0d93bc5a94ff11a3221e186b6fe8ee28aed9f2f1db2413e6562f43bc7f23786f

Analysis

max time kernel
146s
max time network
138s
platform
windows7_x64
resource
win7-en-20210920
submitted
19-10-2021 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rdmr_3.exe
Size

1.8MB
MD5

00c227b93837e5e5f7f24509459a0216
SHA1

8148f3df22b82dbdf664ff5e343bb053f01830b7
SHA256

0d93bc5a94ff11a3221e186b6fe8ee28aed9f2f1db2413e6562f43bc7f23786f
SHA512

574b1fdc7505aa597b078828d7559982e4b506c49466f2600b0dfcf4ba3584581df35e5c7baa91ddda97052c6e34d146d8d1e0457269f18ac7799deb9ef069db

Score

10^/10

evasion persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Read Me.TXT

Ransom Note

8888888b. 888 888 Y88b 888 888 888 888 888 d88P .d88b. .d88888 .d88b. .d88b. 88888b.d88b. .d88b. 888d888 8888888P" d8P Y8b d88" 888 d8P Y8b d8P Y8b 888 "888 "88b d8P Y8b 888P" 888 T88b 88888888 888 888 88888888 88888888 888 888 888 88888888 888 888 T88b Y8b. Y88b 888 Y8b. Y8b. 888 888 888 Y8b. 888 888 T88b "Y8888 "Y88888 "Y8888 "Y8888 888 888 888 "Y8888 888 Made by Cerebrate - Dread Forums TOR [http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/] [Q1] What happened, I cannot open my files and they have an odd extension? [A1] Your files have been encrypted by Redeemer, a new ransomware operation. [Q2] Is there any way to recover my files? [A2] Yes, you can recover your files. This will however cost you money in XMR (Monero). [Q3] Is there any any way to recover my files without paying? [A3] Without paying it is impossible your files. Redeemer uses most secure algorithms and a sophisticated encryption scheme which guarantees security. Without a proper key, you will never regain access to your files. [Q4] What is XMR (Monero)? [A4] It is a privacy oriented cryptocurrency. You can learn more about Monero on getmonero.org. You can view ways to purchase it on www.monero.how/how-to-buy-monero. [Q5] How will I decrypt my files? [A5] Follow the general instructions: -1. Buy 32 XMR. -2. Contact aloop@protonmail.com and send the following key: -----BEGIN REDEEMER PUBLIC KEY----- OTGmo9caCtb5ZQm7jp07g54cTviSAkZNGTlKSw0bMGGNhRtyRN O+Z361jnoEdIyRTuuHxm/gw/Kr+oVHOGzsDFOaZQOu3VrC+Y5U F5JenNtKAvMNEJnggiWiCzJommGWhU4oKJZMBRsx3uT3HVD9X9 4ZlPBXVc/khMWDpQSMSBtlfMTBsbq2bsea2erKdDslvN+RFP95 u7wSeX0AKTfrM8+4X0p8jvADpZrYvngm0hCdmol25uf5Kg3/P2 IRdVg45ZyG3BzTN9inBBBpgx7bXrVxMdKFNDgXUoOi7qoHwO1w 25nbsh4OAwhDx/LyGDI1rUaw4vKwjkMITinbh8f00WfYo3WaII In2VMMZdtmbbsTAnMdpx4VpjYULfWjy+Unoqfl2yL+bHJ+HPqo 3p4M31i/jJf0eCA4QQHMoHs3GwD7OTUMiFW8pdDLRynAxp0Ft/ hzlBpvLWQpsXzWK4kuLIin9hkZ+299qM8Jal8d2rWjjcvnPxVu lhNQGMzvkhaHYJDOmNxADmmeqHGriAYsQ+Gj2yyYu+sPcmzHRQ 0GPL0oaX9FJEFY8y865yF6ttzzdUeGGvkYcWw76MS+S4hKP+JP lAbN685WLF7eBlVpQHYl55ctH+wCAFn7ZkFOw6kSNYrKuttDtg nZyNciSJZdwb8R8fTZMU/3pad6sJr+oOh9Jw== -----END REDEEMER PUBLIC KEY----- -3. You will receive an XMR address where you will need to pay the requested amount of Monero. -4. After you pay and the payment is verified, you will receive a decryption tool and a key which will restore all your files and your computer back to normal.

Emails

aloop@protonmail.com

Signatures

Clears Windows event logs 1 TTPs
evasion ransomware

Indicator Removal on Host
T1070
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

rdmr_3.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\PingUnpublish.tiff	rdmr_3.exe
File created	C:\Users\Admin\Pictures\FormatDeny.tif.redeem	rdmr_3.exe
File created	C:\Users\Admin\Pictures\LimitRemove.tiff.redeem	rdmr_3.exe
File created	C:\Users\Admin\Pictures\PingUnpublish.tiff.redeem	rdmr_3.exe
File created	C:\Users\Admin\Pictures\UseRequest.crw.redeem	rdmr_3.exe
File opened for modification	C:\Users\Admin\Pictures\LimitRemove.tiff	rdmr_3.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 17 IoCs

Processes:

rdmr_3.exe

description	ioc	process
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	rdmr_3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	rdmr_3.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	rdmr_3.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	rdmr_3.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	rdmr_3.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	rdmr_3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	rdmr_3.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	rdmr_3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	rdmr_3.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	rdmr_3.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	rdmr_3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	rdmr_3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	rdmr_3.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	rdmr_3.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	rdmr_3.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	rdmr_3.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	rdmr_3.exe

Modifies WinLogon 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

rdmr_3.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Redeemer Ransomware - Your Data Is Encrypted"	rdmr_3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "8888888b. 888 \n888 Y88b 888 \n888 888 888 \n888 d88P .d88b. .d88888 .d88b. .d88b. 88888b.d88b. .d88b. 888d888 \n8888888P\" d8P Y8b d88\" 888 d8P Y8b d8P Y8b 888 \"888 \"88b d8P Y8b 888P\" \n888 T88b 88888888 888 888 88888888 88888888 888 888 888 88888888 888 \n888 T88b Y8b. Y88b 888 Y8b. Y8b. 888 888 888 Y8b. 888 \n888 T88b \"Y8888 \"Y88888 \"Y8888 \"Y8888 888 888 888 \"Y8888 888 \n\nMade by Cerebrate - Dread Forums TOR\n[http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/]\n\n\n\n[Q1] What happened, I cannot open my files and they have an odd extension?\n[A1] Your files have been encrypted by Redeemer, a new ransomware operation.\n\n[Q2] Is there any way to recover my files?\n[A2] Yes, you can recover your files. This will however cost you money in XMR (Monero).\n\n[Q3] Is there any any way to recover my files without paying?\n[A3] Without paying it is impossible your files.\nRedeemer uses most secure algorithms and a sophisticated encryption scheme which guarantees security.\nWithout a proper key, you will never regain access to your files.\n\n[Q4] What is XMR (Monero)?\n[A4] It is a privacy oriented cryptocurrency.\nYou can learn more about Monero on getmonero.org.\nYou can view ways to purchase it on www.monero.how/how-to-buy-monero.\n\n[Q5] How will I decrypt my files?\n[A5] Follow the general instructions:\n-1. Buy 32 XMR.\n-2. Contact aloop@protonmail.com and send the following key:\n\n-----BEGIN REDEEMER PUBLIC KEY-----\nOTGmo9caCtb5ZQm7jp07g54cTviSAkZNGTlKSw0bMGGNhRtyRN\nO+Z361jnoEdIyRTuuHxm/gw/Kr+oVHOGzsDFOaZQOu3VrC+Y5U\nF5JenNtKAvMNEJnggiWiCzJommGWhU4oKJZMBRsx3uT3HVD9X9\n4ZlPBXVc/khMWDpQSMSBtlfMTBsbq2bsea2erKdDslvN+RFP95\nu7wSeX0AKTfrM8+4X0p8jvADpZrYvngm0hCdmol25uf5Kg3/P2\nIRdVg45ZyG3BzTN9inBBBpgx7bXrVxMdKFNDgXUoOi7qoHwO1w\n25nbsh4OAwhDx/LyGDI1rUaw4vKwjkMITinbh8f00WfYo3WaII\nIn2VMMZdtmbbsTAnMdpx4VpjYULfWjy+Unoqfl2yL+bHJ+HPqo\n3p4M31i/jJf0eCA4QQHMoHs3GwD7OTUMiFW8pdDLRynAxp0Ft/\nhzlBpvLWQpsXzWK4kuLIin9hkZ+299qM8Jal8d2rWjjcvnPxVu\nlhNQGMzvkhaHYJDOmNxADmmeqHGriAYsQ+Gj2yyYu+sPcmzHRQ\n0GPL0oaX9FJEFY8y865yF6ttzzdUeGGvkYcWw76MS+S4hKP+JP\nlAbN685WLF7eBlVpQHYl55ctH+wCAFn7ZkFOw6kSNYrKuttDtg\nnZyNciSJZdwb8R8fTZMU/3pad6sJr+oOh9Jw==\n-----END REDEEMER PUBLIC KEY-----\n\n-3. You will receive an XMR address where you will need to pay the requested amount of Monero.\n-4. After you pay and the payment is verified, you will receive a decryption tool and a key which will restore all your files and your computer back to normal."	rdmr_3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Redeemer Ransomware - Your Data Is Encrypted"	rdmr_3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "8888888b. 888 \n888 Y88b 888 \n888 888 888 \n888 d88P .d88b. .d88888 .d88b. .d88b. 88888b.d88b. .d88b. 888d888 \n8888888P\" d8P Y8b d88\" 888 d8P Y8b d8P Y8b 888 \"888 \"88b d8P Y8b 888P\" \n888 T88b 88888888 888 888 88888888 88888888 888 888 888 88888888 888 \n888 T88b Y8b. Y88b 888 Y8b. Y8b. 888 888 888 Y8b. 888 \n888 T88b \"Y8888 \"Y88888 \"Y8888 \"Y8888 888 888 888 \"Y8888 888 \n\nMade by Cerebrate - Dread Forums TOR\n[http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/]\n\n\n\n[Q1] What happened, I cannot open my files and they have an odd extension?\n[A1] Your files have been encrypted by Redeemer, a new ransomware operation.\n\n[Q2] Is there any way to recover my files?\n[A2] Yes, you can recover your files. This will however cost you money in XMR (Monero).\n\n[Q3] Is there any any way to recover my files without paying?\n[A3] Without paying it is impossible your files.\nRedeemer uses most secure algorithms and a sophisticated encryption scheme which guarantees security.\nWithout a proper key, you will never regain access to your files.\n\n[Q4] What is XMR (Monero)?\n[A4] It is a privacy oriented cryptocurrency.\nYou can learn more about Monero on getmonero.org.\nYou can view ways to purchase it on www.monero.how/how-to-buy-monero.\n\n[Q5] How will I decrypt my files?\n[A5] Follow the general instructions:\n-1. Buy 32 XMR.\n-2. Contact aloop@protonmail.com and send the following key:\n\n-----BEGIN REDEEMER PUBLIC KEY-----\nOTGmo9caCtb5ZQm7jp07g54cTviSAkZNGTlKSw0bMGGNhRtyRN\nO+Z361jnoEdIyRTuuHxm/gw/Kr+oVHOGzsDFOaZQOu3VrC+Y5U\nF5JenNtKAvMNEJnggiWiCzJommGWhU4oKJZMBRsx3uT3HVD9X9\n4ZlPBXVc/khMWDpQSMSBtlfMTBsbq2bsea2erKdDslvN+RFP95\nu7wSeX0AKTfrM8+4X0p8jvADpZrYvngm0hCdmol25uf5Kg3/P2\nIRdVg45ZyG3BzTN9inBBBpgx7bXrVxMdKFNDgXUoOi7qoHwO1w\n25nbsh4OAwhDx/LyGDI1rUaw4vKwjkMITinbh8f00WfYo3WaII\nIn2VMMZdtmbbsTAnMdpx4VpjYULfWjy+Unoqfl2yL+bHJ+HPqo\n3p4M31i/jJf0eCA4QQHMoHs3GwD7OTUMiFW8pdDLRynAxp0Ft/\nhzlBpvLWQpsXzWK4kuLIin9hkZ+299qM8Jal8d2rWjjcvnPxVu\nlhNQGMzvkhaHYJDOmNxADmmeqHGriAYsQ+Gj2yyYu+sPcmzHRQ\n0GPL0oaX9FJEFY8y865yF6ttzzdUeGGvkYcWw76MS+S4hKP+JP\nlAbN685WLF7eBlVpQHYl55ctH+wCAFn7ZkFOw6kSNYrKuttDtg\nnZyNciSJZdwb8R8fTZMU/3pad6sJr+oOh9Jw==\n-----END REDEEMER PUBLIC KEY-----\n\n-3. You will receive an XMR address where you will need to pay the requested amount of Monero.\n-4. After you pay and the payment is verified, you will receive a decryption tool and a key which will restore all your files and your computer back to normal."	rdmr_3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

1812 vssadmin.exe
1228 vssadmin.exe

pid	process
1812	vssadmin.exe
1228	vssadmin.exe

Modifies registry class 7 IoCs

Processes:

cmd.execmd.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\redeemer	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\redeemer\Shell	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\redeemer\Shell\Open	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\redeemer\Shell\Open\Command	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\redeemer\Shell\Open\Command\ = "\"C:\\Windows\\system32\\cmd.exe\" /c msg * Redeemer Ransowmare - this file cannot be opened until decrypted. Check ReadMe.TXT for more details how to decrypt your file."	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.redeem	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.redeem\ = "redeemer"	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1724 PING.EXE

pid	process
1724	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

vssvc.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exerdmr_3.exe

description	pid	process
Token: SeBackupPrivilege	1968	vssvc.exe
Token: SeRestorePrivilege	1968	vssvc.exe
Token: SeAuditPrivilege	1968	vssvc.exe
Token: SeSecurityPrivilege	1692	wevtutil.exe
Token: SeBackupPrivilege	1692	wevtutil.exe
Token: SeSecurityPrivilege	620	wevtutil.exe
Token: SeBackupPrivilege	620	wevtutil.exe
Token: SeSecurityPrivilege	1016	wevtutil.exe
Token: SeBackupPrivilege	1016	wevtutil.exe
Token: SeSecurityPrivilege	1276	wevtutil.exe
Token: SeBackupPrivilege	1276	wevtutil.exe
Token: SeTakeOwnershipPrivilege	1508	rdmr_3.exe
Token: SeTakeOwnershipPrivilege	1508	rdmr_3.exe
Token: SeTakeOwnershipPrivilege	1508	rdmr_3.exe
Token: SeTakeOwnershipPrivilege	1508	rdmr_3.exe
Token: SeTakeOwnershipPrivilege	1508	rdmr_3.exe
Token: SeTakeOwnershipPrivilege	1508	rdmr_3.exe
Token: SeTakeOwnershipPrivilege	1508	rdmr_3.exe
Token: SeTakeOwnershipPrivilege	1508	rdmr_3.exe
Token: SeTakeOwnershipPrivilege	1508	rdmr_3.exe
Token: SeTakeOwnershipPrivilege	1508	rdmr_3.exe
Token: SeTakeOwnershipPrivilege	1508	rdmr_3.exe
Token: SeTakeOwnershipPrivilege	1508	rdmr_3.exe
Token: SeTakeOwnershipPrivilege	1508	rdmr_3.exe
Token: SeTakeOwnershipPrivilege	1508	rdmr_3.exe
Token: SeTakeOwnershipPrivilege	1508	rdmr_3.exe
Token: SeTakeOwnershipPrivilege	1508	rdmr_3.exe
Token: SeTakeOwnershipPrivilege	1508	rdmr_3.exe
Token: SeTakeOwnershipPrivilege	1508	rdmr_3.exe
Token: SeTakeOwnershipPrivilege	1508	rdmr_3.exe
Token: SeTakeOwnershipPrivilege	1508	rdmr_3.exe
Token: SeTakeOwnershipPrivilege	1508	rdmr_3.exe
Token: SeTakeOwnershipPrivilege	1508	rdmr_3.exe
Token: SeTakeOwnershipPrivilege	1508	rdmr_3.exe
Token: SeTakeOwnershipPrivilege	1508	rdmr_3.exe
Token: SeTakeOwnershipPrivilege	1508	rdmr_3.exe
Token: SeTakeOwnershipPrivilege	1508	rdmr_3.exe
Token: SeTakeOwnershipPrivilege	1508	rdmr_3.exe
Token: SeTakeOwnershipPrivilege	1508	rdmr_3.exe
Token: SeTakeOwnershipPrivilege	1508	rdmr_3.exe
Token: SeTakeOwnershipPrivilege	1508	rdmr_3.exe
Token: SeTakeOwnershipPrivilege	1508	rdmr_3.exe
Token: SeTakeOwnershipPrivilege	1508	rdmr_3.exe
Token: SeTakeOwnershipPrivilege	1508	rdmr_3.exe
Token: SeTakeOwnershipPrivilege	1508	rdmr_3.exe
Token: SeTakeOwnershipPrivilege	1508	rdmr_3.exe
Token: SeTakeOwnershipPrivilege	1508	rdmr_3.exe
Token: SeTakeOwnershipPrivilege	1508	rdmr_3.exe
Token: SeTakeOwnershipPrivilege	1508	rdmr_3.exe
Token: SeTakeOwnershipPrivilege	1508	rdmr_3.exe
Token: SeTakeOwnershipPrivilege	1508	rdmr_3.exe
Token: SeTakeOwnershipPrivilege	1508	rdmr_3.exe
Token: SeTakeOwnershipPrivilege	1508	rdmr_3.exe
Token: SeTakeOwnershipPrivilege	1508	rdmr_3.exe
Token: SeTakeOwnershipPrivilege	1508	rdmr_3.exe
Token: SeTakeOwnershipPrivilege	1508	rdmr_3.exe
Token: SeTakeOwnershipPrivilege	1508	rdmr_3.exe
Token: SeTakeOwnershipPrivilege	1508	rdmr_3.exe
Token: SeTakeOwnershipPrivilege	1508	rdmr_3.exe
Token: SeTakeOwnershipPrivilege	1508	rdmr_3.exe
Token: SeTakeOwnershipPrivilege	1508	rdmr_3.exe
Token: SeTakeOwnershipPrivilege	1508	rdmr_3.exe
Token: SeTakeOwnershipPrivilege	1508	rdmr_3.exe
Token: SeTakeOwnershipPrivilege	1508	rdmr_3.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rdmr_3.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1508 wrote to memory of 1836	1508	rdmr_3.exe	cmd.exe
PID 1508 wrote to memory of 1836	1508	rdmr_3.exe	cmd.exe
PID 1508 wrote to memory of 1836	1508	rdmr_3.exe	cmd.exe
PID 1508 wrote to memory of 1836	1508	rdmr_3.exe	cmd.exe
PID 1836 wrote to memory of 1812	1836	cmd.exe	vssadmin.exe
PID 1836 wrote to memory of 1812	1836	cmd.exe	vssadmin.exe
PID 1836 wrote to memory of 1812	1836	cmd.exe	vssadmin.exe
PID 1836 wrote to memory of 1812	1836	cmd.exe	vssadmin.exe
PID 1508 wrote to memory of 1532	1508	rdmr_3.exe	cmd.exe
PID 1508 wrote to memory of 1532	1508	rdmr_3.exe	cmd.exe
PID 1508 wrote to memory of 1532	1508	rdmr_3.exe	cmd.exe
PID 1508 wrote to memory of 1532	1508	rdmr_3.exe	cmd.exe
PID 1532 wrote to memory of 1692	1532	cmd.exe	wevtutil.exe
PID 1532 wrote to memory of 1692	1532	cmd.exe	wevtutil.exe
PID 1532 wrote to memory of 1692	1532	cmd.exe	wevtutil.exe
PID 1532 wrote to memory of 1692	1532	cmd.exe	wevtutil.exe
PID 1508 wrote to memory of 1476	1508	rdmr_3.exe	cmd.exe
PID 1508 wrote to memory of 1476	1508	rdmr_3.exe	cmd.exe
PID 1508 wrote to memory of 1476	1508	rdmr_3.exe	cmd.exe
PID 1508 wrote to memory of 1476	1508	rdmr_3.exe	cmd.exe
PID 1476 wrote to memory of 620	1476	cmd.exe	wevtutil.exe
PID 1476 wrote to memory of 620	1476	cmd.exe	wevtutil.exe
PID 1476 wrote to memory of 620	1476	cmd.exe	wevtutil.exe
PID 1476 wrote to memory of 620	1476	cmd.exe	wevtutil.exe
PID 1508 wrote to memory of 1660	1508	rdmr_3.exe	cmd.exe
PID 1508 wrote to memory of 1660	1508	rdmr_3.exe	cmd.exe
PID 1508 wrote to memory of 1660	1508	rdmr_3.exe	cmd.exe
PID 1508 wrote to memory of 1660	1508	rdmr_3.exe	cmd.exe
PID 1660 wrote to memory of 1016	1660	cmd.exe	wevtutil.exe
PID 1660 wrote to memory of 1016	1660	cmd.exe	wevtutil.exe
PID 1660 wrote to memory of 1016	1660	cmd.exe	wevtutil.exe
PID 1660 wrote to memory of 1016	1660	cmd.exe	wevtutil.exe
PID 1508 wrote to memory of 1604	1508	rdmr_3.exe	cmd.exe
PID 1508 wrote to memory of 1604	1508	rdmr_3.exe	cmd.exe
PID 1508 wrote to memory of 1604	1508	rdmr_3.exe	cmd.exe
PID 1508 wrote to memory of 1604	1508	rdmr_3.exe	cmd.exe
PID 1604 wrote to memory of 1276	1604	cmd.exe	wevtutil.exe
PID 1604 wrote to memory of 1276	1604	cmd.exe	wevtutil.exe
PID 1604 wrote to memory of 1276	1604	cmd.exe	wevtutil.exe
PID 1604 wrote to memory of 1276	1604	cmd.exe	wevtutil.exe
PID 1508 wrote to memory of 1084	1508	rdmr_3.exe	cmd.exe
PID 1508 wrote to memory of 1084	1508	rdmr_3.exe	cmd.exe
PID 1508 wrote to memory of 1084	1508	rdmr_3.exe	cmd.exe
PID 1508 wrote to memory of 1084	1508	rdmr_3.exe	cmd.exe
PID 1508 wrote to memory of 900	1508	rdmr_3.exe	cmd.exe
PID 1508 wrote to memory of 900	1508	rdmr_3.exe	cmd.exe
PID 1508 wrote to memory of 900	1508	rdmr_3.exe	cmd.exe
PID 1508 wrote to memory of 900	1508	rdmr_3.exe	cmd.exe
PID 1508 wrote to memory of 864	1508	rdmr_3.exe	cmd.exe
PID 1508 wrote to memory of 864	1508	rdmr_3.exe	cmd.exe
PID 1508 wrote to memory of 864	1508	rdmr_3.exe	cmd.exe
PID 1508 wrote to memory of 864	1508	rdmr_3.exe	cmd.exe
PID 1508 wrote to memory of 1920	1508	rdmr_3.exe	cmd.exe
PID 1508 wrote to memory of 1920	1508	rdmr_3.exe	cmd.exe
PID 1508 wrote to memory of 1920	1508	rdmr_3.exe	cmd.exe
PID 1508 wrote to memory of 1920	1508	rdmr_3.exe	cmd.exe
PID 1508 wrote to memory of 1532	1508	rdmr_3.exe	cmd.exe
PID 1508 wrote to memory of 1532	1508	rdmr_3.exe	cmd.exe
PID 1508 wrote to memory of 1532	1508	rdmr_3.exe	cmd.exe
PID 1508 wrote to memory of 1532	1508	rdmr_3.exe	cmd.exe
PID 1532 wrote to memory of 1228	1532	cmd.exe	vssadmin.exe
PID 1532 wrote to memory of 1228	1532	cmd.exe	vssadmin.exe
PID 1532 wrote to memory of 1228	1532	cmd.exe	vssadmin.exe
PID 1532 wrote to memory of 1228	1532	cmd.exe	vssadmin.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1564 attrib.exe

pid	process
1564	attrib.exe

C:\Users\Admin\AppData\Local\Temp\rdmr_3.exe
"C:\Users\Admin\AppData\Local\Temp\rdmr_3.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Modifies WinLogon
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:1812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wevtutil clear-log Application
2⤵
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\SysWOW64\wevtutil.exe
wevtutil clear-log Application
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wevtutil clear-log Security
2⤵
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\SysWOW64\wevtutil.exe
wevtutil clear-log Security
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wevtutil clear-log Setup
2⤵
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\SysWOW64\wevtutil.exe
wevtutil clear-log Setup
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wevtutil clear-log System
2⤵
- Suspicious use of WriteProcessMemory
PID:1604

C:\Windows\SysWOW64\wevtutil.exe
wevtutil clear-log System
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
2⤵
PID:1084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wbadmin delete systemstatebackup -deleteoldest -quiet
2⤵
PID:900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ftype redeemer="C:\Windows\system32\cmd.exe" /c msg * Redeemer Ransowmare - this file cannot be opened until decrypted. Check ReadMe.TXT for more details how to decrypt your file.
2⤵
- Modifies registry class
PID:864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c assoc .redeem=redeemer
2⤵
- Modifies registry class
PID:1920

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\rem.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /All /Quiet
3⤵
- Interacts with shadow copies
PID:1228

C:\Windows\SysWOW64\wevtutil.exe
wevtutil clear-log Application
3⤵
PID:1440

C:\Windows\SysWOW64\wevtutil.exe
wevtutil clear-log Security
3⤵
PID:1660

C:\Windows\SysWOW64\wevtutil.exe
wevtutil clear-log Setup
3⤵
PID:1276

C:\Windows\SysWOW64\wevtutil.exe
wevtutil clear-log System
3⤵
PID:1936

C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
3⤵
- Runs ping.exe
PID:1724

C:\Windows\SysWOW64\attrib.exe
attrib -h -r -s *.*
3⤵
- Views/modifies file attributes
PID:1564

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1968

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Indicator Removal on Host

T1070

File Deletion

T1107

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0c1919a0-44c8-4fae-925e-48a839f4156c.tmp.redeem
MD5
0c7e678bff2b4b47da14b9714de39b86

SHA1
57da27dea61264431928dce479944f05be441437

SHA256
6e472704068c1a04e178a08e94723de9ff62447acb171982eae5c402422bc12a

SHA512
cb3e0a9c7ff55d213384d8a79f8b9816d8cdc03c0533e5e5b44d151855d039fc04aee6208b0793bedc2a484bd66f9eefdc797646beb821fed9341110551194cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\1b3ed5da-7a5f-4f4e-bdaf-7e40401ba0c7.tmp.redeem
MD5
de48aad377804ccd4724f39c376749b6

SHA1
d8aeed479ec7a71b4528deada34e625b8be30768

SHA256
2b8de0c59d331b0decf6bea3a4da3e559c59d7c30f8a9b1cdf029eb839a94c06

SHA512
eb9b93ef20b046cb33b5d2facf97a9c03f30fb4d9ea4dd1162a66fb2bd9eeab80b68f71fc9ea76ab4407a6e593c413b9266e7b92531da40c0aac8ad62ba071cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ba67d42-8a01-4556-b51e-6d2a52d9fd26.tmp.redeem
MD5
4ffad08ef9b804dd852e86a15a9343a7

SHA1
01fa0139cb0fbc8892abf590400136022309120b

SHA256
00c69adc8f996e27a4afdd3273de1981c3b680d9c020bf2d14efc8163194596c

SHA512
82050aaf09b928f2f2e27bf282502d38fbd0fa565bd8d7e6f4415f47c0bfe28e922919cc35eace8ad55c862e41d192a6f05d3c43221d6c38f516c0efc7b9a75c

Download Submit
C:\Users\Admin\AppData\Local\Temp\6b72f755-a2e9-49ad-92c7-f6b2676f7a82.tmp.redeem
MD5
e9a0591f6f6cc8a67800a3d72774aca3

SHA1
5479eaf074838f5e59c2ee5f4adaf8a64dff61e0

SHA256
4026b72ecef9967d8823dc07d7b13e899e3b7f549e714cefa34a57e9d075f821

SHA512
5e8cba6103b3ac1977a5e72dd18dff07421c36e4d51df110706b1dfb45e93a2022f12f67291088615b709e6abf79ba6e691cc22962c49a82f434132b5c88c0cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ff4d7b2-c0c7-4c01-a745-1de4db285eeb.tmp.redeem
MD5
cf16d1291633d53e7bd3647ea60843df

SHA1
21e7af5f6e32d2df5850dd142ae437e1f80c7712

SHA256
ad8953cc412a7f6fcb98ea7950df9a4260405f00411c79cda7e34e5428c09249

SHA512
514fd1a81bdd4d3d29a1305e624826b3f1465606d2ca3de5736cd402b9488780e4081340cf5408af2b2fb82b1ee1e5e6fb68eacc9811e4dd4504117764d396b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\9a80f130-1150-4939-9893-99021df73ea0.tmp.redeem
MD5
11059b1a61425de8ec71572df1040bc7

SHA1
2aa275973840506b2b8f23470d3054912dcb6124

SHA256
9308b5c95f928c32487daa4e864b710fa1918af97bdb727e0901e398b9beb358

SHA512
44ce3e9e70cae573e2188654dbbee992893a6ad9c0b2dfa8bbeb968dc690082e778e0ac3d084cbc5a814811b5d6d54222c8f40f645976b3f18f88f63f7455215

Download Submit
C:\Users\Admin\AppData\Local\Temp\9f24dec6-69fc-4aa5-a967-c61157822192.tmp.redeem
MD5
52ca694197c52933edb5c4402a185a47

SHA1
8d94afa918b9abcaa9855d15106b510990a523dd

SHA256
e0ea6e4d04647bbee4424c8ccc5368658b6e61a4f58ab2af8d5ed44846385023

SHA512
fa94a737e2a32668eedd7436e9cdd99db4b3ebdbe5366c4081cf98c931aeeaf7d8ed90f4ab3e8a7d8997c09d32a1362d1e13ac59aa34b79b2dfc2bdd05a20b48

Download Submit
C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00000.log.redeem
MD5
d00f9cc0d037cb771423f45a8c43f320

SHA1
8cacf7e0b3618ae9670b0c420e2d56563476a0c1

SHA256
11bcc34f15924f13a6e79efeceb267d8c2fd04f5d725c9a5e5733417cf5df7c0

SHA512
f40363b6f522086d94fc67076e6c4effdae0ca13aaae1d853ee3d659f5e814c88b5072f22cbc8ae7861cc4921b30fcc96162fdaa8e6fa21e5140df8ba41ee3b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00001.log.redeem
MD5
8d10b56e079ab764041079852f7b92fb

SHA1
b855f16d440da519b3e7073474b9851fa2f7ad17

SHA256
ed1f7e0955277dabd2ad9ae3278a80d544d3138032b533ad58571c7ca873feaa

SHA512
a2e6e4038da384d642807360cdd093f96ac5b6d5ff91876281787ce9ce90060cef0b49547969a5324fa7ddaaa63e9276e04a7a8808cd119298455aa065c2435c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp.redeem
MD5
983110444bb1e2e3367f7d1bec91a199

SHA1
4e367b885988fae3e8b9df93ef85f98aed8ec717

SHA256
1795dfa6d6691cc76185d7d90a117980a7277b08a1476a77d812b53016e10f51

SHA512
7b1d251398e42b8745eee98990d7bad8017d92b283f588fd6a427ec32b36e9e642f2742311d12653591faa3a219ae28ced992e63a70454ff50ea1f3149d362b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\JavaDeployReg.log.redeem
MD5
4a78b0fae960a233950c06bf75e5ac02

SHA1
ee39eb7ef831c59143bb31f16de9c4e73e861002

SHA256
b5b4f27581541c674896d5b5ed845a521c20607bf97e85590703bfaa27e7ca08

SHA512
846e12a996ebfe83ff3454dc8a7614fd676d2832050cda2b0a547888cd6c4418858b81f4f6042ebb5aff4c38e56aaf9292a4d6b29995d9100b5bff8c5567ff08

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20210920_131035753-MSI_netfx_Full_x64.msi.txt.redeem
MD5
3f7661e740a6458c125d8706d7f8d516

SHA1
59cf26ad1e8347efaae8bff993929407669cdaa2

SHA256
c2af58a280b46efabf5424b434de714cc503ac07eababc15aa038635e3582c35

SHA512
ac9770a7bae6f0812e0c28b39e8132341b8d93a3ac586e596b84464eb9a01305ba5256da24c3b1474b373e7dff3768646d794a7f5d1ac9d411cb52532784a88c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20210920_131035753.html.redeem
MD5
8f1df694ace567ff50226f7ddc1dea54

SHA1
a990e7ecde898f0ce436418308efb323c5bedeab

SHA256
80252ebe761d24d306fa78b2d86ebaa043649c8d90d06b909f251cbe61a399ce

SHA512
90d024113f693fb01461387255a6852cb9a835abe33fbbb2fcc9e1a3afd772b573966ffbdb82dbddd0eb9e4a5263f55d471472e47165ed6a6a566f87ed6ab303

Download Submit
C:\Users\Admin\AppData\Local\Temp\RD6F36.tmp.redeem
MD5
690eb88f7a4490be373b3b68c61e6093

SHA1
d6dff9943ff77f30981dd11972a6b7653fc9ad55

SHA256
dc2fbfd16da3006ff18fd27028e966d3f9bafbe9791adac84cf2a302aa127712

SHA512
48929a4dd7ea9ba97a6c79f35783e4d08f9f364037ceaebe4eb58540cb9e31e5ca67359410632276ae59a971d922b27052bf1dabe21875a3f47794b431b079f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RGI1871.tmp-tmp.redeem
MD5
162d854357803eb78723b8ce1ae4fad5

SHA1
48ecf31a3824ec94caf2c759da05809f1d1b0a8c

SHA256
406aefd8b59944042facfbc5887fccf958c2363959144870fc1b5c48e4cf6689

SHA512
6e8349161857e01fcd3e29bbbdb16a7d0049c309ce7b489797efafefba16fe86c24c7d4ceefd0ebdb33d20cee46cd7084dc40b80a761e4b428d672b2632063f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RGI1871.tmp.redeem
MD5
5c0124cbfbbeb54394eda5b698564b5f

SHA1
0bf509ce6b6ade7333eaf787b57b34a03ab183e3

SHA256
edcc3ffdc3daea7a094e78350f95eb218bb01dd84cfafe2df5a3c19dbea0c70b

SHA512
83daebf10aea47e19e29346fad90ddc22094cb27e94f18d2217dac73e731afa73da1c2a6a71ca3e695fab88260b9cee776fa4173c53bdc2ea20a6d9044182ad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Read Me.TXT
MD5
f52cd750015318b7b57ba5d7fe166f23

SHA1
6bdfdb224fe0b077d658f4e4471980ee243d3fc3

SHA256
63c935290037541a1a5f85508c0135974516aaaca778a2dd3354121fab768ef0

SHA512
1477f371d5e10f1c515b01e588a7949bd6adefaed5566bcce857b05dbd27e8dc4c01413df2659721b7fcfcd9c1d12122a5f5138815dd00346cebbf12a0a5fe26

Download Submit
C:\Users\Admin\AppData\Local\Temp\SetupExe(202109201319267F8).log.redeem
MD5
e82cd1a2d7a986adcd366b107e122851

SHA1
ef374e0ce495fe171d4e645ed92662e78fe4bb1b

SHA256
252995a40cbf4518a9b31e0f901602c51ccb9e9525f44b19662720e06fb6d0cc

SHA512
042c0c0d24f0cceec81a2735e4d988b38772950788d7d69c3b908c5f9992f32c38b9cf392b0904f80a89e055d63fa27474de99a11da925d74216d0678fefe5ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\c60bcdcc-1e5c-4b98-8712-bd44cf4c7af8.tmp.redeem
MD5
967a5a140c04841edb69ebf990ecbd33

SHA1
5d9acd1d7b11af4c3e89a39349b8a4fa2fb8f0b1

SHA256
834eafbc6831d0f0b768d7f3bb9109d81de5b800112cf476596bef27a779e7eb

SHA512
7e854c3407c788a88cdc3a32b049fe5fb5134691b7de121c9d1e03a86cc3a2a0f72c358bcc353fa550f0fee9de2ef46b1e7f03b02cef75ac2ebe6521c46087a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbd69d6e-a4b2-445e-b5cb-61393562b8ad.tmp.redeem
MD5
edfcc21874024f15e0486549450f24dc

SHA1
5158a51595d5d7fdbb2e204bbf170948800da5a0

SHA256
c42ebb34788653d935288caa6c5a6699f62e5d1c61619fbe4944c7fda835e694

SHA512
246443815a2a695c606be13449eebf04aa42cf854455d0e53be269f7cd188d6e0708dc7f3d084f09b040199436ada1377a2d95eaf8ba02ff88a9cd466aa85926

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log.redeem
MD5
f9d9baac2cfbea1f1f1fcd8df9893876

SHA1
f7b536ebd167e960c1c8d7817329e2013c1c49ba

SHA256
90be2bc43841bc7151d68b8342e33fadc04914233bd87fa32ed66177bdd667e8

SHA512
5e3a5e87f8b741995a35e589487b477193f6ed0bcd9883cf75579dd5b4feb1fcd283b3130fea0aa97632f0c9d7e322fd8bdab054b7678954091b54e9b628fecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt.redeem
MD5
b53a4f1fa39e9f1a2ab6609db8ec2884

SHA1
9fe8026f9ca70a92e4c2e20ca9e05cfce60632c6

SHA256
ad83f0c3217f4c982439551ab39c0b979d9996e260176a03442369c97500b9c5

SHA512
fd77addbc5e56f3808e07ddcec566c8fb2ebd8371b4f71aeb1e8f8bda6e57f98a166c77b6b785f7b1aacecbc686ac1ded56dd308cf0822cec0908492707a5875

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_SetupUtility.txt.redeem
MD5
014233fe16188887a6eac08084527dde

SHA1
5c407bf80340beb6774ceb04f6ef4163b76e9323

SHA256
3261f48a24979bc4d1e0100801be8ef6f8050a9d15f6868d874c4cbf9ae4872b

SHA512
4936e4c609edd714fe0d9d6c7bb4dda9182558b322255db496a85a5e30ed9afa648ef902b0a123dfa2d1568c72feee3f4ed41d38061a108bdc150af23bba9baa

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI37BF.txt.redeem
MD5
38020ecbc9d03c6be200304ba73e93e5

SHA1
843c6c9b3e7c41821583c9be1297a05813b7b787

SHA256
0d540529e93c6139c475e3db34326322670dcaf44607595adcb3004ef69ef051

SHA512
dbb68de1bfffdf5a4640406f4df9d8146023d8ee13c974544313218099337c2ba8064195c6643eaa2c37520cc1a06d97ba2bf32184b7e32169879efd7f76993e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI37BF.txt.redeem
MD5
3bc5dc384e52109f55436f81b43a82f5

SHA1
5a8745c059e699f96d0c665e949feae3240d52c4

SHA256
141b28ba2475d7a7a21c43f49ed1b22efd6480abea686d7f58519c52c6ede495

SHA512
ed1b5d754a94212e045be7de7539a797339b10c6e03124d6724b07cbbfb4779fa714b01df43e9155388835db77b81ecdad133bcbd966937e1c7c2102ff9338b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_wcf_CA_smci_20210920_131101_805.txt.redeem
MD5
1856169476e78f44bbe2d708451b71d4

SHA1
b671797351a67f55f1763617612061294e561108

SHA256
51d01e3bf410527b1dd96c71760c32fe43cb10149d4bed8d7f738fe54c27ef37

SHA512
797a1fc951cde587c2798b37f78fddf5e97d430f8000a1aa26912495e54b5ccbee1fa788a8d18718ca154007c8586b9dc4871c385e95207ebd8691e40051ad61

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_wcf_CA_smci_20210920_131103_412.txt.redeem
MD5
2375527ea3538d9598ea1a57ca9621e5

SHA1
f85814f23e2f68528a5dd91a0cca7db646840068

SHA256
d0ce3e7f61a5071d3f64f55b08c5ed255e8fdc4740233f447ee9b6dc2a65582b

SHA512
7370599ecd280b1a7577abbbb7c67834ad165b6280719f4455ec558775c260268bb21b921074ff41781f0bbc255d355d49352395dfa8a0df95931f674f8827d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install.log.redeem
MD5
c8bfba3899ea9f8a57def232e97e5cb9

SHA1
280b45f4dbc5eb16f63005a6482bd6c612365aed

SHA256
f5db611bf129c39e47650d46b1df51f4c0140bcd3428136f0312ef24b1786cd6

SHA512
cae670659674d214907655cc37c8f0ff794fb9c9c2599e96b156f67bcaf8e7398fd26269850dbea14891a07682bc8432063162f72e8ae76a199dd95b67e643ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install_reg.log.redeem
MD5
eb017720064d2c187fdfd6c0598f3979

SHA1
6a3783d7c0a0326a44971c9052ff625331e3431d

SHA256
131a01d3548ad1aa66e054e57eb7d92fc33a369a0f3a679fd728ae9bcee53e04

SHA512
59f979c1cde579f9a2b651a60ba015ab0b1ea7ff53cdfbd4ddd8a617b796ea04845476fbe203f9e8bad1396b6505d57d765a6683e6f6abf088d29bfd35150ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\jawshtml.html.redeem
MD5
fa7e24ad0011f369703acc3f4dac8c62

SHA1
dd1895049781d7b9c441ade7c0134f3996f34cc3

SHA256
4d91cd8ae2fd7454404bcb03104f3bb117ed5ecfb8e7821d38b1ec315938c6ad

SHA512
55aa8d5d31858a437ebcf90d0485eb2b2c642190682c10038996f803e6c79d4c2bc144399de2837ef8c1091685484216fb59e5f57ff751f34974d72ccfc3ec2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log.redeem
MD5
eb4be91db59b23ddbb3633df87c87dad

SHA1
8a933d9ccb00825a85f5563a3049696dbb59a28c

SHA256
9945370823d4d1f21b4616b9792fb2f9073d4268022aba8d710961f2b051fd84

SHA512
bc493b7c3be1919e6a609085a2953567cdf0663f441247d4c3d3145c59674a05b1cfd254aecb5e2624390b5882bfbef25957f4dcba8ac3d8f0b96ddc8c67b70f

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup-20210920-132802-0.log.redeem
MD5
1fff0a29afd2e7f5cecb433365493a51

SHA1
ac2f17eb563378993580e4bdee54c45cdede1ea6

SHA256
4601510dffb7e761501981dc0621c0f4680fc1a7f94d17a81eb82cd56f30e3e2

SHA512
61a83dabae85e3a99ef6ea69c4e04917658b0f9d578c9ac0a826fdf8bc1140e4b05b30a2afcd1443d254d286f266300d458dcd719c0dbb493d94b6a1d5901b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup-20210920-133137-0.log.redeem
MD5
7d4551e4c04c3ce97dbd2d2e19aa4fc6

SHA1
b2fcbd49ca11f435c001a088fbaa79234a0c95e9

SHA256
818b27ee94485fc32f3ed61ea6701d55ac50572c4d1eb936a2dc79bc821aaf24

SHA512
91290f867dd781a7e21f25d08a2f7a55beb79ed43ddbc351c84972c7e75c385b5da24140c7228d48029f32700d66039f80ebb7f4175f99d692232b6ebb51be19

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup-20210920-133450-0.log.redeem
MD5
b6c47924f5069f712eba8d1a4f3011a8

SHA1
8d3811ff6c76cb74f3b256d83140733768a6061c

SHA256
b882075e22744d9258bcc99736255759d2dfbc5549d168671161bf222e84c5e2

SHA512
78175e019a88b95ab051fd42faed693413d20435cfb6dcb6409c6c93e4bd0a22d62471bac9ebbec0fa99756f620c1e43f581ce53caf3a79d77973c6aee2c9008

Download Submit
C:\Users\Admin\AppData\Local\Temp\rem.bat
MD5
6881b34456863e9f8fa0a66fb60bb21a

SHA1
ccc31f6057c273c774a36b1ac76b2e2e0faf9d6f

SHA256
a932f4eb13c4c7bc0ca0152ff3fdbd58c8ec8d218350b439837fd3f7242cf64b

SHA512
5ce597dc94a8af0d315aa2fa2b6bd84a65666f4bc0cb297fe3768acc0a4f1a918bac80a9fb571991854aa3d8e058c4aa954cc95c67ad613d0d0a12d165c39551

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log.redeem
MD5
9271178a34227276e9e3d2fe61fb73b9

SHA1
d62e0cbcf198f39cbcf0188490af9d7150c44890

SHA256
b68f99e134d9ac2605938daaac846230657a731eabc7ef7ef6de01905f8a46fd

SHA512
f0f5e9a2ab132c0e6e85e68cbb355067d7207ba5ebbd0952bcfde515decf9decaf5fa861cbce042ac43a59000e56b89d78f000a8b98a543e85967c379b23c834

Download Submit
memory/620-59-0x0000000000000000-mapping.dmp

Download
memory/864-66-0x0000000000000000-mapping.dmp

Download
memory/900-65-0x0000000000000000-mapping.dmp

Download
memory/1016-61-0x0000000000000000-mapping.dmp

Download
memory/1084-64-0x0000000000000000-mapping.dmp

Download
memory/1228-71-0x0000000000000000-mapping.dmp

Download
memory/1276-74-0x0000000000000000-mapping.dmp

Download
memory/1276-63-0x0000000000000000-mapping.dmp

Download
memory/1440-72-0x0000000000000000-mapping.dmp

Download
memory/1476-58-0x0000000000000000-mapping.dmp

Download
memory/1508-53-0x0000000076B61000-0x0000000076B63000-memory.dmp

Filesize
8KB

Download
memory/1532-69-0x0000000000000000-mapping.dmp

Download
memory/1532-56-0x0000000000000000-mapping.dmp

Download
memory/1564-77-0x0000000000000000-mapping.dmp

Download
memory/1604-62-0x0000000000000000-mapping.dmp

Download
memory/1660-73-0x0000000000000000-mapping.dmp

Download
memory/1660-60-0x0000000000000000-mapping.dmp

Download
memory/1692-57-0x0000000000000000-mapping.dmp

Download
memory/1724-76-0x0000000000000000-mapping.dmp

Download
memory/1812-55-0x0000000000000000-mapping.dmp

Download
memory/1836-54-0x0000000000000000-mapping.dmp

Download
memory/1920-67-0x0000000000000000-mapping.dmp

Download
memory/1936-75-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads