koxic | d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333

Analysis

max time kernel
151s
max time network
41s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11-10-2022 07:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Size

158KB
MD5

3c4fa896e819cb8fada88a6fdd7b2cc7
SHA1

0ebf10867534cb472bb98344f80e3a8aac0aa507
SHA256

d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333
SHA512

e4486c33fc7bf99700fabec50ead10a6159758603d50eabe650436098a977b8c9dc728d0e8dbc3e3718393a7ba67cca8ea2799ef83e9194f178f04ae9784473e
SSDEEP

3072:Wkb6bwPcmQ1mbTw8Gt189VTG079sTGyAzbnuvXdIR:WkTPcmscw/1ETGgWGy0uvC

Score

10^/10

koxic evasion ransomware trojan

Malware Config

Extracted

Path

C:\Documents and Settings\Admin\WANNA_RECOVER_KOXIC_FILEZ_NOMIO.txt

Ransom Note

--=== Hello ===--- [+] Whats Happen? [+] Your sensitive information and data were downloaded. Your files are encrypted, and currently unavailable just so you can contact us faster. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] We are not interested in distributing information, we are interested in agreeing with you - these are your guarantees. Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should send sample to us to decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise-time is much more valuable than money. [+] How to contact us? [+] Just write us an email to [email protected] [+] Consequences if we do not find a common language [+] 1. The data were irretrievably lost. 2. Leaked data will be published or sold on blmarket (or to competitors). 3. In some cases, DDOS attacks will be applied to your inftastructure. !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!! Your UserID: 96E9709A74D71ABDF825D393D699FD03DD93B0F859C73D89F6CBD1E2721E4205535EC777B15E4485B4 FAADF7F387011B871AC998D2C1F25197B6F3ACCD9532ED5970D1A642DC9B68C437515A31BB73AE9DCE 0C6DAAF16B8A99EEE802FA27356D5F63469D50146F2582C91F2C99CB688D050913F42B820170A656AD D2ADFA92A887989B4B2EA97A54C6A89CE6E449CBA99B571A0A5657ED232F6187BBC477E105105F9EC4 F9DB708509AF82ABC1110F9D80978ACE9406F5A68A653641CCAEF28E7B0606BA05C059585589A6E725 91DDB88821D59CFB45A918CFDEAF12F40DBCD5AA1880AE33AA1458D4E65D18285B6D8B28BA29E6FDB5 4DC4EC479AABC61C4D333082010A0282010100D622B29E49FB50795294EE83AE0CE8A138DBB30A07CE 76F069ABC1CABF1CC01FD53BCB6B6071150D5F1C8E86155865A49514440DDCC42643C62F3C93CE0A2E FB33F21D902B05DDB5EC33FE498A46146C3E6CDA5BC4697D8ACEF63229825476FE2A6838FFC83939FD 1B51DFA3A7A2B43E72647B8FBAF95C16EFE1ECC4233145301334BED1A040494771CFF4B4A8B0FDEAAB 02AF74BA0C0C9FC245C57F462C2DABDEAE1DC91E1D74BD059E903F0395877A89B34DE52DE1D7B4685D 2715DD3AAE2A8ADD0667CCA819DECC28E3F76C6EE50FE1607B128F5B6BCE7DDCCEC90CB35BDB875E3E 37B1E42CB0544B5A200E8DE8A7CAD22428EB173265F88FEE4D2EEA615502030100014443308DE61D1B EEF901F7C4EB4CAB124E4F4D494F

Emails

[email protected]

Signatures

Koxic
A C++ written ransomware first seen in late 2021.
ransomware koxic

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Disables taskbar notifications via registry modification
evasion

Windows security modification 2 TTPs 8 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2"	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\UX Configuration	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\UX Configuration\NotificationSuppress = "1"	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtectione = "0"	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\DisableBlockAtFirstSeen = "1"	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\LocalSettingOverrideSpynetReporting = "0"	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe

Drops file in Program Files directory 64 IoCs

Processes:

d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Oasis.css.KOXIC_NOMIO	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\localizedSettings.css.KOXIC_NOMIO	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152698.WMF.KOXIC_NOMIO	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\js\WANNA_RECOVER_KOXIC_FILEZ_NOMIO.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\WANNA_RECOVER_KOXIC_FILEZ_NOMIO.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGACCBOX.DPV.KOXIC_NOMIO	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10290_.GIF.KOXIC_NOMIO	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml.KOXIC_NOMIO	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\WANNA_RECOVER_KOXIC_FILEZ_NOMIO.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-charts_zh_CN.jar.KOXIC_NOMIO	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OLKIRM.XML.KOXIC_NOMIO	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\45.png.KOXIC_NOMIO	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office Classic.xml.KOXIC_NOMIO	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\delete_over.png.KOXIC_NOMIO	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\msinfo32.exe.mui.KOXIC_NOMIO	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Swift_Current.KOXIC_NOMIO	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\WANNA_RECOVER_KOXIC_FILEZ_NOMIO.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\WANNA_RECOVER_KOXIC_FILEZ_NOMIO.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\VBLR6.CHM.KOXIC_NOMIO	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\WANNA_RECOVER_KOXIC_FILEZ_NOMIO.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\WANNA_RECOVER_KOXIC_FILEZ_NOMIO.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\TAB_ON.GIF.KOXIC_NOMIO	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0217698.WMF.KOXIC_NOMIO	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-templates.xml_hidden.KOXIC_NOMIO	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14997_.GIF.KOXIC_NOMIO	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00336_.WMF.KOXIC_NOMIO	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Tallinn.KOXIC_NOMIO	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Windows Media Player\ja-JP\WMPMediaSharing.dll.mui.KOXIC_NOMIO	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\WANNA_RECOVER_KOXIC_FILEZ_NOMIO.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\WANNA_RECOVER_KOXIC_FILEZ_NOMIO.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ADVCMP.DIC.KOXIC_NOMIO	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR22F.GIF.KOXIC_NOMIO	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01179_.WMF.KOXIC_NOMIO	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Tripoli.KOXIC_NOMIO	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Gambier.KOXIC_NOMIO	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\gui\WANNA_RECOVER_KOXIC_FILEZ_NOMIO.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCINFO.XML.KOXIC_NOMIO	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Marquesas.KOXIC_NOMIO	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\WANNA_RECOVER_KOXIC_FILEZ_NOMIO.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME51.CSS.KOXIC_NOMIO	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\WANNA_RECOVER_KOXIC_FILEZ_NOMIO.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02094_.WMF.KOXIC_NOMIO	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy.jar.KOXIC_NOMIO	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\WANNA_RECOVER_KOXIC_FILEZ_NOMIO.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif.KOXIC_NOMIO	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\GrayCheck\TAB_OFF.GIF.KOXIC_NOMIO	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\WANNA_RECOVER_KOXIC_FILEZ_NOMIO.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02431_.WMF.KOXIC_NOMIO	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files\Java\jdk1.7.0_80\WANNA_RECOVER_KOXIC_FILEZ_NOMIO.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00610_.WMF.KOXIC_NOMIO	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\gadget.xml.KOXIC_NOMIO	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\localizedStrings.js.KOXIC_NOMIO	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00513_.WMF.KOXIC_NOMIO	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\ffjcext.zip.KOXIC_NOMIO	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-api.xml.KOXIC_NOMIO	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files\Windows Journal\it-IT\MSPVWCTL.DLL.mui.KOXIC_NOMIO	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_rainy.png.KOXIC_NOMIO	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\settings.html.KOXIC_NOMIO	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00241_.WMF.KOXIC_NOMIO	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0252669.WMF.KOXIC_NOMIO	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01628_.WMF.KOXIC_NOMIO	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00274_.WMF.KOXIC_NOMIO	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\EXLIRMV.XML.KOXIC_NOMIO	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\WANNA_RECOVER_KOXIC_FILEZ_NOMIO.txt	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1472 ipconfig.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1076 vssadmin.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1496 taskkill.exe

pid	process
1472	ipconfig.exe

pid	process
1076	vssadmin.exe

pid	process
1496	taskkill.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exevssvc.exed2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1496	taskkill.exe
Token: SeBackupPrivilege	560	vssvc.exe
Token: SeRestorePrivilege	560	vssvc.exe
Token: SeAuditPrivilege	560	vssvc.exe
Token: SeBackupPrivilege	1764	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Token: SeRestorePrivilege	1764	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Token: SeManageVolumePrivilege	1764	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Token: SeTakeOwnershipPrivilege	1764	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
Token: SeIncreaseQuotaPrivilege	1184	WMIC.exe
Token: SeSecurityPrivilege	1184	WMIC.exe
Token: SeTakeOwnershipPrivilege	1184	WMIC.exe
Token: SeLoadDriverPrivilege	1184	WMIC.exe
Token: SeSystemProfilePrivilege	1184	WMIC.exe
Token: SeSystemtimePrivilege	1184	WMIC.exe
Token: SeProfSingleProcessPrivilege	1184	WMIC.exe
Token: SeIncBasePriorityPrivilege	1184	WMIC.exe
Token: SeCreatePagefilePrivilege	1184	WMIC.exe
Token: SeBackupPrivilege	1184	WMIC.exe
Token: SeRestorePrivilege	1184	WMIC.exe
Token: SeShutdownPrivilege	1184	WMIC.exe
Token: SeDebugPrivilege	1184	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1184	WMIC.exe
Token: SeRemoteShutdownPrivilege	1184	WMIC.exe
Token: SeUndockPrivilege	1184	WMIC.exe
Token: SeManageVolumePrivilege	1184	WMIC.exe
Token: 33	1184	WMIC.exe
Token: 34	1184	WMIC.exe
Token: 35	1184	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1184	WMIC.exe
Token: SeSecurityPrivilege	1184	WMIC.exe
Token: SeTakeOwnershipPrivilege	1184	WMIC.exe
Token: SeLoadDriverPrivilege	1184	WMIC.exe
Token: SeSystemProfilePrivilege	1184	WMIC.exe
Token: SeSystemtimePrivilege	1184	WMIC.exe
Token: SeProfSingleProcessPrivilege	1184	WMIC.exe
Token: SeIncBasePriorityPrivilege	1184	WMIC.exe
Token: SeCreatePagefilePrivilege	1184	WMIC.exe
Token: SeBackupPrivilege	1184	WMIC.exe
Token: SeRestorePrivilege	1184	WMIC.exe
Token: SeShutdownPrivilege	1184	WMIC.exe
Token: SeDebugPrivilege	1184	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1184	WMIC.exe
Token: SeRemoteShutdownPrivilege	1184	WMIC.exe
Token: SeUndockPrivilege	1184	WMIC.exe
Token: SeManageVolumePrivilege	1184	WMIC.exe
Token: 33	1184	WMIC.exe
Token: 34	1184	WMIC.exe
Token: 35	1184	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1120	WMIC.exe
Token: SeSecurityPrivilege	1120	WMIC.exe
Token: SeTakeOwnershipPrivilege	1120	WMIC.exe
Token: SeLoadDriverPrivilege	1120	WMIC.exe
Token: SeSystemProfilePrivilege	1120	WMIC.exe
Token: SeSystemtimePrivilege	1120	WMIC.exe
Token: SeProfSingleProcessPrivilege	1120	WMIC.exe
Token: SeIncBasePriorityPrivilege	1120	WMIC.exe
Token: SeCreatePagefilePrivilege	1120	WMIC.exe
Token: SeBackupPrivilege	1120	WMIC.exe
Token: SeRestorePrivilege	1120	WMIC.exe
Token: SeShutdownPrivilege	1120	WMIC.exe
Token: SeDebugPrivilege	1120	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1120	WMIC.exe
Token: SeRemoteShutdownPrivilege	1120	WMIC.exe
Token: SeUndockPrivilege	1120	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1764 wrote to memory of 2008	1764	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1764 wrote to memory of 2008	1764	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1764 wrote to memory of 2008	1764	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1764 wrote to memory of 2008	1764	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 2008 wrote to memory of 1496	2008	cmd.exe	taskkill.exe
PID 2008 wrote to memory of 1496	2008	cmd.exe	taskkill.exe
PID 2008 wrote to memory of 1496	2008	cmd.exe	taskkill.exe
PID 2008 wrote to memory of 1496	2008	cmd.exe	taskkill.exe
PID 1764 wrote to memory of 1356	1764	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1764 wrote to memory of 1356	1764	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1764 wrote to memory of 1356	1764	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1764 wrote to memory of 1356	1764	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1356 wrote to memory of 1076	1356	cmd.exe	vssadmin.exe
PID 1356 wrote to memory of 1076	1356	cmd.exe	vssadmin.exe
PID 1356 wrote to memory of 1076	1356	cmd.exe	vssadmin.exe
PID 1356 wrote to memory of 1076	1356	cmd.exe	vssadmin.exe
PID 1764 wrote to memory of 1100	1764	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1764 wrote to memory of 1100	1764	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1764 wrote to memory of 1100	1764	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1764 wrote to memory of 1100	1764	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1764 wrote to memory of 1536	1764	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1764 wrote to memory of 1536	1764	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1764 wrote to memory of 1536	1764	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1764 wrote to memory of 1536	1764	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1536 wrote to memory of 1184	1536	cmd.exe	WMIC.exe
PID 1536 wrote to memory of 1184	1536	cmd.exe	WMIC.exe
PID 1536 wrote to memory of 1184	1536	cmd.exe	WMIC.exe
PID 1536 wrote to memory of 1184	1536	cmd.exe	WMIC.exe
PID 1764 wrote to memory of 1072	1764	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1764 wrote to memory of 1072	1764	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1764 wrote to memory of 1072	1764	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1764 wrote to memory of 1072	1764	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1764 wrote to memory of 2044	1764	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1764 wrote to memory of 2044	1764	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1764 wrote to memory of 2044	1764	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1764 wrote to memory of 2044	1764	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 2044 wrote to memory of 1120	2044	cmd.exe	WMIC.exe
PID 2044 wrote to memory of 1120	2044	cmd.exe	WMIC.exe
PID 2044 wrote to memory of 1120	2044	cmd.exe	WMIC.exe
PID 2044 wrote to memory of 1120	2044	cmd.exe	WMIC.exe
PID 1764 wrote to memory of 1492	1764	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1764 wrote to memory of 1492	1764	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1764 wrote to memory of 1492	1764	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1764 wrote to memory of 1492	1764	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1764 wrote to memory of 612	1764	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1764 wrote to memory of 612	1764	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1764 wrote to memory of 612	1764	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1764 wrote to memory of 612	1764	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 612 wrote to memory of 1748	612	cmd.exe	WMIC.exe
PID 612 wrote to memory of 1748	612	cmd.exe	WMIC.exe
PID 612 wrote to memory of 1748	612	cmd.exe	WMIC.exe
PID 612 wrote to memory of 1748	612	cmd.exe	WMIC.exe
PID 1764 wrote to memory of 380	1764	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1764 wrote to memory of 380	1764	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1764 wrote to memory of 380	1764	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1764 wrote to memory of 380	1764	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1764 wrote to memory of 1864	1764	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1764 wrote to memory of 1864	1764	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1764 wrote to memory of 1864	1764	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1764 wrote to memory of 1864	1764	d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe	cmd.exe
PID 1864 wrote to memory of 740	1864	cmd.exe	WMIC.exe
PID 1864 wrote to memory of 740	1864	cmd.exe	WMIC.exe
PID 1864 wrote to memory of 740	1864	cmd.exe	WMIC.exe
PID 1864 wrote to memory of 740	1864	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe
"C:\Users\Admin\AppData\Local\Temp\d2203b6d272d44b7abc66e290c3b79767428168b077a16ded1db0babbe34f333.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Windows security modification
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /F /IM MSASCuiL.exe taskkill /F /IM MSMpeng.exe taskkill /F /IM msseces.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM MSASCuiL.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1496
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin delete shadows /all /quiet sc config browser sc config browser start=enabled sc stop vss sc config vss start=disabled sc stop MongoDB sc config MongoDB start=disabled sc stop SQLWriter sc config SQLWriter start=disabled sc stop MSSQLServerOLAPService sc config MSSQLServerOLAPService start=disabled sc stop MSSQLSERVER sc config MSSQLSERVER start=disabled sc stop MSSQL$SQLEXPRESS sc config MSSQL$SQLEXPRESS start=disabled sc stop ReportServer sc config ReportServer start=disabled sc stop OracleServiceORCL sc config OracleServiceORCL start=disabled sc stop OracleDBConsoleorcl sc config OracleDBConsoleorcl start=disabled sc stop OracleMTSRecoveryService sc config OracleMTSRecoveryService start=disabled sc stop OracleVssWriterORCL sc config OracleVssWriterORCL start=disabled sc stop MySQL sc config MySQL start=disabled
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1076
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo OS INFO: > %TEMP%\GGKQNJMVT"
  2⤵
  PID:1100
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic OS get Caption,CSDVersion,OSArchitecture,Version >> %TEMP%\GGKQNJMVT"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic OS get Caption,CSDVersion,OSArchitecture,Version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1184
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo BIOS INFO: >> %TEMP%\GGKQNJMVT"
  2⤵
  PID:1072
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic BIOS get Manufacturer, Name, SMBIOSBIOSVersion, Version >> %TEMP%\GGKQNJMVT"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic BIOS get Manufacturer, Name, SMBIOSBIOSVersion, Version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1120
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo CPU INFO: >> %TEMP%\GGKQNJMVT"
  2⤵
  PID:1492
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic CPU get Name, NumberOfCores, NumberOfLogicalProcessors >> %TEMP%\GGKQNJMVT"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:612
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic CPU get Name, NumberOfCores, NumberOfLogicalProcessors
    3⤵
    PID:1748
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo MEMPHYSICAL INFO: >> %TEMP%\GGKQNJMVT"
  2⤵
  PID:380
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic MEMPHYSICAL get MaxCapacity >> %TEMP%\GGKQNJMVT"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic MEMPHYSICAL get MaxCapacity
    3⤵
    PID:740
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo MEMORYCHIP: INFO >> %TEMP%\GGKQNJMVT"
  2⤵
  PID:1576
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic MEMORYCHIP get Capacity, DeviceLocator, PartNumber, Tag >> %TEMP%\GGKQNJMVT"
  2⤵
  PID:2032
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic MEMORYCHIP get Capacity, DeviceLocator, PartNumber, Tag
    3⤵
    PID:1268
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo NIC INFO: >> %TEMP%\GGKQNJMVT"
  2⤵
  PID:1252
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic NIC get Description, MACAddress, NetEnabled, Speed >> %TEMP%\GGKQNJMVT"
  2⤵
  PID:1524
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic NIC get Description, MACAddress, NetEnabled, Speed
    3⤵
    PID:1700
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo DISKDRIVE INFO: >> %TEMP%\GGKQNJMVT"
  2⤵
  PID:1116
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic DISKDRIVE get InterfaceType, Name, Size, Status >> %TEMP%\GGKQNJMVT"
  2⤵
  PID:1036
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic DISKDRIVE get InterfaceType, Name, Size, Status
    3⤵
    PID:1672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo USERACCOUNT INFO: >> %TEMP%\GGKQNJMVT"
  2⤵
  PID:1620
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "wmic USERACCOUNT get Caption, Name, PasswordRequired, Status >> %TEMP%\GGKQNJMVT"
  2⤵
  PID:1040
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic USERACCOUNT get Caption, Name, PasswordRequired, Status
    3⤵
    PID:1012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo IPCONFIG: >> %TEMP%\GGKQNJMVT"
  2⤵
  PID:1032
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "ipconfig >> %TEMP%\GGKQNJMVT"
  2⤵
  PID:888
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig
    3⤵
    - Gathers network information
    PID:1472
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "echo DATABASES FILES: >> %TEMP%\GGKQNJMVT"
  2⤵
  PID:1748

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GGKQNJMVT

Filesize
4KB

MD5
d7a5bfa11f7a99d2463e9c1d739a576f

SHA1
47eac23b9a35d5649c8f0ef1a5039cb229664073

SHA256
fec23047d067b7e1d7bd9a679437e8609eadfa9a182baf09ccbc28e1901329f8

SHA512
b5a8b166d0b555dd04a08983c9104d58deef93f579091fd5c04b34684a1b4cc6d491b75e0fec1c666eef5f8fce513f8c0bbd37f45df1014e74b50fe0a3092bd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\GGKQNJMVT

Filesize
4KB

MD5
d7a5bfa11f7a99d2463e9c1d739a576f

SHA1
47eac23b9a35d5649c8f0ef1a5039cb229664073

SHA256
fec23047d067b7e1d7bd9a679437e8609eadfa9a182baf09ccbc28e1901329f8

SHA512
b5a8b166d0b555dd04a08983c9104d58deef93f579091fd5c04b34684a1b4cc6d491b75e0fec1c666eef5f8fce513f8c0bbd37f45df1014e74b50fe0a3092bd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\GGKQNJMVT

Filesize
4KB

MD5
ca7a9625d79a7989b4cdb050320fa299

SHA1
4a68553963a4a2b310c6b5d1ae538e675ba4cc65

SHA256
f4959a75c30806f4deffd0c60b69b319696e91189617d88af927899027a8111c

SHA512
718495340b1c20602875fac7d38cf82eb910d0d3793096ead040a445aed53725c799c8aea003a288cfbc1989b965ff4844a9ac4dd6c83fff489d360c0055af54

Download Submit
C:\Users\Admin\AppData\Local\Temp\GGKQNJMVT

Filesize
11B

MD5
887ae0db192785398c154a027c858317

SHA1
9e1258a3444e7f54d4a2b23bec0c020d67f285b6

SHA256
9841fc54844c86d073907913cfd2fccc49d13db491e790c6aeb30b7159e62bf5

SHA512
65364e8797ecc23d9eac18cfe0c1393e9429ee15cde33b7b936c917608196da7bf53ba7c21d9bb637c9a91797eb58a4dbb2346dc4bd9e6c947a711b381dfcb76

Download Submit
C:\Users\Admin\AppData\Local\Temp\GGKQNJMVT

Filesize
320B

MD5
e6403f25d17fafd94d88dab8d559f954

SHA1
e17199a85b3f639f7e4958f66a6d11aea472f737

SHA256
4f7cd25d024340380515e1647d23d6bc46c5fec3f437d8c2d7f933eb86eab2b4

SHA512
0b4389edfad1635810fbf3b69d58ba1181147164e033c1ea325dbbb2361eca74c992d1ea3c83355b6a9249600efeea04e58643cdfbc90cd4d1349f42ede88e18

Download Submit
C:\Users\Admin\AppData\Local\Temp\GGKQNJMVT

Filesize
320B

MD5
e6403f25d17fafd94d88dab8d559f954

SHA1
e17199a85b3f639f7e4958f66a6d11aea472f737

SHA256
4f7cd25d024340380515e1647d23d6bc46c5fec3f437d8c2d7f933eb86eab2b4

SHA512
0b4389edfad1635810fbf3b69d58ba1181147164e033c1ea325dbbb2361eca74c992d1ea3c83355b6a9249600efeea04e58643cdfbc90cd4d1349f42ede88e18

Download Submit
C:\Users\Admin\AppData\Local\Temp\GGKQNJMVT

Filesize
680B

MD5
b66ab3d18099fc682af15c8ada103017

SHA1
0831e6edf1e8cbca9f3bf3b84320af7c0376dda7

SHA256
ac410b4d08e272e30946c5625a50f7d56c9a10248b214d61fde9948b67993bb0

SHA512
b618c7f384a0e87a9b93d7cab4dc24a139fd4c3d0da244136924887c9a42857e759bbcd0e9eca55f34d43034f52d6615ab4323bd5c984eeab44a684918d62014

Download Submit
C:\Users\Admin\AppData\Local\Temp\GGKQNJMVT

Filesize
692B

MD5
87cf292058eb08c907e2129e15100ed2

SHA1
0533d6387da50f84333707ac6a4165a9e46e6f17

SHA256
3f9f7a3913d2fde0c1cc93c537641f3a5de4fa2859790a5e5defa2522ee38532

SHA512
1da4950cc8fbc1efd84ae92f6419dc92b1ebb0d5211b5bb65d3fdf0ebf1823d447555c12327f83002a7d2b8354e6200af6ec59141774f7551df5acedf2c211d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\GGKQNJMVT

Filesize
1KB

MD5
8621cba2be1a36f7426779ad8b124c78

SHA1
bbfebdbbc49d1acb0d669ccb2fad80f179339649

SHA256
67b39eb5a4b24ac0caa0f5dcfcb898db357ba03ba6cd6a9d328fcd3364423261

SHA512
a6b7faafe0ac0be17c599b5bbba418dc2df6f292004ffd0ed66faba157c9e45fce86f19c5a8d2bc7a85d836045f5feb6547d8a2b79152c742673e49bcf3be6de

Download Submit
C:\Users\Admin\AppData\Local\Temp\GGKQNJMVT

Filesize
1KB

MD5
0f2e565e7cd9df67ed466c68285c92f8

SHA1
dac129b57aab5a16b0490fbdaa2bf13d451a7941

SHA256
cc270aa8f1bd55907831d0c54748347f3d81252c1711e878b117b01cdeaed490

SHA512
c3a7713fe3d203e1bed9d468ec3de2b590db8e5a4a9b5486b2e9bea157808aeee19231aba5f7a0c3216fa2118c002bf62ef68ec51dc5349341a92ced205a4435

Download Submit
C:\Users\Admin\AppData\Local\Temp\GGKQNJMVT

Filesize
1KB

MD5
a28aec31cbd38485181a7079419aa66b

SHA1
94aa44c58417a4195fe786679b1feb793e69d135

SHA256
8828e5a883a98217828f794f9405e06e2ef2ca1025288e52b70c477d045e19ad

SHA512
3914be3a8745d604175f208940dba77455e8ad76f8629e1bdf4f3b340b0198a8a1c42f101f4eb70c5f47b8eeca48eceed119175a3641dd37811192cc24661468

Download Submit
C:\Users\Admin\AppData\Local\Temp\GGKQNJMVT

Filesize
1KB

MD5
a28aec31cbd38485181a7079419aa66b

SHA1
94aa44c58417a4195fe786679b1feb793e69d135

SHA256
8828e5a883a98217828f794f9405e06e2ef2ca1025288e52b70c477d045e19ad

SHA512
3914be3a8745d604175f208940dba77455e8ad76f8629e1bdf4f3b340b0198a8a1c42f101f4eb70c5f47b8eeca48eceed119175a3641dd37811192cc24661468

Download Submit
C:\Users\Admin\AppData\Local\Temp\GGKQNJMVT

Filesize
1KB

MD5
7f4ef85a6ca9054885e55a4185aa3d23

SHA1
7691ddefe6f344b335beca9d79657c9c52785050

SHA256
f85c1ee56d5d04e677ae8dfbdf9deb8111a1007f30218a1a2bc0806847c82422

SHA512
a77d1e2aac9711ec873714964b4933057d7a092b591321173e249bf770e22e8f7926179374a6161baa0c92e6cc3ff5846292cd55a58af9d8b8b0bfbff589fe36

Download Submit
C:\Users\Admin\AppData\Local\Temp\GGKQNJMVT

Filesize
1KB

MD5
84fc9373ea5f54c4ed110d319224d35e

SHA1
431978d9a749a7ca3812f73997b8400c2af3be79

SHA256
f59f1a3808b6783a19ba4d4196cbf48acfd42eb8e60b8e9d3ba836e558e3512e

SHA512
4d7c97ae3fe0904d548dc77c05c674d40284b8452dffe5a11411287e0242bb7658f3834b92f4935dcb1b22341c4572891524120d5e8af4a606d71e0b76a6c9d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\GGKQNJMVT

Filesize
3KB

MD5
0f081cb290eaabf47029e482d5df8a17

SHA1
b57afe6949abc92f384e57a8d00adc6a808f9223

SHA256
5470d8ddfb4efaf724a86925040a510e42fb5a10055e14ad0ec5b05d67674501

SHA512
4ce8cc7ee1c8281006a22f792b745e254571b079fd57afc9203f8944d6e34f8517d1bed8553fe65dc7746a84e3a231a3a40af928872dbb29a0c6c22d8ed860a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\GGKQNJMVT

Filesize
3KB

MD5
0f081cb290eaabf47029e482d5df8a17

SHA1
b57afe6949abc92f384e57a8d00adc6a808f9223

SHA256
5470d8ddfb4efaf724a86925040a510e42fb5a10055e14ad0ec5b05d67674501

SHA512
4ce8cc7ee1c8281006a22f792b745e254571b079fd57afc9203f8944d6e34f8517d1bed8553fe65dc7746a84e3a231a3a40af928872dbb29a0c6c22d8ed860a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\GGKQNJMVT

Filesize
3KB

MD5
5ab3b87014f757d7bf66a72c7e56a946

SHA1
9e8bb82f895064f84dfba0ee3d75bd9f804a68a8

SHA256
c79f461a5d5a4510b133d56027f8e77fa4199940a92a5df556e6eff19add1060

SHA512
4b12104e1a3e491834ae1dc819f5c5743a9e51b0127fde45d98a460fff810290bb7125198660494fecdbbf43df30f002d4e0e3a91c3ce663db9b234042ae6a7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GGKQNJMVT

Filesize
3KB

MD5
5ab3b87014f757d7bf66a72c7e56a946

SHA1
9e8bb82f895064f84dfba0ee3d75bd9f804a68a8

SHA256
c79f461a5d5a4510b133d56027f8e77fa4199940a92a5df556e6eff19add1060

SHA512
4b12104e1a3e491834ae1dc819f5c5743a9e51b0127fde45d98a460fff810290bb7125198660494fecdbbf43df30f002d4e0e3a91c3ce663db9b234042ae6a7e

Download Submit
memory/380-74-0x0000000000000000-mapping.dmp

Download
memory/612-71-0x0000000000000000-mapping.dmp

Download
memory/740-78-0x0000000000000000-mapping.dmp

Download
memory/888-101-0x0000000000000000-mapping.dmp

Download
memory/1012-98-0x0000000000000000-mapping.dmp

Download
memory/1032-99-0x0000000000000000-mapping.dmp

Download
memory/1036-91-0x0000000000000000-mapping.dmp

Download
memory/1040-96-0x0000000000000000-mapping.dmp

Download
memory/1072-64-0x0000000000000000-mapping.dmp

Download
memory/1076-59-0x0000000000000000-mapping.dmp

Download
memory/1100-60-0x0000000000000000-mapping.dmp

Download
memory/1116-89-0x0000000000000000-mapping.dmp

Download
memory/1120-68-0x0000000000000000-mapping.dmp

Download
memory/1184-63-0x0000000000000000-mapping.dmp

Download
memory/1252-84-0x0000000000000000-mapping.dmp

Download
memory/1268-83-0x0000000000000000-mapping.dmp

Download
memory/1356-58-0x0000000000000000-mapping.dmp

Download
memory/1472-103-0x0000000000000000-mapping.dmp

Download
memory/1492-69-0x0000000000000000-mapping.dmp

Download
memory/1496-57-0x0000000000000000-mapping.dmp

Download
memory/1524-86-0x0000000000000000-mapping.dmp

Download
memory/1536-61-0x0000000000000000-mapping.dmp

Download
memory/1576-79-0x0000000000000000-mapping.dmp

Download
memory/1620-94-0x0000000000000000-mapping.dmp

Download
memory/1672-93-0x0000000000000000-mapping.dmp

Download
memory/1700-88-0x0000000000000000-mapping.dmp

Download
memory/1748-73-0x0000000000000000-mapping.dmp

Download
memory/1748-105-0x0000000000000000-mapping.dmp

Download
memory/1764-54-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

Filesize
8KB

Download
memory/1764-55-0x0000000000920000-0x0000000001995000-memory.dmp

Filesize
16.5MB

Download
memory/1864-76-0x0000000000000000-mapping.dmp

Download
memory/2008-56-0x0000000000000000-mapping.dmp

Download
memory/2032-81-0x0000000000000000-mapping.dmp

Download
memory/2044-66-0x0000000000000000-mapping.dmp

Download