koxic | 699159e695e230a48d94b6103b48940ed596d0b48fb6d936c04d86eed539cecd

Analysis

max time kernel
121s
max time network
133s
platform
windows10_x64
resource
win10-en-20211208
submitted
21-01-2022 11:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

enc.exe
Size

156KB
MD5

14ee62fcc9163509856671400429ad55
SHA1

7544332b52769ca853d900669ef5e272a2ae1665
SHA256

699159e695e230a48d94b6103b48940ed596d0b48fb6d936c04d86eed539cecd
SHA512

4d71c87be6f6ad7c9f3277b60850cd7136cecfd5f15621d1e56b1897008da8cc742578112ea955f8417c8d4cf13bcfb92e7ceafb34720017b47d81c4d2603bff

Score

10^/10

koxic evasion ransomware trojan

Malware Config

Extracted

Path

C:\Documents and Settings\WANNA_RECOVER_KOXIC_FILEZ_MRTTA.txt

Ransom Note

--=== Hello. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. All sensitive information also leaked. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should send sample to us to decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise-time is much more valuable than money. [+] How to contact us? [+] You have two ways: 1) [Recommended] Using an email Just write us an email to [email protected] 2) Quick contact with us or if you will not receive our letters download qTox and ADD our TOXID: F3C777D22A0686055A3558917315676D607026B680DA5C8D3D4D887017A2A844F546AE59F59F How to download QTOX: - https://tox.chat/download.html - https://github.com/qTox/qTox/releases/download/v1.17.3/setup-qtox-x86_64-release.exe Add our mails to contacts so as not to lose letters from us. Check your spam sometimes, our emails may get there. [+] Consequences if we do not find a common language [+] 1. The data were irretrievably lost. 2. Leaked data will be published or sold on blmarket (or to competitors). 3. In some cases, DDOS attacks will be applied to your inftastructure. !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!! Your UserID: 3A98C964D38DDD2DAC186F99426E84A88CDB52932837E560A66C729B28A17E3459348400F01D8A014B07FC40DFDF279BACC044D6F10E834B2C775FE86064AE2C45E8497551705FD88DCD0A2C7B619EB0BAB3483B9E5007DF07D5665392F98DEBF2D2B138031744B5F3B5E44BAAD976AC70FB8325A56E8F03ABECBA7D5C8F3914BB665BFCDCE5736B2EB185E4C31C15222BEADFC11833D1D81828D4F423450A129A4B04073A631BD03C214193776A1BADE21B57C620CF9F1F46FECA225131F78A1B17CE28B9C93BDEA7105B3EFCA5844B380F9CDC2FC5F291668A0B0140915D05CF7C9DFC7E3D25C74AE64C2D44B933056E23BA35EEC3165910F7A1F2435FCBED3082010A0282010100C3D725BFC5BA5120D1A121F2BD9803D86802A660AF3F5D048D187F56D3CFA3A9A688A40AE8A9F289556D3C9C549C27BCDBD0DBEB05A86A49C9F303845E6915BE89271EA53C04906870A37E356BD987C95BAC6D3BE981BF9C2D4533A8E5157F91620138F3E1E20CC6EC1BA41E5D04E863CAE5DA17D16CBEB7DD33E5E0E587875C4A04BE18A8F168BC3BCA3308E5699D4A58AB9A3ED5A54FC9594DD263C2A331EDB57C185ABF14CF84DC0250276FC1D983D7F9296C68702314BCF5FE6D4B927A12817B88124E093B1922DB80930AE12675E563936A3A44E5B77481A89A5C70926466AB137521E3C6449E4C03FE0806895F339E4F47EACC9FB503D16FF0B86F60E90203010001E165A86C174F7DF5EC2043486D5A44D04D52545441

Emails

[email protected]

URLs

https://tox.chat/download.html

https://github.com/qTox/qTox/releases/download/v1.17.3/setup-qtox-x86_64-release.exe

Signatures

Koxic
A C++ written ransomware first seen in late 2021.
ransomware koxic
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Disables taskbar notifications via registry modification
evasion

Windows security modification 2 TTPs 8 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

enc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	enc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\DisableBlockAtFirstSeen = "1"	enc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\LocalSettingOverrideSpynetReporting = "0"	enc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2"	enc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\UX Configuration	enc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\UX Configuration\NotificationSuppress = "1"	enc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	enc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtectione = "0"	enc.exe

Drops file in Program Files directory 64 IoCs

Processes:

enc.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fullscreen.svg.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\plugin.js.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application-views_ja.jar.KOXIC_MRTTA	enc.exe
File created	C:\Program Files\Windows Defender\en-US\WANNA_RECOVER_KOXIC_FILEZ_MRTTA.txt	enc.exe
File created	C:\Program Files\Windows NT\Accessories\WANNA_RECOVER_KOXIC_FILEZ_MRTTA.txt	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-io-ui_zh_CN.jar.KOXIC_MRTTA	enc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\uk-ua\WANNA_RECOVER_KOXIC_FILEZ_MRTTA.txt	enc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\es-es\ui-strings.js.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\id_get.svg.KOXIC_MRTTA	enc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\zh-tw\WANNA_RECOVER_KOXIC_FILEZ_MRTTA.txt	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\org-openide-util-lookup.jar.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse_2.1.200.v20140512-1650.jar.KOXIC_MRTTA	enc.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1702.312.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\WANNA_RECOVER_KOXIC_FILEZ_MRTTA.txt	enc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\illustrations.png.KOXIC_MRTTA	enc.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\WANNA_RECOVER_KOXIC_FILEZ_MRTTA.txt	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\contbig.gif.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\TestDrive.ps1.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\es-es\ui-strings.js.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\sv_get.svg.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\zh-cn\ui-strings.js.KOXIC_MRTTA	enc.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2017.125.40.0_x64__8wekyb3d8bbwe\Assets\EnsoUI\WANNA_RECOVER_KOXIC_FILEZ_MRTTA.txt	enc.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\WANNA_RECOVER_KOXIC_FILEZ_MRTTA.txt	enc.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\PesterState.Tests.ps1.KOXIC_MRTTA	enc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\zh-cn\WANNA_RECOVER_KOXIC_FILEZ_MRTTA.txt	enc.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\Test-Assertion.ps1.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.osgi.nl_ja_4.4.0.v20140623020002.jar.KOXIC_MRTTA	enc.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Content\WANNA_RECOVER_KOXIC_FILEZ_MRTTA.txt	enc.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\S-1-5-21-369956170-74428499-1628131376-1000-MergedResources-0.pri.KOXIC_MRTTA	enc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\WANNA_RECOVER_KOXIC_FILEZ_MRTTA.txt	enc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fi-fi\ui-strings.js.KOXIC_MRTTA	enc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-ae\WANNA_RECOVER_KOXIC_FILEZ_MRTTA.txt	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\MANIFEST.MF.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\VOLTAGE.WAV.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ul-oob.xrm-ms.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-api_ja.jar.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fi-fi\ui-strings.js.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\cs-cz\ui-strings.js.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\locale\updater_zh_CN.jar.KOXIC_MRTTA	enc.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft.NET\ADOMD.NET\130\WANNA_RECOVER_KOXIC_FILEZ_MRTTA.txt	enc.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\vlc.mo.KOXIC_MRTTA	enc.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Content\holoLens\WANNA_RECOVER_KOXIC_FILEZ_MRTTA.txt	enc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\uk-ua\WANNA_RECOVER_KOXIC_FILEZ_MRTTA.txt	enc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\tr-tr\WANNA_RECOVER_KOXIC_FILEZ_MRTTA.txt	enc.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\es-ES\msaddsr.dll.mui.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-options.xml.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\jvm.hprof.txt.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\dcfmui.msi.16.en-us.boot.tree.dat.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_checkbox_partialselected-default_18.svg.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-fallback.xml.KOXIC_MRTTA	enc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\it-it\WANNA_RECOVER_KOXIC_FILEZ_MRTTA.txt	enc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\cs-cz\WANNA_RECOVER_KOXIC_FILEZ_MRTTA.txt	enc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ko-kr\WANNA_RECOVER_KOXIC_FILEZ_MRTTA.txt	enc.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\SetupTeardown.Tests.ps1.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN111.XML.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OFFSYMXL.TTF.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART13.BDR.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_zh_tw_135x40.svg.KOXIC_MRTTA	enc.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-pl.xrm-ms.KOXIC_MRTTA	enc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-ma\WANNA_RECOVER_KOXIC_FILEZ_MRTTA.txt	enc.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\bin\setNetworkServerCP.KOXIC_MRTTA	enc.exe

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

3992 ipconfig.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

852 vssadmin.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3756 taskkill.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

1644 notepad.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3748 PING.EXE

pid	process
3992	ipconfig.exe

pid	process
852	vssadmin.exe

pid	process
3756	taskkill.exe

pid	process
1644	notepad.exe

pid	process
3748	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

enc.exe

pid	process
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe
2428	enc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exevssvc.exeenc.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	3756	taskkill.exe
Token: SeBackupPrivilege	2312	vssvc.exe
Token: SeRestorePrivilege	2312	vssvc.exe
Token: SeAuditPrivilege	2312	vssvc.exe
Token: SeBackupPrivilege	2428	enc.exe
Token: SeRestorePrivilege	2428	enc.exe
Token: SeManageVolumePrivilege	2428	enc.exe
Token: SeTakeOwnershipPrivilege	2428	enc.exe
Token: SeIncreaseQuotaPrivilege	364	WMIC.exe
Token: SeSecurityPrivilege	364	WMIC.exe
Token: SeTakeOwnershipPrivilege	364	WMIC.exe
Token: SeLoadDriverPrivilege	364	WMIC.exe
Token: SeSystemProfilePrivilege	364	WMIC.exe
Token: SeSystemtimePrivilege	364	WMIC.exe
Token: SeProfSingleProcessPrivilege	364	WMIC.exe
Token: SeIncBasePriorityPrivilege	364	WMIC.exe
Token: SeCreatePagefilePrivilege	364	WMIC.exe
Token: SeBackupPrivilege	364	WMIC.exe
Token: SeRestorePrivilege	364	WMIC.exe
Token: SeShutdownPrivilege	364	WMIC.exe
Token: SeDebugPrivilege	364	WMIC.exe
Token: SeSystemEnvironmentPrivilege	364	WMIC.exe
Token: SeRemoteShutdownPrivilege	364	WMIC.exe
Token: SeUndockPrivilege	364	WMIC.exe
Token: SeManageVolumePrivilege	364	WMIC.exe
Token: 33	364	WMIC.exe
Token: 34	364	WMIC.exe
Token: 35	364	WMIC.exe
Token: 36	364	WMIC.exe
Token: SeIncreaseQuotaPrivilege	364	WMIC.exe
Token: SeSecurityPrivilege	364	WMIC.exe
Token: SeTakeOwnershipPrivilege	364	WMIC.exe
Token: SeLoadDriverPrivilege	364	WMIC.exe
Token: SeSystemProfilePrivilege	364	WMIC.exe
Token: SeSystemtimePrivilege	364	WMIC.exe
Token: SeProfSingleProcessPrivilege	364	WMIC.exe
Token: SeIncBasePriorityPrivilege	364	WMIC.exe
Token: SeCreatePagefilePrivilege	364	WMIC.exe
Token: SeBackupPrivilege	364	WMIC.exe
Token: SeRestorePrivilege	364	WMIC.exe
Token: SeShutdownPrivilege	364	WMIC.exe
Token: SeDebugPrivilege	364	WMIC.exe
Token: SeSystemEnvironmentPrivilege	364	WMIC.exe
Token: SeRemoteShutdownPrivilege	364	WMIC.exe
Token: SeUndockPrivilege	364	WMIC.exe
Token: SeManageVolumePrivilege	364	WMIC.exe
Token: 33	364	WMIC.exe
Token: 34	364	WMIC.exe
Token: 35	364	WMIC.exe
Token: 36	364	WMIC.exe
Token: SeIncreaseQuotaPrivilege	520	WMIC.exe
Token: SeSecurityPrivilege	520	WMIC.exe
Token: SeTakeOwnershipPrivilege	520	WMIC.exe
Token: SeLoadDriverPrivilege	520	WMIC.exe
Token: SeSystemProfilePrivilege	520	WMIC.exe
Token: SeSystemtimePrivilege	520	WMIC.exe
Token: SeProfSingleProcessPrivilege	520	WMIC.exe
Token: SeIncBasePriorityPrivilege	520	WMIC.exe
Token: SeCreatePagefilePrivilege	520	WMIC.exe
Token: SeBackupPrivilege	520	WMIC.exe
Token: SeRestorePrivilege	520	WMIC.exe
Token: SeShutdownPrivilege	520	WMIC.exe
Token: SeDebugPrivilege	520	WMIC.exe
Token: SeSystemEnvironmentPrivilege	520	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

enc.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2428 wrote to memory of 4056	2428	enc.exe	cmd.exe
PID 2428 wrote to memory of 4056	2428	enc.exe	cmd.exe
PID 2428 wrote to memory of 4056	2428	enc.exe	cmd.exe
PID 4056 wrote to memory of 3756	4056	cmd.exe	taskkill.exe
PID 4056 wrote to memory of 3756	4056	cmd.exe	taskkill.exe
PID 4056 wrote to memory of 3756	4056	cmd.exe	taskkill.exe
PID 2428 wrote to memory of 2752	2428	enc.exe	cmd.exe
PID 2428 wrote to memory of 2752	2428	enc.exe	cmd.exe
PID 2428 wrote to memory of 2752	2428	enc.exe	cmd.exe
PID 2752 wrote to memory of 852	2752	cmd.exe	vssadmin.exe
PID 2752 wrote to memory of 852	2752	cmd.exe	vssadmin.exe
PID 2752 wrote to memory of 852	2752	cmd.exe	vssadmin.exe
PID 2428 wrote to memory of 648	2428	enc.exe	cmd.exe
PID 2428 wrote to memory of 648	2428	enc.exe	cmd.exe
PID 2428 wrote to memory of 648	2428	enc.exe	cmd.exe
PID 2428 wrote to memory of 3996	2428	enc.exe	cmd.exe
PID 2428 wrote to memory of 3996	2428	enc.exe	cmd.exe
PID 2428 wrote to memory of 3996	2428	enc.exe	cmd.exe
PID 3996 wrote to memory of 364	3996	cmd.exe	WMIC.exe
PID 3996 wrote to memory of 364	3996	cmd.exe	WMIC.exe
PID 3996 wrote to memory of 364	3996	cmd.exe	WMIC.exe
PID 2428 wrote to memory of 1328	2428	enc.exe	cmd.exe
PID 2428 wrote to memory of 1328	2428	enc.exe	cmd.exe
PID 2428 wrote to memory of 1328	2428	enc.exe	cmd.exe
PID 2428 wrote to memory of 1140	2428	enc.exe	cmd.exe
PID 2428 wrote to memory of 1140	2428	enc.exe	cmd.exe
PID 2428 wrote to memory of 1140	2428	enc.exe	cmd.exe
PID 1140 wrote to memory of 520	1140	cmd.exe	WMIC.exe
PID 1140 wrote to memory of 520	1140	cmd.exe	WMIC.exe
PID 1140 wrote to memory of 520	1140	cmd.exe	WMIC.exe
PID 2428 wrote to memory of 3592	2428	enc.exe	cmd.exe
PID 2428 wrote to memory of 3592	2428	enc.exe	cmd.exe
PID 2428 wrote to memory of 3592	2428	enc.exe	cmd.exe
PID 2428 wrote to memory of 1928	2428	enc.exe	cmd.exe
PID 2428 wrote to memory of 1928	2428	enc.exe	cmd.exe
PID 2428 wrote to memory of 1928	2428	enc.exe	cmd.exe
PID 1928 wrote to memory of 2160	1928	cmd.exe	WMIC.exe
PID 1928 wrote to memory of 2160	1928	cmd.exe	WMIC.exe
PID 1928 wrote to memory of 2160	1928	cmd.exe	WMIC.exe
PID 2428 wrote to memory of 1684	2428	enc.exe	cmd.exe
PID 2428 wrote to memory of 1684	2428	enc.exe	cmd.exe
PID 2428 wrote to memory of 1684	2428	enc.exe	cmd.exe
PID 2428 wrote to memory of 1872	2428	enc.exe	cmd.exe
PID 2428 wrote to memory of 1872	2428	enc.exe	cmd.exe
PID 2428 wrote to memory of 1872	2428	enc.exe	cmd.exe
PID 1872 wrote to memory of 1960	1872	cmd.exe	WMIC.exe
PID 1872 wrote to memory of 1960	1872	cmd.exe	WMIC.exe
PID 1872 wrote to memory of 1960	1872	cmd.exe	WMIC.exe
PID 2428 wrote to memory of 3432	2428	enc.exe	cmd.exe
PID 2428 wrote to memory of 3432	2428	enc.exe	cmd.exe
PID 2428 wrote to memory of 3432	2428	enc.exe	cmd.exe
PID 2428 wrote to memory of 2172	2428	enc.exe	cmd.exe
PID 2428 wrote to memory of 2172	2428	enc.exe	cmd.exe
PID 2428 wrote to memory of 2172	2428	enc.exe	cmd.exe
PID 2172 wrote to memory of 3508	2172	cmd.exe	WMIC.exe
PID 2172 wrote to memory of 3508	2172	cmd.exe	WMIC.exe
PID 2172 wrote to memory of 3508	2172	cmd.exe	WMIC.exe
PID 2428 wrote to memory of 2368	2428	enc.exe	cmd.exe
PID 2428 wrote to memory of 2368	2428	enc.exe	cmd.exe
PID 2428 wrote to memory of 2368	2428	enc.exe	cmd.exe
PID 2428 wrote to memory of 2928	2428	enc.exe	cmd.exe
PID 2428 wrote to memory of 2928	2428	enc.exe	cmd.exe
PID 2428 wrote to memory of 2928	2428	enc.exe	cmd.exe
PID 2928 wrote to memory of 3216	2928	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\enc.exe
"C:\Users\Admin\AppData\Local\Temp\enc.exe"
1⤵
- Windows security modification
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /F /IM MSASCuiL.exe taskkill /F /IM MSMpeng.exe taskkill /F /IM msseces.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4056
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM MSASCuiL.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin delete shadows /all /quiet sc config browser sc config browser start=enabled sc stop vss sc config vss start=disabled sc stop MongoDB sc config MongoDB start=disabled sc stop SQLWriter sc config SQLWriter start=disabled sc stop MSSQLServerOLAPService sc config MSSQLServerOLAPService start=disabled sc stop MSSQLSERVER sc config MSSQLSERVER start=disabled sc stop MSSQL$SQLEXPRESS sc config MSSQL$SQLEXPRESS start=disabled sc stop ReportServer sc config ReportServer start=disabled sc stop OracleServiceORCL sc config OracleServiceORCL start=disabled sc stop OracleDBConsoleorcl sc config OracleDBConsoleorcl start=disabled sc stop OracleMTSRecoveryService sc config OracleMTSRecoveryService start=disabled sc stop OracleVssWriterORCL sc config OracleVssWriterORCL start=disabled sc stop MySQL sc config MySQL start=disabled
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:852
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo OS INFO: > %TEMP%\DARHQFOMK"
  2⤵
  PID:648
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic OS get Caption,CSDVersion,OSArchitecture,Version >> %TEMP%\DARHQFOMK"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3996
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic OS get Caption,CSDVersion,OSArchitecture,Version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:364
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo BIOS INFO: >> %TEMP%\DARHQFOMK"
  2⤵
  PID:1328
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic BIOS get Manufacturer, Name, SMBIOSBIOSVersion, Version >> %TEMP%\DARHQFOMK"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1140
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic BIOS get Manufacturer, Name, SMBIOSBIOSVersion, Version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:520
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo CPU INFO: >> %TEMP%\DARHQFOMK"
  2⤵
  PID:3592
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic CPU get Name, NumberOfCores, NumberOfLogicalProcessors >> %TEMP%\DARHQFOMK"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic CPU get Name, NumberOfCores, NumberOfLogicalProcessors
    3⤵
    PID:2160
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo MEMPHYSICAL INFO: >> %TEMP%\DARHQFOMK"
  2⤵
  PID:1684
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic MEMPHYSICAL get MaxCapacity >> %TEMP%\DARHQFOMK"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1872
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic MEMPHYSICAL get MaxCapacity
    3⤵
    PID:1960
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo MEMORYCHIP: INFO >> %TEMP%\DARHQFOMK"
  2⤵
  PID:3432
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic MEMORYCHIP get Capacity, DeviceLocator, PartNumber, Tag >> %TEMP%\DARHQFOMK"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic MEMORYCHIP get Capacity, DeviceLocator, PartNumber, Tag
    3⤵
    PID:3508
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo NIC INFO: >> %TEMP%\DARHQFOMK"
  2⤵
  PID:2368
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic NIC get Description, MACAddress, NetEnabled, Speed >> %TEMP%\DARHQFOMK"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic NIC get Description, MACAddress, NetEnabled, Speed
    3⤵
    PID:3216
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo DISKDRIVE INFO: >> %TEMP%\DARHQFOMK"
  2⤵
  PID:1156
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic DISKDRIVE get InterfaceType, Name, Size, Status >> %TEMP%\DARHQFOMK"
  2⤵
  PID:3880
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic DISKDRIVE get InterfaceType, Name, Size, Status
    3⤵
    PID:1392
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo USERACCOUNT INFO: >> %TEMP%\DARHQFOMK"
  2⤵
  PID:2204
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic USERACCOUNT get Caption, Name, PasswordRequired, Status >> %TEMP%\DARHQFOMK"
  2⤵
  PID:640
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic USERACCOUNT get Caption, Name, PasswordRequired, Status
    3⤵
    PID:2792
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo IPCONFIG: >> %TEMP%\DARHQFOMK"
  2⤵
  PID:2828
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "ipconfig >> %TEMP%\DARHQFOMK"
  2⤵
  PID:1620
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig
    3⤵
    - Gathers network information
    PID:3992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo DATABASES FILES: >> %TEMP%\DARHQFOMK"
  2⤵
  PID:2704
- C:\Windows\SysWOW64\notepad.exe
  notepad.exe C:\Users\Admin\AppData\Local\Temp\WANNA_RECOVER_KOXIC_FILEZ_MRTTA.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1644
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\enc.exe"
  2⤵
  PID:2424
- - C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - Runs ping.exe
    PID:3748

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DARHQFOMK

MD5
887ae0db192785398c154a027c858317

SHA1
9e1258a3444e7f54d4a2b23bec0c020d67f285b6

SHA256
9841fc54844c86d073907913cfd2fccc49d13db491e790c6aeb30b7159e62bf5

SHA512
65364e8797ecc23d9eac18cfe0c1393e9429ee15cde33b7b936c917608196da7bf53ba7c21d9bb637c9a91797eb58a4dbb2346dc4bd9e6c947a711b381dfcb76

Download Submit
C:\Users\Admin\AppData\Local\Temp\DARHQFOMK

MD5
fe1f5baac0c9c57e000f0b6893756a21

SHA1
9c10748ecaa3905c40c902add707423d73d4ae09

SHA256
6cb0bdecbb75635586f36934b07f790081f4379be12afc40336f8728eebfd9d7

SHA512
b5ebe05e180b70f59a2ead7a901a469259bfed7f422222b6948ad5303951ea053fb4871f4f27f1709145e9e796c40480eb37fba85fa7aea3756fdb6450f8c973

Download Submit
C:\Users\Admin\AppData\Local\Temp\DARHQFOMK

MD5
fe1f5baac0c9c57e000f0b6893756a21

SHA1
9c10748ecaa3905c40c902add707423d73d4ae09

SHA256
6cb0bdecbb75635586f36934b07f790081f4379be12afc40336f8728eebfd9d7

SHA512
b5ebe05e180b70f59a2ead7a901a469259bfed7f422222b6948ad5303951ea053fb4871f4f27f1709145e9e796c40480eb37fba85fa7aea3756fdb6450f8c973

Download Submit
C:\Users\Admin\AppData\Local\Temp\DARHQFOMK

MD5
939c9e3c24b2bbfce9481e0f93161314

SHA1
6ae00d847e39b81322b2bd811b404a8eea6f6bbf

SHA256
1ec908abfd3ebc4d6bfbccbe7804967a902dc9f33d86efe01c0d6599c8eb96c8

SHA512
a5dfac17d09dbbd509a0e1384f93e7b918d457d96838b6d6fa1e987f40a299a3033aaa49173f92335b2c69d60796ea6df2e87396e50717eb91f67a9e529d4b25

Download Submit
C:\Users\Admin\AppData\Local\Temp\DARHQFOMK

MD5
939c9e3c24b2bbfce9481e0f93161314

SHA1
6ae00d847e39b81322b2bd811b404a8eea6f6bbf

SHA256
1ec908abfd3ebc4d6bfbccbe7804967a902dc9f33d86efe01c0d6599c8eb96c8

SHA512
a5dfac17d09dbbd509a0e1384f93e7b918d457d96838b6d6fa1e987f40a299a3033aaa49173f92335b2c69d60796ea6df2e87396e50717eb91f67a9e529d4b25

Download Submit
C:\Users\Admin\AppData\Local\Temp\DARHQFOMK

MD5
e5063f8c24b17f86f75e7210e31d4ae4

SHA1
92c47a085bf46e0fa8f5c374ce21b6839c9c9bbd

SHA256
cbe64f5f0dc7b2098137d2cf11a535bbfc9806eb94f7289955e1ac5e7db358df

SHA512
eefff9a7f2a1867bd8f38680b08c45b7300b7f60586c55c621004b7baaf61d5662230a2afaf1d51acee165f617952b6c2ff55f7449841ae6af64be37092a7005

Download Submit
C:\Users\Admin\AppData\Local\Temp\DARHQFOMK

MD5
e5063f8c24b17f86f75e7210e31d4ae4

SHA1
92c47a085bf46e0fa8f5c374ce21b6839c9c9bbd

SHA256
cbe64f5f0dc7b2098137d2cf11a535bbfc9806eb94f7289955e1ac5e7db358df

SHA512
eefff9a7f2a1867bd8f38680b08c45b7300b7f60586c55c621004b7baaf61d5662230a2afaf1d51acee165f617952b6c2ff55f7449841ae6af64be37092a7005

Download Submit
C:\Users\Admin\AppData\Local\Temp\DARHQFOMK

MD5
15115f7a7c6cfaa3d543c945eab674e8

SHA1
d48394c27046cd455ac78cec54eaf1d0e33e352c

SHA256
b87d7d297c65e29aea0ecc0c0ea6c986759f43a2f62a9b366ed5606994ab1472

SHA512
43345aeed683bccd97a0d5203b517e7245af0582fb73df1b6806819d796973ecbd4c6b057da84e0a07c47b02446f71176cbfd151a16436ea797ecec71c973b41

Download Submit
C:\Users\Admin\AppData\Local\Temp\DARHQFOMK

MD5
15115f7a7c6cfaa3d543c945eab674e8

SHA1
d48394c27046cd455ac78cec54eaf1d0e33e352c

SHA256
b87d7d297c65e29aea0ecc0c0ea6c986759f43a2f62a9b366ed5606994ab1472

SHA512
43345aeed683bccd97a0d5203b517e7245af0582fb73df1b6806819d796973ecbd4c6b057da84e0a07c47b02446f71176cbfd151a16436ea797ecec71c973b41

Download Submit
C:\Users\Admin\AppData\Local\Temp\DARHQFOMK

MD5
4f2739444101f387b1aa7174bc9b9a48

SHA1
cdbd86b7ecadec8a07495fe68aaf4d20ba555c08

SHA256
180d7908d52e06c5b0c82d0c45ddd103a213070f34890d6281efd5f944b1b05a

SHA512
c56d829d8f405c60872c122f610247aaf3c22f875569a06dd68bd219f93d4bcd1f512b45605efa7d433421da41150aa0ee533d6792b7bc038c2db0fb61c9e314

Download Submit
C:\Users\Admin\AppData\Local\Temp\DARHQFOMK

MD5
4f2739444101f387b1aa7174bc9b9a48

SHA1
cdbd86b7ecadec8a07495fe68aaf4d20ba555c08

SHA256
180d7908d52e06c5b0c82d0c45ddd103a213070f34890d6281efd5f944b1b05a

SHA512
c56d829d8f405c60872c122f610247aaf3c22f875569a06dd68bd219f93d4bcd1f512b45605efa7d433421da41150aa0ee533d6792b7bc038c2db0fb61c9e314

Download Submit
C:\Users\Admin\AppData\Local\Temp\DARHQFOMK

MD5
2f9d39ef9c4c3e541b7f4eb1e9e0360b

SHA1
1c6b015e85c186e03d4e49cfaa1c3308785b1890

SHA256
b33eb5819d97deca4a228acd3e9505b61a38579fadeb3ed9be85c509abbaf058

SHA512
c61f9df0169f8c5d1dff53733f8a86677ba7764cecda67e1e807df709ece698e832ebe2b07a11f8cf801bb631b1c77c16e02301438e69ca17195b4f3ea94ff8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DARHQFOMK

MD5
2f9d39ef9c4c3e541b7f4eb1e9e0360b

SHA1
1c6b015e85c186e03d4e49cfaa1c3308785b1890

SHA256
b33eb5819d97deca4a228acd3e9505b61a38579fadeb3ed9be85c509abbaf058

SHA512
c61f9df0169f8c5d1dff53733f8a86677ba7764cecda67e1e807df709ece698e832ebe2b07a11f8cf801bb631b1c77c16e02301438e69ca17195b4f3ea94ff8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DARHQFOMK

MD5
68b99eb237e87d3a7a19bcea10cec162

SHA1
5ba404ee245d5f8b87f44d63f5fe0dc4583bf91e

SHA256
d0e807819210347ced80edf1873a5c20323012d3d51a06f01d81783788c25d3a

SHA512
105061b7d9fb28ff34f9a6eee809cde3ca9d1e0022bf8b5990e5818a302dddc2737a645b26dafd1ce814896213d2b5f9d39e7ac768b0be19441093ad393ecda8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DARHQFOMK

MD5
68b99eb237e87d3a7a19bcea10cec162

SHA1
5ba404ee245d5f8b87f44d63f5fe0dc4583bf91e

SHA256
d0e807819210347ced80edf1873a5c20323012d3d51a06f01d81783788c25d3a

SHA512
105061b7d9fb28ff34f9a6eee809cde3ca9d1e0022bf8b5990e5818a302dddc2737a645b26dafd1ce814896213d2b5f9d39e7ac768b0be19441093ad393ecda8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DARHQFOMK

MD5
759dca03b49968d39589dd41f5963b4f

SHA1
e4e461662aa5c8e91b9f4a10cd7ff6684182aba2

SHA256
6a3f8a70fa8fd412e4ec66d46df34619a10f8c47b10d06400f7033054bbf54d4

SHA512
716b20c2e6b3bbc743d59c54b1d43aa0a318142ab828b241e04023ea6164e5f43ddd7c5d618d650175226f62de87b627a42f41afd83a3d6bb9015e55f19e7e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DARHQFOMK

MD5
759dca03b49968d39589dd41f5963b4f

SHA1
e4e461662aa5c8e91b9f4a10cd7ff6684182aba2

SHA256
6a3f8a70fa8fd412e4ec66d46df34619a10f8c47b10d06400f7033054bbf54d4

SHA512
716b20c2e6b3bbc743d59c54b1d43aa0a318142ab828b241e04023ea6164e5f43ddd7c5d618d650175226f62de87b627a42f41afd83a3d6bb9015e55f19e7e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DARHQFOMK

MD5
5dac5e9fefb048880fef433d15206d5f

SHA1
1a3a361a273098749325cc4417eb63d02b659316

SHA256
fb5cb9fbf554870d56c6aa1858a778cfa1c423537590ac7649cc4a7c884ff4fe

SHA512
9ded94c86895cc77cce033fa5ee446d3f7b86d44333587f9d99053d0a0a31c4e2932b4409f4a0ae99da7749d847dd0d1ad43d625e0783ad1b0090c188ffda54d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DARHQFOMK

MD5
5330ab957567f37a244e83c5440c23b7

SHA1
a0df9a2a833fde96ae765d8f7b866d62b636203e

SHA256
e7358751b1136ca02f2e0d8c655d4b1bfe0dc20b6ecc950eb4d99d7b84eb2b06

SHA512
d201fc3252df71c191df7dbb8460928bce7373614ee0f36d5457195078e4721889bc2cf13c6112265d9f6e5472c59c37a749c945a5365ed5256cdf886d36b703

Download Submit
C:\Users\Admin\AppData\Local\Temp\WANNA_RECOVER_KOXIC_FILEZ_MRTTA.txt

MD5
dca4af426d090197ce37cfe079979a59

SHA1
4b716d2215cf60d5ca2bcc30f2191ba96e4abc8a

SHA256
53d6dc1d1a78f9abdcccb6319e614f596822ea03506f9400c214e351a53cfdb7

SHA512
007430856dd12145856dd41ae756fc4d8ba12c7fc2cb1542c2e6ae12400bc4411bacd1497d97a31e428b2090ba93f09d6b33b014fe7acbf441cfeb6736bd7f0b

Download Submit