crypvault | 1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6

Analysis

max time kernel
150s
max time network
134s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11-09-2023 14:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe
Size

179KB
MD5

6ecdfd76e99ac7bf571dd21bf4d85fe4
SHA1

3b622b03e700c8f5115e0706e7bd510ba18daaab
SHA256

1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6
SHA512

42355f470974b0f9ffc3e65331d7384d850858e7c32986d5b004d7384282d9d20c85c5b58e6f0f94784f0ac09c5a669e9241b7a62825fe4b08cbe575df00025f
SSDEEP

3072:kuWvdwxYVLSroutnDnQiREOjijPwAhFbwALCYmgBO8ja+8ewQ0UM44Fn3fzT45:kuAwxVoSnDQi7kRtLCY88ja+8ewQStFI

Score

10^/10

crypvault evasion ransomware spyware stealer trojan upx

Malware Config

Signatures

CrypVault
Ransomware family which makes encrypted files look like they have been quarantined by AV.
ransomware crypvault
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1292 2376 cmd.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

2784 bcdedit.exe
2796 bcdedit.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2376	cmd.exe

pid	process
2784	bcdedit.exe
2796	bcdedit.exe

Drops startup file 2 IoCs

Processes:

F2BFD3CE9C25.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta	F2BFD3CE9C25.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta	F2BFD3CE9C25.exe

Executes dropped EXE 2 IoCs

Processes:

F2BFD3CE9C25.exeF2BFD3CE9C25.exe

pid process

1368 F2BFD3CE9C25.exe
1944 F2BFD3CE9C25.exe

Loads dropped DLL 3 IoCs

Processes:

1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exeF2BFD3CE9C25.exe

pid	process
2960	1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe
2960	1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe
1368	F2BFD3CE9C25.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2960-0-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/memory/1944-15-0x0000000000400000-0x0000000000978000-memory.dmp	upx
behavioral1/memory/1944-16-0x0000000000400000-0x0000000000978000-memory.dmp	upx
behavioral1/memory/1944-17-0x0000000000400000-0x0000000000978000-memory.dmp	upx
behavioral1/memory/1944-18-0x0000000000400000-0x0000000000978000-memory.dmp	upx
behavioral1/memory/1944-21-0x0000000000400000-0x0000000000978000-memory.dmp	upx
behavioral1/memory/1944-24-0x0000000000400000-0x0000000000978000-memory.dmp	upx
behavioral1/memory/1944-25-0x0000000000400000-0x0000000000978000-memory.dmp	upx
behavioral1/memory/1944-26-0x0000000000400000-0x0000000000978000-memory.dmp	upx
behavioral1/memory/2960-27-0x0000000000400000-0x000000000042C000-memory.dmp	upx
behavioral1/memory/1944-28-0x0000000000400000-0x0000000000978000-memory.dmp	upx
behavioral1/memory/1944-95-0x0000000000400000-0x0000000000978000-memory.dmp	upx
behavioral1/memory/1944-132-0x0000000000400000-0x0000000000978000-memory.dmp	upx
behavioral1/memory/1848-141-0x0000000140000000-0x00000001405E8000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

mshta.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA mshta.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

F2BFD3CE9C25.exe

description pid process target process

PID 1368 set thread context of 1944 1368 F2BFD3CE9C25.exe F2BFD3CE9C25.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1244 vssadmin.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mshta.exe

description	pid	process	target process
PID 1368 set thread context of 1944	1368	F2BFD3CE9C25.exe	F2BFD3CE9C25.exe

pid	process
1244	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 44 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEWINWORD.EXEmshta.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3E7C6FC1-50B1-11EE-B1CA-5EF5C936A496} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f908080c5c8cf442941c5db076e34ac200000000020000000000106600000001000020000000b857314495c3e891e9e0a5815d0c9309dbbd8b468322f5745c62c9fe0788ca0c000000000e800000000200002000000069d19a97c9df69ae47622f1a7ead1aac9e0f628575a5a2aed669380aa5b2e6bc90000000456b65470da8acef0315efbc843089a7724dbf29df397e8541c855b6164a07f1830046b110ecf99e6dd0885d0a7e08b6168aaff72f9e45a647b2c39cde7122af21a9087cceef7fbd180b062378c40a6bb54414a02c1bb96d29365d65cad37d48216727798919a2d7a0df97c9ae025f8be196f6fca766d26c69c90f59e9fc7fb5d33128741a4207b19151aa0ac9959eca40000000be976de163c035146b0f145ec0af3d48bedd3428e4c99fc23944bb60e43b9104b1a828a0dc09c19c3c7fc5df72c1516ff39f104d804b83e73a9ab2728c0235de	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f908080c5c8cf442941c5db076e34ac200000000020000000000106600000001000020000000b060a85f2fe855e1cfd601dacf5226bb8c3b2deea80a16e6f6084b3c1f6498f7000000000e800000000200002000000095202e701a7986b7a6bc94815c7f937e2ad8f2eac8d889829f2b1fe44f77876020000000e7aa8d0745d1277fd284b22d61e73268c72cc41483923fe18ebd11b8a06e447a40000000ff62fbbb4dad8009c360d43fc15f0f7547b2a6ffb11564f6ad8edda627d8ffae95c33cac5e94eeb1ec31eb610bda595d697a12f08333ae1ef3836ad5e9cafad9	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40388614bee4d901	iexplore.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2644 WINWORD.EXE

pid	process
2644	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

F2BFD3CE9C25.exeF2BFD3CE9C25.exetaskmgr.exe

pid	process
1368	F2BFD3CE9C25.exe
1944	F2BFD3CE9C25.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

1848 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

WMIC.exetaskmgr.exevssvc.exeAUDIODG.EXE

description	pid	process
Token: SeIncreaseQuotaPrivilege	2284	WMIC.exe
Token: SeSecurityPrivilege	2284	WMIC.exe
Token: SeTakeOwnershipPrivilege	2284	WMIC.exe
Token: SeLoadDriverPrivilege	2284	WMIC.exe
Token: SeSystemProfilePrivilege	2284	WMIC.exe
Token: SeSystemtimePrivilege	2284	WMIC.exe
Token: SeProfSingleProcessPrivilege	2284	WMIC.exe
Token: SeIncBasePriorityPrivilege	2284	WMIC.exe
Token: SeCreatePagefilePrivilege	2284	WMIC.exe
Token: SeBackupPrivilege	2284	WMIC.exe
Token: SeRestorePrivilege	2284	WMIC.exe
Token: SeShutdownPrivilege	2284	WMIC.exe
Token: SeDebugPrivilege	2284	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2284	WMIC.exe
Token: SeRemoteShutdownPrivilege	2284	WMIC.exe
Token: SeUndockPrivilege	2284	WMIC.exe
Token: SeManageVolumePrivilege	2284	WMIC.exe
Token: 33	2284	WMIC.exe
Token: 34	2284	WMIC.exe
Token: 35	2284	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2284	WMIC.exe
Token: SeSecurityPrivilege	2284	WMIC.exe
Token: SeTakeOwnershipPrivilege	2284	WMIC.exe
Token: SeLoadDriverPrivilege	2284	WMIC.exe
Token: SeSystemProfilePrivilege	2284	WMIC.exe
Token: SeSystemtimePrivilege	2284	WMIC.exe
Token: SeProfSingleProcessPrivilege	2284	WMIC.exe
Token: SeIncBasePriorityPrivilege	2284	WMIC.exe
Token: SeCreatePagefilePrivilege	2284	WMIC.exe
Token: SeBackupPrivilege	2284	WMIC.exe
Token: SeRestorePrivilege	2284	WMIC.exe
Token: SeShutdownPrivilege	2284	WMIC.exe
Token: SeDebugPrivilege	2284	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2284	WMIC.exe
Token: SeRemoteShutdownPrivilege	2284	WMIC.exe
Token: SeUndockPrivilege	2284	WMIC.exe
Token: SeManageVolumePrivilege	2284	WMIC.exe
Token: 33	2284	WMIC.exe
Token: 34	2284	WMIC.exe
Token: 35	2284	WMIC.exe
Token: SeDebugPrivilege	1848	taskmgr.exe
Token: SeBackupPrivilege	1568	vssvc.exe
Token: SeRestorePrivilege	1568	vssvc.exe
Token: SeAuditPrivilege	1568	vssvc.exe
Token: 33	1772	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1772	AUDIODG.EXE
Token: 33	1772	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1772	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exeiexplore.exe

pid	process
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
3040	iexplore.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

F2BFD3CE9C25.exeWINWORD.EXEiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
1368	F2BFD3CE9C25.exe
2644	WINWORD.EXE
2644	WINWORD.EXE
2644	WINWORD.EXE
3040	iexplore.exe
3040	iexplore.exe
2552	IEXPLORE.EXE
2552	IEXPLORE.EXE
2600	IEXPLORE.EXE
2600	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exeF2BFD3CE9C25.exeF2BFD3CE9C25.execmd.exe

description	pid	process	target process
PID 2960 wrote to memory of 2956	2960	1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe	cmd.exe
PID 2960 wrote to memory of 2956	2960	1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe	cmd.exe
PID 2960 wrote to memory of 2956	2960	1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe	cmd.exe
PID 2960 wrote to memory of 2956	2960	1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe	cmd.exe
PID 2960 wrote to memory of 2096	2960	1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe	cmd.exe
PID 2960 wrote to memory of 2096	2960	1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe	cmd.exe
PID 2960 wrote to memory of 2096	2960	1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe	cmd.exe
PID 2960 wrote to memory of 2096	2960	1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe	cmd.exe
PID 2960 wrote to memory of 2776	2960	1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe	cmd.exe
PID 2960 wrote to memory of 2776	2960	1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe	cmd.exe
PID 2960 wrote to memory of 2776	2960	1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe	cmd.exe
PID 2960 wrote to memory of 2776	2960	1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe	cmd.exe
PID 2960 wrote to memory of 2892	2960	1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe	cmd.exe
PID 2960 wrote to memory of 2892	2960	1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe	cmd.exe
PID 2960 wrote to memory of 2892	2960	1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe	cmd.exe
PID 2960 wrote to memory of 2892	2960	1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe	cmd.exe
PID 2960 wrote to memory of 2896	2960	1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe	cmd.exe
PID 2960 wrote to memory of 2896	2960	1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe	cmd.exe
PID 2960 wrote to memory of 2896	2960	1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe	cmd.exe
PID 2960 wrote to memory of 2896	2960	1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe	cmd.exe
PID 2960 wrote to memory of 1368	2960	1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe	F2BFD3CE9C25.exe
PID 2960 wrote to memory of 1368	2960	1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe	F2BFD3CE9C25.exe
PID 2960 wrote to memory of 1368	2960	1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe	F2BFD3CE9C25.exe
PID 2960 wrote to memory of 1368	2960	1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe	F2BFD3CE9C25.exe
PID 2960 wrote to memory of 2528	2960	1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe	cmd.exe
PID 2960 wrote to memory of 2528	2960	1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe	cmd.exe
PID 2960 wrote to memory of 2528	2960	1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe	cmd.exe
PID 2960 wrote to memory of 2528	2960	1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe	cmd.exe
PID 2960 wrote to memory of 2492	2960	1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe	cmd.exe
PID 2960 wrote to memory of 2492	2960	1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe	cmd.exe
PID 2960 wrote to memory of 2492	2960	1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe	cmd.exe
PID 2960 wrote to memory of 2492	2960	1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe	cmd.exe
PID 2960 wrote to memory of 2700	2960	1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe	cmd.exe
PID 2960 wrote to memory of 2700	2960	1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe	cmd.exe
PID 2960 wrote to memory of 2700	2960	1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe	cmd.exe
PID 2960 wrote to memory of 2700	2960	1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe	cmd.exe
PID 1368 wrote to memory of 1944	1368	F2BFD3CE9C25.exe	F2BFD3CE9C25.exe
PID 1368 wrote to memory of 1944	1368	F2BFD3CE9C25.exe	F2BFD3CE9C25.exe
PID 1368 wrote to memory of 1944	1368	F2BFD3CE9C25.exe	F2BFD3CE9C25.exe
PID 1368 wrote to memory of 1944	1368	F2BFD3CE9C25.exe	F2BFD3CE9C25.exe
PID 1368 wrote to memory of 1944	1368	F2BFD3CE9C25.exe	F2BFD3CE9C25.exe
PID 1368 wrote to memory of 1944	1368	F2BFD3CE9C25.exe	F2BFD3CE9C25.exe
PID 1368 wrote to memory of 1944	1368	F2BFD3CE9C25.exe	F2BFD3CE9C25.exe
PID 1368 wrote to memory of 1944	1368	F2BFD3CE9C25.exe	F2BFD3CE9C25.exe
PID 1368 wrote to memory of 1944	1368	F2BFD3CE9C25.exe	F2BFD3CE9C25.exe
PID 1368 wrote to memory of 1944	1368	F2BFD3CE9C25.exe	F2BFD3CE9C25.exe
PID 1368 wrote to memory of 1944	1368	F2BFD3CE9C25.exe	F2BFD3CE9C25.exe
PID 2960 wrote to memory of 2644	2960	1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe	WINWORD.EXE
PID 2960 wrote to memory of 2644	2960	1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe	WINWORD.EXE
PID 2960 wrote to memory of 2644	2960	1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe	WINWORD.EXE
PID 2960 wrote to memory of 2644	2960	1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe	WINWORD.EXE
PID 2960 wrote to memory of 1092	2960	1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe	cmd.exe
PID 2960 wrote to memory of 1092	2960	1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe	cmd.exe
PID 2960 wrote to memory of 1092	2960	1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe	cmd.exe
PID 2960 wrote to memory of 1092	2960	1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe	cmd.exe
PID 1944 wrote to memory of 2284	1944	F2BFD3CE9C25.exe	WMIC.exe
PID 1944 wrote to memory of 2284	1944	F2BFD3CE9C25.exe	WMIC.exe
PID 1944 wrote to memory of 2284	1944	F2BFD3CE9C25.exe	WMIC.exe
PID 1944 wrote to memory of 2284	1944	F2BFD3CE9C25.exe	WMIC.exe
PID 1944 wrote to memory of 1084	1944	F2BFD3CE9C25.exe	mshta.exe
PID 1944 wrote to memory of 1084	1944	F2BFD3CE9C25.exe	mshta.exe
PID 1944 wrote to memory of 1084	1944	F2BFD3CE9C25.exe	mshta.exe
PID 1944 wrote to memory of 1084	1944	F2BFD3CE9C25.exe	mshta.exe
PID 1292 wrote to memory of 1244	1292	cmd.exe	vssadmin.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe
"C:\Users\Admin\AppData\Local\Temp\1dcd0f079a72ddd82f144ded212c4c844768474acf59e1cde6ca1194e80fa3a6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo F2BFD3CE9C25
  2⤵
  PID:2956
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo DCFF019CDE
  2⤵
  PID:2096
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\F2BFD3CE9C25" F2BFD3CE9C25.exe
  2⤵
  PID:2776
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo DCFF019CDE
  2⤵
  PID:2892
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo F2BFD3CE9C25
  2⤵
  PID:2896
- C:\Users\Admin\AppData\Local\Temp\F2BFD3CE9C25.exe
  "C:\Users\Admin\AppData\Local\Temp\F2BFD3CE9C25.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1368
- - C:\Users\Admin\AppData\Local\Temp\F2BFD3CE9C25.exe
    "C:\Users\Admin\AppData\Local\Temp\F2BFD3CE9C25.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1944
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\VAULT.hta"
      4⤵
      Checks whether UAC is enabled
      Modifies Internet Explorer settings
      PID:1084
  - - C:\Windows\SysWOW64\wbem\WMIC.exe
      "C:\Windows\System32\wbem\WMIC.exe" process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2284
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ren "C:\Users\Admin\AppData\Local\Temp\DCFF019CDE" DCFF019CDE.doc
  2⤵
  PID:2528
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo DCFF019CDE
  2⤵
  PID:2492
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo F2BFD3CE9C25
  2⤵
  PID:2700
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\DCFF019CDE.doc"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:2644
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo F2BFD3CE9C25DCFF019CDE
  2⤵
  PID:1092

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1848

C:\Windows\system32\cmd.exe
cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:1244
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} recoveryenabled no
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2784
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2796

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3040
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3040 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2552
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3040 CREDAT:1848323 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2600

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1656

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x514
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DV38LGVA\favicon[1].ico

Filesize
3B

MD5
8a80554c91d9fca8acb82f023de02f11

SHA1
5f36b2ea290645ee34d943220a14b54ee5ea5be5

SHA256
ca3d163bab055381827226140568f3bef7eaac187cebd76878e0b63e9e442356

SHA512
ca4b6defb8adcc010050bc8b1bb8f8092c4928b8a0fba32146abcfb256e4d91672f88ca2cdf6210e754e5b8ac5e23fb023806ccd749ac8b701f79a691f03c87a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAE.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCFF019CDE

Filesize
22KB

MD5
903cdb04837bfbbdcf04865d6a9636cc

SHA1
973b5ff90f2ba32848661e209b15f5344a081428

SHA256
70649a3e84b9df3b2af94a7c4f8fe433a71ec8321f41ead0518b824df1522454

SHA512
c034610eba204fbeac363ead9ce1068b78f80715962857c7402fd4c655076e17f87b150272ea81ca3f5dd22d0559f29652e2759f7ef6bd87f8833aac92ef5228

Download Submit
C:\Users\Admin\AppData\Local\Temp\F2BFD3CE9C25

Filesize
152KB

MD5
78c0fd404013b383118911009d0384db

SHA1
75535aa0caef3a54ae373be8f91b521cf640e0b4

SHA256
002c428f1eb592b922fb31d11d71d4a8a95ac2804274f969709a2549740a633a

SHA512
213edf2156aed06778f72f81bc0b26bbfcd8ca132e02f88994443277c44e9de91ed6935fb1a38a646c328b552324beafe5beaf7b3d7a830de55a822770222b95

Download Submit
C:\Users\Admin\AppData\Local\Temp\F2BFD3CE9C25.exe

Filesize
152KB

MD5
78c0fd404013b383118911009d0384db

SHA1
75535aa0caef3a54ae373be8f91b521cf640e0b4

SHA256
002c428f1eb592b922fb31d11d71d4a8a95ac2804274f969709a2549740a633a

SHA512
213edf2156aed06778f72f81bc0b26bbfcd8ca132e02f88994443277c44e9de91ed6935fb1a38a646c328b552324beafe5beaf7b3d7a830de55a822770222b95

Download Submit
C:\Users\Admin\AppData\Local\Temp\F2BFD3CE9C25.exe

Filesize
152KB

MD5
78c0fd404013b383118911009d0384db

SHA1
75535aa0caef3a54ae373be8f91b521cf640e0b4

SHA256
002c428f1eb592b922fb31d11d71d4a8a95ac2804274f969709a2549740a633a

SHA512
213edf2156aed06778f72f81bc0b26bbfcd8ca132e02f88994443277c44e9de91ed6935fb1a38a646c328b552324beafe5beaf7b3d7a830de55a822770222b95

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFF4B83FB48921CE45.TMP

Filesize
16KB

MD5
06e55a8b8e00781ff9f6c26a152b5b4c

SHA1
8cd02426a0123f3e6a3af435a624f6235e34f144

SHA256
503d9c5af3fd659e7f4ed8456fa34f9c9ca85c1b8bfbd26620877aeb756177be

SHA512
9613cdbb2a3273c8b1c238ce285cd838532b01a736840147339d3a9fba61acb90ead7e42cd50b48d12fe3bf667d16e710cb841dcd108fd8d66f56f617427c700

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VAULT.hta

Filesize
4KB

MD5
bd8577184fec08569ac3b53c8fea8644

SHA1
e80067fb4b329df6a4067ecc82f78f810a103068

SHA256
8c3b5663c3b4de4788d70835a71cd828df92a956cd51f0b4cd576a48cf81a820

SHA512
99736d92862e67f6bdb18df86b0504ba0e049260fe73aea5e8641092d096e4f668808584373fea03d8eef61e3627fa6827787a90385fd7d6147cd66e8d8c8300

Download Submit
C:\Users\Admin\Desktop\VAULT.hta

Filesize
4KB

MD5
bd8577184fec08569ac3b53c8fea8644

SHA1
e80067fb4b329df6a4067ecc82f78f810a103068

SHA256
8c3b5663c3b4de4788d70835a71cd828df92a956cd51f0b4cd576a48cf81a820

SHA512
99736d92862e67f6bdb18df86b0504ba0e049260fe73aea5e8641092d096e4f668808584373fea03d8eef61e3627fa6827787a90385fd7d6147cd66e8d8c8300

Download Submit
C:\VAULT.KEY

Filesize
1KB

MD5
64a18ce60fa7843f9c828cffd339bad9

SHA1
58c50a7bc361de9df764cac7da491fd6d19a91aa

SHA256
f8bcc2ebf43c1be01a57de0ee9783d06f1627e5d4273d6f6ebbcd0edca770e5e

SHA512
9d9b398c3e28e75cf66f6e34f697804d490371a840dabeeb0dc9e74cf079dce5f6d8f49abd8f258657bbd04d7f7f03aa4453a83e566372ebf4c4f3b3d2bcb4b9

Download Submit
C:\VAULT.KEY

Filesize
1KB

MD5
d32314d0f3bdc752286263cf0199bdee

SHA1
14ba33f922fe7972b8b725796de17cb326e9a4b0

SHA256
c00154744bed4f46ac7afec536d37f2964cb40b3542a787daba4cd358aee3977

SHA512
e1b77ede0cc01ea59d8e93a8b075ddd0a20d049b0f4ec1f28b2cf904c927d097507abc626d46ba37df7edb4387e421b542a179f49c9cbc4f76a5714c3d422c6c

Download Submit
C:\VAULT.KEY

Filesize
1KB

MD5
64a18ce60fa7843f9c828cffd339bad9

SHA1
58c50a7bc361de9df764cac7da491fd6d19a91aa

SHA256
f8bcc2ebf43c1be01a57de0ee9783d06f1627e5d4273d6f6ebbcd0edca770e5e

SHA512
9d9b398c3e28e75cf66f6e34f697804d490371a840dabeeb0dc9e74cf079dce5f6d8f49abd8f258657bbd04d7f7f03aa4453a83e566372ebf4c4f3b3d2bcb4b9

Download Submit
C:\VAULT.KEY

Filesize
1KB

MD5
64a18ce60fa7843f9c828cffd339bad9

SHA1
58c50a7bc361de9df764cac7da491fd6d19a91aa

SHA256
f8bcc2ebf43c1be01a57de0ee9783d06f1627e5d4273d6f6ebbcd0edca770e5e

SHA512
9d9b398c3e28e75cf66f6e34f697804d490371a840dabeeb0dc9e74cf079dce5f6d8f49abd8f258657bbd04d7f7f03aa4453a83e566372ebf4c4f3b3d2bcb4b9

Download Submit
\Users\Admin\AppData\Local\Temp\F2BFD3CE9C25.exe

Filesize
152KB

MD5
78c0fd404013b383118911009d0384db

SHA1
75535aa0caef3a54ae373be8f91b521cf640e0b4

SHA256
002c428f1eb592b922fb31d11d71d4a8a95ac2804274f969709a2549740a633a

SHA512
213edf2156aed06778f72f81bc0b26bbfcd8ca132e02f88994443277c44e9de91ed6935fb1a38a646c328b552324beafe5beaf7b3d7a830de55a822770222b95

Download Submit
\Users\Admin\AppData\Local\Temp\F2BFD3CE9C25.exe

Filesize
152KB

MD5
78c0fd404013b383118911009d0384db

SHA1
75535aa0caef3a54ae373be8f91b521cf640e0b4

SHA256
002c428f1eb592b922fb31d11d71d4a8a95ac2804274f969709a2549740a633a

SHA512
213edf2156aed06778f72f81bc0b26bbfcd8ca132e02f88994443277c44e9de91ed6935fb1a38a646c328b552324beafe5beaf7b3d7a830de55a822770222b95

Download Submit
\Users\Admin\AppData\Local\Temp\F2BFD3CE9C25.exe

Filesize
152KB

MD5
78c0fd404013b383118911009d0384db

SHA1
75535aa0caef3a54ae373be8f91b521cf640e0b4

SHA256
002c428f1eb592b922fb31d11d71d4a8a95ac2804274f969709a2549740a633a

SHA512
213edf2156aed06778f72f81bc0b26bbfcd8ca132e02f88994443277c44e9de91ed6935fb1a38a646c328b552324beafe5beaf7b3d7a830de55a822770222b95

Download Submit
memory/1084-154-0x0000000003640000-0x0000000003642000-memory.dmp

Filesize
8KB

Download
memory/1368-11-0x00000000001E0000-0x00000000001E5000-memory.dmp

Filesize
20KB

Download
memory/1848-153-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1848-141-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1848-143-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1848-149-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1848-151-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1848-152-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1944-16-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/1944-17-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/1944-95-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/1944-12-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/1944-13-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/1944-15-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/1944-132-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/1944-28-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/1944-26-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/1944-25-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/1944-24-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/1944-18-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/1944-21-0x0000000000400000-0x0000000000978000-memory.dmp

Filesize
5.5MB

Download
memory/1944-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2644-150-0x00000000704CD000-0x00000000704D8000-memory.dmp

Filesize
44KB

Download
memory/2644-148-0x000000002F5B0000-0x000000002F70D000-memory.dmp

Filesize
1.4MB

Download
memory/2644-134-0x00000000704CD000-0x00000000704D8000-memory.dmp

Filesize
44KB

Download
memory/2644-133-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2644-29-0x000000002F5B0000-0x000000002F70D000-memory.dmp

Filesize
1.4MB

Download
memory/2960-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2960-27-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download