badrabbit | 4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304

Resubmissions

20-07-2023 23:06

230720-23hkxaba64 10

29-09-2022 12:38

220929-pt4essbhbr 10

Analysis

max time kernel
87s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
29-09-2022 12:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe
Size

148KB
MD5

3ce563e899291b59fa8c57c98cad9b4e
SHA1

7157cc9cf910735727b6601ad4d532cdd0fedc7e
SHA256

4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304
SHA512

827dc0e9f9212ec0d4c1e8c7180c33d387548f7de6d0b45a2eef01f22f69ee571d3f2f8b610b8f671f4b25abaa578431ce758a5e41740e7b8c63ca85ef953469
SSDEEP

3072:/UuL1hDewdkuaLYO/IBK2btFVL1xTevRUyZDDdnN5:/Ue1hyioVgBhnNPK5FZD5n

Score

10^/10

badrabbit cerber mimikatz troldesh wannacry bootkit discovery evasion persistence ransomware trojan upx worm

Malware Config

Extracted

Path

\??\c:\_R_E_A_D___T_H_I_S___RE50_.txt

Family

cerber

Ransom Note

Hi, I'am CRBR ENCRYPTOR ;) ----- ALL YOUR DOCUMENTS, PH0T0S, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only one way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_R_E_A_D___T_H_I_S_*) with complete instructions how to decrypt your files. If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://xpcx6erilkjced3j.onion/4BA7-57EA-FF88-0098-B2A6 Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://xpcx6erilkjced3j.1n5mod.top/4BA7-57EA-FF88-0098-B2A6 2. http://xpcx6erilkjced3j.19kdeh.top/4BA7-57EA-FF88-0098-B2A6 3. http://xpcx6erilkjced3j.1mpsnr.top/4BA7-57EA-FF88-0098-B2A6 4. http://xpcx6erilkjced3j.18ey8e.top/4BA7-57EA-FF88-0098-B2A6 5. http://xpcx6erilkjced3j.17gcun.top/4BA7-57EA-FF88-0098-B2A6 ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----

URLs

http://xpcx6erilkjced3j.onion/4BA7-57EA-FF88-0098-B2A6

http://xpcx6erilkjced3j.1n5mod.top/4BA7-57EA-FF88-0098-B2A6

http://xpcx6erilkjced3j.19kdeh.top/4BA7-57EA-FF88-0098-B2A6

http://xpcx6erilkjced3j.1mpsnr.top/4BA7-57EA-FF88-0098-B2A6

http://xpcx6erilkjced3j.18ey8e.top/4BA7-57EA-FF88-0098-B2A6

http://xpcx6erilkjced3j.17gcun.top/4BA7-57EA-FF88-0098-B2A6

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bdnsgvhk.4zp\\[email protected]"	[email protected]

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh
Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry

mimikatz is an open source tool to dump credentials on Windows 2 IoCs

resource	yara_rule
behavioral2/files/0x0002000000022e31-221.dat	mimikatz
behavioral2/files/0x0002000000022e31-223.dat	mimikatz

Contacts a large (1116) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	[email protected]
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	[email protected]

Disables Task Manager via registry modification
evasion

Executes dropped EXE 35 IoCs

pid	Process
4516	[email protected]
3432	[email protected]
876	[email protected]
1172	[email protected]
4004	Fantom.exe
2872	[email protected]
2040	[email protected]
4152	[email protected]
3064	[email protected]
1756	[email protected]
3816	[email protected]
2780	PkAUIAQo.exe
3696	[email protected]
3704	voQQsQwA.exe
4460	30D4.tmp
4276	[email protected]
4872	[email protected]
2404	[email protected]
5352	[email protected]
5380	[email protected]
5528	[email protected]
5540	[email protected]
5644	[email protected]
5736	[email protected]
5904	[email protected]
6464	[email protected]
6648	[email protected]
6852	[email protected]
6952	[email protected]
5540	[email protected]
1600	[email protected]
5936	[email protected]
5492	[email protected]
4976	[email protected]
4664	voQQsQwA.exe

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1740	netsh.exe
4836	netsh.exe

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\DisableNew.tif.deria	[email protected]
File opened for modification	C:\Users\Admin\Pictures\GrantAdd.png.deria	[email protected]
File opened for modification	C:\Users\Admin\Pictures\UpdateExport.png.deria	[email protected]
File opened for modification	C:\Users\Admin\Pictures\WatchInstall.crw.deria	[email protected]

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0001000000022e05-138.dat	upx
behavioral2/memory/3432-146-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral2/memory/3432-145-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral2/memory/3432-172-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral2/memory/4152-188-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/4152-189-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/3432-197-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral2/memory/4152-204-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/files/0x0001000000022e46-308.dat	upx
behavioral2/files/0x0001000000022e46-311.dat	upx
behavioral2/memory/6464-314-0x0000000000400000-0x000000000044F000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LOGON.exe	[email protected]

Loads dropped DLL 3 IoCs

pid	Process
1100	rundll32.exe
3816	[email protected]
3816	[email protected]

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4440	icacls.exe

Adds Run key to start application 2 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	[email protected]
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	[email protected]
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	[email protected]
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\Web\\rundll32.exe"	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PkAUIAQo.exe = "C:\\Users\\Admin\\XosUgMoc\\PkAUIAQo.exe"	PkAUIAQo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\voQQsQwA.exe = "C:\\ProgramData\\qekgkMEU\\voQQsQwA.exe"	voQQsQwA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bdnsgvhk.4zp\\[email protected]"	[email protected]
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVPCC = "C:\\WINDOWS\\Cursors\\avp.exe"	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PkAUIAQo.exe = "C:\\Users\\Admin\\XosUgMoc\\PkAUIAQo.exe"	[email protected]
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\voQQsQwA.exe = "C:\\ProgramData\\qekgkMEU\\voQQsQwA.exe"	[email protected]

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\r:	[email protected]
File opened (read-only)	\??\t:	[email protected]
File opened (read-only)	\??\k:	[email protected]
File opened (read-only)	\??\l:	[email protected]
File opened (read-only)	\??\q:	[email protected]
File opened (read-only)	\??\f:	[email protected]
File opened (read-only)	\??\v:	[email protected]
File opened (read-only)	\??\x:	[email protected]
File opened (read-only)	\??\n:	[email protected]
File opened (read-only)	\??\o:	[email protected]
File opened (read-only)	\??\p:	[email protected]
File opened (read-only)	\??\u:	[email protected]
File opened (read-only)	\??\y:	[email protected]
File opened (read-only)	\??\a:	[email protected]
File opened (read-only)	\??\e:	[email protected]
File opened (read-only)	\??\m:	[email protected]
File opened (read-only)	\??\z:	[email protected]
File opened (read-only)	\??\i:	[email protected]
File opened (read-only)	\??\j:	[email protected]
File opened (read-only)	\??\s:	[email protected]
File opened (read-only)	\??\w:	[email protected]
File opened (read-only)	\??\b:	[email protected]
File opened (read-only)	\??\g:	[email protected]
File opened (read-only)	\??\h:	[email protected]

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "DANGER"	[email protected]
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Äëÿ òîãî ÷òîáû âîññòàíîâèòü íîðìàëüíóþ ðàáîòó ñâîåãî êîìïüþòåðà íå ïîòåðÿâ ÂÑÞ èíôîðìàöèþ! È ñ ýêîíîìèâ äåíüãè, ïðèøëè ìíå íà e-mail [email protected] êîä ïîïîëíåíèÿ ñ÷åòà êèåâñòàð íà 25 ãðèâåíü. Â îòâåò â òå÷åíèå äâåíàäöàòè ÷àñîâ íà ñâîé e-mail òû ïîëó÷èøü ôàèë äëÿ óäàëåíèÿ ýòîé ïðîãðàììû."	[email protected]

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	[email protected]
File opened for modification	\??\PhysicalDrive0	[email protected]

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files (x86)\microsoft\word	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\README.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\Reader_DC.helpcfg.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\README_th_en_CA_v2.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	[email protected]
File opened for modification	\??\c:\program files (x86)\excel	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\license.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\README_en_GB.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dll.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\AdobeHunspellPlugin.dll.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\List.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia100.dll.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\added.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\added.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	[email protected]
File opened for modification	\??\c:\program files (x86)\powerpoint	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\extensibility.dll.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	[email protected]
File opened for modification	\??\c:\program files (x86)\microsoft\powerpoint	[email protected]
File opened for modification	\??\c:\program files (x86)\the bat!	[email protected]
File opened for modification	\??\c:\program files (x86)\thunderbird	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\WordNet_license.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\List.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	[email protected]
File opened for modification	\??\c:\program files (x86)\microsoft\excel	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\affDescription.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\en_US.aff.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\README_en_US.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\tifffilt.dll.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\plugin.X.manifest.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\en_CA.aff.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\hyph_en_CA.dic.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\hyph_en_US.dic.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_CA.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	[email protected]
File opened for modification	\??\c:\program files (x86)\microsoft\onenote	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\hyph_en_GB.dic.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	[email protected]
File opened for modification	\??\c:\program files (x86)\microsoft\microsoft sql server	[email protected]
File opened for modification	\??\c:\program files (x86)\microsoft\office	[email protected]
File opened for modification	\??\c:\program files (x86)\outlook	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\excluded.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\excluded.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dummy.dic.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Info.plist.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\en_GB.dic.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\dao360.dll.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\InkDiv.dll.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	[email protected]
File opened for modification	\??\c:\program files (x86)\word	[email protected]
File opened for modification	\??\c:\program files (x86)\office	[email protected]
File opened for modification	\??\c:\program files (x86)\onenote	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\en_CA.dic.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\changelog.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	[email protected]
File opened for modification	\??\c:\program files (x86)\bitcoin	[email protected]
File opened for modification	\??\c:\program files (x86)\microsoft\outlook	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\en_US.dic.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\Excluded.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\README_en_CA.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	[email protected]
File opened for modification	\??\c:\program files (x86)\	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\en_GB.aff.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	[email protected]
File opened for modification	\??\c:\program files (x86)\steam	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\Added.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	[email protected]
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt.79EFC4CA4865899FD5922E6B81A23228D22811B720E1EC04D5372149AA9D4A0A	[email protected]

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\Web	[email protected]
File created	C:\Windows\__tmp_rar_sfx_access_check_240620375	[email protected]
File created	C:\Windows\antivirus-platinum.exe	[email protected]
File created	C:\Windows\302746537.exe	[email protected]
File created	C:\Windows\infpub.dat	[email protected]
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File opened for modification	C:\Windows\MSCOMCTL.OCX	[email protected]
File opened for modification	C:\Windows\30D4.tmp	rundll32.exe
File opened for modification	C:\Windows\antivirus-platinum.exe	[email protected]
File created	C:\Windows\COMCTL32.OCX	[email protected]
File opened for modification	C:\Windows\COMCTL32.OCX	[email protected]
File created	C:\Windows\MSCOMCTL.OCX	[email protected]
File opened for modification	C:\Windows\302746537.exe	[email protected]
File created	C:\Windows\dispci.exe	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2568	6464	WerFault.exe	236
3732	5492	WerFault.exe	279

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	[email protected]
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	[email protected]

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4404	schtasks.exe
1012	schtasks.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
6388	taskkill.exe
3132	taskkill.exe

Modifies Control Panel 6 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\sTimeFormat = "ÕÓÉ"	[email protected]
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\WallpaperOriginX = "210"	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\WallpaperOriginY = "187"	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\MenuShowDelay = "9999"	[email protected]

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	[email protected]
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::"	[email protected]
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::"	[email protected]

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/"	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/"	[email protected]

Modifies registry class 1 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\REGFILE\SHELL\OPEN\COMMAND	[email protected]

Modifies registry key 1 TTPs 45 IoCs

Modify Registry

T1112

pid	Process
3148	reg.exe
6284	reg.exe
4040	reg.exe
5544	reg.exe
1504	reg.exe
3536	reg.exe
4908	reg.exe
5848	reg.exe
5984	reg.exe
5816	reg.exe
4100	reg.exe
5140	reg.exe
6100	reg.exe
6924	reg.exe
5644	reg.exe
4548	reg.exe
4336	reg.exe
6020	reg.exe
5924	reg.exe
3724	reg.exe
6124	reg.exe
5868	reg.exe
1688	reg.exe
3896	reg.exe
1076	reg.exe
5828	reg.exe
6060	reg.exe
6276	reg.exe
7020	reg.exe
5896	reg.exe
2408	reg.exe
6012	reg.exe
5840	reg.exe
5804	reg.exe
6084	reg.exe
6972	reg.exe
4132	reg.exe
4852	reg.exe
5992	reg.exe
4664	reg.exe
6004	reg.exe
5916	reg.exe
6092	reg.exe
6248	reg.exe
6456	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1100	rundll32.exe
1100	rundll32.exe
1100	rundll32.exe
1100	rundll32.exe
1756	[email protected]
1756	[email protected]
1756	[email protected]
1756	[email protected]
3696	[email protected]
3696	[email protected]
3696	[email protected]
3696	[email protected]
4460	30D4.tmp
4460	30D4.tmp
4460	30D4.tmp
4460	30D4.tmp
4460	30D4.tmp
4460	30D4.tmp
4460	30D4.tmp
4276	[email protected]
4276	[email protected]
4276	[email protected]
4276	[email protected]
4872	[email protected]
4872	[email protected]
4872	[email protected]
4872	[email protected]
2404	[email protected]
2404	[email protected]
2404	[email protected]
2404	[email protected]
5352	[email protected]
5352	[email protected]
5352	[email protected]
5352	[email protected]
5380	[email protected]
5380	[email protected]
5380	[email protected]
5380	[email protected]
5540	[email protected]
5540	[email protected]
5540	[email protected]
5540	[email protected]
5528	[email protected]
5528	[email protected]
5528	[email protected]
5528	[email protected]
5644	[email protected]
5644	[email protected]
5644	[email protected]
5644	[email protected]
5736	[email protected]
5736	[email protected]
5736	[email protected]
5736	[email protected]
6648	[email protected]
6648	[email protected]
6648	[email protected]
6648	[email protected]
6852	[email protected]
6852	[email protected]
6852	[email protected]
6852	[email protected]
4152	[email protected]

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe
Token: SeShutdownPrivilege	1100	rundll32.exe
Token: SeDebugPrivilege	1100	rundll32.exe
Token: SeTcbPrivilege	1100	rundll32.exe
Token: SeDebugPrivilege	4004	Fantom.exe
Token: SeSystemtimePrivilege	2040	[email protected]
Token: SeDebugPrivilege	3132	taskkill.exe
Token: SeShutdownPrivilege	3064	[email protected]
Token: SeDebugPrivilege	4460	30D4.tmp
Token: SeShutdownPrivilege	876	[email protected]
Token: SeCreatePagefilePrivilege	876	[email protected]
Token: SeDebugPrivilege	1172	[email protected]

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
6952	[email protected]
5492	[email protected]
5492	[email protected]
5492	[email protected]

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
6952	[email protected]
6952	[email protected]
6952	[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3420 wrote to memory of 4516	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	84
PID 3420 wrote to memory of 4516	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	84
PID 3420 wrote to memory of 4516	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	84
PID 3420 wrote to memory of 3432	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	86
PID 3420 wrote to memory of 3432	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	86
PID 3420 wrote to memory of 3432	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	86
PID 4516 wrote to memory of 1100	4516	[email protected]	87
PID 4516 wrote to memory of 1100	4516	[email protected]	87
PID 4516 wrote to memory of 1100	4516	[email protected]	87
PID 3420 wrote to memory of 876	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	88
PID 3420 wrote to memory of 876	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	88
PID 3420 wrote to memory of 876	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	88
PID 3420 wrote to memory of 1172	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	89
PID 3420 wrote to memory of 1172	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	89
PID 3420 wrote to memory of 1172	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	89
PID 3420 wrote to memory of 4004	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	90
PID 3420 wrote to memory of 4004	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	90
PID 3420 wrote to memory of 4004	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	90
PID 1100 wrote to memory of 956	1100	rundll32.exe	91
PID 1100 wrote to memory of 956	1100	rundll32.exe	91
PID 1100 wrote to memory of 956	1100	rundll32.exe	91
PID 3420 wrote to memory of 2872	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	93
PID 3420 wrote to memory of 2872	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	93
PID 3420 wrote to memory of 2872	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	93
PID 3432 wrote to memory of 3132	3432	[email protected]	97
PID 3432 wrote to memory of 3132	3432	[email protected]	97
PID 3432 wrote to memory of 3132	3432	[email protected]	97
PID 3420 wrote to memory of 2040	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	96
PID 3420 wrote to memory of 2040	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	96
PID 3420 wrote to memory of 2040	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	96
PID 3420 wrote to memory of 4152	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	95
PID 3420 wrote to memory of 4152	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	95
PID 3420 wrote to memory of 4152	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	95
PID 3420 wrote to memory of 3064	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	100
PID 3420 wrote to memory of 3064	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	100
PID 3420 wrote to memory of 3064	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	100
PID 956 wrote to memory of 4440	956	cmd.exe	98
PID 956 wrote to memory of 4440	956	cmd.exe	98
PID 956 wrote to memory of 4440	956	cmd.exe	98
PID 1100 wrote to memory of 768	1100	rundll32.exe	99
PID 1100 wrote to memory of 768	1100	rundll32.exe	99
PID 1100 wrote to memory of 768	1100	rundll32.exe	99
PID 876 wrote to memory of 1740	876	[email protected]	102
PID 876 wrote to memory of 1740	876	[email protected]	102
PID 876 wrote to memory of 1740	876	[email protected]	102
PID 3420 wrote to memory of 1756	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	104
PID 3420 wrote to memory of 1756	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	104
PID 3420 wrote to memory of 1756	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	104
PID 768 wrote to memory of 4404	768	cmd.exe	105
PID 768 wrote to memory of 4404	768	cmd.exe	105
PID 768 wrote to memory of 4404	768	cmd.exe	105
PID 3420 wrote to memory of 3816	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	107
PID 3420 wrote to memory of 3816	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	107
PID 3420 wrote to memory of 3816	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	107
PID 876 wrote to memory of 4836	876	[email protected]	108
PID 876 wrote to memory of 4836	876	[email protected]	108
PID 876 wrote to memory of 4836	876	[email protected]	108
PID 1756 wrote to memory of 2780	1756	[email protected]	109
PID 1756 wrote to memory of 2780	1756	[email protected]	109
PID 1756 wrote to memory of 2780	1756	[email protected]	109
PID 3420 wrote to memory of 3696	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	110
PID 3420 wrote to memory of 3696	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	110
PID 3420 wrote to memory of 3696	3420	Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe	110
PID 1100 wrote to memory of 1792	1100	rundll32.exe	112

System policy modification 1 TTPs 37 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoThemesTab = "1"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp = "1"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoManageMyComputerVerb = "1"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFavoritesMenu = "1"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff = "1"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize = "1"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinterTabs = "1"	[email protected]
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	[email protected]
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D} = "1"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "1044"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetHood = "1"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{450D8FBA-AD25-11D0-98A8-0800361B1103} = "1"	[email protected]
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall\NoAddRemovePrograms = "1"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL = "1"	[email protected]
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuPinnedList = "1"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyDocs = "1"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoUserNameInStartMenu = "1"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuSubFolders = "1"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMyMusic = "1"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop = "1"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose = "1"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinters = "1"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups = "1"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive = "1"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu = "1"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMFUprogramsList = "1"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyPictures = "1"	[email protected]

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
5772	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Zerber.gdcx-4a8031fc97753e95eb440a1f0f100ddcfbca0bca0bb2271dbc775e129282f304.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3420
- C:\Users\Admin\AppData\Local\Temp\dca3hed1.ypt\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\dca3hed1.ypt\[email protected]"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4516
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1100
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Delete /F /TN rhaegal
      4⤵
      Suspicious use of WriteProcessMemory
      PID:956
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /F /TN rhaegal
        5⤵
        
        PID:4440
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 424208606 && exit"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:768
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 424208606 && exit"
        5⤵
        Creates scheduled task(s)
        
        PID:4404
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 12:56:00
      4⤵
      PID:1792
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 12:56:00
        5⤵
        Creates scheduled task(s)
        
        PID:1012
  - - C:\Windows\30D4.tmp
      "C:\Windows\30D4.tmp" \\.\pipe\{64DE3FDC-E086-4E13-8B24-EAD03D77FE52}
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4460
- C:\Users\Admin\AppData\Local\Temp\bdnsgvhk.4zp\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\bdnsgvhk.4zp\[email protected]"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3432
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM explorer.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3132
- C:\Users\Admin\AppData\Local\Temp\2bsvwnlm.skc\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\2bsvwnlm.skc\[email protected]"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:876
- - C:\Windows\SysWOW64\netsh.exe
    C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
    3⤵
    - Modifies Windows Firewall
    PID:1740
- - C:\Windows\SysWOW64\netsh.exe
    C:\Windows\system32\netsh.exe advfirewall reset
    3⤵
    - Modifies Windows Firewall
    PID:4836
- C:\Users\Admin\AppData\Local\Temp\qdcqpxbd.eju\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\qdcqpxbd.eju\[email protected]"
  2⤵
  - Executes dropped EXE
  - Modifies extensions of user files
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
  PID:1172
- C:\Users\Admin\AppData\Local\Temp\wcv1fovy.rkl\Fantom.exe
  "C:\Users\Admin\AppData\Local\Temp\wcv1fovy.rkl\Fantom.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4004
- C:\Users\Admin\AppData\Local\Temp\ef5lhrfq.phc\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\ef5lhrfq.phc\[email protected]"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Checks processor information in registry
  PID:2872
- C:\Users\Admin\AppData\Local\Temp\l1moufuu.2ks\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\l1moufuu.2ks\[email protected]"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:4152
- C:\Users\Admin\AppData\Local\Temp\5cfwklw1.st5\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\5cfwklw1.st5\[email protected]"
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies WinLogon
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:2040
- C:\Users\Admin\AppData\Local\Temp\bdu0r3ga.hhv\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\bdu0r3ga.hhv\[email protected]"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of AdjustPrivilegeToken
  PID:3064
- C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\[email protected]"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Users\Admin\XosUgMoc\PkAUIAQo.exe
    "C:\Users\Admin\XosUgMoc\PkAUIAQo.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:2780
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /FI "USERNAME eq Admin" /F /IM voQQsQwA.exe
      4⤵
      Kills process with taskkill
      PID:6388
  - - C:\ProgramData\qekgkMEU\voQQsQwA.exe
      "C:\ProgramData\qekgkMEU\voQQsQwA.exe"
      4⤵
      Executes dropped EXE
      PID:4664
- - C:\ProgramData\qekgkMEU\voQQsQwA.exe
    "C:\ProgramData\qekgkMEU\voQQsQwA.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:3704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\Endermanch@PolyRansom"
    3⤵
    PID:4960
  - - C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\[email protected]
      C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\Endermanch@PolyRansom
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4276
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\Endermanch@PolyRansom"
        5⤵
        
        PID:3836
      - C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\Endermanch@PolyRansom
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:5380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\Endermanch@PolyRansom"
        7⤵
        
        PID:5452
        
        C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\Endermanch@PolyRansom
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:5540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\Endermanch@PolyRansom"
        9⤵
        
        PID:5592
        
        C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\Endermanch@PolyRansom
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:5644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\Endermanch@PolyRansom"
        11⤵
        
        PID:5764
        
        C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\Endermanch@PolyRansom
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:6648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\Endermanch@PolyRansom"
        13⤵
        
        PID:6828
        
        C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\Endermanch@PolyRansom
        14⤵
        Executes dropped EXE
        
        PID:5540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\Endermanch@PolyRansom"
        15⤵
        
        PID:6448
        
        C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\Endermanch@PolyRansom
        16⤵
        Executes dropped EXE
        
        PID:4976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        15⤵
        Modifies registry key
        
        PID:5868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        15⤵
        Modifies registry key
        
        PID:5896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        15⤵
        Modifies registry key
        
        PID:5992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GKcEEAUQ.bat" "C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\[email protected]""
        15⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        13⤵
        Modifies registry key
        
        PID:6924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        13⤵
        Modifies registry key
        
        PID:6972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hSMsQkcs.bat" "C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\[email protected]""
        13⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        14⤵
        
        PID:312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        13⤵
        Modifies registry key
        
        PID:7020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        11⤵
        Modifies registry key
        
        PID:5924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xKQQEoMU.bat" "C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\[email protected]""
        11⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        12⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        11⤵
        Modifies registry key
        
        PID:6092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        11⤵
        Modifies registry key
        
        PID:6084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        9⤵
        Modifies registry key
        
        PID:5916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        9⤵
        Modifies registry key
        
        PID:5816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zKAsQIcI.bat" "C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\[email protected]""
        9⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        10⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        9⤵
        Modifies registry key
        
        PID:6060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NkkckUEo.bat" "C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\[email protected]""
        7⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        8⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        7⤵
        Modifies registry key
        
        PID:6020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        7⤵
        Modifies registry key
        
        PID:6012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        7⤵
        Modifies registry key
        
        PID:5840
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies registry key
        
        PID:1504
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        Modifies registry key
        
        PID:2408
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        Modifies registry key
        
        PID:4664
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kgosIoww.bat" "C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\[email protected]""
        5⤵
        
        PID:1736
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:5844
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:3896
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:4100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CSsUYAoo.bat" "C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\[email protected]""
    3⤵
    PID:1128
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:6624
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:4336
- C:\Users\Admin\AppData\Local\Temp\crxot4hv.hea\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\crxot4hv.hea\[email protected]"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3816
- C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\[email protected]"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\Endermanch@ViraLock"
    3⤵
    PID:4108
  - - C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\[email protected]
      C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\Endermanch@ViraLock
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4872
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\Endermanch@ViraLock"
        5⤵
        
        PID:4164
      - C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\Endermanch@ViraLock
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\Endermanch@ViraLock"
        7⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\Endermanch@ViraLock
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:5352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\Endermanch@ViraLock"
        9⤵
        
        PID:5436
        
        C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\Endermanch@ViraLock
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:5528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\Endermanch@ViraLock"
        11⤵
        
        PID:5660
        
        C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\Endermanch@ViraLock
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:5736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\Endermanch@ViraLock"
        13⤵
        
        PID:5956
        
        C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\Endermanch@ViraLock
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:6852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\Endermanch@ViraLock"
        15⤵
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\[email protected]
        
        C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\Endermanch@ViraLock
        16⤵
        Executes dropped EXE
        
        PID:5936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\Endermanch@ViraLock"
        17⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        17⤵
        Modifies registry key
        
        PID:4548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        17⤵
        Modifies registry key
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\meMwsoIg.bat" "C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\[email protected]""
        17⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        17⤵
        Modifies registry key
        
        PID:1688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        15⤵
        Modifies registry key
        
        PID:5544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        15⤵
        Modifies registry key
        
        PID:5644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oiocsogw.bat" "C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\[email protected]""
        15⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        15⤵
        Modifies registry key
        
        PID:6284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        13⤵
        Modifies registry key
        
        PID:6248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WqwUggYI.bat" "C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\[email protected]""
        13⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        14⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        13⤵
        Modifies registry key
        
        PID:6456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        13⤵
        Modifies registry key
        
        PID:6276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        11⤵
        Modifies registry key
        
        PID:5848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        11⤵
        Modifies registry key
        
        PID:6004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LcIEMkEU.bat" "C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\[email protected]""
        11⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        12⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        11⤵
        Modifies registry key
        
        PID:6124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        9⤵
        Modifies registry key
        
        PID:5828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LOkwUYMw.bat" "C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\[email protected]""
        9⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        10⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        9⤵
        Modifies registry key
        
        PID:5140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        9⤵
        Modifies registry key
        
        PID:3724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        7⤵
        Modifies registry key
        
        PID:5984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        7⤵
        Modifies registry key
        
        PID:5804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DYAUAUYs.bat" "C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\[email protected]""
        7⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        8⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        7⤵
        Modifies registry key
        
        PID:6100
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies registry key
        
        PID:4132
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        Modifies registry key
        
        PID:4852
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        Modifies registry key
        
        PID:4908
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MUEEAsMs.bat" "C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\[email protected]""
        5⤵
        
        PID:2264
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:5880
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:1076
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:3536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\meEcggYg.bat" "C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\[email protected]""
    3⤵
    PID:1628
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      PID:6508
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:3148
- C:\Users\Admin\AppData\Local\Temp\vx54l0ju.sww\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\vx54l0ju.sww\[email protected]"
  2⤵
  - Executes dropped EXE
  PID:5904
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h .
    3⤵
    - Views/modifies file attributes
    PID:5772
- - C:\Windows\SysWOW64\icacls.exe
    icacls . /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:4440
- C:\Users\Admin\AppData\Local\Temp\1bxez3qz.sfc\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\1bxez3qz.sfc\[email protected]"
  2⤵
  - Executes dropped EXE
  PID:6464
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 448
    3⤵
    - Program crash
    PID:2568
- C:\Users\Admin\AppData\Local\Temp\q5ggvv33.1sv\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\q5ggvv33.1sv\[email protected]"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:6952
- C:\Users\Admin\AppData\Local\Temp\rjhil340.ybm\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\rjhil340.ybm\[email protected]"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:1600
- C:\Users\Admin\AppData\Local\Temp\oeluqcax.mv0\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\oeluqcax.mv0\[email protected]"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of FindShellTrayWindow
  PID:5492
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5492 -s 804
    3⤵
    - Program crash
    PID:3732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 6464 -ip 6464
1⤵
PID:6656

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 496 -p 2416 -ip 2416
1⤵
PID:5308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2568 -ip 2568
1⤵
PID:4132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5492 -ip 5492
1⤵
PID:5172

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Bootkit

T1067

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Network Service Scanning

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\qekgkMEU\voQQsQwA.exe

Filesize
202KB

MD5
1aa93b711cd536b32ec3573c46a9afc6

SHA1
b5ec054af12d407e56d2f4c41216094755414b5f

SHA256
f249a3a3c9e662abda29d3f38f84e82d22d52b1413c21f047053b43e8940d412

SHA512
2a117becce6651c5940b2ee22fffa618cc2994350401a2c2b64dcf721c870ee59176b78c42f158ab9e32c43b65e70b377778a1fcebb6cbd38fbe0ae050362152

Download Submit
C:\ProgramData\qekgkMEU\voQQsQwA.exe

Filesize
202KB

MD5
1aa93b711cd536b32ec3573c46a9afc6

SHA1
b5ec054af12d407e56d2f4c41216094755414b5f

SHA256
f249a3a3c9e662abda29d3f38f84e82d22d52b1413c21f047053b43e8940d412

SHA512
2a117becce6651c5940b2ee22fffa618cc2994350401a2c2b64dcf721c870ee59176b78c42f158ab9e32c43b65e70b377778a1fcebb6cbd38fbe0ae050362152

Download Submit
C:\ProgramData\qekgkMEU\voQQsQwA.inf

Filesize
4B

MD5
8e93ff7439640abe97ccd045878ca3bc

SHA1
11166c68dcb6b8cb3b4d7d8b120e2b30c2d66726

SHA256
beb1caf816194847dab9d955a969ab803789bc1e3d85c59863372bbf8dee5fa5

SHA512
3b9eb4fa49a02b40e701dea729aada9e532f9441277eb28a221f10fd73115de147b57f0be3bc3a6c8c2da2492df2eff5c9106c28e6286e0f13a4b99cc1378685

Download Submit
C:\ProgramData\qekgkMEU\voQQsQwA.inf

Filesize
4B

MD5
7c2df293c40ce4ae167211c0dc4c69de

SHA1
0c6108ba602e316e67f3229213121bf9fad630dd

SHA256
e68ff70ed271d3c5c0e7070c2e2eeef2aca4062abfa4d24d096f0be247f3db49

SHA512
068353e8333ff79a718e0891896b55ef4ea779d87aa40ae1f2c0050f31a498d0f6d4d2f1314b0a0678de28f543d62f051299e744d17506957de3668713617ea4

Download Submit
C:\ProgramData\qekgkMEU\voQQsQwA.inf

Filesize
4B

MD5
bde706b8ebf862324207e3b40f53da47

SHA1
e248a68dae46bd8ac012fbfc5465492a13cf1ed0

SHA256
39007a2ccd3b5f1b50fde75fefc7041ae83890b733986b76638b43985452b158

SHA512
8ef9675db13434ef1dee0ba072e2daafe6ee3e3f5bd757efc57b3365802b5693d701687d20343fc3696e93a7170c97d37d6fdf5186141864d9c791cf2a379c95

Download Submit
C:\Users\Admin\AppData\Local\Temp\1bxez3qz.sfc\[email protected]

Filesize
84KB

MD5
9d15a3b314600b4c08682b0202700ee7

SHA1
208e79cdb96328d5929248bb8a4dd622cf0684d1

SHA256
3ab3833e31e4083026421c641304369acfd31b957b78af81f3c6ef4968ef0e15

SHA512
9916397b782aaafa68eb6a781ea9a0db27f914035dd586142c818ccbd7e69036896767bedba97489d5100de262a554cf14bcdf4a24edda2c5d37217b265398d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1bxez3qz.sfc\[email protected]

Filesize
84KB

MD5
9d15a3b314600b4c08682b0202700ee7

SHA1
208e79cdb96328d5929248bb8a4dd622cf0684d1

SHA256
3ab3833e31e4083026421c641304369acfd31b957b78af81f3c6ef4968ef0e15

SHA512
9916397b782aaafa68eb6a781ea9a0db27f914035dd586142c818ccbd7e69036896767bedba97489d5100de262a554cf14bcdf4a24edda2c5d37217b265398d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2bsvwnlm.skc\[email protected]

Filesize
313KB

MD5
fe1bc60a95b2c2d77cd5d232296a7fa4

SHA1
c07dfdea8da2da5bad036e7c2f5d37582e1cf684

SHA256
b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d

SHA512
266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89

Download Submit
C:\Users\Admin\AppData\Local\Temp\2bsvwnlm.skc\[email protected]

Filesize
313KB

MD5
fe1bc60a95b2c2d77cd5d232296a7fa4

SHA1
c07dfdea8da2da5bad036e7c2f5d37582e1cf684

SHA256
b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d

SHA512
266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cfwklw1.st5\[email protected]

Filesize
53KB

MD5
87ccd6f4ec0e6b706d65550f90b0e3c7

SHA1
213e6624bff6064c016b9cdc15d5365823c01f5f

SHA256
e79f164ccc75a5d5c032b4c5a96d6ad7604faffb28afe77bc29b9173fa3543e4

SHA512
a72403d462e2e2e181dbdabfcc02889f001387943571391befed491aaecba830b0869bdd4d82bca137bd4061bbbfb692871b1b4622c4a7d9f16792c60999c990

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cfwklw1.st5\[email protected]

Filesize
53KB

MD5
87ccd6f4ec0e6b706d65550f90b0e3c7

SHA1
213e6624bff6064c016b9cdc15d5365823c01f5f

SHA256
e79f164ccc75a5d5c032b4c5a96d6ad7604faffb28afe77bc29b9173fa3543e4

SHA512
a72403d462e2e2e181dbdabfcc02889f001387943571391befed491aaecba830b0869bdd4d82bca137bd4061bbbfb692871b1b4622c4a7d9f16792c60999c990

Download Submit
C:\Users\Admin\AppData\Local\Temp\CSsUYAoo.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUEEAsMs.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\bdnsgvhk.4zp\[email protected]

Filesize
116KB

MD5
41789c704a0eecfdd0048b4b4193e752

SHA1
fb1e8385691fa3293b7cbfb9b2656cf09f20e722

SHA256
b2dcfdf9e7b09f2aa5004668370e77982963ace820e7285b2e264a294441da23

SHA512
76391ac85fdc3be75441fcd6e19bed08b807d3946c7281c647f16a3be5388f7be307e6323fac8502430a4a6d800d52a88709592a49011ecc89de4f19102435ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\bdu0r3ga.hhv\[email protected]

Filesize
225KB

MD5
af2379cc4d607a45ac44d62135fb7015

SHA1
39b6d40906c7f7f080e6befa93324dddadcbd9fa

SHA256
26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739

SHA512
69899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\crxot4hv.hea\[email protected]

Filesize
2.4MB

MD5
dbfbf254cfb84d991ac3860105d66fc6

SHA1
893110d8c8451565caa591ddfccf92869f96c242

SHA256
68b0e1932f3b4439865be848c2d592d5174dbdbaab8f66104a0e5b28c928ee0c

SHA512
5e9ccdf52ebdb548c3fa22f22dd584e9a603ca1163a622db5707dbcc5d01e4835879dcfd28cb1589cbb25aed00f352f7a0a0962b1f38b68fc7d6693375e7666d

Download Submit
C:\Users\Admin\AppData\Local\Temp\crxot4hv.hea\[email protected]

Filesize
2.4MB

MD5
dbfbf254cfb84d991ac3860105d66fc6

SHA1
893110d8c8451565caa591ddfccf92869f96c242

SHA256
68b0e1932f3b4439865be848c2d592d5174dbdbaab8f66104a0e5b28c928ee0c

SHA512
5e9ccdf52ebdb548c3fa22f22dd584e9a603ca1163a622db5707dbcc5d01e4835879dcfd28cb1589cbb25aed00f352f7a0a0962b1f38b68fc7d6693375e7666d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dca3hed1.ypt\[email protected]

Filesize
431KB

MD5
fbbdc39af1139aebba4da004475e8839

SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0

SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

Download Submit
C:\Users\Admin\AppData\Local\Temp\dca3hed1.ypt\[email protected]

Filesize
431KB

MD5
fbbdc39af1139aebba4da004475e8839

SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0

SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

Download Submit
C:\Users\Admin\AppData\Local\Temp\ef5lhrfq.phc\[email protected]

Filesize
211KB

MD5
b805db8f6a84475ef76b795b0d1ed6ae

SHA1
7711cb4873e58b7adcf2a2b047b090e78d10c75b

SHA256
f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf

SHA512
62a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416

Download Submit
C:\Users\Admin\AppData\Local\Temp\ef5lhrfq.phc\[email protected]

Filesize
211KB

MD5
b805db8f6a84475ef76b795b0d1ed6ae

SHA1
7711cb4873e58b7adcf2a2b047b090e78d10c75b

SHA256
f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf

SHA512
62a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\Endermanch@ViraLock

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\Endermanch@ViraLock

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\Endermanch@ViraLock

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\Endermanch@ViraLock

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\Endermanch@ViraLock

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\[email protected]

Filesize
194KB

MD5
8803d517ac24b157431d8a462302b400

SHA1
b56afcad22e8cda4d0e2a98808b8e8c5a1059d4e

SHA256
418395efd269bc6534e02c92cb2c568631ada6e54bc55ade4e4a5986605ff786

SHA512
38fdfe0bc873e546b05a8680335526eec61ccc8cf3f37c60eee0bc83ec54570077f1dc1da26142488930eabcc21cb7a33c1b545a194cbfb4c87e430c4b2bfb50

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\[email protected]

Filesize
194KB

MD5
8803d517ac24b157431d8a462302b400

SHA1
b56afcad22e8cda4d0e2a98808b8e8c5a1059d4e

SHA256
418395efd269bc6534e02c92cb2c568631ada6e54bc55ade4e4a5986605ff786

SHA512
38fdfe0bc873e546b05a8680335526eec61ccc8cf3f37c60eee0bc83ec54570077f1dc1da26142488930eabcc21cb7a33c1b545a194cbfb4c87e430c4b2bfb50

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\[email protected]

Filesize
194KB

MD5
8803d517ac24b157431d8a462302b400

SHA1
b56afcad22e8cda4d0e2a98808b8e8c5a1059d4e

SHA256
418395efd269bc6534e02c92cb2c568631ada6e54bc55ade4e4a5986605ff786

SHA512
38fdfe0bc873e546b05a8680335526eec61ccc8cf3f37c60eee0bc83ec54570077f1dc1da26142488930eabcc21cb7a33c1b545a194cbfb4c87e430c4b2bfb50

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\[email protected]

Filesize
194KB

MD5
8803d517ac24b157431d8a462302b400

SHA1
b56afcad22e8cda4d0e2a98808b8e8c5a1059d4e

SHA256
418395efd269bc6534e02c92cb2c568631ada6e54bc55ade4e4a5986605ff786

SHA512
38fdfe0bc873e546b05a8680335526eec61ccc8cf3f37c60eee0bc83ec54570077f1dc1da26142488930eabcc21cb7a33c1b545a194cbfb4c87e430c4b2bfb50

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\[email protected]

Filesize
194KB

MD5
8803d517ac24b157431d8a462302b400

SHA1
b56afcad22e8cda4d0e2a98808b8e8c5a1059d4e

SHA256
418395efd269bc6534e02c92cb2c568631ada6e54bc55ade4e4a5986605ff786

SHA512
38fdfe0bc873e546b05a8680335526eec61ccc8cf3f37c60eee0bc83ec54570077f1dc1da26142488930eabcc21cb7a33c1b545a194cbfb4c87e430c4b2bfb50

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\[email protected]

Filesize
194KB

MD5
8803d517ac24b157431d8a462302b400

SHA1
b56afcad22e8cda4d0e2a98808b8e8c5a1059d4e

SHA256
418395efd269bc6534e02c92cb2c568631ada6e54bc55ade4e4a5986605ff786

SHA512
38fdfe0bc873e546b05a8680335526eec61ccc8cf3f37c60eee0bc83ec54570077f1dc1da26142488930eabcc21cb7a33c1b545a194cbfb4c87e430c4b2bfb50

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\[email protected]

Filesize
194KB

MD5
8803d517ac24b157431d8a462302b400

SHA1
b56afcad22e8cda4d0e2a98808b8e8c5a1059d4e

SHA256
418395efd269bc6534e02c92cb2c568631ada6e54bc55ade4e4a5986605ff786

SHA512
38fdfe0bc873e546b05a8680335526eec61ccc8cf3f37c60eee0bc83ec54570077f1dc1da26142488930eabcc21cb7a33c1b545a194cbfb4c87e430c4b2bfb50

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwoecftx.vvq\[email protected]

Filesize
194KB

MD5
8803d517ac24b157431d8a462302b400

SHA1
b56afcad22e8cda4d0e2a98808b8e8c5a1059d4e

SHA256
418395efd269bc6534e02c92cb2c568631ada6e54bc55ade4e4a5986605ff786

SHA512
38fdfe0bc873e546b05a8680335526eec61ccc8cf3f37c60eee0bc83ec54570077f1dc1da26142488930eabcc21cb7a33c1b545a194cbfb4c87e430c4b2bfb50

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgosIoww.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\l1moufuu.2ks\[email protected]

Filesize
1.4MB

MD5
63210f8f1dde6c40a7f3643ccf0ff313

SHA1
57edd72391d710d71bead504d44389d0462ccec9

SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

SHA512
87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\l1moufuu.2ks\[email protected]

Filesize
1.4MB

MD5
63210f8f1dde6c40a7f3643ccf0ff313

SHA1
57edd72391d710d71bead504d44389d0462ccec9

SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

SHA512
87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\meEcggYg.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\Endermanch@PolyRansom

Filesize
25KB

MD5
2fc0e096bf2f094cca883de93802abb6

SHA1
a4b51b3b4c645a8c082440a6abbc641c5d4ec986

SHA256
14695f6259685d72bf20db399b419153031fa35277727ab9b2259bf44a8f8ae3

SHA512
7418892efe2f3c2ff245c0b84708922a9374324116a525fa16f7c4bca03b267db123ad7757acf8e0ba15d4ea623908d6a14424088a542125c7a6394970dd8978

Download Submit
C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\Endermanch@PolyRansom

Filesize
25KB

MD5
2fc0e096bf2f094cca883de93802abb6

SHA1
a4b51b3b4c645a8c082440a6abbc641c5d4ec986

SHA256
14695f6259685d72bf20db399b419153031fa35277727ab9b2259bf44a8f8ae3

SHA512
7418892efe2f3c2ff245c0b84708922a9374324116a525fa16f7c4bca03b267db123ad7757acf8e0ba15d4ea623908d6a14424088a542125c7a6394970dd8978

Download Submit
C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\Endermanch@PolyRansom

Filesize
25KB

MD5
2fc0e096bf2f094cca883de93802abb6

SHA1
a4b51b3b4c645a8c082440a6abbc641c5d4ec986

SHA256
14695f6259685d72bf20db399b419153031fa35277727ab9b2259bf44a8f8ae3

SHA512
7418892efe2f3c2ff245c0b84708922a9374324116a525fa16f7c4bca03b267db123ad7757acf8e0ba15d4ea623908d6a14424088a542125c7a6394970dd8978

Download Submit
C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\Endermanch@PolyRansom

Filesize
25KB

MD5
2fc0e096bf2f094cca883de93802abb6

SHA1
a4b51b3b4c645a8c082440a6abbc641c5d4ec986

SHA256
14695f6259685d72bf20db399b419153031fa35277727ab9b2259bf44a8f8ae3

SHA512
7418892efe2f3c2ff245c0b84708922a9374324116a525fa16f7c4bca03b267db123ad7757acf8e0ba15d4ea623908d6a14424088a542125c7a6394970dd8978

Download Submit
C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\Endermanch@PolyRansom

Filesize
25KB

MD5
2fc0e096bf2f094cca883de93802abb6

SHA1
a4b51b3b4c645a8c082440a6abbc641c5d4ec986

SHA256
14695f6259685d72bf20db399b419153031fa35277727ab9b2259bf44a8f8ae3

SHA512
7418892efe2f3c2ff245c0b84708922a9374324116a525fa16f7c4bca03b267db123ad7757acf8e0ba15d4ea623908d6a14424088a542125c7a6394970dd8978

Download Submit
C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\[email protected]

Filesize
220KB

MD5
3ed3fb296a477156bc51aba43d825fc0

SHA1
9caa5c658b1a88fee149893d3a00b34a8bb8a1a6

SHA256
1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423

SHA512
dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\[email protected]

Filesize
220KB

MD5
3ed3fb296a477156bc51aba43d825fc0

SHA1
9caa5c658b1a88fee149893d3a00b34a8bb8a1a6

SHA256
1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423

SHA512
dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\[email protected]

Filesize
220KB

MD5
3ed3fb296a477156bc51aba43d825fc0

SHA1
9caa5c658b1a88fee149893d3a00b34a8bb8a1a6

SHA256
1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423

SHA512
dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\[email protected]

Filesize
220KB

MD5
3ed3fb296a477156bc51aba43d825fc0

SHA1
9caa5c658b1a88fee149893d3a00b34a8bb8a1a6

SHA256
1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423

SHA512
dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\[email protected]

Filesize
220KB

MD5
3ed3fb296a477156bc51aba43d825fc0

SHA1
9caa5c658b1a88fee149893d3a00b34a8bb8a1a6

SHA256
1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423

SHA512
dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\[email protected]

Filesize
220KB

MD5
3ed3fb296a477156bc51aba43d825fc0

SHA1
9caa5c658b1a88fee149893d3a00b34a8bb8a1a6

SHA256
1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423

SHA512
dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\na0lu52m.jaq\[email protected]

Filesize
220KB

MD5
3ed3fb296a477156bc51aba43d825fc0

SHA1
9caa5c658b1a88fee149893d3a00b34a8bb8a1a6

SHA256
1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423

SHA512
dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qdcqpxbd.eju\[email protected]

Filesize
484KB

MD5
0a7b70efba0aa93d4bc0857b87ac2fcb

SHA1
01a6c963b2f5f36ff21a1043587dcf921ae5f5cd

SHA256
4f5bff64160044d9a769ab277ff85ba954e2a2e182c6da4d0672790cf1d48309

SHA512
2033f9637b8d023242c93f54c140dd561592a3380a15a9fdc8ebfa33385ff4fc569d66c846a01b4ac005f0521b3c219e87f4b1ed2a83557f9d95fa066ad25e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\qdcqpxbd.eju\[email protected]

Filesize
484KB

MD5
0a7b70efba0aa93d4bc0857b87ac2fcb

SHA1
01a6c963b2f5f36ff21a1043587dcf921ae5f5cd

SHA256
4f5bff64160044d9a769ab277ff85ba954e2a2e182c6da4d0672790cf1d48309

SHA512
2033f9637b8d023242c93f54c140dd561592a3380a15a9fdc8ebfa33385ff4fc569d66c846a01b4ac005f0521b3c219e87f4b1ed2a83557f9d95fa066ad25e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\vx54l0ju.sww\[email protected]

Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcv1fovy.rkl\Fantom.exe

Filesize
261KB

MD5
7d80230df68ccba871815d68f016c282

SHA1
e10874c6108a26ceedfc84f50881824462b5b6b6

SHA256
f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b

SHA512
64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcv1fovy.rkl\Fantom.exe

Filesize
261KB

MD5
7d80230df68ccba871815d68f016c282

SHA1
e10874c6108a26ceedfc84f50881824462b5b6b6

SHA256
f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b

SHA512
64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540

Download Submit
C:\Users\Admin\AppData\Local\Temp\zKAsQIcI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\XosUgMoc\PkAUIAQo.exe

Filesize
192KB

MD5
7aa488a5b5d477b907a39b1c365f1625

SHA1
c237532a6d69504d00592424a066f5630092c540

SHA256
50aaf8cecb5aa23761b2f30e486fb7dbe98bcf53b7969fdd36fcfd98d3313016

SHA512
5b8cee6f49e82a3a038b6a5505e49264867f9be8c60bf6c529f9964be931b2068f5de71a0aa90c744c0fed05c8d714957f9fc9c378bda65ce8ef6f4b7533d911

Download Submit
C:\Users\Admin\XosUgMoc\PkAUIAQo.exe

Filesize
192KB

MD5
7aa488a5b5d477b907a39b1c365f1625

SHA1
c237532a6d69504d00592424a066f5630092c540

SHA256
50aaf8cecb5aa23761b2f30e486fb7dbe98bcf53b7969fdd36fcfd98d3313016

SHA512
5b8cee6f49e82a3a038b6a5505e49264867f9be8c60bf6c529f9964be931b2068f5de71a0aa90c744c0fed05c8d714957f9fc9c378bda65ce8ef6f4b7533d911

Download Submit
C:\Users\Admin\XosUgMoc\PkAUIAQo.inf

Filesize
4B

MD5
8e93ff7439640abe97ccd045878ca3bc

SHA1
11166c68dcb6b8cb3b4d7d8b120e2b30c2d66726

SHA256
beb1caf816194847dab9d955a969ab803789bc1e3d85c59863372bbf8dee5fa5

SHA512
3b9eb4fa49a02b40e701dea729aada9e532f9441277eb28a221f10fd73115de147b57f0be3bc3a6c8c2da2492df2eff5c9106c28e6286e0f13a4b99cc1378685

Download Submit
C:\Users\Admin\XosUgMoc\PkAUIAQo.inf

Filesize
4B

MD5
7c2df293c40ce4ae167211c0dc4c69de

SHA1
0c6108ba602e316e67f3229213121bf9fad630dd

SHA256
e68ff70ed271d3c5c0e7070c2e2eeef2aca4062abfa4d24d096f0be247f3db49

SHA512
068353e8333ff79a718e0891896b55ef4ea779d87aa40ae1f2c0050f31a498d0f6d4d2f1314b0a0678de28f543d62f051299e744d17506957de3668713617ea4

Download Submit
C:\Windows\30D4.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\30D4.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
memory/876-202-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/876-177-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/876-173-0x00000000014C0000-0x00000000014F1000-memory.dmp

Filesize
196KB

Download
memory/876-337-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1100-150-0x0000000000A70000-0x0000000000AD8000-memory.dmp

Filesize
416KB

Download
memory/1100-158-0x0000000000A70000-0x0000000000AD8000-memory.dmp

Filesize
416KB

Download
memory/1172-164-0x0000000000D10000-0x0000000000D92000-memory.dmp

Filesize
520KB

Download
memory/1172-167-0x0000000005630000-0x00000000056CC000-memory.dmp

Filesize
624KB

Download
memory/1172-181-0x0000000005830000-0x0000000005886000-memory.dmp

Filesize
344KB

Download
memory/1172-169-0x0000000005C80000-0x0000000006224000-memory.dmp

Filesize
5.6MB

Download
memory/1172-174-0x00000000056D0000-0x0000000005762000-memory.dmp

Filesize
584KB

Download
memory/1756-258-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1756-193-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2404-259-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2404-299-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2780-207-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2872-168-0x00000000008C0000-0x00000000008FC000-memory.dmp

Filesize
240KB

Download
memory/2872-179-0x0000000005200000-0x000000000520A000-memory.dmp

Filesize
40KB

Download
memory/3064-279-0x0000000002040000-0x0000000002052000-memory.dmp

Filesize
72KB

Download
memory/3064-198-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3064-199-0x0000000002040000-0x0000000002052000-memory.dmp

Filesize
72KB

Download
memory/3420-132-0x000001F4CC7E0000-0x000001F4CC80C000-memory.dmp

Filesize
176KB

Download
memory/3420-332-0x00007FFA98630000-0x00007FFA990F1000-memory.dmp

Filesize
10.8MB

Download
memory/3420-133-0x00007FFA98630000-0x00007FFA990F1000-memory.dmp

Filesize
10.8MB

Download
memory/3420-194-0x00007FFA98630000-0x00007FFA990F1000-memory.dmp

Filesize
10.8MB

Download
memory/3432-148-0x0000000002030000-0x0000000002036000-memory.dmp

Filesize
24KB

Download
memory/3432-146-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3432-172-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3432-145-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3432-197-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3696-253-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3696-211-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3704-222-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4152-188-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4152-189-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4152-204-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4152-186-0x00000000022D0000-0x000000000239E000-memory.dmp

Filesize
824KB

Download
memory/4276-254-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4276-233-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4664-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4872-257-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4872-234-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5352-297-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5352-281-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5380-282-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5380-300-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5492-336-0x0000000000400000-0x0000000000A06000-memory.dmp

Filesize
6.0MB

Download
memory/5492-329-0x0000000000400000-0x0000000000A06000-memory.dmp

Filesize
6.0MB

Download
memory/5492-328-0x0000000000400000-0x0000000000A06000-memory.dmp

Filesize
6.0MB

Download
memory/5492-334-0x0000000000400000-0x0000000000A06000-memory.dmp

Filesize
6.0MB

Download
memory/5528-283-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5528-296-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5540-326-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5540-284-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5540-321-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5540-298-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5644-295-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5736-312-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5736-307-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5904-323-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/5936-330-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5936-333-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/6464-314-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/6464-313-0x0000000000550000-0x0000000000553000-memory.dmp

Filesize
12KB

Download
memory/6648-320-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/6648-316-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/6852-322-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/6852-319-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download