satana | 683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96

Analysis

max time kernel
4294249s
max time network
191s
platform
windows7_x64
resource
win7-20220311-en
submitted
02-04-2022 20:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

satana.exe
Size

49KB
MD5

46bfd4f1d581d7c0121d2b19a005d3df
SHA1

5b063298bbd1670b4d39e1baef67f854b8dcba9d
SHA256

683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96
SHA512

b52aa090f689765d099689700be7e18922137e7a860a00113e3f72aa6553e94a870bbb741e52de9617506a236a2a59198fb224fcd128576d76642eec9d715df5

Score

10^/10

satana bootkit persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!satana!.txt

Ransom Note

You had bad luck.There was crypting of all your files in a FS bootkit virus <!SATANA!> To decrypt you need send on this E-mail: [email protected] your private code: A3D90235E1136671AB1195C6078184FF and pay on a Bitcoin Wallet: XtumpYQZE3THSx5fG3P9uFTocAbU6DCdwQ total 0,5 btc After that during 1 - 2 days the software will be sent to you - decryptor - and the necessary instructions. All changes in hardware configurations of your computer can make the decryption of your files absolutely impossible! Decryption of your files is possible only on your PC! Recovery is possible during 7 days, after which the program - decryptor - can not ask for the necessary signature from a public certificate server. Please contact via e-mail, which you can find as yet in the form of a text document in a folder with encrypted files, as well as in the name of all encrypted files.If you do not appreciate your files we recommend you format all your disks and reinstall the system. Read carefully this warning as it is no longer able to see at startup of the computer. We remind once again- it is all serious! Do not touch the configuration of your computer! E-mail: [email protected] - this is our mail CODE: A3D90235E1136671AB1195C6078184FF this is code; you must send BTC: XtumpYQZE3THSx5fG3P9uFTocAbU6DCdwQ here need to pay 0,5 bitcoins How to pay on the Bitcoin wallet you can easily find on the Internet. Enter your unlock code, obtained by E-mail here and press "ENTER" to continue the normal download on your computer. Good luck! May God help you! <!SATANA!>

Emails

[email protected]

Signatures

Satana
Ransomware family which also encrypts the system's Master Boot Record (MBR).
ransomware satana
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

jbbf.exejbbf.exe

pid process

1808 jbbf.exe
1476 jbbf.exe
Deletes itself 1 IoCs

Processes:

jbbf.exe

pid process

1476 jbbf.exe
Loads dropped DLL 6 IoCs

Processes:

satana.exejbbf.exejbbf.exe

pid process

1880 satana.exe
1880 satana.exe
1880 satana.exe
1880 satana.exe
1808 jbbf.exe
1476 jbbf.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1808	jbbf.exe
1476	jbbf.exe

pid	process
1476	jbbf.exe

pid	process
1880	satana.exe
1880	satana.exe
1880	satana.exe
1880	satana.exe
1808	jbbf.exe
1476	jbbf.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

satana.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	satana.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\qtlmdigk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\!satana!.txt"	satana.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

jbbf.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 jbbf.exe

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	jbbf.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

satana.exejbbf.exe

description	pid	process	target process
PID 1924 set thread context of 1880	1924	satana.exe	satana.exe
PID 1808 set thread context of 1476	1808	jbbf.exe	jbbf.exe

Drops file in Program Files directory 64 IoCs

Processes:

jbbf.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml	jbbf.exe
File created	C:\Program Files\Windows Sidebar\de-DE\!satana!.txt	jbbf.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif	jbbf.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\28.png	jbbf.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_selectionsubpicture.png	jbbf.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\drag.png	jbbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\Attachments.jpg	jbbf.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Oasis\!satana!.txt	jbbf.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-shadow.png	jbbf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-charts.xml	jbbf.exe
File created	C:\Program Files\Java\jre7\bin\dtplugin\!satana!.txt	jbbf.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty.png	jbbf.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\!satana!.txt	jbbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue\tab_on.gif	jbbf.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_top_left.png	jbbf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.xml	jbbf.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_m.png	jbbf.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif	jbbf.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\HandPrints.jpg	jbbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg	jbbf.exe
File created	C:\Program Files\Common Files\Microsoft Shared\!satana!.txt	jbbf.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_SelectionSubpicture.png	jbbf.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\!satana!.txt	jbbf.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\!satana!.txt	jbbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Clarity.xml	jbbf.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png	jbbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif	jbbf.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsplk.xml	jbbf.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_top_right.png	jbbf.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\cloud_Thumbnail.bmp	jbbf.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\css\!satana!.txt	jbbf.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\gadget.xml	jbbf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\!satana!.txt	jbbf.exe
File created	C:\Program Files\Windows NT\TableTextService\ja-JP\!satana!.txt	jbbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_bullets.gif	jbbf.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\DMR_48.jpg	jbbf.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_bottom_left.png	jbbf.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\32.png	jbbf.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_SelectionSubpicture.png	jbbf.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport.png	jbbf.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\!satana!.txt	jbbf.exe
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\!satana!.txt	jbbf.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	jbbf.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\!satana!.txt	jbbf.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7TSFrame.png	jbbf.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hr\!satana!.txt	jbbf.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\!satana!.txt	jbbf.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\!satana!.txt	jbbf.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\css\!satana!.txt	jbbf.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Slipstream.xml	jbbf.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\combo-hover-right.png	jbbf.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-gibbous.png	jbbf.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\!satana!.txt	jbbf.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\!satana!.txt	jbbf.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\!satana!.txt	jbbf.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\!satana!.txt	jbbf.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-first-quarter.png	jbbf.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\!satana!.txt	jbbf.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nl\!satana!.txt	jbbf.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color32.bmp	jbbf.exe
File created	C:\Program Files\Windows NT\Accessories\es-ES\!satana!.txt	jbbf.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\!satana!.txt	jbbf.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\gadget.xml	jbbf.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\!satana!.txt	jbbf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

VSSADMIN.EXE

pid process

1188 VSSADMIN.EXE

pid	process
1188	VSSADMIN.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

jbbf.exevssvc.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1476	jbbf.exe
Token: SeBackupPrivilege	896	vssvc.exe
Token: SeRestorePrivilege	896	vssvc.exe
Token: SeAuditPrivilege	896	vssvc.exe
Token: SeShutdownPrivilege	1476	jbbf.exe

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

satana.exesatana.exejbbf.exejbbf.exe

description	pid	process	target process
PID 1924 wrote to memory of 1880	1924	satana.exe	satana.exe
PID 1924 wrote to memory of 1880	1924	satana.exe	satana.exe
PID 1924 wrote to memory of 1880	1924	satana.exe	satana.exe
PID 1924 wrote to memory of 1880	1924	satana.exe	satana.exe
PID 1924 wrote to memory of 1880	1924	satana.exe	satana.exe
PID 1924 wrote to memory of 1880	1924	satana.exe	satana.exe
PID 1924 wrote to memory of 1880	1924	satana.exe	satana.exe
PID 1924 wrote to memory of 1880	1924	satana.exe	satana.exe
PID 1924 wrote to memory of 1880	1924	satana.exe	satana.exe
PID 1924 wrote to memory of 1880	1924	satana.exe	satana.exe
PID 1880 wrote to memory of 1808	1880	satana.exe	jbbf.exe
PID 1880 wrote to memory of 1808	1880	satana.exe	jbbf.exe
PID 1880 wrote to memory of 1808	1880	satana.exe	jbbf.exe
PID 1880 wrote to memory of 1808	1880	satana.exe	jbbf.exe
PID 1808 wrote to memory of 1476	1808	jbbf.exe	jbbf.exe
PID 1808 wrote to memory of 1476	1808	jbbf.exe	jbbf.exe
PID 1808 wrote to memory of 1476	1808	jbbf.exe	jbbf.exe
PID 1808 wrote to memory of 1476	1808	jbbf.exe	jbbf.exe
PID 1808 wrote to memory of 1476	1808	jbbf.exe	jbbf.exe
PID 1808 wrote to memory of 1476	1808	jbbf.exe	jbbf.exe
PID 1808 wrote to memory of 1476	1808	jbbf.exe	jbbf.exe
PID 1808 wrote to memory of 1476	1808	jbbf.exe	jbbf.exe
PID 1808 wrote to memory of 1476	1808	jbbf.exe	jbbf.exe
PID 1808 wrote to memory of 1476	1808	jbbf.exe	jbbf.exe
PID 1476 wrote to memory of 1188	1476	jbbf.exe	VSSADMIN.EXE
PID 1476 wrote to memory of 1188	1476	jbbf.exe	VSSADMIN.EXE
PID 1476 wrote to memory of 1188	1476	jbbf.exe	VSSADMIN.EXE
PID 1476 wrote to memory of 1188	1476	jbbf.exe	VSSADMIN.EXE
PID 1476 wrote to memory of 12020	1476	jbbf.exe	NOTEPAD.EXE
PID 1476 wrote to memory of 12020	1476	jbbf.exe	NOTEPAD.EXE
PID 1476 wrote to memory of 12020	1476	jbbf.exe	NOTEPAD.EXE
PID 1476 wrote to memory of 12020	1476	jbbf.exe	NOTEPAD.EXE
PID 1476 wrote to memory of 12048	1476	jbbf.exe	rundll32.exe
PID 1476 wrote to memory of 12048	1476	jbbf.exe	rundll32.exe
PID 1476 wrote to memory of 12048	1476	jbbf.exe	rundll32.exe
PID 1476 wrote to memory of 12048	1476	jbbf.exe	rundll32.exe
PID 1476 wrote to memory of 12048	1476	jbbf.exe	rundll32.exe
PID 1476 wrote to memory of 12048	1476	jbbf.exe	rundll32.exe
PID 1476 wrote to memory of 12048	1476	jbbf.exe	rundll32.exe
PID 1476 wrote to memory of 12048	1476	jbbf.exe	rundll32.exe
PID 1476 wrote to memory of 12048	1476	jbbf.exe	rundll32.exe
PID 1476 wrote to memory of 12080	1476	jbbf.exe	rundll32.exe
PID 1476 wrote to memory of 12080	1476	jbbf.exe	rundll32.exe
PID 1476 wrote to memory of 12080	1476	jbbf.exe	rundll32.exe
PID 1476 wrote to memory of 12080	1476	jbbf.exe	rundll32.exe
PID 1476 wrote to memory of 12080	1476	jbbf.exe	rundll32.exe
PID 1476 wrote to memory of 12080	1476	jbbf.exe	rundll32.exe
PID 1476 wrote to memory of 12080	1476	jbbf.exe	rundll32.exe
PID 1476 wrote to memory of 12080	1476	jbbf.exe	rundll32.exe
PID 1476 wrote to memory of 12080	1476	jbbf.exe	rundll32.exe
PID 1476 wrote to memory of 12132	1476	jbbf.exe	rundll32.exe
PID 1476 wrote to memory of 12132	1476	jbbf.exe	rundll32.exe
PID 1476 wrote to memory of 12132	1476	jbbf.exe	rundll32.exe
PID 1476 wrote to memory of 12132	1476	jbbf.exe	rundll32.exe
PID 1476 wrote to memory of 12132	1476	jbbf.exe	rundll32.exe
PID 1476 wrote to memory of 12132	1476	jbbf.exe	rundll32.exe
PID 1476 wrote to memory of 12132	1476	jbbf.exe	rundll32.exe
PID 1476 wrote to memory of 12132	1476	jbbf.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\satana.exe
"C:\Users\Admin\AppData\Local\Temp\satana.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Users\Admin\AppData\Local\Temp\satana.exe
  "C:\Users\Admin\AppData\Local\Temp\satana.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\Users\Admin\AppData\Local\Temp\jbbf.exe
    "C:\Users\Admin\AppData\Local\Temp\jbbf.exe" {846ee340-7039-11de-9d20-806e6f6e6963} "C:\Users\Admin\AppData\Local\Temp\satana.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1808
  - - C:\Users\Admin\AppData\Local\Temp\jbbf.exe
      "C:\Users\Admin\AppData\Local\Temp\jbbf.exe" {846ee340-7039-11de-9d20-806e6f6e6963} "C:\Users\Admin\AppData\Local\Temp\satana.exe"
      4⤵
      Executes dropped EXE
      Deletes itself
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      Drops file in Program Files directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1476
    - - C:\Windows\SysWOW64\VSSADMIN.EXE
        
        "C:\Windows\system32\VSSADMIN.EXE" Delete Shadows /All /Quiet
        5⤵
        Interacts with shadow copies
        
        PID:1188
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\!satana!.txt
        5⤵
        
        PID:12020
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe
        5⤵
        
        PID:12048
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe
        5⤵
        
        PID:12132
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe
        5⤵
        
        PID:12080

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:896

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\!satana!.txt
1⤵
PID:11912

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:12100

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\!satana!.txt

Filesize
1KB

MD5
9f30500ec5d0f749cf1c468a5b754741

SHA1
09a531504ef7132ae81564929f4c5303db2a2119

SHA256
4989cbe9df3e80de55510e2d8c52f3763df13cc0203e852c44b67a38010b4196

SHA512
e06faa0ba380f583fd0e37ce12e5ab412215d62f99725bb83dde99c37f7b787a89cbd6feff51956701b3011ef68e24ad86be1ec82e75b87bd521e70169855130

Download Submit
C:\Users\Admin\AppData\Local\Temp\jbbf.exe

Filesize
49KB

MD5
46bfd4f1d581d7c0121d2b19a005d3df

SHA1
5b063298bbd1670b4d39e1baef67f854b8dcba9d

SHA256
683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96

SHA512
b52aa090f689765d099689700be7e18922137e7a860a00113e3f72aa6553e94a870bbb741e52de9617506a236a2a59198fb224fcd128576d76642eec9d715df5

Download Submit
C:\Users\Admin\AppData\Local\Temp\jbbf.exe

Filesize
49KB

MD5
46bfd4f1d581d7c0121d2b19a005d3df

SHA1
5b063298bbd1670b4d39e1baef67f854b8dcba9d

SHA256
683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96

SHA512
b52aa090f689765d099689700be7e18922137e7a860a00113e3f72aa6553e94a870bbb741e52de9617506a236a2a59198fb224fcd128576d76642eec9d715df5

Download Submit
C:\Users\Admin\AppData\Local\Temp\jbbf.exe

Filesize
49KB

MD5
46bfd4f1d581d7c0121d2b19a005d3df

SHA1
5b063298bbd1670b4d39e1baef67f854b8dcba9d

SHA256
683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96

SHA512
b52aa090f689765d099689700be7e18922137e7a860a00113e3f72aa6553e94a870bbb741e52de9617506a236a2a59198fb224fcd128576d76642eec9d715df5

Download Submit
C:\Users\Public\Desktop\!satana!.txt

Filesize
1KB

MD5
9f30500ec5d0f749cf1c468a5b754741

SHA1
09a531504ef7132ae81564929f4c5303db2a2119

SHA256
4989cbe9df3e80de55510e2d8c52f3763df13cc0203e852c44b67a38010b4196

SHA512
e06faa0ba380f583fd0e37ce12e5ab412215d62f99725bb83dde99c37f7b787a89cbd6feff51956701b3011ef68e24ad86be1ec82e75b87bd521e70169855130

Download Submit
\Users\Admin\AppData\Local\Temp\jbbf.exe

Filesize
49KB

MD5
46bfd4f1d581d7c0121d2b19a005d3df

SHA1
5b063298bbd1670b4d39e1baef67f854b8dcba9d

SHA256
683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96

SHA512
b52aa090f689765d099689700be7e18922137e7a860a00113e3f72aa6553e94a870bbb741e52de9617506a236a2a59198fb224fcd128576d76642eec9d715df5

Download Submit
\Users\Admin\AppData\Local\Temp\jbbf.exe

Filesize
49KB

MD5
46bfd4f1d581d7c0121d2b19a005d3df

SHA1
5b063298bbd1670b4d39e1baef67f854b8dcba9d

SHA256
683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96

SHA512
b52aa090f689765d099689700be7e18922137e7a860a00113e3f72aa6553e94a870bbb741e52de9617506a236a2a59198fb224fcd128576d76642eec9d715df5

Download Submit
\Users\Admin\AppData\Local\Temp\jbbf.exe

Filesize
49KB

MD5
46bfd4f1d581d7c0121d2b19a005d3df

SHA1
5b063298bbd1670b4d39e1baef67f854b8dcba9d

SHA256
683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96

SHA512
b52aa090f689765d099689700be7e18922137e7a860a00113e3f72aa6553e94a870bbb741e52de9617506a236a2a59198fb224fcd128576d76642eec9d715df5

Download Submit
\Users\Admin\AppData\Local\Temp\jbbf.exe

Filesize
49KB

MD5
46bfd4f1d581d7c0121d2b19a005d3df

SHA1
5b063298bbd1670b4d39e1baef67f854b8dcba9d

SHA256
683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96

SHA512
b52aa090f689765d099689700be7e18922137e7a860a00113e3f72aa6553e94a870bbb741e52de9617506a236a2a59198fb224fcd128576d76642eec9d715df5

Download Submit
\Users\Admin\AppData\Local\Temp\jbbf.exe

Filesize
49KB

MD5
46bfd4f1d581d7c0121d2b19a005d3df

SHA1
5b063298bbd1670b4d39e1baef67f854b8dcba9d

SHA256
683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96

SHA512
b52aa090f689765d099689700be7e18922137e7a860a00113e3f72aa6553e94a870bbb741e52de9617506a236a2a59198fb224fcd128576d76642eec9d715df5

Download Submit
\Users\Admin\AppData\Local\Temp\jbbf.exe

Filesize
49KB

MD5
46bfd4f1d581d7c0121d2b19a005d3df

SHA1
5b063298bbd1670b4d39e1baef67f854b8dcba9d

SHA256
683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96

SHA512
b52aa090f689765d099689700be7e18922137e7a860a00113e3f72aa6553e94a870bbb741e52de9617506a236a2a59198fb224fcd128576d76642eec9d715df5

Download Submit
memory/1188-79-0x0000000000000000-mapping.dmp

Download
memory/1476-76-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1808-65-0x0000000000000000-mapping.dmp

Download
memory/1880-57-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1880-59-0x00000000763D1000-0x00000000763D3000-memory.dmp

Filesize
8KB

Download
memory/1880-60-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1880-54-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1880-55-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/11912-80-0x000007FEFBDE1000-0x000007FEFBDE3000-memory.dmp

Filesize
8KB

Download
memory/12020-82-0x0000000000000000-mapping.dmp

Download
memory/12048-84-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/12048-86-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/12048-88-0x0000000000000000-mapping.dmp

Download
memory/12080-93-0x0000000000000000-mapping.dmp

Download