
PID 1212 wrote to memory of 1040	1212		1508.exe
PID 1212 wrote to memory of 1040	1212		1508.exe
PID 1212 wrote to memory of 1040	1212		1508.exe
PID 1212 wrote to memory of 1040	1212		1508.exe
PID 1212 wrote to memory of 1104	1212		204F.exe
PID 1212 wrote to memory of 1104	1212		204F.exe
PID 1212 wrote to memory of 1104	1212		204F.exe
PID 1212 wrote to memory of 1104	1212		204F.exe
PID 1040 wrote to memory of 1824	1040	1508.exe	taskeng.exe
PID 1040 wrote to memory of 1824	1040	1508.exe	taskeng.exe
PID 1040 wrote to memory of 1824	1040	1508.exe	taskeng.exe
PID 1040 wrote to memory of 1824	1040	1508.exe	taskeng.exe
PID 1040 wrote to memory of 1492	1040	1508.exe	notepad.exe
PID 1040 wrote to memory of 1492	1040	1508.exe	notepad.exe
PID 1040 wrote to memory of 1492	1040	1508.exe	notepad.exe
PID 1040 wrote to memory of 1492	1040	1508.exe	notepad.exe
PID 1040 wrote to memory of 1492	1040	1508.exe	notepad.exe
PID 1040 wrote to memory of 1492	1040	1508.exe	notepad.exe
PID 1040 wrote to memory of 1492	1040	1508.exe	notepad.exe
PID 1104 wrote to memory of 792	1104	204F.exe	WerFault.exe
PID 1104 wrote to memory of 792	1104	204F.exe	WerFault.exe
PID 1104 wrote to memory of 792	1104	204F.exe	WerFault.exe
PID 1104 wrote to memory of 792	1104	204F.exe	WerFault.exe
PID 796 wrote to memory of 1644	796	C11.exe	cmd.exe
PID 796 wrote to memory of 1644	796	C11.exe	cmd.exe
PID 796 wrote to memory of 1644	796	C11.exe	cmd.exe
PID 796 wrote to memory of 1644	796	C11.exe	cmd.exe
PID 1644 wrote to memory of 1692	1644	cmd.exe	timeout.exe
PID 1644 wrote to memory of 1692	1644	cmd.exe	timeout.exe
PID 1644 wrote to memory of 1692	1644	cmd.exe	timeout.exe
PID 1644 wrote to memory of 1692	1644	cmd.exe	timeout.exe
PID 1824 wrote to memory of 1916	1824	taskeng.exe	cmd.exe
PID 1824 wrote to memory of 1916	1824	taskeng.exe	cmd.exe
PID 1824 wrote to memory of 1916	1824	taskeng.exe	cmd.exe
PID 1824 wrote to memory of 1916	1824	taskeng.exe	cmd.exe
PID 1824 wrote to memory of 528	1824	taskeng.exe	cmd.exe
PID 1824 wrote to memory of 528	1824	taskeng.exe	cmd.exe
PID 1824 wrote to memory of 528	1824	taskeng.exe	cmd.exe
PID 1824 wrote to memory of 528	1824	taskeng.exe	cmd.exe
PID 1824 wrote to memory of 1652	1824	taskeng.exe	cmd.exe
PID 1824 wrote to memory of 1652	1824	taskeng.exe	cmd.exe
PID 1824 wrote to memory of 1652	1824	taskeng.exe	cmd.exe
PID 1824 wrote to memory of 1652	1824	taskeng.exe	cmd.exe
PID 1824 wrote to memory of 2000	1824	taskeng.exe	cmd.exe
PID 1824 wrote to memory of 2000	1824	taskeng.exe	cmd.exe
PID 1824 wrote to memory of 2000	1824	taskeng.exe	cmd.exe
PID 1824 wrote to memory of 2000	1824	taskeng.exe	cmd.exe
PID 1824 wrote to memory of 1764	1824	taskeng.exe	cmd.exe
PID 1824 wrote to memory of 1764	1824	taskeng.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\3ff6093dab1fcb8aea139a302fa81c7a.exe
"C:\Users\Admin\AppData\Local\Temp\3ff6093dab1fcb8aea139a302fa81c7a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:612

C:\Users\Admin\AppData\Local\Temp\3ff6093dab1fcb8aea139a302fa81c7a.exe
"C:\Users\Admin\AppData\Local\Temp\3ff6093dab1fcb8aea139a302fa81c7a.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1456

C:\Users\Admin\AppData\Local\Temp\A4C.exe
C:\Users\Admin\AppData\Local\Temp\A4C.exe
1⤵
- Executes dropped EXE
PID:1044

C:\Users\Admin\AppData\Local\Temp\C11.exe
C:\Users\Admin\AppData\Local\Temp\C11.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:796

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\C11.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1692

C:\Users\Admin\AppData\Local\Temp\1508.exe
C:\Users\Admin\AppData\Local\Temp\1508.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1040

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -start
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wmic shadowcopy delete
3⤵
PID:1916

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1048

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
3⤵
PID:528

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:1652

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C wbadmin delete catalog -quiet
3⤵
PID:2000

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C vssadmin delete shadows /all /quiet
3⤵
PID:1764

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:392

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\~temp001.bat
3⤵
PID:1804

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:572

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:708

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -agent 0
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1648

C:\Windows\SysWOW64\notepad.exe
notepad.exe
3⤵
PID:860

C:\Windows\SysWOW64\notepad.exe
notepad.exe
2⤵
PID:1492

C:\Users\Admin\AppData\Local\Temp\204F.exe
C:\Users\Admin\AppData\Local\Temp\204F.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 896
2⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:792

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1792

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
712047b6bcb26b144850856b8fa91227

SHA1
15f79da0f60351039d3f77a027a2d50bc4ebc048

SHA256
f402c4bbde9c98ef2255f822a8cc1fd1d8f9ac8989507b61ae590a4cf58ac883

SHA512
4e85dc9e220a8a41dab0ad123d58ef16e131b14dd69c8295847d5d7cde8a540f7b19a017ebcfbf6e180d57a923d0acb85c4d833cdf243991a9af2b868fbdf398

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
99dea8219d4e6ab338e22f69b74e5408

SHA1
0bbe52e3b82a695244c17f4fe16698a74ff0c8eb

SHA256
e55af4c7df7eb82d4a101382949600ce735a0192a3588e54d0e2e7e0d072f66a

SHA512
7a22aba4178140cf1aef9fbfe95bace7019213df493571ee5dce08de25bb74c5a1bd8e25a30db1288c50c3b4b49e13dfcf9198c790feeff23666ad09b9a041dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
ab5c36d10261c173c5896f3478cdc6b7

SHA1
87ac53810ad125663519e944bc87ded3979cbee4

SHA256
f8e90fb0557fe49d7702cfb506312ac0b24c97802f9c782696db6d47f434e8e9

SHA512
e83e4eae44e7a9cbcd267dbfc25a7f4f68b50591e3bbe267324b1f813c9220d565b284994ded5f7d2d371d50e1ebfa647176ec8de9716f754c6b5785c6e897fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
8d305aea10e9c9c8cd09e4bb8742d516

SHA1
b949093642c32493cc09333eb8755f212801e57d

SHA256
93008aa3e24f552f1613361d3504a2d5b7f158ac02a544e9cefc5c9311746638

SHA512
b5d20814bd3a633ad4ba5832e4d164a40ff7f1ea2b3cf86885e905ccf9c1dbac397eac397cc68137c5f9fa37125e0403ff453115dc669ab6ca1c3eadd781f1d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
7a60c98bd6d0ac1d5423673c181a341c

SHA1
24bcc65443f384d672ef359e19e7451140c0e9e9

SHA256
2edf531fe22c9098d9295adfb21835fa09879891f669ee0541c73d9bb8187c10

SHA512
01a6d59c3dd65b68137cd2cda4d23fe603e39568559b9fbdd9eec61ddc13f4cf21d0aa928a96cd671e399d9716c5899f25f71bb80a760608ae480126008f8e62

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
2b172e804903720a5c573758a74e5f16

SHA1
86334e186006cff9d6b2f4c4f15abfbb0aa9d671

SHA256
ce05a8558cc90f42b8e80c5509b8cd09f1e735a624c02d3e9f3f05148c29af8b

SHA512
aa6f203d4140618622beb399c0a90edaaf1a8bcae35cd274fb1ee3d8fdbc62a76dafb8837c8aad1e6977e0ddae9a2490d3421f05ab502e99cd5a0f47457c68fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
4b53300415c8ac2b5d4e6c137916682c

SHA1
39053d23d2d8e17319acda3f24d9977869071b87

SHA256
7f2dfd41091a01a69b1b75a2fde117d9910f9f3d70b1b43b9fd63c2dd95d975d

SHA512
7baa57bd4e3a9798a89393f1dd88152527a5ce9284692465ea79edb4edd66691f4aee2a3ac75ce1c478505e60566634f2b51c7eedb5d5203e6a87ded414f1905

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
056dafbde5bc1544dd64c18bac22a5ed

SHA1
db6d394cf77395ed02eea5c34cb0f817fd0e74ee

SHA256
1905a4f7fcd01e4b8300186749f741e473483bbef3c6309d0836b2268cd1b75d

SHA512
72db4ce354a949a8af98656650c4b782aae878227236e478ff1d401ce1f9506ad8e5334ec4719e6726179f2ab8b0dd948b437ae7f2b107b216e4595b120d34b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\20FS0QLA\FS4CRRS8.htm
MD5
6b17a59cec1a7783febae9aa55c56556

SHA1
01d4581e2b3a6348679147a915a0b22b2a66643a

SHA256
66987b14b90d41632be98836f9601b12e7f329ffab05595887889c9c5716fbeb

SHA512
3337efd12b9c06b7768eb928a78caae243b75257c5aabe7a49e908a2f735af55f7257a40bd2330dc13865ead18ed805b54a6c5105740fdcbbaccacf7997bcbc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K8CH4PHC\1VQSQFUA.htm
MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\1508.exe
MD5
86d11b31007a713ce45399c288250e13

SHA1
a97192cfd32de4bcb7bbfc2bca01863ef2a1775d

SHA256
be4040ca824e98b6ffb1d115459cefd6630c4aeaa24ef205acb851fde260ee9a

SHA512
a5cc4f839b3f9cfcf9016060a1e8508a7351af4ca04a4ab9726b2bb9d44529bfefe091c23e3029fa5fe677fff305fc0defb199b7c46217c84750e07c64288656

Download Submit
C:\Users\Admin\AppData\Local\Temp\1508.exe
MD5
86d11b31007a713ce45399c288250e13

SHA1
a97192cfd32de4bcb7bbfc2bca01863ef2a1775d

SHA256
be4040ca824e98b6ffb1d115459cefd6630c4aeaa24ef205acb851fde260ee9a

SHA512
a5cc4f839b3f9cfcf9016060a1e8508a7351af4ca04a4ab9726b2bb9d44529bfefe091c23e3029fa5fe677fff305fc0defb199b7c46217c84750e07c64288656

Download Submit
C:\Users\Admin\AppData\Local\Temp\204F.exe
MD5
4293ef413d755d4b2f1de90eb54c5ce1

SHA1
3739d002feb8d6317cc0ed0b6d5d857b9c93cf10

SHA256
fd028222d4b842354168e2e8ea761ae3c984624ee29e72f93ea5f998d8d17605

SHA512
9107e440ef16ef9717ac578c3e60f211ea92dabcee78005e224e53e62f99b067fc5809b2267087bf71b01d49819fc0a812c6a73f7d1ab5097d16a00292eceb95

Download Submit
C:\Users\Admin\AppData\Local\Temp\204F.exe
MD5
4293ef413d755d4b2f1de90eb54c5ce1

SHA1
3739d002feb8d6317cc0ed0b6d5d857b9c93cf10

SHA256
fd028222d4b842354168e2e8ea761ae3c984624ee29e72f93ea5f998d8d17605

SHA512
9107e440ef16ef9717ac578c3e60f211ea92dabcee78005e224e53e62f99b067fc5809b2267087bf71b01d49819fc0a812c6a73f7d1ab5097d16a00292eceb95

Download Submit
C:\Users\Admin\AppData\Local\Temp\A4C.exe
MD5
7e1bcffb711d89cda9047c7524c9da3f

SHA1
abc912051241a2d5255fdf7515e0f12a940abb4b

SHA256
6bd7a19d9a4345b9c9ec1192a07e6d343a46cb6b5bd80752fabfafc1d3512204

SHA512
e2cc200737dda99ae28cff33272fc99f13f8224c67d4dbc21091fe2cb4d7561ec27820afad57eca0407dca2677537fcbd3aca4848bc588421e1c63f1c377f90f

Download Submit
C:\Users\Admin\AppData\Local\Temp\C11.exe
MD5
fd65695e041f266ab803c76c1575361d

SHA1
b1bd2416cc9e588bf0c9bf63c2caa2ee0a47783c

SHA256
af76cd6efd8e93ae782595287e90e767e2228b8cd3995ae8533d98ab53d00e5c

SHA512
b84f35d79ffc4e0401907c5a1721d9d061bb91e0458ba2c7484a825a0431f7f09b4aa88b1002f6f356cf3bb778bdd8855fac08b19cdbdc0369a898165a19909d

Download Submit
C:\Users\Admin\AppData\Local\Temp\C11.exe
MD5
fd65695e041f266ab803c76c1575361d

SHA1
b1bd2416cc9e588bf0c9bf63c2caa2ee0a47783c

SHA256
af76cd6efd8e93ae782595287e90e767e2228b8cd3995ae8533d98ab53d00e5c

SHA512
b84f35d79ffc4e0401907c5a1721d9d061bb91e0458ba2c7484a825a0431f7f09b4aa88b1002f6f356cf3bb778bdd8855fac08b19cdbdc0369a898165a19909d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~temp001.bat
MD5
ef572e2c7b1bbd57654b36e8dcfdc37a

SHA1
b84c4db6d0dfd415c289d0c8ae099aea4001e3b7

SHA256
e6e609db3f387f42bfd16dd9e5695ddc2b73d86ae12baf4f0dfc4edda4a96a64

SHA512
b8c014b242e8e8f42da37b75fe96c52cd25ebd366d0b5103bcba5ac041806d13142a62351edecdee583d494d2a120f9b330f6229b1b5fe820e1c7d98981089e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
MD5
86d11b31007a713ce45399c288250e13

SHA1
a97192cfd32de4bcb7bbfc2bca01863ef2a1775d

SHA256
be4040ca824e98b6ffb1d115459cefd6630c4aeaa24ef205acb851fde260ee9a

SHA512
a5cc4f839b3f9cfcf9016060a1e8508a7351af4ca04a4ab9726b2bb9d44529bfefe091c23e3029fa5fe677fff305fc0defb199b7c46217c84750e07c64288656

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
MD5
86d11b31007a713ce45399c288250e13

SHA1
a97192cfd32de4bcb7bbfc2bca01863ef2a1775d

SHA256
be4040ca824e98b6ffb1d115459cefd6630c4aeaa24ef205acb851fde260ee9a

SHA512
a5cc4f839b3f9cfcf9016060a1e8508a7351af4ca04a4ab9726b2bb9d44529bfefe091c23e3029fa5fe677fff305fc0defb199b7c46217c84750e07c64288656

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
MD5
86d11b31007a713ce45399c288250e13

SHA1
a97192cfd32de4bcb7bbfc2bca01863ef2a1775d

SHA256
be4040ca824e98b6ffb1d115459cefd6630c4aeaa24ef205acb851fde260ee9a

SHA512
a5cc4f839b3f9cfcf9016060a1e8508a7351af4ca04a4ab9726b2bb9d44529bfefe091c23e3029fa5fe677fff305fc0defb199b7c46217c84750e07c64288656

Download Submit
C:\Users\Admin\Desktop\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
MD5
8398fd61b4a927cfeefb3312fe9d99b6

SHA1
90d584ee807f737fe94a2b49df464ecb751cd879

SHA256
bb8e653163dd2352d251e03285fc905a0f0ae166f63711e2e656d023cd73e30e

SHA512
5ff28d157688ba9b039ad16d8b9b03ffb05395f4a9586f25ce1064fb25df9e6f2a42a0f76efa0b2675a4b4ca6ffd71d9ab4e26593db50fd5ef9eb72b50a197a5

Download Submit
C:\Users\Admin\Desktop\[email protected]
MD5
889055602bf74f9c97e4357e8c52494c

SHA1
60bf3b21973962c9a60be894fa4d49c81e99c692

SHA256
a388f3450d3840a7f91e93cdb4af549672af33ec05bdfce09a503e4e44fd7471

SHA512
fabe56e5a3fab5a806f78087e1db1a52342001034b1f13fcdc3395ca0fb07db579bdeaf73581e743d8abbb1c69fea0e535daaefb9dbb175fa8ef1f22a9f0aa5d

Download Submit
C:\Users\Admin\Desktop\[email protected]
MD5
9bd61e19096029c8f6ae89b6e8863ef5

SHA1
b4e5c5fb53378a2dffd0f63790889f2ceb2c4fbe

SHA256
1869f2256a36c303992531bcef68d4f6f14a36ca9c01bcb1de3882a99d102310

SHA512
c522c454e6be501f37381e2d505663265d97196b80d5b0227b0cc209b49a6d4e513847148a177775e3328a21722688ffa7bfa95433bfc0078e19bdd5e6f1f89c

Download Submit
C:\Users\Admin\Desktop\[email protected]
MD5
d631e56073e5c345a4d9d595a8c25bb5

SHA1
d506164517e6c0301d517c253c222714e04a7d15

SHA256
e17a8b5c8db8a4ddf1b439b24e4551617b6406c4f93a112f697fff5ce7b8e192

SHA512
bfb8adc2132e3a671d561d06046c3febfc6afd1b154ec7fb6a61943d6a51653d675ad93af734e6fb429d0ea54e2addf5e9d6ba5e4e5833e4778db9d161a1eed3

Download Submit
C:\Users\Admin\Desktop\[email protected]
MD5
3942222cc00ac18dc4e30b3fe12f94d0

SHA1
7d857c965a35699447db7d0d99ebd079a6e3297e

SHA256
6c16bf590149369c122dd328f0fc47a5ef71b3a98d099b71fe7cda25f8e7aef7

SHA512
ec9783c8fc48024fb21ae2927d5ed1804c03899f61a0daf8674e4fa927943a711106a9fb8221f2a0dbce3e70be9bf4b277f184653c626d2fe99bd5f4f8567f94

Download Submit
C:\Users\Admin\Desktop\[email protected]
MD5
3d34a5a163d604ab9be4bc335d19d58f

SHA1
d4e381f8015964d963c0adbe5f54763e790b839f

SHA256
1610968e584a0f69b3019026c59d75bece8738ef09547c3375b4d794fe530fc1

SHA512
b79e31f61c0695ee852ce9ac58bb7aea4705e304c01a689abb21aea34f175081b37db38bcfa8850d74a69a8fbf55754e1b502d03527454a85bdccd6689275a47

Download Submit
C:\Users\Admin\Desktop\[email protected]
MD5
ff35a5e4d09c12d0868e1442fe97cbea

SHA1
a48eb471bbb1f8c9a63fb593276fad4cb47b9fdb

SHA256
7841b88bfd47acd1f787b0c8c9e5888caa52c6de285a862d636d621c0d95fd62

SHA512
e4761f33fecdd07520de949e9a0db94c6bfb3c41ce5749b5a8ca1144393d4349e09981b3a230fbb2cb0a9442b5175a855d6181abfda44d6a7f2b62f16996157c

Download Submit
C:\Users\Admin\Desktop\[email protected]
MD5
e9b67f75f7b34f7ecaa1bdad44fec7ac

SHA1
e5e396984f537995eff67de37694f584c5d17ed7

SHA256
435387fea3e73dfd71aaeca5a70926fa457b560316b5917069e0c0c4b8d99a18

SHA512
e6f3ae49f74f07510eb898c1ddbb344129305f09a3a5ca21c73beb56de9a33a7f57d52ddc681acd8b85d5be88ce16a1facafe1fbbc74bb7d8ad75a246341055e

Download Submit
C:\Users\Admin\Desktop\[email protected]
MD5
516c948bed6d622af3e8338cc08f3161

SHA1
cdb1def450b712b2827fa4b6cfc29eb352233917

SHA256
1a0125bcec94bad5e6c4fea260d1fffa061fa5f6e81c587f6f16822d391fe54a

SHA512
5e48a94718486061f7fcd528afeee71d670eb99fd57cf60d32d8f4add96a8ec76f1e743312281e9444ff2243f5941bfd8523961e2dda911daf8fa3319d26a201

Download Submit
C:\Users\Admin\Desktop\[email protected]
MD5
0780e5bb11a759e2ade1e7fc9521d3d8

SHA1
ccdbafeeb209bc0322f58da5b6eda60f6a9a8240

SHA256
c11704dc3921c77378a2180a2dd6a1d9fa2cd2ee79dd71abe2f39a3360251e6c

SHA512
2d308081ca23e98c4e758d3bf5e225ef80705d6ca54bf3bf68f3bd8ce668c47cc312dae27182add97f28039820c890227f0e5e42cc950570de2c229b48062c62

Download Submit
C:\Users\Admin\Desktop\[email protected]
MD5
adcc5250bd7b8575474b87f1337b08c6

SHA1
d20a62271c711ff8fd3a1670cd92315d0d80cbc4

SHA256
6aa572c2015947b6612bd98305145bc479211d529d2e849442cf04eb482c6a5d

SHA512
a74278d839b68d07243efef21220eaae05edb8c45849b1730f833a3c946af77178f5b5d0bb1f062ca0d3166ad15023b6b520683a030c5a03b9533ac6746d3306

Download Submit
C:\Users\Admin\Desktop\[email protected]
MD5
c0254401557e24610f3f7596d017b883

SHA1
89831ce8dbce99347ed105db73cad8a1277a8579

SHA256
23bea8d442e797433f0fc04c3276b46ac87097cb29fc42b72c80bce7043b2e83

SHA512
71ab2200e9482f15a548dbd80b136602e3e06b98922a3bcf20f17a388a34ec6ca19f6eda32c358a322650f840b793b7795bf1612f33619260cf632afe99d5dae

Download Submit
C:\Users\Admin\Desktop\[email protected]
MD5
e8874afb82e5b2db8d94f3124af6f2e1

SHA1
1fd7b916c8e16358abca06e9c71f63785940d917

SHA256
531ef1282ac182196b4a6f8ab33f87b643553a7ce3e770953251ef627f9eea4b

SHA512
65a4f1989e99c5c9354ca01d8bd706b3abc07f5acc6c828e2c3a6512edbbd78db89c5ce7324aef611695aa27bb4aa74e19cb652d84c8ae8cfd9a557ed8297de2

Download Submit
C:\Users\Admin\Desktop\[email protected]
MD5
32098b94f8adcb275857ad1cbe480265

SHA1
621f7294c99efe871013468af5bfe6c8ec7e6634

SHA256
015ddb19f0db00cdaddf26f9a1fffdb974482366ecc706c667f27a55dd1a9cf8

SHA512
d53e5abc3511d44bd7f9b2883977fe881b1796e00f9437343d3353f11271b506ec261f3939889e67fd404eaebfd5e1636e50a767c0e7b11e2222cd4e50c12711

Download Submit
C:\Users\Admin\Desktop\[email protected]
MD5
05722324dcbcc30b21ba42ad239d530c

SHA1
1bb9c5d118cdf293b60d42ef841feaaaa097c534

SHA256
fa358dfa57bd906b98fa50787f04ab354afd307519a86e9190cfd9ec0e47a756

SHA512
15fac32ba9796695c8cd89613e0eaf7428b8e8ad1acb1d82727a286f58e24a813339a25b8e3a97046a23828aab8708770d37f79a0444724454e4515f90d395c9

Download Submit
C:\Users\Admin\Desktop\[email protected]
MD5
7108ff18f6369e1e2b15ffb5578b2c07

SHA1
c1b58e6c945ab70936e1025aa9c175f06e190ac5

SHA256
253a17e1175bf43d520a027dd152ce2988d66eed036d9c5241d8f8363fef044c

SHA512
3ab0bd43103e3c9f4e8b1cc92e196f30bce88e5b18a82a8a6d2993491059221dcc1e1a95bf8a8319d14151dda14a76281284de09a01459ea93a2cd2235634832

Download Submit
C:\Users\Admin\Desktop\[email protected]
MD5
a7c25005eac0c07f52d8ca368a2940b9

SHA1
d18d0c93fb6b3e163ffbb81a6321fd16d928df3d

SHA256
91c794f2fbb18f5f29d576b07690b9edf10fc5d8cc27a5819cbb0433c9fc4dab

SHA512
19b19774c2e0334205456fd97c8742b53f9db1f39d2e77137b40063dd995fd3e1f80aa83d6600f5e7f0bd160d6636ee8b30bbf09db7db47ed3767048c15eb5a5

Download Submit
C:\Users\Admin\Desktop\[email protected]
MD5
1df071acf8561d968435b3ba3ac30f50

SHA1
5dad870ed7462ba9c62371b655497eaec459f3fd

SHA256
7712113e00629b42960983617c4018d6b19cd09ba9ece02569bdf4ec3238cef6

SHA512
2b4fa009bd4f65a8d045029fb9acedf9ca1f81c7b2b6e5e72d8fb9b839eea9a078c31d158b334de38b48376e61c569dbdd41b0642c338f7aa509a993796e77ff

Download Submit
C:\Users\Admin\Desktop\[email protected]
MD5
377b0d0b1ab71c279cdbea6f37a9dd39

SHA1
59416503576b6ea1edf34832b0dcfa04aee9e5db

SHA256
3d10d0412b0ecc30cc0a1d1d7c29437cd63643d3abcc74d80583433b16e16f6e

SHA512
dae7bd292551e73a4a06d6e46e9b5f7c0afc398946600fa2fae28e6b836989342895d4144325251471412218acba1fb00eb165ac0be293060183bb063c3c7d42

Download Submit
C:\Users\Admin\Desktop\[email protected]
MD5
e51eb86f181cbaee2d89e06c49984eba

SHA1
d670e2e69ff21d744494f1cd6045430cc38ea8c7

SHA256
aec795606cb13f3e54dbf1e39804f465a16e0da809d6ef365868dbfa22846394

SHA512
3872f5326eb350abfc0ce0c0c2d08b93bb8f01f3d2f5c3c5be1d75f9be8c282582d9e113f61b8e7cd55e7c2693431b59623c29886ea17f0097844b6a25043db1

Download Submit
C:\Users\Admin\Desktop\[email protected]
MD5
6999cc6b32b84a94aaad7d6956a614cd

SHA1
80b70c3937544b39e6c1ab898fbd4a5d80299682

SHA256
6181faab0606ce4466dd86f116bd4dfbddcbd71865a16c23250e515bdc604aaf

SHA512
9b0a15c626c6a19ca0ee8c712164e5b36fc0d6f99069b6f9f9e34f6cef046cdfd5465aa221edbfdb254e451de006b1a767b5ac4270831007ebcc9c80ecba6513

Download Submit
C:\Users\Admin\Desktop\[email protected]
MD5
554832850760cdc7f55a3593c2088145

SHA1
95bd1c1a1dc71aec02411fe37d2a1c362c6460c8

SHA256
32aa758a91d2913d1528fb79e18cf0e811c9f383e2776b4103752c43dbd9c737

SHA512
7224ff9af3003b8ff0fc91968fb2ab0c92eb6ab68b20bb1420265dc7f96f91687571ac52b42d17aa9393f92b09639e8981a346226ee785f268153a80c8c8a5e8

Download Submit
C:\Users\Admin\Desktop\[email protected]
MD5
59c0c3b4102ea779b024febfa6f36eeb

SHA1
b25c604ccc49f5ed9b161fa302c1e621478069d0

SHA256
851f98db3284bdbb68f891ffe2d7f5d17eb47e5eb5a7aee128c4edb8ac7081e6

SHA512
138ad3f644887c5b32c1da8ca78515b8b7768e0db86f29a90ae4dc64abf0317d95efed7888a5207c16c54382072af9f53edad117a0b399332874a78610d3e57c

Download Submit
C:\Users\Admin\Desktop\[email protected]
MD5
9fc701707390309cc1e87ad552ba6105

SHA1
1229c04958527cd63779c35ac531dfa32fdac796

SHA256
435c30c4647d1cde92157683e326ed4f5b8929b739b0a6e480439d60e0929ff6

SHA512
0b88c874bbfa17b4a3ac7b14f3b949b757aba51264da1e39f7df9b6c893110beba76ae70241b28045c30804788b87b90107c18f130c90c17e9d79369023bd28e

Download Submit
C:\Users\Admin\Desktop\[email protected]
MD5
57826b9b54c868e00eae95da78733081

SHA1
103f012cbc6236bb5ce8f63cc3263a552542059f

SHA256
b5a6f882a70eb9864df710991f1347d9de071af83d2e6023bd715d329a292fd0

SHA512
44c620ed38d18e9bf888b68afbae1ea3ce353da1057b361acba491b0248641da39174f8eff2be2a2d6ebc1e4013465898245f2b10f5210538dead85c2c53e1fb

Download Submit
C:\Users\Admin\Desktop\[email protected]
MD5
e6484d2cebbdd47833c4ade10497c33e

SHA1
d11b11a11f8343a8405ac06187741b949c80ce61

SHA256
90de864e5cc48e256309fb7845285186335895b8ed727f74a9b852bb9097cc27

SHA512
8ff9575b49c2d6ace43b5b053d181c0c504a324a10f6ae7272b5054ace9715d5e98a9c0ea16b15ac999d94027fd4800dc4ffe30cd57ff652f5413600b720a981

Download Submit
C:\Users\Admin\Desktop\[email protected]
MD5
226b6edced86e3b4e4436af4cca3f842

SHA1
dfb4be552f9d4efa5cd023879e967e47e9e7890e

SHA256
8cc0ebaa072b79559d96bcfabd93e781fdf66ec61b11d37332cec734b8fdaa02

SHA512
84a31f9eb49ac6e805ccd092418d5b23ed16d930db7de1b78b110dab909fc66a7fcf30225584268a891a9ae4ce1c92048df63c1e6a5f67bbf623bdba868a3b0d

Download Submit
C:\Users\Public\Desktop\!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT
MD5
8398fd61b4a927cfeefb3312fe9d99b6

SHA1
90d584ee807f737fe94a2b49df464ecb751cd879

SHA256
bb8e653163dd2352d251e03285fc905a0f0ae166f63711e2e656d023cd73e30e

SHA512
5ff28d157688ba9b039ad16d8b9b03ffb05395f4a9586f25ce1064fb25df9e6f2a42a0f76efa0b2675a4b4ca6ffd71d9ab4e26593db50fd5ef9eb72b50a197a5

Download Submit
\Users\Admin\AppData\LocalLow\nU9pY0gT8d\freebl3.dll
MD5
60acd24430204ad2dc7f148b8cfe9bdc

SHA1
989f377b9117d7cb21cbe92a4117f88f9c7693d9

SHA256
9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97

SHA512
626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

Download Submit
\Users\Admin\AppData\LocalLow\nU9pY0gT8d\mozglue.dll
MD5
eae9273f8cdcf9321c6c37c244773139

SHA1
8378e2a2f3635574c106eea8419b5eb00b8489b0

SHA256
a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc

SHA512
06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097

Download Submit
\Users\Admin\AppData\LocalLow\nU9pY0gT8d\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
\Users\Admin\AppData\LocalLow\nU9pY0gT8d\nss3.dll
MD5
02cc7b8ee30056d5912de54f1bdfc219

SHA1
a6923da95705fb81e368ae48f93d28522ef552fb

SHA256
1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5

SHA512
0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

Download Submit
\Users\Admin\AppData\LocalLow\nU9pY0gT8d\softokn3.dll
MD5
4e8df049f3459fa94ab6ad387f3561ac

SHA1
06ed392bc29ad9d5fc05ee254c2625fd65925114

SHA256
25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871

SHA512
3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6

Download Submit
\Users\Admin\AppData\LocalLow\nU9pY0gT8d\vcruntime140.dll
MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll
MD5
f964811b68f9f1487c2b41e1aef576ce

SHA1
b423959793f14b1416bc3b7051bed58a1034025f

SHA256
83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7

SHA512
565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

Download Submit
\Users\Admin\AppData\Local\Temp\204F.exe
MD5
4293ef413d755d4b2f1de90eb54c5ce1

SHA1
3739d002feb8d6317cc0ed0b6d5d857b9c93cf10

SHA256
fd028222d4b842354168e2e8ea761ae3c984624ee29e72f93ea5f998d8d17605

SHA512
9107e440ef16ef9717ac578c3e60f211ea92dabcee78005e224e53e62f99b067fc5809b2267087bf71b01d49819fc0a812c6a73f7d1ab5097d16a00292eceb95

Download Submit
\Users\Admin\AppData\Local\Temp\204F.exe
MD5
4293ef413d755d4b2f1de90eb54c5ce1

SHA1
3739d002feb8d6317cc0ed0b6d5d857b9c93cf10

SHA256
fd028222d4b842354168e2e8ea761ae3c984624ee29e72f93ea5f998d8d17605

SHA512
9107e440ef16ef9717ac578c3e60f211ea92dabcee78005e224e53e62f99b067fc5809b2267087bf71b01d49819fc0a812c6a73f7d1ab5097d16a00292eceb95

Download Submit
\Users\Admin\AppData\Local\Temp\204F.exe
MD5
4293ef413d755d4b2f1de90eb54c5ce1

SHA1
3739d002feb8d6317cc0ed0b6d5d857b9c93cf10

SHA256
fd028222d4b842354168e2e8ea761ae3c984624ee29e72f93ea5f998d8d17605

SHA512
9107e440ef16ef9717ac578c3e60f211ea92dabcee78005e224e53e62f99b067fc5809b2267087bf71b01d49819fc0a812c6a73f7d1ab5097d16a00292eceb95

Download Submit
\Users\Admin\AppData\Local\Temp\204F.exe
MD5
4293ef413d755d4b2f1de90eb54c5ce1

SHA1
3739d002feb8d6317cc0ed0b6d5d857b9c93cf10

SHA256
fd028222d4b842354168e2e8ea761ae3c984624ee29e72f93ea5f998d8d17605

SHA512
9107e440ef16ef9717ac578c3e60f211ea92dabcee78005e224e53e62f99b067fc5809b2267087bf71b01d49819fc0a812c6a73f7d1ab5097d16a00292eceb95

Download Submit
\Users\Admin\AppData\Local\Temp\204F.exe
MD5
4293ef413d755d4b2f1de90eb54c5ce1

SHA1
3739d002feb8d6317cc0ed0b6d5d857b9c93cf10

SHA256
fd028222d4b842354168e2e8ea761ae3c984624ee29e72f93ea5f998d8d17605

SHA512
9107e440ef16ef9717ac578c3e60f211ea92dabcee78005e224e53e62f99b067fc5809b2267087bf71b01d49819fc0a812c6a73f7d1ab5097d16a00292eceb95

Download Submit
\Users\Admin\AppData\Local\Temp\204F.exe
MD5
4293ef413d755d4b2f1de90eb54c5ce1

SHA1
3739d002feb8d6317cc0ed0b6d5d857b9c93cf10

SHA256
fd028222d4b842354168e2e8ea761ae3c984624ee29e72f93ea5f998d8d17605

SHA512
9107e440ef16ef9717ac578c3e60f211ea92dabcee78005e224e53e62f99b067fc5809b2267087bf71b01d49819fc0a812c6a73f7d1ab5097d16a00292eceb95

Download Submit
\Users\Admin\AppData\Local\Temp\204F.exe
MD5
4293ef413d755d4b2f1de90eb54c5ce1

SHA1
3739d002feb8d6317cc0ed0b6d5d857b9c93cf10

SHA256
fd028222d4b842354168e2e8ea761ae3c984624ee29e72f93ea5f998d8d17605

SHA512
9107e440ef16ef9717ac578c3e60f211ea92dabcee78005e224e53e62f99b067fc5809b2267087bf71b01d49819fc0a812c6a73f7d1ab5097d16a00292eceb95

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
MD5
86d11b31007a713ce45399c288250e13

SHA1
a97192cfd32de4bcb7bbfc2bca01863ef2a1775d

SHA256
be4040ca824e98b6ffb1d115459cefd6630c4aeaa24ef205acb851fde260ee9a

SHA512
a5cc4f839b3f9cfcf9016060a1e8508a7351af4ca04a4ab9726b2bb9d44529bfefe091c23e3029fa5fe677fff305fc0defb199b7c46217c84750e07c64288656

Download Submit
memory/392-129-0x0000000000000000-mapping.dmp

Download
memory/528-119-0x0000000000000000-mapping.dmp

Download
memory/572-130-0x0000000000000000-mapping.dmp

Download
memory/612-57-0x0000000000020000-0x0000000000029000-memory.dmp

Filesize
36KB

Download
memory/708-133-0x0000000000000000-mapping.dmp

Download
memory/792-106-0x0000000000000000-mapping.dmp

Download
memory/792-117-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/796-73-0x0000000000510000-0x000000000059E000-memory.dmp

Filesize
568KB

Download
memory/796-61-0x0000000000000000-mapping.dmp

Download
memory/796-75-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/860-163-0x0000000000000000-mapping.dmp

Download
memory/860-165-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1040-67-0x0000000000EF1000-0x0000000000F20000-memory.dmp

Filesize
188KB

Download
memory/1040-66-0x0000000000EF0000-0x0000000001545000-memory.dmp

Filesize
6.3MB

Download
memory/1040-63-0x0000000000000000-mapping.dmp

Download
memory/1044-74-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1044-69-0x0000000000220000-0x00000000002B0000-memory.dmp

Filesize
576KB

Download
memory/1044-59-0x0000000000000000-mapping.dmp

Download
memory/1048-125-0x0000000000000000-mapping.dmp

Download
memory/1104-92-0x0000000000220000-0x00000000002F4000-memory.dmp

Filesize
848KB

Download
memory/1104-93-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/1104-71-0x0000000000000000-mapping.dmp

Download
memory/1212-58-0x0000000002940000-0x0000000002955000-memory.dmp

Filesize
84KB

Download
memory/1456-54-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1456-56-0x0000000075651000-0x0000000075653000-memory.dmp

Filesize
8KB

Download
memory/1456-55-0x0000000000402F18-mapping.dmp

Download
memory/1492-89-0x0000000000000000-mapping.dmp

Download
memory/1492-105-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1644-114-0x0000000000000000-mapping.dmp

Download
memory/1648-124-0x0000000000000000-mapping.dmp

Download
memory/1648-131-0x0000000000360000-0x00000000009B5000-memory.dmp

Filesize
6.3MB

Download
memory/1652-120-0x0000000000000000-mapping.dmp

Download
memory/1692-115-0x0000000000000000-mapping.dmp

Download
memory/1764-122-0x0000000000000000-mapping.dmp

Download
memory/1804-123-0x0000000000000000-mapping.dmp

Download
memory/1824-94-0x0000000000361000-0x0000000000390000-memory.dmp

Filesize
188KB

Download
memory/1824-91-0x0000000000360000-0x00000000009B5000-memory.dmp

Filesize
6.3MB

Download
memory/1824-86-0x0000000000000000-mapping.dmp

Download
memory/1916-118-0x0000000000000000-mapping.dmp

Download
memory/2000-121-0x0000000000000000-mapping.dmp

Download