medusalocker | cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad

Analysis

max time kernel
131s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
10-11-2022 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
Size

710KB
MD5

674a54ed8c9614aea4808f6a09cc2236
SHA1

10e78765c5b245a6d19e77f54cb40bcdbb91ddcd
SHA256

cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad
SHA512

fb513afef9f44834e6461645a7f3121a343f07074f91b1e999faabeca332898f45426a67e70944ad979f80aa149eff5006547cc7b2ccb06af1a08b08df537ae1
SSDEEP

12288:XA0FfTcwpBuV2UxqDmuiLZeUaoFi2XZWfGe615HhAZV8DXKD/KeXQF:wuf4wTuV2Ux3uIZeUBi2Te6HWCKrKea

Score

10^/10

medusalocker neshta evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Detect Neshta payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\svhost.exe	family_neshta
C:\Users\Admin\AppData\Roaming\svhost.exe	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta

MedusaLocker
Ransomware with several variants first seen in September 2019.
ransomware medusalocker

MedusaLocker payload 7 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3582-490\cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe	family_medusalocker
C:\Users\Admin\AppData\Local\Temp\3582-490\cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe	family_medusalocker
C:\Users\Admin\AppData\Roaming\svhost.exe	family_medusalocker
C:\Users\Admin\AppData\Roaming\svhost.exe	family_medusalocker
C:\Users\Admin\AppData\Roaming\svhost.exe	family_medusalocker
C:\Users\Admin\AppData\Local\Temp\3582-490\svhost.exe	family_medusalocker
C:\Users\Admin\AppData\Local\Temp\3582-490\svhost.exe	family_medusalocker

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe

Executes dropped EXE 4 IoCs

Processes:

cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exesvhost.exesvchost.comsvhost.exe

pid process

1192 cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
4112 svhost.exe
1700 svchost.com
4108 svhost.exe

Modifies extensions of user files 10 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\SwitchSplit.tiff => C:\Users\Admin\Pictures\SwitchSplit.tiff.netlock12	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File renamed	C:\Users\Admin\Pictures\WaitExpand.png => C:\Users\Admin\Pictures\WaitExpand.png.netlock12	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File renamed	C:\Users\Admin\Pictures\CloseRedo.raw => C:\Users\Admin\Pictures\CloseRedo.raw.netlock12	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File renamed	C:\Users\Admin\Pictures\DisableWait.tif => C:\Users\Admin\Pictures\DisableWait.tif.netlock12	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\Users\Admin\Pictures\SkipMeasure.tiff	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File renamed	C:\Users\Admin\Pictures\SkipMeasure.tiff => C:\Users\Admin\Pictures\SkipMeasure.tiff.netlock12	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File renamed	C:\Users\Admin\Pictures\CloseInvoke.crw => C:\Users\Admin\Pictures\CloseInvoke.crw.netlock12	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File renamed	C:\Users\Admin\Pictures\CompareSkip.png => C:\Users\Admin\Pictures\CompareSkip.png.netlock12	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File renamed	C:\Users\Admin\Pictures\CompleteSync.png => C:\Users\Admin\Pictures\CompleteSync.png.netlock12	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\Users\Admin\Pictures\SwitchSplit.tiff	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exesvhost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	svhost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe

description	ioc	process
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-21-929662420-1054238289-2961194603-1000\desktop.ini	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe

description	ioc	process
File opened (read-only)	\??\H:	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened (read-only)	\??\J:	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened (read-only)	\??\L:	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened (read-only)	\??\T:	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened (read-only)	\??\U:	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened (read-only)	\??\Z:	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened (read-only)	\??\X:	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened (read-only)	\??\A:	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened (read-only)	\??\E:	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened (read-only)	\??\F:	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened (read-only)	\??\G:	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened (read-only)	\??\K:	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened (read-only)	\??\N:	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened (read-only)	\??\S:	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened (read-only)	\??\B:	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened (read-only)	\??\M:	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened (read-only)	\??\O:	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened (read-only)	\??\P:	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened (read-only)	\??\Q:	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened (read-only)	\??\R:	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened (read-only)	\??\I:	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened (read-only)	\??\V:	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened (read-only)	\??\W:	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened (read-only)	\??\Y:	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe

Drops file in Program Files directory 64 IoCs

Processes:

cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13167~1.21\MICROS~1.EXE	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmplayer.exe	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MICROS~4.EXE	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MI9C33~1.EXE	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MIA062~1.EXE	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MICROS~2.EXE	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MI391D~1.EXE	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MICROS~1.EXE	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13167~1.21\MICROS~3.EXE	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe

Drops file in Windows directory 4 IoCs

Processes:

svchost.comcbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exesvhost.exe

description	ioc	process
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
File opened for modification	C:\Windows\svchost.com	svhost.exe
File opened for modification	C:\Windows\directx.sys	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exesvhost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	svhost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe

pid	process
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

Processes:

wmic.exewmic.exewmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1280	wmic.exe
Token: SeSecurityPrivilege	1280	wmic.exe
Token: SeTakeOwnershipPrivilege	1280	wmic.exe
Token: SeLoadDriverPrivilege	1280	wmic.exe
Token: SeSystemProfilePrivilege	1280	wmic.exe
Token: SeSystemtimePrivilege	1280	wmic.exe
Token: SeProfSingleProcessPrivilege	1280	wmic.exe
Token: SeIncBasePriorityPrivilege	1280	wmic.exe
Token: SeCreatePagefilePrivilege	1280	wmic.exe
Token: SeBackupPrivilege	1280	wmic.exe
Token: SeRestorePrivilege	1280	wmic.exe
Token: SeShutdownPrivilege	1280	wmic.exe
Token: SeDebugPrivilege	1280	wmic.exe
Token: SeSystemEnvironmentPrivilege	1280	wmic.exe
Token: SeRemoteShutdownPrivilege	1280	wmic.exe
Token: SeUndockPrivilege	1280	wmic.exe
Token: SeManageVolumePrivilege	1280	wmic.exe
Token: 33	1280	wmic.exe
Token: 34	1280	wmic.exe
Token: 35	1280	wmic.exe
Token: 36	1280	wmic.exe
Token: SeIncreaseQuotaPrivilege	4180	wmic.exe
Token: SeSecurityPrivilege	4180	wmic.exe
Token: SeTakeOwnershipPrivilege	4180	wmic.exe
Token: SeLoadDriverPrivilege	4180	wmic.exe
Token: SeSystemProfilePrivilege	4180	wmic.exe
Token: SeSystemtimePrivilege	4180	wmic.exe
Token: SeProfSingleProcessPrivilege	4180	wmic.exe
Token: SeIncBasePriorityPrivilege	4180	wmic.exe
Token: SeCreatePagefilePrivilege	4180	wmic.exe
Token: SeBackupPrivilege	4180	wmic.exe
Token: SeRestorePrivilege	4180	wmic.exe
Token: SeShutdownPrivilege	4180	wmic.exe
Token: SeDebugPrivilege	4180	wmic.exe
Token: SeSystemEnvironmentPrivilege	4180	wmic.exe
Token: SeRemoteShutdownPrivilege	4180	wmic.exe
Token: SeUndockPrivilege	4180	wmic.exe
Token: SeManageVolumePrivilege	4180	wmic.exe
Token: 33	4180	wmic.exe
Token: 34	4180	wmic.exe
Token: 35	4180	wmic.exe
Token: 36	4180	wmic.exe
Token: SeIncreaseQuotaPrivilege	4352	wmic.exe
Token: SeSecurityPrivilege	4352	wmic.exe
Token: SeTakeOwnershipPrivilege	4352	wmic.exe
Token: SeLoadDriverPrivilege	4352	wmic.exe
Token: SeSystemProfilePrivilege	4352	wmic.exe
Token: SeSystemtimePrivilege	4352	wmic.exe
Token: SeProfSingleProcessPrivilege	4352	wmic.exe
Token: SeIncBasePriorityPrivilege	4352	wmic.exe
Token: SeCreatePagefilePrivilege	4352	wmic.exe
Token: SeBackupPrivilege	4352	wmic.exe
Token: SeRestorePrivilege	4352	wmic.exe
Token: SeShutdownPrivilege	4352	wmic.exe
Token: SeDebugPrivilege	4352	wmic.exe
Token: SeSystemEnvironmentPrivilege	4352	wmic.exe
Token: SeRemoteShutdownPrivilege	4352	wmic.exe
Token: SeUndockPrivilege	4352	wmic.exe
Token: SeManageVolumePrivilege	4352	wmic.exe
Token: 33	4352	wmic.exe
Token: 34	4352	wmic.exe
Token: 35	4352	wmic.exe
Token: 36	4352	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.execbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exesvhost.exesvchost.com

description	pid	process	target process
PID 640 wrote to memory of 1192	640	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
PID 640 wrote to memory of 1192	640	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
PID 640 wrote to memory of 1192	640	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
PID 1192 wrote to memory of 1280	1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe	wmic.exe
PID 1192 wrote to memory of 1280	1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe	wmic.exe
PID 1192 wrote to memory of 1280	1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe	wmic.exe
PID 1192 wrote to memory of 4180	1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe	wmic.exe
PID 1192 wrote to memory of 4180	1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe	wmic.exe
PID 1192 wrote to memory of 4180	1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe	wmic.exe
PID 1192 wrote to memory of 4352	1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe	wmic.exe
PID 1192 wrote to memory of 4352	1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe	wmic.exe
PID 1192 wrote to memory of 4352	1192	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe	wmic.exe
PID 4112 wrote to memory of 1700	4112	svhost.exe	svchost.com
PID 4112 wrote to memory of 1700	4112	svhost.exe	svchost.com
PID 4112 wrote to memory of 1700	4112	svhost.exe	svchost.com
PID 1700 wrote to memory of 4108	1700	svchost.com	svhost.exe
PID 1700 wrote to memory of 4108	1700	svchost.com	svhost.exe
PID 1700 wrote to memory of 4108	1700	svchost.com	svhost.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe

C:\Users\Admin\AppData\Local\Temp\cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
"C:\Users\Admin\AppData\Local\Temp\cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:640
- C:\Users\Admin\AppData\Local\Temp\3582-490\cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Modifies extensions of user files
  - Checks whether UAC is enabled
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1192
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic.exe SHADOWCOPY /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1280
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic.exe SHADOWCOPY /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4180
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic.exe SHADOWCOPY /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4352

C:\Users\Admin\AppData\Roaming\svhost.exe
C:\Users\Admin\AppData\Roaming\svhost.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4112
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\svhost.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Users\Admin\AppData\Local\Temp\3582-490\svhost.exe
    C:\Users\Admin\AppData\Local\Temp\3582-490\svhost.exe
    3⤵
    - Executes dropped EXE
    PID:4108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WindowsApps\

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe

Filesize
669KB

MD5
ac546514c037b432430bebc8e3884dad

SHA1
f4e2e0eea53546e9a2b1cf136eb8a5ce7015f06d

SHA256
b00be4dda45f8670b0e65d37cc7770fa791d869c7e567ea316d84d16283f8009

SHA512
b4f703141e1fc471df35e968977535e4b64cddebc9bba66037b259265234ed254249d9b451f0856cc902919cce77062c6242d49752dcd5e488f7c3d486bc5d99

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad.exe

Filesize
669KB

MD5
ac546514c037b432430bebc8e3884dad

SHA1
f4e2e0eea53546e9a2b1cf136eb8a5ce7015f06d

SHA256
b00be4dda45f8670b0e65d37cc7770fa791d869c7e567ea316d84d16283f8009

SHA512
b4f703141e1fc471df35e968977535e4b64cddebc9bba66037b259265234ed254249d9b451f0856cc902919cce77062c6242d49752dcd5e488f7c3d486bc5d99

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\svhost.exe

Filesize
669KB

MD5
ac546514c037b432430bebc8e3884dad

SHA1
f4e2e0eea53546e9a2b1cf136eb8a5ce7015f06d

SHA256
b00be4dda45f8670b0e65d37cc7770fa791d869c7e567ea316d84d16283f8009

SHA512
b4f703141e1fc471df35e968977535e4b64cddebc9bba66037b259265234ed254249d9b451f0856cc902919cce77062c6242d49752dcd5e488f7c3d486bc5d99

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\svhost.exe

Filesize
669KB

MD5
ac546514c037b432430bebc8e3884dad

SHA1
f4e2e0eea53546e9a2b1cf136eb8a5ce7015f06d

SHA256
b00be4dda45f8670b0e65d37cc7770fa791d869c7e567ea316d84d16283f8009

SHA512
b4f703141e1fc471df35e968977535e4b64cddebc9bba66037b259265234ed254249d9b451f0856cc902919cce77062c6242d49752dcd5e488f7c3d486bc5d99

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp

Filesize
8B

MD5
2eb1f83b03271e42c9fbcf6092435088

SHA1
0a834c6d6dae42dc108d8884f37a0b38288d4d0f

SHA256
246351ce4f313487b65dbbc03c6109d934943e230794bdb17509b3007466285b

SHA512
ac2ddf8c14e5c58efcd2897d76080acf79fe2cdb1e9475c0bb398dbffa57e97faeaacaec721a51855222b5220c3a8477883b290dbd6d99344a64dcf0f43b7409

Download Submit
C:\Users\Admin\AppData\Roaming\svhost.exe

Filesize
710KB

MD5
f80a0f5400ca81250c66efe2e927ddcd

SHA1
b489cb6aae676c9d5510a69d2f856d2102994b71

SHA256
2a42544a17aee8744980b0c637346a5003b4cd8cdd0e3209423421ff17efaffe

SHA512
46d0826b1ca83c3c7f6e2385e1f5a341354eede5f575f43ee4cebcc2eb20ff1837467b1386a019a5af6b06065dae0225f80d2f16943d5fb42167fbcd10dc41f4

Download Submit
C:\Users\Admin\AppData\Roaming\svhost.exe

Filesize
710KB

MD5
674a54ed8c9614aea4808f6a09cc2236

SHA1
10e78765c5b245a6d19e77f54cb40bcdbb91ddcd

SHA256
cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad

SHA512
fb513afef9f44834e6461645a7f3121a343f07074f91b1e999faabeca332898f45426a67e70944ad979f80aa149eff5006547cc7b2ccb06af1a08b08df537ae1

Download Submit
C:\Users\Admin\AppData\Roaming\svhost.exe

Filesize
710KB

MD5
674a54ed8c9614aea4808f6a09cc2236

SHA1
10e78765c5b245a6d19e77f54cb40bcdbb91ddcd

SHA256
cbdfaf7c90928949e71d8666a296fa211bb42f47cf33b41b1f8c6e439323f2ad

SHA512
fb513afef9f44834e6461645a7f3121a343f07074f91b1e999faabeca332898f45426a67e70944ad979f80aa149eff5006547cc7b2ccb06af1a08b08df537ae1

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
memory/1192-132-0x0000000000000000-mapping.dmp

Download
memory/1280-135-0x0000000000000000-mapping.dmp

Download
memory/1700-142-0x0000000000000000-mapping.dmp

Download
memory/4108-147-0x0000000000000000-mapping.dmp

Download
memory/4180-136-0x0000000000000000-mapping.dmp

Download
memory/4352-137-0x0000000000000000-mapping.dmp

Download