crypvault | 3ddf1da783551e626ba3575748eb8bc9d92424a910e6841a05f15079ae605566

Analysis

max time kernel
45s
max time network
56s
platform
windows7_x64
resource
win7-20220414-en
submitted
01-07-2022 14:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ddf1da783551e626ba3575748eb8bc9d92424a910e6841a05f15079ae605566.exe
Size

1.1MB
MD5

67602186447c604718f329e4a75efa30
SHA1

da92fac48b831c782fe13704c444518dfab9f43f
SHA256

3ddf1da783551e626ba3575748eb8bc9d92424a910e6841a05f15079ae605566
SHA512

99bc50931bfd4bedacdef49ed52d3270327d6314e661bafeac4c7099f4a95f1c1c555726769898876fafe0fa1c3303797b1a09604bead0795f297c75ff372590

Score

10^/10

crypvault persistence ransomware

Malware Config

Signatures

CrypVault
Ransomware family which makes encrypted files look like they have been quarantined by AV.
ransomware crypvault
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

vssadmin.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 880 1636 vssadmin.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	1636	vssadmin.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exetasklist.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\IEData = "C:\\Windows\\SysWOW64\\IEData\\IEData.lnk"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	tasklist.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\IEData = "C:\\Windows\\SysWOW64\\IEData\\IEData.lnk"	tasklist.exe

Executes dropped EXE 1 IoCs

Processes:

plGbK6.exe

pid process

1648 plGbK6.exe

pid	process
1648	plGbK6.exe

Drops startup file 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta	svchost.exe

Loads dropped DLL 2 IoCs

Processes:

WScript.exeWScript.exe

pid process

1172 WScript.exe
1848 WScript.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1172	WScript.exe
1848	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\nPSJHqv7sImdXngC = "C:\\Users\\Admin\\AppData\\Roaming\\WXYT4cfXl0u4ZrGW\\0BBJCMxzSLI7uJFL.lnk"	WScript.exe

Drops file in System32 directory 17 IoCs

Processes:

explorer.exe

description	ioc	process
File created	C:\Windows\SysWOW64\IEData\api-ms-win-core-console-l1-1-0.dll	explorer.exe
File opened for modification	C:\Windows\SysWOW64\IEData\IEData.cmd	explorer.exe
File created	C:\Windows\SysWOW64\IEData\IEData.cmd	explorer.exe
File created	C:\Windows\SysWOW64\IEData\AltTab.dll	explorer.exe
File created	C:\Windows\SysWOW64\IEData\apds.dll	explorer.exe
File created	C:\Windows\SysWOW64\IEData\api-ms-win-core-misc-l1-1-0.dll	explorer.exe
File created	C:\Windows\SysWOW64\IEData\api-ms-win-core-processthreads-l1-1-0.dll	explorer.exe
File opened for modification	C:\Windows\SysWOW64\IEData	explorer.exe
File created	C:\Windows\SysWOW64\IEData\IEData.lnk	explorer.exe
File created	C:\Windows\SysWOW64\IEData\api-ms-win-core-debug-l1-1-0.dll	explorer.exe
File created	C:\Windows\SysWOW64\IEData\api-ms-win-core-processenvironment-l1-1-0.dll	explorer.exe
File opened for modification	C:\Windows\SysWOW64\IEData\IEData.lnk	explorer.exe
File created	C:\Windows\SysWOW64\IEData\accessibilitycpl.dll	explorer.exe
File opened for modification	C:\Windows\SysWOW64\IEData\accessibilitycpl.dll	explorer.exe
File created	C:\Windows\SysWOW64\IEData\aclui.dll	explorer.exe
File created	C:\Windows\SysWOW64\IEData\ActionCenterCPL.dll	explorer.exe
File created	C:\Windows\SysWOW64\IEData\aeevts.dll	explorer.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

plGbK6.exe

description pid process target process

PID 1648 set thread context of 1836 1648 plGbK6.exe vbc.exe

description	pid	process	target process
PID 1648 set thread context of 1836	1648	plGbK6.exe	vbc.exe

Drops file in Program Files directory 5 IoCs

Processes:

plGbK6.exe

description	ioc	process
File opened for modification	C:\PROGRA~3\plGbK6.vbs	plGbK6.exe
File opened for modification	C:\PROGRA~3\Xhlm7tWi	plGbK6.exe
File created	C:\PROGRA~3\plGbK6.backup	plGbK6.exe
File opened for modification	C:\PROGRA~3\plGbK6.backup	plGbK6.exe
File created	C:\PROGRA~3\plGbK61.backup	plGbK6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

996 1568 WerFault.exe svchost.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

1808 tasklist.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

880 vssadmin.exe
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

plGbK6.exevbc.exe

pid process

1648 plGbK6.exe
1648 plGbK6.exe
1836 vbc.exe
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

vbc.exeexplorer.exetasklist.exeexplorer.exe

pid process

1836 vbc.exe
1152 explorer.exe
1808 tasklist.exe
308 explorer.exe

pid	pid_target	process	target process
996	1568	WerFault.exe	svchost.exe

pid	process
1808	tasklist.exe

pid	process
880	vssadmin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
1648	plGbK6.exe
1648	plGbK6.exe
1836	vbc.exe

pid	process
1836	vbc.exe
1152	explorer.exe
1808	tasklist.exe
308	explorer.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

wmic.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1500	wmic.exe
Token: SeSecurityPrivilege	1500	wmic.exe
Token: SeTakeOwnershipPrivilege	1500	wmic.exe
Token: SeLoadDriverPrivilege	1500	wmic.exe
Token: SeSystemProfilePrivilege	1500	wmic.exe
Token: SeSystemtimePrivilege	1500	wmic.exe
Token: SeProfSingleProcessPrivilege	1500	wmic.exe
Token: SeIncBasePriorityPrivilege	1500	wmic.exe
Token: SeCreatePagefilePrivilege	1500	wmic.exe
Token: SeBackupPrivilege	1500	wmic.exe
Token: SeRestorePrivilege	1500	wmic.exe
Token: SeShutdownPrivilege	1500	wmic.exe
Token: SeDebugPrivilege	1500	wmic.exe
Token: SeSystemEnvironmentPrivilege	1500	wmic.exe
Token: SeRemoteShutdownPrivilege	1500	wmic.exe
Token: SeUndockPrivilege	1500	wmic.exe
Token: SeManageVolumePrivilege	1500	wmic.exe
Token: 33	1500	wmic.exe
Token: 34	1500	wmic.exe
Token: 35	1500	wmic.exe
Token: SeIncreaseQuotaPrivilege	1500	wmic.exe
Token: SeSecurityPrivilege	1500	wmic.exe
Token: SeTakeOwnershipPrivilege	1500	wmic.exe
Token: SeLoadDriverPrivilege	1500	wmic.exe
Token: SeSystemProfilePrivilege	1500	wmic.exe
Token: SeSystemtimePrivilege	1500	wmic.exe
Token: SeProfSingleProcessPrivilege	1500	wmic.exe
Token: SeIncBasePriorityPrivilege	1500	wmic.exe
Token: SeCreatePagefilePrivilege	1500	wmic.exe
Token: SeBackupPrivilege	1500	wmic.exe
Token: SeRestorePrivilege	1500	wmic.exe
Token: SeShutdownPrivilege	1500	wmic.exe
Token: SeDebugPrivilege	1500	wmic.exe
Token: SeSystemEnvironmentPrivilege	1500	wmic.exe
Token: SeRemoteShutdownPrivilege	1500	wmic.exe
Token: SeUndockPrivilege	1500	wmic.exe
Token: SeManageVolumePrivilege	1500	wmic.exe
Token: 33	1500	wmic.exe
Token: 34	1500	wmic.exe
Token: 35	1500	wmic.exe
Token: SeBackupPrivilege	1616	vssvc.exe
Token: SeRestorePrivilege	1616	vssvc.exe
Token: SeAuditPrivilege	1616	vssvc.exe

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

3ddf1da783551e626ba3575748eb8bc9d92424a910e6841a05f15079ae605566.execmd.exeWScript.exeplGbK6.exevbc.execmd.exeexplorer.exetasklist.exeexplorer.exesvchost.exe

description	pid	process	target process
PID 1376 wrote to memory of 1380	1376	3ddf1da783551e626ba3575748eb8bc9d92424a910e6841a05f15079ae605566.exe	cmd.exe
PID 1376 wrote to memory of 1380	1376	3ddf1da783551e626ba3575748eb8bc9d92424a910e6841a05f15079ae605566.exe	cmd.exe
PID 1376 wrote to memory of 1380	1376	3ddf1da783551e626ba3575748eb8bc9d92424a910e6841a05f15079ae605566.exe	cmd.exe
PID 1376 wrote to memory of 1380	1376	3ddf1da783551e626ba3575748eb8bc9d92424a910e6841a05f15079ae605566.exe	cmd.exe
PID 1380 wrote to memory of 1172	1380	cmd.exe	WScript.exe
PID 1380 wrote to memory of 1172	1380	cmd.exe	WScript.exe
PID 1380 wrote to memory of 1172	1380	cmd.exe	WScript.exe
PID 1380 wrote to memory of 1172	1380	cmd.exe	WScript.exe
PID 1172 wrote to memory of 1648	1172	WScript.exe	plGbK6.exe
PID 1172 wrote to memory of 1648	1172	WScript.exe	plGbK6.exe
PID 1172 wrote to memory of 1648	1172	WScript.exe	plGbK6.exe
PID 1172 wrote to memory of 1648	1172	WScript.exe	plGbK6.exe
PID 1648 wrote to memory of 1836	1648	plGbK6.exe	vbc.exe
PID 1648 wrote to memory of 1836	1648	plGbK6.exe	vbc.exe
PID 1648 wrote to memory of 1836	1648	plGbK6.exe	vbc.exe
PID 1648 wrote to memory of 1836	1648	plGbK6.exe	vbc.exe
PID 1648 wrote to memory of 1836	1648	plGbK6.exe	vbc.exe
PID 1648 wrote to memory of 1836	1648	plGbK6.exe	vbc.exe
PID 1648 wrote to memory of 1836	1648	plGbK6.exe	vbc.exe
PID 1648 wrote to memory of 1836	1648	plGbK6.exe	vbc.exe
PID 1648 wrote to memory of 1836	1648	plGbK6.exe	vbc.exe
PID 1648 wrote to memory of 1836	1648	plGbK6.exe	vbc.exe
PID 1648 wrote to memory of 684	1648	plGbK6.exe	cmd.exe
PID 1648 wrote to memory of 684	1648	plGbK6.exe	cmd.exe
PID 1648 wrote to memory of 684	1648	plGbK6.exe	cmd.exe
PID 1648 wrote to memory of 684	1648	plGbK6.exe	cmd.exe
PID 1836 wrote to memory of 1152	1836	vbc.exe	explorer.exe
PID 1836 wrote to memory of 1152	1836	vbc.exe	explorer.exe
PID 1836 wrote to memory of 1152	1836	vbc.exe	explorer.exe
PID 1836 wrote to memory of 1152	1836	vbc.exe	explorer.exe
PID 684 wrote to memory of 1848	684	cmd.exe	WScript.exe
PID 684 wrote to memory of 1848	684	cmd.exe	WScript.exe
PID 684 wrote to memory of 1848	684	cmd.exe	WScript.exe
PID 684 wrote to memory of 1848	684	cmd.exe	WScript.exe
PID 1152 wrote to memory of 1808	1152	explorer.exe	tasklist.exe
PID 1152 wrote to memory of 1808	1152	explorer.exe	tasklist.exe
PID 1152 wrote to memory of 1808	1152	explorer.exe	tasklist.exe
PID 1152 wrote to memory of 1808	1152	explorer.exe	tasklist.exe
PID 1808 wrote to memory of 308	1808	tasklist.exe	explorer.exe
PID 1808 wrote to memory of 308	1808	tasklist.exe	explorer.exe
PID 1808 wrote to memory of 308	1808	tasklist.exe	explorer.exe
PID 1808 wrote to memory of 308	1808	tasklist.exe	explorer.exe
PID 308 wrote to memory of 1568	308	explorer.exe	svchost.exe
PID 308 wrote to memory of 1568	308	explorer.exe	svchost.exe
PID 308 wrote to memory of 1568	308	explorer.exe	svchost.exe
PID 308 wrote to memory of 1568	308	explorer.exe	svchost.exe
PID 1568 wrote to memory of 1500	1568	svchost.exe	wmic.exe
PID 1568 wrote to memory of 1500	1568	svchost.exe	wmic.exe
PID 1568 wrote to memory of 1500	1568	svchost.exe	wmic.exe
PID 1568 wrote to memory of 1500	1568	svchost.exe	wmic.exe
PID 1568 wrote to memory of 1936	1568	svchost.exe	mshta.exe
PID 1568 wrote to memory of 1936	1568	svchost.exe	mshta.exe
PID 1568 wrote to memory of 1936	1568	svchost.exe	mshta.exe
PID 1568 wrote to memory of 1936	1568	svchost.exe	mshta.exe
PID 1568 wrote to memory of 996	1568	svchost.exe	WerFault.exe
PID 1568 wrote to memory of 996	1568	svchost.exe	WerFault.exe
PID 1568 wrote to memory of 996	1568	svchost.exe	WerFault.exe
PID 1568 wrote to memory of 996	1568	svchost.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\3ddf1da783551e626ba3575748eb8bc9d92424a910e6841a05f15079ae605566.exe
"C:\Users\Admin\AppData\Local\Temp\3ddf1da783551e626ba3575748eb8bc9d92424a910e6841a05f15079ae605566.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\ProgramData\plGbK61.vbs
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1380
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ProgramData\plGbK61.vbs"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1172
  - - C:\ProgramData\plGbK6.exe
      "C:\ProgramData\plGbK6.exe" C:\ProgramData\plGbK6.au3
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1648
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1836
      - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        6⤵
        Adds policy Run key to start application
        Drops file in System32 directory
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\SysWOW64\tasklist.exe
        
        C:\Windows\SysWOW64\tasklist.exe
        7⤵
        Adds policy Run key to start application
        Enumerates processes with tasklist
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        8⤵
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:308
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        9⤵
        Drops startup file
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic process call create "vssadmin.exe delete shadows /all /quiet"
        10⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
        
        C:\Windows\SysWOW64\mshta.exe
        
        mshta.exe C:\Users\Admin\Desktop\VAULT.hta
        10⤵
        Modifies Internet Explorer settings
        
        PID:1936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 744
        10⤵
        Program crash
        
        PID:996
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\PROGRA~3\plGbK6.vbs
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:684
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\PROGRA~3\plGbK6.vbs"
        6⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1848

C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:880

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\plGbK6.folder

Filesize
33B

MD5
33a6417430acf3de0d63ce51ea379446

SHA1
1edd015375aafbcfb019fbbff2e5f155fdc56bd0

SHA256
4fe93a90b2deab9e438b21127815cefebb8c3686c301b0cb110eb8ac18ec403a

SHA512
4f1f28fb96463b82403a43cb559b3a8a27d617864995adeb74b34f2d2856e5a9c11c1f562b28a867859cf7f59bf2b303a6434f27474e8d5e3fb9d3b8acb2faa3

Download Submit
C:\PROGRA~3\plGbK6.path

Filesize
102B

MD5
96a5701b8802017f8eb5c0b12f2d6648

SHA1
bf2674795d2adaf68b4427ea31c06ea8c28c1341

SHA256
080979ee8e1989d94b3da1442ae87c25d9ce888b7358daa5a7fc6ba3db24c72b

SHA512
924ad1f07b399f01b7268b01b05d2c33b6087551172f39f7d3e381395e8b7a8036774949076cd4109f3e79a7a72c9bdd137eea38b6695d6a47a2dbe3c9546468

Download Submit
C:\PROGRA~3\plGbK6.vbs

Filesize
648B

MD5
ee5c36bd87008356db08a36bb6657602

SHA1
874c97cce3c010a24e3b8817c34c70c04668b42d

SHA256
044ae0c0d26bdaa388ae02cf80c945a7ec542aeb34b0de046f2e1590ff530585

SHA512
f0169f74b93f2841fe146b1dedc471606511b3bebcd5c4498270cb7cebdb5e68fc5bcf7dc5036bd18ae3b4bea094fcebe9c5b180b9f58384123ddc61ecd2b370

Download Submit
C:\ProgramData\plGbK6

Filesize
34KB

MD5
f22becbde3aa82e56d20a475a7122670

SHA1
f8eb33dd6cc868176048ee552f16e893c6269649

SHA256
036181c87137ebebeb51d1462e615cf21c5b8bd75354dea855c35915ab080a7a

SHA512
739c008fc414edb56440796235b78799468b1791592600028ea591345cc4245ba35a67452cd54fb5c40e423c9a22a0280ce194755412a905713737c6ada7b4f9

Download Submit
C:\ProgramData\plGbK6.au3

Filesize
83KB

MD5
d7ae10e0c6e165746d5b6cd960e11835

SHA1
9011a7efcccad994025cc49a6d33ea8be3f06177

SHA256
7fbb4f71146b85919af9166225cd8d87b314bb867b63ab4a0a785d5be8e71dbe

SHA512
e26f2a1b24e963d0129bca6de7b98345923121f19227abb7d3f4998f8fd50bf96d96c4264a50cd52f721b0639af79167704d2b4b905e12b969108cad15952f27

Download Submit
C:\ProgramData\plGbK6.exe

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\ProgramData\plGbK6.exe

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\ProgramData\plGbK61.vbs

Filesize
102B

MD5
cda398717513da50830b084697723e1d

SHA1
fe120f38ddce40e9e5dc7a680df87557337ab948

SHA256
3252524e7063782846866933b9bb7f30d24c101279905e8cd78a15348f2a4422

SHA512
3dfbf16256cc43df34c2c1df1ef1854c77751abe8dec0795fb80b582c8f8832014ba878af30bc986451f5259667f17bd768184e961ac1c924dd1bf701fd2338e

Download Submit
C:\Users\Admin\Desktop\VAULT.hta

Filesize
4KB

MD5
cfd06e26fb55549b4af98bcbf3cb9931

SHA1
c1f51c7b81be9f3f63d904d61a0452606f09837b

SHA256
a7c38911204a4b9d424473ff0d4526f42b14b3040a434381831c04637e1b17df

SHA512
e9565b90ab6627d67b2d71f0901a02a78ee5f6009abe4190bdb328920457ca600e2c21b494e336165ce30cf3fc9d87ea1f5a3e34cce938709b3a106771ac3b87

Download Submit
C:\Windows\SysWOW64\IEData\IEData.cmd

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
C:\Windows\SysWOW64\IEData\IEData.lnk

Filesize
1KB

MD5
adc7ea78b22e52cf3251ddc1f5c30adc

SHA1
ecdf71211bddf848fa427b75420fad7d284d94ff

SHA256
22abe10db7c72932a781925d161801777aa179967ed683ab5a08217d4957ed6d

SHA512
5b140e2c34daf1a6e5bba08b63cfed68b09ad323276e3994cb980f4ac6844a34674e4d35a9149810af5a1fb34e11424da90f23039d5c4c67b777690c2b6c485e

Download Submit
\ProgramData\plGbK6.exe

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
\ProgramData\plGbK6.exe

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
memory/308-99-0x0000000000BB0000-0x0000000000E31000-memory.dmp

Filesize
2.5MB

Download
memory/308-94-0x0000000000000000-mapping.dmp

Download
memory/308-96-0x00000000748F1000-0x00000000748F3000-memory.dmp

Filesize
8KB

Download
memory/684-79-0x0000000000000000-mapping.dmp

Download
memory/996-105-0x0000000000000000-mapping.dmp

Download
memory/1152-87-0x0000000074981000-0x0000000074983000-memory.dmp

Filesize
8KB

Download
memory/1152-82-0x0000000000000000-mapping.dmp

Download
memory/1152-91-0x0000000000B30000-0x0000000000DB1000-memory.dmp

Filesize
2.5MB

Download
memory/1172-58-0x0000000000000000-mapping.dmp

Download
memory/1376-54-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download
memory/1380-55-0x0000000000000000-mapping.dmp

Download
memory/1500-100-0x0000000000000000-mapping.dmp

Download
memory/1568-97-0x0000000000000000-mapping.dmp

Download
memory/1568-102-0x0000000000BF0000-0x0000000000BF8000-memory.dmp

Filesize
32KB

Download
memory/1648-62-0x0000000000000000-mapping.dmp

Download
memory/1808-90-0x0000000000000000-mapping.dmp

Download
memory/1808-101-0x00000000003C0000-0x00000000003D6000-memory.dmp

Filesize
88KB

Download
memory/1836-80-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1836-76-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1836-74-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1836-73-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1836-72-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1836-77-0x0000000000406F4A-mapping.dmp

Download
memory/1836-70-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1836-69-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1836-83-0x0000000000400000-0x000000000040A228-memory.dmp

Filesize
40KB

Download
memory/1848-86-0x0000000000000000-mapping.dmp

Download
memory/1936-103-0x0000000000000000-mapping.dmp

Download