koxic | 699159e695e230a48d94b6103b48940ed596d0b48fb6d936c04d86eed539cecd

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-en-20211208
submitted
21-01-2022 11:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

enc.exe
Size

156KB
MD5

14ee62fcc9163509856671400429ad55
SHA1

7544332b52769ca853d900669ef5e272a2ae1665
SHA256

699159e695e230a48d94b6103b48940ed596d0b48fb6d936c04d86eed539cecd
SHA512

4d71c87be6f6ad7c9f3277b60850cd7136cecfd5f15621d1e56b1897008da8cc742578112ea955f8417c8d4cf13bcfb92e7ceafb34720017b47d81c4d2603bff

Score

10^/10

koxic evasion ransomware trojan

Malware Config

Extracted

Path

C:\Documents and Settings\WANNA_RECOVER_KOXIC_FILEZ_GWOFW.txt

Ransom Note

--=== Hello. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. All sensitive information also leaked. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should send sample to us to decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise-time is much more valuable than money. [+] How to contact us? [+] You have two ways: 1) [Recommended] Using an email Just write us an email to [email protected] 2) Quick contact with us or if you will not receive our letters download qTox and ADD our TOXID: F3C777D22A0686055A3558917315676D607026B680DA5C8D3D4D887017A2A844F546AE59F59F How to download QTOX: - https://tox.chat/download.html - https://github.com/qTox/qTox/releases/download/v1.17.3/setup-qtox-x86_64-release.exe Add our mails to contacts so as not to lose letters from us. Check your spam sometimes, our emails may get there. [+] Consequences if we do not find a common language [+] 1. The data were irretrievably lost. 2. Leaked data will be published or sold on blmarket (or to competitors). 3. In some cases, DDOS attacks will be applied to your inftastructure. !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!! Your UserID: 3CAAD560B9DD8BEA42D45863345B4FA3DFA1A4F158B1121D8B7364B60DEA6C28F64C2C3992975FFA26AE951BFA7EB56233C4A305A31F00909BD391B2569A841E77CB66EDF70C17F16631B154FC20D29BF2678AC751A5E6A2CF37ECA4E16B69C45FF1930E7DD73A17B284A9A64DFC64ADEB4D12D23A94FF5E2D57C4C923569CD9D15FD516EE37C068451B9A160C48A5AF452CBA532519BC6C27F1744BAF6D9A550AAB17B955BEC2AAF0B5DAD4DE192EE381087B8B18184F17A74F9BB3D735E026523B5AA1DBE35253A3637FDCC82E3B72643F539E73DD6DBE51A45FFA83E7A9A796463543D6850D860087F0E695DBDF7C6CB1011F4F0AC2A9BA26F0249D7696343082010A0282010100DF0C314434C1F9DC94B20FCB2448958BD49FD799BAFBAE622B3E4C6004DF9C47D5F6B817A80C8E1357E5352DADE7FD6AA10425BCB59594B06840486FA8861B0A5E1FC7E08DBB6A25D2074DEF5123BD6D7AAC7FA7A698BB93BC029B003F97F0840AC8387F75C8CE647F0AC559676F649321EEC5CFB47D5BA888130F90B051529EAAFB1E7BB1B49FA30EBDE6B06ABAFBB259DE780C8A2F540BDF0AD494501D1CC6A2864B601E47023C01A17B2D7D0251537F95C053B065A06C17A2B29EB4FB2D8DB15B6FCA52622BB136097BE9B1000F366AB73F81F83BD6C0F51391C37AE304F22B2DB861C95B42A1C12C371A4A547BFD3A5CA745EBC52E35538CC6CE493F2E31020301000194C3F43FF33E4E09FD6A544B8451758347574F4657

Emails

[email protected]

URLs

https://tox.chat/download.html

https://github.com/qTox/qTox/releases/download/v1.17.3/setup-qtox-x86_64-release.exe

Signatures

Koxic
A C++ written ransomware first seen in late 2021.
ransomware koxic
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Disables taskbar notifications via registry modification
evasion

Modifies extensions of user files 18 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

enc.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\ExportStep.png => C:\Users\Admin\Pictures\ExportStep.png.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Users\Admin\Pictures\ExportStep.png.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Users\Admin\Pictures\EnterRestore.tiff.KOXIC_GWOFW	enc.exe
File renamed	C:\Users\Admin\Pictures\EnableAssert.tiff => C:\Users\Admin\Pictures\EnableAssert.tiff.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Users\Admin\Pictures\WatchCheckpoint.raw.KOXIC_GWOFW	enc.exe
File renamed	C:\Users\Admin\Pictures\SyncSave.crw => C:\Users\Admin\Pictures\SyncSave.crw.KOXIC_GWOFW	enc.exe
File renamed	C:\Users\Admin\Pictures\RevokeResolve.raw => C:\Users\Admin\Pictures\RevokeResolve.raw.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Users\Admin\Pictures\SyncSave.crw.KOXIC_GWOFW	enc.exe
File renamed	C:\Users\Admin\Pictures\EnterRestore.tiff => C:\Users\Admin\Pictures\EnterRestore.tiff.KOXIC_GWOFW	enc.exe
File renamed	C:\Users\Admin\Pictures\WatchCheckpoint.raw => C:\Users\Admin\Pictures\WatchCheckpoint.raw.KOXIC_GWOFW	enc.exe
File renamed	C:\Users\Admin\Pictures\ConvertUnprotect.tif => C:\Users\Admin\Pictures\ConvertUnprotect.tif.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Users\Admin\Pictures\EnableAssert.tiff.KOXIC_GWOFW	enc.exe
File renamed	C:\Users\Admin\Pictures\FormatRemove.raw => C:\Users\Admin\Pictures\FormatRemove.raw.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Users\Admin\Pictures\FormatRemove.raw.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertUnprotect.tif.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Users\Admin\Pictures\RevokeResolve.raw.KOXIC_GWOFW	enc.exe
File renamed	C:\Users\Admin\Pictures\MountClear.raw => C:\Users\Admin\Pictures\MountClear.raw.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Users\Admin\Pictures\MountClear.raw.KOXIC_GWOFW	enc.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

792 cmd.exe

pid	process
792	cmd.exe

Windows security modification 2 TTPs 8 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

enc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2"	enc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\UX Configuration	enc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\UX Configuration\NotificationSuppress = "1"	enc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	enc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtectione = "0"	enc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet	enc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\DisableBlockAtFirstSeen = "1"	enc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\LocalSettingOverrideSpynetReporting = "0"	enc.exe

Drops file in Program Files directory 64 IoCs

Processes:

enc.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00297_.WMF.KOXIC_GWOFW	enc.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ckb\LC_MESSAGES\WANNA_RECOVER_KOXIC_FILEZ_GWOFW.txt	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Solstice.xml.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\shvlzm.exe.mui.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\PROOF\MSWDS_FR.LEX.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\ProPlusWW.XML.KOXIC_GWOFW	enc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Triedit\WANNA_RECOVER_KOXIC_FILEZ_GWOFW.txt	enc.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Shanghai.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\license.html.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\sd\icecast.luac.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\GrooveFormsMetaData.xml.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00443_.WMF.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotsdarkoverlay.png.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Samara.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.png.KOXIC_GWOFW	enc.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\WANNA_RECOVER_KOXIC_FILEZ_GWOFW.txt	enc.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_dot.png.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145373.JPG.KOXIC_GWOFW	enc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\WANNA_RECOVER_KOXIC_FILEZ_GWOFW.txt	enc.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\sunmscapi.jar.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Amsterdam.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0301418.WMF.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239063.WMF.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0186362.WMF.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01329_.WMF.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench.nl_ja_4.4.0.v20140623020002.jar.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files\Java\jre7\lib\meta-index.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\CLNTWRAP.HTM.KOXIC_GWOFW	enc.exe
File created	C:\Program Files (x86)\Common Files\System\fr-FR\WANNA_RECOVER_KOXIC_FILEZ_GWOFW.txt	enc.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\fr-FR\mpvis.dll.mui.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD07804_.WMF.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.services_1.2.1.v20140808-1251.jar.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground.wmv.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-favorites.xml_hidden.KOXIC_GWOFW	enc.exe
File created	C:\Program Files\Windows Defender\en-US\WANNA_RECOVER_KOXIC_FILEZ_GWOFW.txt	enc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\settings.html.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\AccessMUISet.XML.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\mset7db.kic.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR3B.GIF.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239611.WMF.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Cairo.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files\Java\jre7\lib\alt-rt.jar.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\settings.js.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\San_Juan.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0171847.WMF.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00130_.WMF.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\HEADER.GIF.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Irkutsk.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Belize.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPreviewTemplateRTL.html.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\vlc.mo.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\vlc.mo.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\PREVIEW.GIF.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_hail.png.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.xml.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\ECLIPSE_.RSA.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\localizedStrings.js.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\settings.css.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0196354.WMF.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0090027.WMF.KOXIC_GWOFW	enc.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WPFT532.CNV.KOXIC_GWOFW	enc.exe

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1960 ipconfig.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1860 vssadmin.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

560 taskkill.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

1056 notepad.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1592 PING.EXE

pid	process
1960	ipconfig.exe

pid	process
1860	vssadmin.exe

pid	process
560	taskkill.exe

pid	process
1056	notepad.exe

pid	process
1592	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exevssvc.exeenc.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	560	taskkill.exe
Token: SeBackupPrivilege	844	vssvc.exe
Token: SeRestorePrivilege	844	vssvc.exe
Token: SeAuditPrivilege	844	vssvc.exe
Token: SeBackupPrivilege	740	enc.exe
Token: SeRestorePrivilege	740	enc.exe
Token: SeManageVolumePrivilege	740	enc.exe
Token: SeTakeOwnershipPrivilege	740	enc.exe
Token: SeIncreaseQuotaPrivilege	1212	WMIC.exe
Token: SeSecurityPrivilege	1212	WMIC.exe
Token: SeTakeOwnershipPrivilege	1212	WMIC.exe
Token: SeLoadDriverPrivilege	1212	WMIC.exe
Token: SeSystemProfilePrivilege	1212	WMIC.exe
Token: SeSystemtimePrivilege	1212	WMIC.exe
Token: SeProfSingleProcessPrivilege	1212	WMIC.exe
Token: SeIncBasePriorityPrivilege	1212	WMIC.exe
Token: SeCreatePagefilePrivilege	1212	WMIC.exe
Token: SeBackupPrivilege	1212	WMIC.exe
Token: SeRestorePrivilege	1212	WMIC.exe
Token: SeShutdownPrivilege	1212	WMIC.exe
Token: SeDebugPrivilege	1212	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1212	WMIC.exe
Token: SeRemoteShutdownPrivilege	1212	WMIC.exe
Token: SeUndockPrivilege	1212	WMIC.exe
Token: SeManageVolumePrivilege	1212	WMIC.exe
Token: 33	1212	WMIC.exe
Token: 34	1212	WMIC.exe
Token: 35	1212	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1212	WMIC.exe
Token: SeSecurityPrivilege	1212	WMIC.exe
Token: SeTakeOwnershipPrivilege	1212	WMIC.exe
Token: SeLoadDriverPrivilege	1212	WMIC.exe
Token: SeSystemProfilePrivilege	1212	WMIC.exe
Token: SeSystemtimePrivilege	1212	WMIC.exe
Token: SeProfSingleProcessPrivilege	1212	WMIC.exe
Token: SeIncBasePriorityPrivilege	1212	WMIC.exe
Token: SeCreatePagefilePrivilege	1212	WMIC.exe
Token: SeBackupPrivilege	1212	WMIC.exe
Token: SeRestorePrivilege	1212	WMIC.exe
Token: SeShutdownPrivilege	1212	WMIC.exe
Token: SeDebugPrivilege	1212	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1212	WMIC.exe
Token: SeRemoteShutdownPrivilege	1212	WMIC.exe
Token: SeUndockPrivilege	1212	WMIC.exe
Token: SeManageVolumePrivilege	1212	WMIC.exe
Token: 33	1212	WMIC.exe
Token: 34	1212	WMIC.exe
Token: 35	1212	WMIC.exe
Token: SeIncreaseQuotaPrivilege	988	WMIC.exe
Token: SeSecurityPrivilege	988	WMIC.exe
Token: SeTakeOwnershipPrivilege	988	WMIC.exe
Token: SeLoadDriverPrivilege	988	WMIC.exe
Token: SeSystemProfilePrivilege	988	WMIC.exe
Token: SeSystemtimePrivilege	988	WMIC.exe
Token: SeProfSingleProcessPrivilege	988	WMIC.exe
Token: SeIncBasePriorityPrivilege	988	WMIC.exe
Token: SeCreatePagefilePrivilege	988	WMIC.exe
Token: SeBackupPrivilege	988	WMIC.exe
Token: SeRestorePrivilege	988	WMIC.exe
Token: SeShutdownPrivilege	988	WMIC.exe
Token: SeDebugPrivilege	988	WMIC.exe
Token: SeSystemEnvironmentPrivilege	988	WMIC.exe
Token: SeRemoteShutdownPrivilege	988	WMIC.exe
Token: SeUndockPrivilege	988	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

enc.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 740 wrote to memory of 1672	740	enc.exe	cmd.exe
PID 740 wrote to memory of 1672	740	enc.exe	cmd.exe
PID 740 wrote to memory of 1672	740	enc.exe	cmd.exe
PID 740 wrote to memory of 1672	740	enc.exe	cmd.exe
PID 1672 wrote to memory of 560	1672	cmd.exe	taskkill.exe
PID 1672 wrote to memory of 560	1672	cmd.exe	taskkill.exe
PID 1672 wrote to memory of 560	1672	cmd.exe	taskkill.exe
PID 1672 wrote to memory of 560	1672	cmd.exe	taskkill.exe
PID 740 wrote to memory of 1148	740	enc.exe	cmd.exe
PID 740 wrote to memory of 1148	740	enc.exe	cmd.exe
PID 740 wrote to memory of 1148	740	enc.exe	cmd.exe
PID 740 wrote to memory of 1148	740	enc.exe	cmd.exe
PID 1148 wrote to memory of 1860	1148	cmd.exe	vssadmin.exe
PID 1148 wrote to memory of 1860	1148	cmd.exe	vssadmin.exe
PID 1148 wrote to memory of 1860	1148	cmd.exe	vssadmin.exe
PID 1148 wrote to memory of 1860	1148	cmd.exe	vssadmin.exe
PID 740 wrote to memory of 1848	740	enc.exe	cmd.exe
PID 740 wrote to memory of 1848	740	enc.exe	cmd.exe
PID 740 wrote to memory of 1848	740	enc.exe	cmd.exe
PID 740 wrote to memory of 1848	740	enc.exe	cmd.exe
PID 740 wrote to memory of 1648	740	enc.exe	cmd.exe
PID 740 wrote to memory of 1648	740	enc.exe	cmd.exe
PID 740 wrote to memory of 1648	740	enc.exe	cmd.exe
PID 740 wrote to memory of 1648	740	enc.exe	cmd.exe
PID 1648 wrote to memory of 1212	1648	cmd.exe	WMIC.exe
PID 1648 wrote to memory of 1212	1648	cmd.exe	WMIC.exe
PID 1648 wrote to memory of 1212	1648	cmd.exe	WMIC.exe
PID 1648 wrote to memory of 1212	1648	cmd.exe	WMIC.exe
PID 740 wrote to memory of 1820	740	enc.exe	cmd.exe
PID 740 wrote to memory of 1820	740	enc.exe	cmd.exe
PID 740 wrote to memory of 1820	740	enc.exe	cmd.exe
PID 740 wrote to memory of 1820	740	enc.exe	cmd.exe
PID 740 wrote to memory of 1956	740	enc.exe	cmd.exe
PID 740 wrote to memory of 1956	740	enc.exe	cmd.exe
PID 740 wrote to memory of 1956	740	enc.exe	cmd.exe
PID 740 wrote to memory of 1956	740	enc.exe	cmd.exe
PID 1956 wrote to memory of 988	1956	cmd.exe	WMIC.exe
PID 1956 wrote to memory of 988	1956	cmd.exe	WMIC.exe
PID 1956 wrote to memory of 988	1956	cmd.exe	WMIC.exe
PID 1956 wrote to memory of 988	1956	cmd.exe	WMIC.exe
PID 740 wrote to memory of 1036	740	enc.exe	cmd.exe
PID 740 wrote to memory of 1036	740	enc.exe	cmd.exe
PID 740 wrote to memory of 1036	740	enc.exe	cmd.exe
PID 740 wrote to memory of 1036	740	enc.exe	cmd.exe
PID 740 wrote to memory of 1324	740	enc.exe	cmd.exe
PID 740 wrote to memory of 1324	740	enc.exe	cmd.exe
PID 740 wrote to memory of 1324	740	enc.exe	cmd.exe
PID 740 wrote to memory of 1324	740	enc.exe	cmd.exe
PID 1324 wrote to memory of 288	1324	cmd.exe	WMIC.exe
PID 1324 wrote to memory of 288	1324	cmd.exe	WMIC.exe
PID 1324 wrote to memory of 288	1324	cmd.exe	WMIC.exe
PID 1324 wrote to memory of 288	1324	cmd.exe	WMIC.exe
PID 740 wrote to memory of 1952	740	enc.exe	cmd.exe
PID 740 wrote to memory of 1952	740	enc.exe	cmd.exe
PID 740 wrote to memory of 1952	740	enc.exe	cmd.exe
PID 740 wrote to memory of 1952	740	enc.exe	cmd.exe
PID 740 wrote to memory of 316	740	enc.exe	cmd.exe
PID 740 wrote to memory of 316	740	enc.exe	cmd.exe
PID 740 wrote to memory of 316	740	enc.exe	cmd.exe
PID 740 wrote to memory of 316	740	enc.exe	cmd.exe
PID 316 wrote to memory of 1944	316	cmd.exe	WMIC.exe
PID 316 wrote to memory of 1944	316	cmd.exe	WMIC.exe
PID 316 wrote to memory of 1944	316	cmd.exe	WMIC.exe
PID 316 wrote to memory of 1944	316	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\enc.exe
"C:\Users\Admin\AppData\Local\Temp\enc.exe"
1⤵
- Modifies extensions of user files
- Windows security modification
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /F /IM MSASCuiL.exe taskkill /F /IM MSMpeng.exe taskkill /F /IM msseces.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM MSASCuiL.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin delete shadows /all /quiet sc config browser sc config browser start=enabled sc stop vss sc config vss start=disabled sc stop MongoDB sc config MongoDB start=disabled sc stop SQLWriter sc config SQLWriter start=disabled sc stop MSSQLServerOLAPService sc config MSSQLServerOLAPService start=disabled sc stop MSSQLSERVER sc config MSSQLSERVER start=disabled sc stop MSSQL$SQLEXPRESS sc config MSSQL$SQLEXPRESS start=disabled sc stop ReportServer sc config ReportServer start=disabled sc stop OracleServiceORCL sc config OracleServiceORCL start=disabled sc stop OracleDBConsoleorcl sc config OracleDBConsoleorcl start=disabled sc stop OracleMTSRecoveryService sc config OracleMTSRecoveryService start=disabled sc stop OracleVssWriterORCL sc config OracleVssWriterORCL start=disabled sc stop MySQL sc config MySQL start=disabled
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1860
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo OS INFO: > %TEMP%\JDABUAUCS"
  2⤵
  PID:1848
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic OS get Caption,CSDVersion,OSArchitecture,Version >> %TEMP%\JDABUAUCS"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic OS get Caption,CSDVersion,OSArchitecture,Version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1212
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo BIOS INFO: >> %TEMP%\JDABUAUCS"
  2⤵
  PID:1820
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic BIOS get Manufacturer, Name, SMBIOSBIOSVersion, Version >> %TEMP%\JDABUAUCS"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic BIOS get Manufacturer, Name, SMBIOSBIOSVersion, Version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:988
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo CPU INFO: >> %TEMP%\JDABUAUCS"
  2⤵
  PID:1036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic CPU get Name, NumberOfCores, NumberOfLogicalProcessors >> %TEMP%\JDABUAUCS"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic CPU get Name, NumberOfCores, NumberOfLogicalProcessors
    3⤵
    PID:288
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo MEMPHYSICAL INFO: >> %TEMP%\JDABUAUCS"
  2⤵
  PID:1952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic MEMPHYSICAL get MaxCapacity >> %TEMP%\JDABUAUCS"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:316
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic MEMPHYSICAL get MaxCapacity
    3⤵
    PID:1944
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo MEMORYCHIP: INFO >> %TEMP%\JDABUAUCS"
  2⤵
  PID:1028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic MEMORYCHIP get Capacity, DeviceLocator, PartNumber, Tag >> %TEMP%\JDABUAUCS"
  2⤵
  PID:1596
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic MEMORYCHIP get Capacity, DeviceLocator, PartNumber, Tag
    3⤵
    PID:1392
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo NIC INFO: >> %TEMP%\JDABUAUCS"
  2⤵
  PID:792
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic NIC get Description, MACAddress, NetEnabled, Speed >> %TEMP%\JDABUAUCS"
  2⤵
  PID:268
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic NIC get Description, MACAddress, NetEnabled, Speed
    3⤵
    PID:1668
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo DISKDRIVE INFO: >> %TEMP%\JDABUAUCS"
  2⤵
  PID:680
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic DISKDRIVE get InterfaceType, Name, Size, Status >> %TEMP%\JDABUAUCS"
  2⤵
  PID:1856
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic DISKDRIVE get InterfaceType, Name, Size, Status
    3⤵
    PID:1864
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo USERACCOUNT INFO: >> %TEMP%\JDABUAUCS"
  2⤵
  PID:1560
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic USERACCOUNT get Caption, Name, PasswordRequired, Status >> %TEMP%\JDABUAUCS"
  2⤵
  PID:1716
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic USERACCOUNT get Caption, Name, PasswordRequired, Status
    3⤵
    PID:604
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo IPCONFIG: >> %TEMP%\JDABUAUCS"
  2⤵
  PID:1868
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "ipconfig >> %TEMP%\JDABUAUCS"
  2⤵
  PID:1336
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig
    3⤵
    - Gathers network information
    PID:1960
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo DATABASES FILES: >> %TEMP%\JDABUAUCS"
  2⤵
  PID:1740
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe C:\Users\Admin\AppData\Local\Temp\WANNA_RECOVER_KOXIC_FILEZ_GWOFW.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1056
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\enc.exe"
  2⤵
  - Deletes itself
  PID:792
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - Runs ping.exe
    PID:1592

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\JDABUAUCS

MD5
887ae0db192785398c154a027c858317

SHA1
9e1258a3444e7f54d4a2b23bec0c020d67f285b6

SHA256
9841fc54844c86d073907913cfd2fccc49d13db491e790c6aeb30b7159e62bf5

SHA512
65364e8797ecc23d9eac18cfe0c1393e9429ee15cde33b7b936c917608196da7bf53ba7c21d9bb637c9a91797eb58a4dbb2346dc4bd9e6c947a711b381dfcb76

Download Submit
C:\Users\Admin\AppData\Local\Temp\JDABUAUCS

MD5
e6403f25d17fafd94d88dab8d559f954

SHA1
e17199a85b3f639f7e4958f66a6d11aea472f737

SHA256
4f7cd25d024340380515e1647d23d6bc46c5fec3f437d8c2d7f933eb86eab2b4

SHA512
0b4389edfad1635810fbf3b69d58ba1181147164e033c1ea325dbbb2361eca74c992d1ea3c83355b6a9249600efeea04e58643cdfbc90cd4d1349f42ede88e18

Download Submit
C:\Users\Admin\AppData\Local\Temp\JDABUAUCS

MD5
e6403f25d17fafd94d88dab8d559f954

SHA1
e17199a85b3f639f7e4958f66a6d11aea472f737

SHA256
4f7cd25d024340380515e1647d23d6bc46c5fec3f437d8c2d7f933eb86eab2b4

SHA512
0b4389edfad1635810fbf3b69d58ba1181147164e033c1ea325dbbb2361eca74c992d1ea3c83355b6a9249600efeea04e58643cdfbc90cd4d1349f42ede88e18

Download Submit
C:\Users\Admin\AppData\Local\Temp\JDABUAUCS

MD5
87cf292058eb08c907e2129e15100ed2

SHA1
0533d6387da50f84333707ac6a4165a9e46e6f17

SHA256
3f9f7a3913d2fde0c1cc93c537641f3a5de4fa2859790a5e5defa2522ee38532

SHA512
1da4950cc8fbc1efd84ae92f6419dc92b1ebb0d5211b5bb65d3fdf0ebf1823d447555c12327f83002a7d2b8354e6200af6ec59141774f7551df5acedf2c211d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\JDABUAUCS

MD5
87cf292058eb08c907e2129e15100ed2

SHA1
0533d6387da50f84333707ac6a4165a9e46e6f17

SHA256
3f9f7a3913d2fde0c1cc93c537641f3a5de4fa2859790a5e5defa2522ee38532

SHA512
1da4950cc8fbc1efd84ae92f6419dc92b1ebb0d5211b5bb65d3fdf0ebf1823d447555c12327f83002a7d2b8354e6200af6ec59141774f7551df5acedf2c211d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\JDABUAUCS

MD5
0f2e565e7cd9df67ed466c68285c92f8

SHA1
dac129b57aab5a16b0490fbdaa2bf13d451a7941

SHA256
cc270aa8f1bd55907831d0c54748347f3d81252c1711e878b117b01cdeaed490

SHA512
c3a7713fe3d203e1bed9d468ec3de2b590db8e5a4a9b5486b2e9bea157808aeee19231aba5f7a0c3216fa2118c002bf62ef68ec51dc5349341a92ced205a4435

Download Submit
C:\Users\Admin\AppData\Local\Temp\JDABUAUCS

MD5
0f2e565e7cd9df67ed466c68285c92f8

SHA1
dac129b57aab5a16b0490fbdaa2bf13d451a7941

SHA256
cc270aa8f1bd55907831d0c54748347f3d81252c1711e878b117b01cdeaed490

SHA512
c3a7713fe3d203e1bed9d468ec3de2b590db8e5a4a9b5486b2e9bea157808aeee19231aba5f7a0c3216fa2118c002bf62ef68ec51dc5349341a92ced205a4435

Download Submit
C:\Users\Admin\AppData\Local\Temp\JDABUAUCS

MD5
a28aec31cbd38485181a7079419aa66b

SHA1
94aa44c58417a4195fe786679b1feb793e69d135

SHA256
8828e5a883a98217828f794f9405e06e2ef2ca1025288e52b70c477d045e19ad

SHA512
3914be3a8745d604175f208940dba77455e8ad76f8629e1bdf4f3b340b0198a8a1c42f101f4eb70c5f47b8eeca48eceed119175a3641dd37811192cc24661468

Download Submit
C:\Users\Admin\AppData\Local\Temp\JDABUAUCS

MD5
a28aec31cbd38485181a7079419aa66b

SHA1
94aa44c58417a4195fe786679b1feb793e69d135

SHA256
8828e5a883a98217828f794f9405e06e2ef2ca1025288e52b70c477d045e19ad

SHA512
3914be3a8745d604175f208940dba77455e8ad76f8629e1bdf4f3b340b0198a8a1c42f101f4eb70c5f47b8eeca48eceed119175a3641dd37811192cc24661468

Download Submit
C:\Users\Admin\AppData\Local\Temp\JDABUAUCS

MD5
84fc9373ea5f54c4ed110d319224d35e

SHA1
431978d9a749a7ca3812f73997b8400c2af3be79

SHA256
f59f1a3808b6783a19ba4d4196cbf48acfd42eb8e60b8e9d3ba836e558e3512e

SHA512
4d7c97ae3fe0904d548dc77c05c674d40284b8452dffe5a11411287e0242bb7658f3834b92f4935dcb1b22341c4572891524120d5e8af4a606d71e0b76a6c9d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\JDABUAUCS

MD5
85ca6e87fbc582c10528a6bd8ae95335

SHA1
ec8b13976b326e080b78ca0be9098097021ba1a5

SHA256
41904b00a205b9dad73867ac120e551d20c28718369bdfdb06dbbe4814a08d99

SHA512
2b61045246879c53c7e47e90666035a230b84739ed1c6a440ac7bae267aeec3d36f0c26acdcd63c4797ca2a89dbf328b4c693412789db012913d58b8a525cee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\JDABUAUCS

MD5
85ca6e87fbc582c10528a6bd8ae95335

SHA1
ec8b13976b326e080b78ca0be9098097021ba1a5

SHA256
41904b00a205b9dad73867ac120e551d20c28718369bdfdb06dbbe4814a08d99

SHA512
2b61045246879c53c7e47e90666035a230b84739ed1c6a440ac7bae267aeec3d36f0c26acdcd63c4797ca2a89dbf328b4c693412789db012913d58b8a525cee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\JDABUAUCS

MD5
dc02411633054d8e891d931e04a1bed7

SHA1
06305e5cfae532766578c5929db3ae58e0f5ced2

SHA256
92a975cdac9567bddf43f1c90e11c9bbf47c3680e7f56e4c41f7778d2fb48e8e

SHA512
9c9988c6fe89ef5cc914b5d900ca87402f417a5fd2f23e37a4e6ea6b0368ac767044736fea36638953d36b2ac14d19bebadf7561d9d2afc845d168ac1028d1f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\JDABUAUCS

MD5
dc02411633054d8e891d931e04a1bed7

SHA1
06305e5cfae532766578c5929db3ae58e0f5ced2

SHA256
92a975cdac9567bddf43f1c90e11c9bbf47c3680e7f56e4c41f7778d2fb48e8e

SHA512
9c9988c6fe89ef5cc914b5d900ca87402f417a5fd2f23e37a4e6ea6b0368ac767044736fea36638953d36b2ac14d19bebadf7561d9d2afc845d168ac1028d1f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\JDABUAUCS

MD5
72340adf0b8edde4807d10a681f3bbbf

SHA1
ad5a14d53479fec62c11edf183352338430394a4

SHA256
caa466ab7a79d3b4f65a3982c820155da81c5250071fcd9c6e572ef7b604e133

SHA512
f5269344475634143e7d8a9fd110b972180d98f7d1f1bab6b40a84d388a114048920ad5622f18be81f3ff25940a16213017d9439c8057714d20adc4189e24589

Download Submit
C:\Users\Admin\AppData\Local\Temp\JDABUAUCS

MD5
72340adf0b8edde4807d10a681f3bbbf

SHA1
ad5a14d53479fec62c11edf183352338430394a4

SHA256
caa466ab7a79d3b4f65a3982c820155da81c5250071fcd9c6e572ef7b604e133

SHA512
f5269344475634143e7d8a9fd110b972180d98f7d1f1bab6b40a84d388a114048920ad5622f18be81f3ff25940a16213017d9439c8057714d20adc4189e24589

Download Submit
C:\Users\Admin\AppData\Local\Temp\JDABUAUCS

MD5
a796359beb8e8c81b2245f4ad95e1203

SHA1
005f1e35bddf0c9594b34bf2f2a19a00df65ddd3

SHA256
e19a8c78381356456be0d74679df4e1f76f052ec2c4d6e75cde145fdc9c229f5

SHA512
d6ef597fe7d89149c494ae76ebb7022920d9dc3775e40ae700a32f8d6b3ac05d94f336b5c4de030928f039d9c2b882ef9413eec0b39625b81344d0a0acc3f710

Download Submit
C:\Users\Admin\AppData\Local\Temp\JDABUAUCS

MD5
f3c659bcdc557553f20e1c8122b3f6a0

SHA1
a207b52fa3274ef1a301ff0fb1610d972c289f97

SHA256
a0753e562bc0b967a0048b0daf6d33cd748f4c088af7fe8f35667431e8ddf718

SHA512
d4ab58bde98354e27cff8734a066c5b4ad35acde120771949fe5203b33f9b0e655b37ed16ce3c1e0b4f78fc6dfbce28d93f424f0637131f0d1822b926c80d64f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WANNA_RECOVER_KOXIC_FILEZ_GWOFW.txt

MD5
dee665bd7a005af14397b00afb459a05

SHA1
7c994862ec9ccb6e3db2bfc75523ec02d5760b21

SHA256
8a45516f99156ac75537a29e903d384291087b5d36acdcd59782400e1695a704

SHA512
eaabee608fac5aabfbf79dde85821d12892b11d0a4e90574fde8154be9543c855034a7a5adf672c924bfbd5f14ba0adb71a5c4f267e2cdff467448d2386e5f3a

Download Submit
memory/740-54-0x0000000075321000-0x0000000075323000-memory.dmp

Filesize
8KB

Download