General
Target

cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe

Filesize

207KB

Completed

24-01-2022 01:18

Task

behavioral1

Score
10/10
MD5

98563381bf9dff3b3e987e969b31ce33

SHA1

bdf6b213a792dbcb74ccf4a3c86fa565f248505f

SHA256

cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde

SHA256

5b50e1162acccc13b7e4af06dae5df1ef0b1a2c136e5105bd32188752da566a0434fb532321a5a02ba5e8beab2edbf7e9e13676994d1c2f8940eeb0f674977e9

Malware Config

Extracted

Path

C:\9pw2c178g-readme.txt

Family

sodinokibi

Ransom Note
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension 9pw2c178g. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/05F2E39D6AC34796 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/05F2E39D6AC34796 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: MabqOkTqpyIteob8GjwqmDEjCfLVTgI1VcuBMrpEBXcvCu0Bttozg5/OoNfFUwz3 vCdJH/fc/t905s8wefjaHYDVYPNIm2kmHsIwyZaP1z3DI+cTAM+j8zjqMKHL3OvK ZGjAaDy20C3LjmNLW9KbmolOpSbmDhtoRbsIKiYO5NNwwx7KLp1x3eHfyDFHaTdJ T9XXwgi+e51vVovm9w7jww7uHxz/2UhvmnMoY4x2ZFNlWJqIasRo7TJMkTd8t7/8 8viaUCRP/aZkem8FHnAHo/xi13qe3GpcvaACEw+N3IzILaw2zj9eRLQ8/+4Yn/8e y6Npb4Q5xs+qJeg2GMeJsDUNtPKtEXsSznkq+GA279B4h+PxedGZfCCbZPWj0uC2 iT7h8gYvO1vJBJXTRBbZ8RJ18Dmpme5u6bCm6kALsMhOobNOOWXmohf40u+SQKNx Oq/jc7rs6m+C1x1SHaSmGUsBBRoc60L5Rfe+rb1d6Cmi/MrTnaxlqwU98MY2KTcm igCj2yyHGHMnGcu+DXh/2o3Ry3GxXHL8ukHaGBlp+1nrvgDG1LN/G6xdqh3VkY4P JXxadW+0rfKWvOilwpGfOxkBjDrZJI47J/5tK30Th3N7EylbGp8dg1XMSdto+B4Q qEvPVJwjTsbtxpYzYxFG0HMxsX2r0DH30KcR5Z5ht6Yydtvwgfz8o/X5bWbiO6Z5 q30+EBMRv9j2g9mRtX4mPOPiUTY3hv2/c2p3OC7+HkISWhYAz5jLXLbx/BJTR4FI sAiR+Jt4VlRI4QBZZNOdMY7hKFCPNIzpL7blRexfP4+XHl3JRAo1dRxE81+bv0sf P86yIg5ckI2lXoA7v8zQp0EFtT21+CURJGzWF3K6S69U9a5/Jh0DH8QZm8o93s0a uCmZmWUPZjWI9tGfe9gfUmU8dJty2ioFuyVK5ipU6Td1hdGgNsoWnI4nNwQMLdrc CQIexIF0yqv8YovmkKeZTpn8a3RhDf0i1awkzC0QcmPRQQvNQClEiK2mt2lEmjhX XmJWTkWurSrOCONCDZsxYyZtg8pi7yQBh8D0k8ABvSUHvdaAMl0tpvZY+Qom03zm 14yxw54lUtwDAHirGd25S2iLN14tkLy0e8YEV1FfxtTy5pUH9w5/LBohy8295wwf 8WWm3zOBejEXp4gHnR7YFQ7+wHO+pGPa16ceHYTmqzs6TnpFS8I3fQOZggFv0dhb A/0PvQAgXyEwoHcn8T+LBoaqkKG+DX6jodeKJtY2+39PQbvhXPIxkGEme17H8WFB 7ZAq/FrlrKJhPBhG5B6pzw4dqnT4bug7qDZjX5/q ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/05F2E39D6AC34796

http://decryptor.cc/05F2E39D6AC34796

Extracted

Family

sodinokibi

Botnet

$2a$10$bYPwfV5f.unsW7RpjYqD/u290WiTDfoU8OCGlN3G.nU1ZtWwaUIdm

Campaign

3253

C2

pier40forall.org

sandd.nl

thaysa.com

completeweddingkansas.com

gaiam.nl

dpo-as-a-service.com

aarvorg.com

personalenhancementcenter.com

cheminpsy.fr

pinkexcel.com

rimborsobancario.net

deepsouthclothingcompany.com

ligiercenter-sachsen.de

webhostingsrbija.rs

marcuswhitten.site

asteriag.com

edv-live.de

levdittliv.se

vickiegrayimages.com

iwr.nl

sobreholanda.com

launchhubl.com

naswrrg.org

123vrachi.ru

dirittosanitario.biz

polymedia.dk

tennisclubetten.nl

liveottelut.com

scenepublique.net

wraithco.com

analiticapublica.es

tstaffing.nl

milanonotai.it

galserwis.pl

crosspointefellowship.church

onlybacklink.com

klusbeter.nl

despedidascostablanca.es

memaag.com

symphonyenvironmental.com

oneplusresource.org

mirjamholleman.nl

roygolden.com

kampotpepper.gives

pubweb.carnet.hr

lapmangfpt.info.vn

insigniapmg.com

colorofhorses.com

dekkinngay.com

div-vertriebsforschung.de

Attributes
net
true
pid
$2a$10$bYPwfV5f.unsW7RpjYqD/u290WiTDfoU8OCGlN3G.nU1ZtWwaUIdm
prc
sql
firefox
visio
mspub
xfssvccon
msaccess
oracle
ocautoupds
tbirdconfig
infopath
ocssd
excel
thebat
winword
wordpad
steam
isqlplussvc
dbeng50
outlook
thunderbird
dbsnmp
mydesktopqos
mydesktopservice
synctime
sqbcoreservice
ocomm
onenote
powerpnt
agntsvc
encsvc
ransom_oneliner
All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions
ransom_template
---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!
sub
3253
svc
memtas
mepocs
svc$
veeam
sophos
sql
vss
backup
Signatures 19

Filter: none

Collection
Credential Access
Defense Evasion
Discovery
Impact
Persistence
  • Modifies system executable filetype association
    cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe

    TTPs

    Modify RegistryChange Default File Association

    Reported IOCs

    descriptioniocprocess
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
  • Neshta

    Description

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

  • Sodin,Sodinokibi,REvil

    Description

    Ransomware with advanced anti-analysis and privilege escalation functionality.

  • Executes dropped EXE
    cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe

    Reported IOCs

    pidprocess
    520cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
  • Modifies extensions of user files
    cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

    Reported IOCs

    descriptioniocprocess
    File renamedC:\Users\Admin\Pictures\SendComplete.png => \??\c:\users\admin\pictures\SendComplete.png.9pw2c178gcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File renamedC:\Users\Admin\Pictures\ConvertFromStop.raw => \??\c:\users\admin\pictures\ConvertFromStop.raw.9pw2c178gcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File renamedC:\Users\Admin\Pictures\InstallDisconnect.raw => \??\c:\users\admin\pictures\InstallDisconnect.raw.9pw2c178gcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File renamedC:\Users\Admin\Pictures\InitializeProtect.crw => \??\c:\users\admin\pictures\InitializeProtect.crw.9pw2c178gcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File renamedC:\Users\Admin\Pictures\RequestDisable.tif => \??\c:\users\admin\pictures\RequestDisable.tif.9pw2c178gcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File renamedC:\Users\Admin\Pictures\SearchGrant.tif => \??\c:\users\admin\pictures\SearchGrant.tif.9pw2c178gcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
  • Loads dropped DLL
    cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe

    Reported IOCs

    pidprocess
    1088cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    1088cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    1088cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local SystemCredentials in Files
  • Adds Run key to start application
    cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe

    TTPs

    Registry Run Keys / Startup FolderModify Registry

    Reported IOCs

    descriptioniocprocess
    Key created\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Runcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\k51299BQXH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3582-490\\cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe"cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
  • Enumerates connected drives
    cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query RegistryPeripheral Device DiscoverySystem Information Discovery

    Reported IOCs

    descriptioniocprocess
    File opened (read-only)\??\L:cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened (read-only)\??\N:cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened (read-only)\??\P:cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened (read-only)\??\R:cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened (read-only)\??\S:cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened (read-only)\??\A:cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened (read-only)\??\F:cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened (read-only)\??\K:cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened (read-only)\??\T:cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened (read-only)\??\V:cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened (read-only)\??\D:cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened (read-only)\??\Y:cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened (read-only)\??\Z:cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened (read-only)\??\J:cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened (read-only)\??\M:cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened (read-only)\??\W:cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened (read-only)\??\G:cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened (read-only)\??\Q:cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened (read-only)\??\I:cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened (read-only)\??\O:cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened (read-only)\??\U:cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened (read-only)\??\X:cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened (read-only)\??\B:cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened (read-only)\??\E:cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened (read-only)\??\H:cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
  • Drops file in System32 directory
    cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe

    Reported IOCs

    descriptioniocprocess
    File opened for modificationC:\Windows\System32\CatRoot2\dberr.txtcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
  • Sets desktop wallpaper using registry
    cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe

    Tags

    TTPs

    DefacementModify Registry

    Reported IOCs

    descriptioniocprocess
    Set value (str)\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\48x.bmp"cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
  • Drops file in Program Files directory
    cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.execb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe

    Reported IOCs

    descriptioniocprocess
    File opened for modification\??\c:\program files\DebugDeny.ttccb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXEcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\MICROS~1\Office14\MSTORE.EXEcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXEcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\WI54FB~1\wmplayer.execb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXEcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXEcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modification\??\c:\program files\ConvertToSuspend.csscb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\INTERN~1\iexplore.execb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXEcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\WI54FB~1\wmlaunch.execb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXEcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXEcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modification\??\c:\program files\ResolveUnlock.dwgcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXEcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXEcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.execb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File created\??\c:\program files\9pw2c178g-readme.txtcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXEcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\WINDOW~4\ImagingDevices.execb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXEcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.execb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modification\??\c:\program files\ClearSwitch.sqlcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.execb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modification\??\c:\program files\InvokeConnect.vstcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File created\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\9pw2c178g-readme.txtcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File created\??\c:\program files (x86)\microsoft sql server compact edition\v3.5\desktop\9pw2c178g-readme.txtcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXEcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\MICROS~1\Office14\GRAPH.EXEcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXEcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.execb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\MICROS~1\Office14\misc.execb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXEcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\WINDOW~1\WinMail.execb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXEcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXEcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXEcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXEcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.execb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modification\??\c:\program files\SendJoin.odtcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXEcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\WI54FB~1\setup_wm.execb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXEcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.execb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXEcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXEcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\WI54FB~1\wmprph.execb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXEcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\INTERN~1\ieinstal.execb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File created\??\c:\program files (x86)\9pw2c178g-readme.txtcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXEcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXEcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXEcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.execb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.execb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXEcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXEcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXEcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\WINDOW~1\wab.execb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\WI54FB~1\wmpconfig.execb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\WI54FB~1\wmpshare.execb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.execb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modification\??\c:\program files\PublishTrace.foncb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    File opened for modificationC:\PROGRA~2\WI4223~1\sidebar.execb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
  • Drops file in Windows directory
    cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe

    Reported IOCs

    descriptioniocprocess
    File opened for modificationC:\Windows\svchost.comcb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Modifies registry class
    cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe

    Reported IOCs

    descriptioniocprocess
    Set value (str)\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
  • Modifies system certificate store
    cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe

    TTPs

    Install Root CertificateModify Registry

    Reported IOCs

    descriptioniocprocess
    Key created\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    Set value (data)\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d578112861900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986ecb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    Key created\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    Set value (data)\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956ddecb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
  • Suspicious behavior: EnumeratesProcesses
    cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exepowershell.exe

    Reported IOCs

    pidprocess
    520cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    548powershell.exe
  • Suspicious use of AdjustPrivilegeToken
    cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exepowershell.exevssvc.exe

    Reported IOCs

    descriptionpidprocess
    Token: SeDebugPrivilege520cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    Token: SeDebugPrivilege548powershell.exe
    Token: SeBackupPrivilege1952vssvc.exe
    Token: SeRestorePrivilege1952vssvc.exe
    Token: SeAuditPrivilege1952vssvc.exe
  • Suspicious use of WriteProcessMemory
    cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.execb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 1088 wrote to memory of 5201088cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.execb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    PID 1088 wrote to memory of 5201088cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.execb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    PID 1088 wrote to memory of 5201088cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.execb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    PID 1088 wrote to memory of 5201088cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.execb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    PID 520 wrote to memory of 548520cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exepowershell.exe
    PID 520 wrote to memory of 548520cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exepowershell.exe
    PID 520 wrote to memory of 548520cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exepowershell.exe
    PID 520 wrote to memory of 548520cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exepowershell.exe
Processes 5
  • C:\Users\Admin\AppData\Local\Temp\cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
    "C:\Users\Admin\AppData\Local\Temp\cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe"
    Modifies system executable filetype association
    Loads dropped DLL
    Drops file in Program Files directory
    Drops file in Windows directory
    Modifies registry class
    Suspicious use of WriteProcessMemory
    PID:1088
    • C:\Users\Admin\AppData\Local\Temp\3582-490\cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe"
      Executes dropped EXE
      Modifies extensions of user files
      Adds Run key to start application
      Enumerates connected drives
      Drops file in System32 directory
      Sets desktop wallpaper using registry
      Drops file in Program Files directory
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:520
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        PID:548
  • C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wbem\unsecapp.exe -Embedding
    PID:1116
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    Suspicious use of AdjustPrivilegeToken
    PID:1952
Network
MITRE ATT&CK Matrix
Command and Control
    Credential Access
    Execution
      Exfiltration
        Impact
        Initial Access
          Lateral Movement
            Privilege Escalation
              Replay Monitor
              00:00 00:00
              Downloads
              • C:\Users\Admin\AppData\Local\Temp\3582-490\cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe

                MD5

                9efbbace685671cc174a24989e4dda08

                SHA1

                9234b5bd774ca12b0fe46ce74c80f1ea76d85600

                SHA256

                65980c4eba464e9bdaa06ac6bad34b90405c591769accb078ac352288be9def5

                SHA512

                a2af96b0e6557c1f4bb4900f5abb0d39594847521156d37c33c7f3c744475bf8e91a8f14e0910e6c4f192da9aa25e40acd691b7efe841adcf95ac8670b140133

              • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

                MD5

                9e2b9928c89a9d0da1d3e8f4bd96afa7

                SHA1

                ec66cda99f44b62470c6930e5afda061579cde35

                SHA256

                8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

                SHA512

                2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

              • \Users\Admin\AppData\Local\Temp\3582-490\cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe

                MD5

                9efbbace685671cc174a24989e4dda08

                SHA1

                9234b5bd774ca12b0fe46ce74c80f1ea76d85600

                SHA256

                65980c4eba464e9bdaa06ac6bad34b90405c591769accb078ac352288be9def5

                SHA512

                a2af96b0e6557c1f4bb4900f5abb0d39594847521156d37c33c7f3c744475bf8e91a8f14e0910e6c4f192da9aa25e40acd691b7efe841adcf95ac8670b140133

              • \Users\Admin\AppData\Local\Temp\3582-490\cb6db23d41d26f985ac7316fe5747ede297ed0b3ab9f71c76a84c598d00accde.exe

                MD5

                9efbbace685671cc174a24989e4dda08

                SHA1

                9234b5bd774ca12b0fe46ce74c80f1ea76d85600

                SHA256

                65980c4eba464e9bdaa06ac6bad34b90405c591769accb078ac352288be9def5

                SHA512

                a2af96b0e6557c1f4bb4900f5abb0d39594847521156d37c33c7f3c744475bf8e91a8f14e0910e6c4f192da9aa25e40acd691b7efe841adcf95ac8670b140133

              • memory/548-62-0x0000000002832000-0x0000000002834000-memory.dmp

              • memory/548-59-0x000007FEFC321000-0x000007FEFC323000-memory.dmp

              • memory/548-63-0x0000000002834000-0x0000000002837000-memory.dmp

              • memory/548-60-0x000007FEF35B0000-0x000007FEF410D000-memory.dmp

              • memory/548-64-0x000000001B760000-0x000000001BA5F000-memory.dmp

              • memory/548-65-0x000000000283B000-0x000000000285A000-memory.dmp

              • memory/548-61-0x0000000002830000-0x0000000002832000-memory.dmp

              • memory/1088-54-0x0000000076C61000-0x0000000076C63000-memory.dmp