asyncrat | 6abc7310211473a511a9e776b103c520d4a49ff7a400c222160af4ae0288a916

Analysis

max time kernel
149s
max time network
144s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
19/07/2023, 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c.exe
Size

214KB
MD5

7007e1d06387b6ca204c98d49c7b07da
SHA1

5fb072d40016d80fed82631f20284b3672b2f965
SHA256

6abc7310211473a511a9e776b103c520d4a49ff7a400c222160af4ae0288a916
SHA512

ef3ca82efb87a0d395b2d0c8520a555eb7027bdb20cfa1932bb557a0323ded994f6bdf13bd020eaaa2b41a628edc4930c301884e79110ff5b3995b95bf5302ff
SSDEEP

6144:KZiai3mTU41O2oV1mD6ArKAenI3YNGDaXCF:KwZWp1OnV0+YKa3ApCF

Score

10^/10

asyncrat stormkitty default evasion ransomware rat stealer trojan

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6268035721:AAGWwn3ukkEumLQ0BZ43K9ZyUfUcyiD2wF0/sendMessage?chat_id=6119127555

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Path

C:\Users\Admin\Contacts\HELP_DECRYPT_YOUR_FILES.txt

Ransom Note

Oops All Of your important files were encrypted Like document pictures videos etc.. Don't worry, you can return all your files! All your files, documents, photos, databases and other important files are encrypted by a strong encryption. How to recover files? RSA is a asymmetric cryptographic algorithm, you need one key for encryption and one key for decryption so you need private key to recover your files. It’s not possible to recover your files without private key. The only method of recovering files is to purchase an unique private key.Only we can give you this key and only we can recover your files. What guarantees you have? As evidence, you can send us 1 file to decrypt by email We will send you a recovery file Prove that we can decrypt your file Please You must follow these steps carefully to decrypt your files: Send $980 worth of bitcoin to wallet: bc1qzpa3j6qse5xfxft2xy7h2phq04wq9pk66lllz5 after payment,we will send you Decryptor software contact email: [email protected] Your personal ID: TXYqIh238CiVfALkrWqdvehndYnSdxKkyMF1pTO6L4DpAqL4yiwabzt+pG0/oyJgBjtg6IZZYfdHgA5uJgED3m+JJ+/M2sPZEC0AT1YMadcjBSfMrbqmm6EA7/fRcAjXe1xUp6Csk2MxCsQ6wh8DkeSPDSy9tE7c0eEnpfb1tP8=

Emails

[email protected]

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000700000001b02f-133.dat	family_stormkitty
behavioral2/files/0x000700000001b02f-135.dat	family_stormkitty
behavioral2/memory/2844-138-0x00000000009C0000-0x0000000000A00000-memory.dmp	family_stormkitty

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	reg.exe

Async RAT payload 3 IoCs

rat

resource	yara_rule
behavioral2/files/0x000700000001b02f-133.dat	asyncrat
behavioral2/files/0x000700000001b02f-135.dat	asyncrat
behavioral2/memory/2844-138-0x00000000009C0000-0x0000000000A00000-memory.dmp	asyncrat

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/memory/868-122-0x0000000000970000-0x00000000009AC000-memory.dmp	net_reactor

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000\Control Panel\International\Geo\Nation	0.EXE

Executes dropped EXE 3 IoCs

pid	Process
1612	Payload.exe
2844	PryntVirus.exe
2748	0.EXE

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\a184dbf7771d2aa768df4eb2e93bd055\Admin@CXVLSGIX_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	PryntVirus.exe
File created	C:\Users\Admin\AppData\Local\a184dbf7771d2aa768df4eb2e93bd055\Admin@CXVLSGIX_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	PryntVirus.exe
File created	C:\Users\Admin\AppData\Local\a184dbf7771d2aa768df4eb2e93bd055\Admin@CXVLSGIX_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	PryntVirus.exe
File created	C:\Users\Admin\AppData\Local\a184dbf7771d2aa768df4eb2e93bd055\Admin@CXVLSGIX_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	PryntVirus.exe
File created	C:\Users\Admin\AppData\Local\a184dbf7771d2aa768df4eb2e93bd055\Admin@CXVLSGIX_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	PryntVirus.exe
File created	C:\Users\Admin\AppData\Local\a184dbf7771d2aa768df4eb2e93bd055\Admin@CXVLSGIX_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	PryntVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\a184dbf7771d2aa768df4eb2e93bd055\Admin@CXVLSGIX_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	PryntVirus.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1860	2844	WerFault.exe	71

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
3716	vssadmin.exe
2156	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "395205405"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\NextBrowserDataLogTime = 70b34a9241bad901	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates\AA549154B737EF29C	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\en-US = "en-US.1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData\RulesFileNextUpdateDate = "395912121"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 4	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "268435456"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = e6aef1320fbad901	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2393848421-2120571652-2495149697-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
5080	reg.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
868	c.exe
868	c.exe
868	c.exe
868	c.exe
868	c.exe
868	c.exe
868	c.exe
868	c.exe
868	c.exe
868	c.exe
868	c.exe
868	c.exe
868	c.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
2880	MicrosoftEdgeCP.exe
2880	MicrosoftEdgeCP.exe
2880	MicrosoftEdgeCP.exe
2880	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	868	c.exe
Token: SeDebugPrivilege	2844	PryntVirus.exe
Token: SeBackupPrivilege	2984	vssvc.exe
Token: SeRestorePrivilege	2984	vssvc.exe
Token: SeAuditPrivilege	2984	vssvc.exe
Token: SeDebugPrivilege	224	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	224	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	224	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	224	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1648	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1648	MicrosoftEdgeCP.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1612	Payload.exe
3520	MicrosoftEdge.exe
2880	MicrosoftEdgeCP.exe
224	MicrosoftEdgeCP.exe
2880	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 868 wrote to memory of 1612	868	c.exe	70
PID 868 wrote to memory of 1612	868	c.exe	70
PID 868 wrote to memory of 1612	868	c.exe	70
PID 868 wrote to memory of 2844	868	c.exe	71
PID 868 wrote to memory of 2844	868	c.exe	71
PID 868 wrote to memory of 2844	868	c.exe	71
PID 1612 wrote to memory of 2748	1612	Payload.exe	73
PID 1612 wrote to memory of 2748	1612	Payload.exe	73
PID 2748 wrote to memory of 4744	2748	0.EXE	76
PID 2748 wrote to memory of 4744	2748	0.EXE	76
PID 2748 wrote to memory of 4368	2748	0.EXE	74
PID 2748 wrote to memory of 4368	2748	0.EXE	74
PID 4368 wrote to memory of 2156	4368	cmd.exe	78
PID 4368 wrote to memory of 2156	4368	cmd.exe	78
PID 4744 wrote to memory of 5080	4744	cmd.exe	79
PID 4744 wrote to memory of 5080	4744	cmd.exe	79
PID 2748 wrote to memory of 2720	2748	0.EXE	80
PID 2748 wrote to memory of 2720	2748	0.EXE	80
PID 2720 wrote to memory of 3716	2720	cmd.exe	83
PID 2720 wrote to memory of 3716	2720	cmd.exe	83
PID 2880 wrote to memory of 1484	2880	MicrosoftEdgeCP.exe	92
PID 2880 wrote to memory of 1484	2880	MicrosoftEdgeCP.exe	92
PID 2880 wrote to memory of 1484	2880	MicrosoftEdgeCP.exe	92
PID 2880 wrote to memory of 1484	2880	MicrosoftEdgeCP.exe	92
PID 2880 wrote to memory of 1484	2880	MicrosoftEdgeCP.exe	92
PID 2880 wrote to memory of 1484	2880	MicrosoftEdgeCP.exe	92
PID 2880 wrote to memory of 1484	2880	MicrosoftEdgeCP.exe	92
PID 2880 wrote to memory of 1484	2880	MicrosoftEdgeCP.exe	92
PID 2880 wrote to memory of 1484	2880	MicrosoftEdgeCP.exe	92
PID 2880 wrote to memory of 1484	2880	MicrosoftEdgeCP.exe	92
PID 2880 wrote to memory of 1484	2880	MicrosoftEdgeCP.exe	92
PID 2880 wrote to memory of 1484	2880	MicrosoftEdgeCP.exe	92
PID 2880 wrote to memory of 1484	2880	MicrosoftEdgeCP.exe	92
PID 2880 wrote to memory of 1484	2880	MicrosoftEdgeCP.exe	92
PID 2880 wrote to memory of 1484	2880	MicrosoftEdgeCP.exe	92
PID 2880 wrote to memory of 1484	2880	MicrosoftEdgeCP.exe	92
PID 2880 wrote to memory of 1484	2880	MicrosoftEdgeCP.exe	92

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\c.exe
"C:\Users\Admin\AppData\Local\Temp\c.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:868
- C:\Users\Admin\AppData\Local\Temp\Payload.exe
  "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Users\Admin\AppData\Local\Temp\0.EXE
    C:\Users\Admin\AppData\Local\Temp\0.EXE
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4368
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin.exe delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:2156
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4744
    - - C:\Windows\System32\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
        5⤵
        UAC bypass
        Modifies registry key
        
        PID:5080
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c vssadmin.exe delete shadows /all /quiet
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin.exe delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:3716
- C:\Users\Admin\AppData\Local\Temp\PryntVirus.exe
  "C:\Users\Admin\AppData\Local\Temp\PryntVirus.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:2844
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 1556
    3⤵
    - Program crash
    PID:1860

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2984

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3520

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:2972

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2880

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:224

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:1484

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:3200

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:2876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
4KB

MD5
f7dcb24540769805e5bb30d193944dce

SHA1
e26c583c562293356794937d9e2e6155d15449ee

SHA256
6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea

SHA512
cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KFR0RUGG\edgecompatviewlist[1].xml

Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\L3SCX9CQ\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\XF8GA6F4\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\0.EXE

Filesize
27KB

MD5
f6d05f1f65b85eb1228f6524bb3773e8

SHA1
2c1a3b5de5d9e34e20fcf39671b4359abd38507c

SHA256
5fef2acf0b0289500ddfcbcbe45c95973c37d30eecdb2f5f20894a5f5b43ef31

SHA512
b8365ac6ef36e8bf133797533cae01b0c1a9646fa87949d28235553e51f7cec3c6ebf77c9eb0764fc43c5e47283e9c579b2b16308adb191cba83ef26cbfa84e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\0.EXE

Filesize
27KB

MD5
f6d05f1f65b85eb1228f6524bb3773e8

SHA1
2c1a3b5de5d9e34e20fcf39671b4359abd38507c

SHA256
5fef2acf0b0289500ddfcbcbe45c95973c37d30eecdb2f5f20894a5f5b43ef31

SHA512
b8365ac6ef36e8bf133797533cae01b0c1a9646fa87949d28235553e51f7cec3c6ebf77c9eb0764fc43c5e47283e9c579b2b16308adb191cba83ef26cbfa84e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Payload.exe

Filesize
56KB

MD5
7259a26bdeccbb47b6fa2ce679e85389

SHA1
acf7b33bed1ad3451853006f4ebec0ca954f7c57

SHA256
edafaa8b3025c3fd96da7e30032e30c94cba6f552fecfa96426ec187ab63fbd0

SHA512
82a427d079c009ee4e2f628eba8c91d9960d49f819cf87ea5fa2545038cff8224e5eba8548cee6f1aa8b612d03a6abf0958583e2e9a563f84518837db502214f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Payload.exe

Filesize
56KB

MD5
7259a26bdeccbb47b6fa2ce679e85389

SHA1
acf7b33bed1ad3451853006f4ebec0ca954f7c57

SHA256
edafaa8b3025c3fd96da7e30032e30c94cba6f552fecfa96426ec187ab63fbd0

SHA512
82a427d079c009ee4e2f628eba8c91d9960d49f819cf87ea5fa2545038cff8224e5eba8548cee6f1aa8b612d03a6abf0958583e2e9a563f84518837db502214f

Download Submit
C:\Users\Admin\AppData\Local\Temp\PryntVirus.exe

Filesize
232KB

MD5
738238ee09dca255d14a587f1d1f5a44

SHA1
91082c851059b0a58f72f9f9131e07d8a0370e67

SHA256
7d407269b23ca6bf23d62169e233f7042638c8b34c406e8d3e8ea36740d93ca9

SHA512
5c06eadca22112fc5f414a29908f3465c07b4700de682702fe058cebec3d38badde052b1e8620054cf72c6fad9994de2164de14ac9de7c39d68ff4c40fe77dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\PryntVirus.exe

Filesize
232KB

MD5
738238ee09dca255d14a587f1d1f5a44

SHA1
91082c851059b0a58f72f9f9131e07d8a0370e67

SHA256
7d407269b23ca6bf23d62169e233f7042638c8b34c406e8d3e8ea36740d93ca9

SHA512
5c06eadca22112fc5f414a29908f3465c07b4700de682702fe058cebec3d38badde052b1e8620054cf72c6fad9994de2164de14ac9de7c39d68ff4c40fe77dd1

Download Submit
C:\Users\Admin\Contacts\HELP_DECRYPT_YOUR_FILES.txt

Filesize
1KB

MD5
f8a092c0285d4d03c7fb42de79b59728

SHA1
3f3fc6e68154c1e4005335f2203682de21100322

SHA256
1ba695549cff3059cf26c5e9d700f5da0a32684c429e386c14e14508ca74c9df

SHA512
068fe0be58b1a946aa0d7988d3aa3f430a3b7715d01de8b7baaf824bb239e5324a407bfded90c467ec5cf82dd5d8c3a51357415c2038856a90d695b0fd02b1fc

Download Submit
C:\Users\Admin\Documents\HELP_DECRYPT_YOUR_FILES.txt

Filesize
1KB

MD5
f8a092c0285d4d03c7fb42de79b59728

SHA1
3f3fc6e68154c1e4005335f2203682de21100322

SHA256
1ba695549cff3059cf26c5e9d700f5da0a32684c429e386c14e14508ca74c9df

SHA512
068fe0be58b1a946aa0d7988d3aa3f430a3b7715d01de8b7baaf824bb239e5324a407bfded90c467ec5cf82dd5d8c3a51357415c2038856a90d695b0fd02b1fc

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\HELP_DECRYPT_YOUR_FILES.txt

Filesize
1KB

MD5
f8a092c0285d4d03c7fb42de79b59728

SHA1
3f3fc6e68154c1e4005335f2203682de21100322

SHA256
1ba695549cff3059cf26c5e9d700f5da0a32684c429e386c14e14508ca74c9df

SHA512
068fe0be58b1a946aa0d7988d3aa3f430a3b7715d01de8b7baaf824bb239e5324a407bfded90c467ec5cf82dd5d8c3a51357415c2038856a90d695b0fd02b1fc

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\HELP_DECRYPT_YOUR_FILES.txt

Filesize
1KB

MD5
f8a092c0285d4d03c7fb42de79b59728

SHA1
3f3fc6e68154c1e4005335f2203682de21100322

SHA256
1ba695549cff3059cf26c5e9d700f5da0a32684c429e386c14e14508ca74c9df

SHA512
068fe0be58b1a946aa0d7988d3aa3f430a3b7715d01de8b7baaf824bb239e5324a407bfded90c467ec5cf82dd5d8c3a51357415c2038856a90d695b0fd02b1fc

Download Submit
C:\Users\Admin\Pictures\Camera Roll\HELP_DECRYPT_YOUR_FILES.txt

Filesize
1KB

MD5
f8a092c0285d4d03c7fb42de79b59728

SHA1
3f3fc6e68154c1e4005335f2203682de21100322

SHA256
1ba695549cff3059cf26c5e9d700f5da0a32684c429e386c14e14508ca74c9df

SHA512
068fe0be58b1a946aa0d7988d3aa3f430a3b7715d01de8b7baaf824bb239e5324a407bfded90c467ec5cf82dd5d8c3a51357415c2038856a90d695b0fd02b1fc

Download Submit
C:\Users\Admin\Pictures\HELP_DECRYPT_YOUR_FILES.txt

Filesize
1KB

MD5
f8a092c0285d4d03c7fb42de79b59728

SHA1
3f3fc6e68154c1e4005335f2203682de21100322

SHA256
1ba695549cff3059cf26c5e9d700f5da0a32684c429e386c14e14508ca74c9df

SHA512
068fe0be58b1a946aa0d7988d3aa3f430a3b7715d01de8b7baaf824bb239e5324a407bfded90c467ec5cf82dd5d8c3a51357415c2038856a90d695b0fd02b1fc

Download Submit
C:\Users\Admin\Pictures\Saved Pictures\HELP_DECRYPT_YOUR_FILES.txt

Filesize
1KB

MD5
f8a092c0285d4d03c7fb42de79b59728

SHA1
3f3fc6e68154c1e4005335f2203682de21100322

SHA256
1ba695549cff3059cf26c5e9d700f5da0a32684c429e386c14e14508ca74c9df

SHA512
068fe0be58b1a946aa0d7988d3aa3f430a3b7715d01de8b7baaf824bb239e5324a407bfded90c467ec5cf82dd5d8c3a51357415c2038856a90d695b0fd02b1fc

Download Submit
C:\Users\Admin\Videos\HELP_DECRYPT_YOUR_FILES.txt

Filesize
1KB

MD5
316b2e10731b9e2e00c65b74a967a054

SHA1
852ae90a6986f2eacc4169a157ad26e3bbe9741c

SHA256
88112c6f05b9cc1ae52928252e2cf792bdaee60b7e4c9514ba6a1c5b638b24f8

SHA512
42bb6c7579c3fc12a54578b33e7d164a9d768c540812b4f31ba4d326f6ee84ede5c7134ee71156823a61997ea7a4bd8e4d95597de44aaf3f8c38c954da05d872

Download Submit
memory/868-139-0x00007FFA63BF0000-0x00007FFA645DC000-memory.dmp

Filesize
9.9MB

Download
memory/868-123-0x00007FFA63BF0000-0x00007FFA645DC000-memory.dmp

Filesize
9.9MB

Download
memory/868-122-0x0000000000970000-0x00000000009AC000-memory.dmp

Filesize
240KB

Download
memory/868-124-0x0000000002A80000-0x0000000002A90000-memory.dmp

Filesize
64KB

Download
memory/1484-365-0x00000220E6020000-0x00000220E6120000-memory.dmp

Filesize
1024KB

Download
memory/1484-406-0x00000220E4420000-0x00000220E4422000-memory.dmp

Filesize
8KB

Download
memory/1484-618-0x00000220D2AF0000-0x00000220D2B00000-memory.dmp

Filesize
64KB

Download
memory/1484-493-0x00000220E75C0000-0x00000220E75C2000-memory.dmp

Filesize
8KB

Download
memory/1484-619-0x00000220D2AF0000-0x00000220D2B00000-memory.dmp

Filesize
64KB

Download
memory/1484-625-0x00000220D2AF0000-0x00000220D2B00000-memory.dmp

Filesize
64KB

Download
memory/1484-624-0x00000220D2AF0000-0x00000220D2B00000-memory.dmp

Filesize
64KB

Download
memory/1484-623-0x00000220D2AF0000-0x00000220D2B00000-memory.dmp

Filesize
64KB

Download
memory/1484-627-0x00000220D2AF0000-0x00000220D2B00000-memory.dmp

Filesize
64KB

Download
memory/1484-626-0x00000220D2AF0000-0x00000220D2B00000-memory.dmp

Filesize
64KB

Download
memory/1484-622-0x00000220D2AF0000-0x00000220D2B00000-memory.dmp

Filesize
64KB

Download
memory/1484-352-0x00000220E44A0000-0x00000220E44C0000-memory.dmp

Filesize
128KB

Download
memory/1484-362-0x00000220D32D0000-0x00000220D32D2000-memory.dmp

Filesize
8KB

Download
memory/1484-489-0x00000220E7520000-0x00000220E7522000-memory.dmp

Filesize
8KB

Download
memory/1484-368-0x00000220E52D0000-0x00000220E52D2000-memory.dmp

Filesize
8KB

Download
memory/1484-376-0x00000220E3D60000-0x00000220E3D62000-memory.dmp

Filesize
8KB

Download
memory/1484-380-0x00000220E3D80000-0x00000220E3D82000-memory.dmp

Filesize
8KB

Download
memory/1484-383-0x00000220E3F20000-0x00000220E3F22000-memory.dmp

Filesize
8KB

Download
memory/1484-386-0x00000220E3F40000-0x00000220E3F42000-memory.dmp

Filesize
8KB

Download
memory/1484-391-0x00000220E4210000-0x00000220E4212000-memory.dmp

Filesize
8KB

Download
memory/1484-394-0x00000220E4250000-0x00000220E4252000-memory.dmp

Filesize
8KB

Download
memory/1484-400-0x00000220E4270000-0x00000220E4272000-memory.dmp

Filesize
8KB

Download
memory/1484-628-0x00000220D2AF0000-0x00000220D2B00000-memory.dmp

Filesize
64KB

Download
memory/1484-444-0x00000220E6800000-0x00000220E6900000-memory.dmp

Filesize
1024KB

Download
memory/1484-445-0x00000220E6800000-0x00000220E6900000-memory.dmp

Filesize
1024KB

Download
memory/1484-621-0x00000220D2AF0000-0x00000220D2B00000-memory.dmp

Filesize
64KB

Download
memory/1484-620-0x00000220D2AF0000-0x00000220D2B00000-memory.dmp

Filesize
64KB

Download
memory/2748-154-0x000000001BFB0000-0x000000001BFC0000-memory.dmp

Filesize
64KB

Download
memory/2748-307-0x00007FFA63BF0000-0x00007FFA645DC000-memory.dmp

Filesize
9.9MB

Download
memory/2748-148-0x00007FFA63BF0000-0x00007FFA645DC000-memory.dmp

Filesize
9.9MB

Download
memory/2748-147-0x00000000008E0000-0x00000000008EC000-memory.dmp

Filesize
48KB

Download
memory/2844-306-0x0000000073350000-0x0000000073A3E000-memory.dmp

Filesize
6.9MB

Download
memory/2844-308-0x00000000052C0000-0x00000000052D0000-memory.dmp

Filesize
64KB

Download
memory/2844-158-0x0000000005BB0000-0x0000000005C42000-memory.dmp

Filesize
584KB

Download
memory/2844-157-0x0000000005FD0000-0x00000000064CE000-memory.dmp

Filesize
5.0MB

Download
memory/2844-142-0x00000000052C0000-0x00000000052D0000-memory.dmp

Filesize
64KB

Download
memory/2844-141-0x0000000005200000-0x0000000005266000-memory.dmp

Filesize
408KB

Download
memory/2844-140-0x0000000073350000-0x0000000073A3E000-memory.dmp

Filesize
6.9MB

Download
memory/2844-138-0x00000000009C0000-0x0000000000A00000-memory.dmp

Filesize
256KB

Download
memory/3520-460-0x00000205717C0000-0x00000205717C1000-memory.dmp

Filesize
4KB

Download
memory/3520-457-0x00000205717B0000-0x00000205717B1000-memory.dmp

Filesize
4KB

Download
memory/3520-304-0x000002056ADD0000-0x000002056ADD2000-memory.dmp

Filesize
8KB

Download
memory/3520-285-0x000002056B440000-0x000002056B450000-memory.dmp

Filesize
64KB

Download
memory/3520-269-0x000002056AC20000-0x000002056AC30000-memory.dmp

Filesize
64KB

Download