wannacry | hxxps://tinyurl[.]com/adasaf0

Analysis

max time kernel
437s
max time network
440s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
23/12/2023, 17:52

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://tinyurl.com/adasaf0

Score

10^/10

wannacry discovery persistence ransomware worm

Malware Config

Extracted

Path

C:\Users\Admin\Documents\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDFD8F.tmp	Proforma Invoice and Bank swift-REG.PI-0086547654.exe

Executes dropped EXE 35 IoCs

pid	Process
2576	taskdl.exe
2560	@[email protected]
3004	@[email protected]
1628	taskhsvc.exe
2756	taskdl.exe
2176	taskse.exe
288	@[email protected]
2896	taskdl.exe
896	taskse.exe
2900	@[email protected]
2964	taskdl.exe
676	taskse.exe
2196	@[email protected]
2960	taskse.exe
1176	@[email protected]
2768	taskdl.exe
1136	taskse.exe
2352	@[email protected]
1104	taskdl.exe
1692	taskse.exe
3044	@[email protected]
1736	taskdl.exe
2272	taskse.exe
1836	@[email protected]
2184	taskdl.exe
1784	taskse.exe
2356	@[email protected]
2232	taskdl.exe
2620	taskse.exe
2392	@[email protected]
2788	taskdl.exe
2936	taskse.exe
1552	@[email protected]
2744	taskdl.exe
2556	taskhsvc.exe

Loads dropped DLL 64 IoCs

pid	Process
1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe
1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe
1240	cscript.exe
1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe
1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe
2948	cmd.exe
2948	cmd.exe
2560	@[email protected]
2560	@[email protected]
1628	taskhsvc.exe
1628	taskhsvc.exe
1628	taskhsvc.exe
1628	taskhsvc.exe
1628	taskhsvc.exe
1628	taskhsvc.exe
1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe
1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe
1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe
1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe
1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe
1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe
1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe
1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe
1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe
1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe
1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe
1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe
1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe
1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe
1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe
1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe
1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe
1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe
1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe
1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe
1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe
1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe
1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe
1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe
1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe
1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe
1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe
1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe
1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe
1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe
1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe
1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe
1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe
1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe
1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe
1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe
1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe
1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe
1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe
1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe
1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe
1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe
1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe
1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe
1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe
1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe
1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe
1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe
1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1624	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ihjahwzyu634 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_Request for Quotation (RFQ_196).zip\\tasksche.exe\""	reg.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	Proforma Invoice and Bank swift-REG.PI-0086547654.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1572	vssadmin.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = e00928ebc835da01	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 56 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "111"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "808"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\mediafire.com\Total = "124"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.mediafire.com\ = "51"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.mediafire.com\ = "808"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\mediafire.com\Total = "808"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "124"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 203ae6f8c835da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\mediafire.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\mediafire.com\Total = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\mediafire.com\Total = "51"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002213d23592f6d648a137f9bf65c22cfa0000000002000000000010660000000100002000000034f5bf82d99e2e2826e044a4c2eee2dbb2d90ef48ebb2c3afa12c542b720c443000000000e8000000002000020000000717a696ffa3b745f4eb58bcb56e632156148adf2d2c82633fb5012dda57b49c69000000038ff7fe62dde3bf306d35152d366af495e7e2a0cbe61271091014c2fb8921a7f53d75c586fdafcc1f6e8c5839b86e0c0cfd558fa7acc6ab33d3e4a35312ebe9c73cc31f7a48f0300dd4bf82f870e7d29dd866e978177d1c13bcbe62ca453c12ba4461a8454b976a11204fced454d93e4f13515934c4a08caa6bbffea42988640a10db5d8fe87afabccd488ce2f7bc477400000001d6d832516a16d0f626a9f732d7e46cfd7c575c5b579ac852e4ba629745b62e277eb96426a8cbd5c9868e4a06020e4c64db7eb9774a0e1e0c5c1d903caa8d4d8	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.mediafire.com\ = "111"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.mediafire.com\ = "124"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\mediafire.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.mediafire.com	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002213d23592f6d648a137f9bf65c22cfa0000000002000000000010660000000100002000000027c04a403136ac3b2e2de6f8cb721f517e64924b9886ad002c28e8de10919f35000000000e80000000020000200000000238e2481b44e2409d12444503f81f5875591ce099f306739b0c3895d2385566200000003b6d1904e0ec5a5c08209b94034b5db3c614b1507040fabcf9ad08774eee0fdb400000007c989688becba7d390f79c4a3a0b9deaade750e4e5fdd6d57614911734d61abf9be00ff8b768e1f2d0edcf84aaa110b5816b92e69d2966feccc1e62cc40b24df	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "51"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\mediafire.com\Total = "111"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "409515848"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{15E85F91-A1BC-11EE-93E5-4A7F2EE8F0A9} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.mediafire.com\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1996	reg.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1628	taskhsvc.exe
1628	taskhsvc.exe
1628	taskhsvc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
288	@[email protected]

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	1308	vssvc.exe
Token: SeRestorePrivilege	1308	vssvc.exe
Token: SeAuditPrivilege	1308	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1140	WMIC.exe
Token: SeSecurityPrivilege	1140	WMIC.exe
Token: SeTakeOwnershipPrivilege	1140	WMIC.exe
Token: SeLoadDriverPrivilege	1140	WMIC.exe
Token: SeSystemProfilePrivilege	1140	WMIC.exe
Token: SeSystemtimePrivilege	1140	WMIC.exe
Token: SeProfSingleProcessPrivilege	1140	WMIC.exe
Token: SeIncBasePriorityPrivilege	1140	WMIC.exe
Token: SeCreatePagefilePrivilege	1140	WMIC.exe
Token: SeBackupPrivilege	1140	WMIC.exe
Token: SeRestorePrivilege	1140	WMIC.exe
Token: SeShutdownPrivilege	1140	WMIC.exe
Token: SeDebugPrivilege	1140	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1140	WMIC.exe
Token: SeRemoteShutdownPrivilege	1140	WMIC.exe
Token: SeUndockPrivilege	1140	WMIC.exe
Token: SeManageVolumePrivilege	1140	WMIC.exe
Token: 33	1140	WMIC.exe
Token: 34	1140	WMIC.exe
Token: 35	1140	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1140	WMIC.exe
Token: SeSecurityPrivilege	1140	WMIC.exe
Token: SeTakeOwnershipPrivilege	1140	WMIC.exe
Token: SeLoadDriverPrivilege	1140	WMIC.exe
Token: SeSystemProfilePrivilege	1140	WMIC.exe
Token: SeSystemtimePrivilege	1140	WMIC.exe
Token: SeProfSingleProcessPrivilege	1140	WMIC.exe
Token: SeIncBasePriorityPrivilege	1140	WMIC.exe
Token: SeCreatePagefilePrivilege	1140	WMIC.exe
Token: SeBackupPrivilege	1140	WMIC.exe
Token: SeRestorePrivilege	1140	WMIC.exe
Token: SeShutdownPrivilege	1140	WMIC.exe
Token: SeDebugPrivilege	1140	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1140	WMIC.exe
Token: SeRemoteShutdownPrivilege	1140	WMIC.exe
Token: SeUndockPrivilege	1140	WMIC.exe
Token: SeManageVolumePrivilege	1140	WMIC.exe
Token: 33	1140	WMIC.exe
Token: 34	1140	WMIC.exe
Token: 35	1140	WMIC.exe
Token: SeTcbPrivilege	2176	taskse.exe
Token: SeTcbPrivilege	2176	taskse.exe
Token: SeTcbPrivilege	896	taskse.exe
Token: SeTcbPrivilege	896	taskse.exe
Token: SeTcbPrivilege	676	taskse.exe
Token: SeTcbPrivilege	676	taskse.exe
Token: SeTcbPrivilege	2960	taskse.exe
Token: SeTcbPrivilege	2960	taskse.exe
Token: SeTcbPrivilege	1136	taskse.exe
Token: SeTcbPrivilege	1136	taskse.exe
Token: SeTcbPrivilege	1692	taskse.exe
Token: SeTcbPrivilege	1692	taskse.exe
Token: SeTcbPrivilege	2272	taskse.exe
Token: SeTcbPrivilege	2272	taskse.exe
Token: SeTcbPrivilege	1784	taskse.exe
Token: SeTcbPrivilege	1784	taskse.exe
Token: SeTcbPrivilege	2620	taskse.exe
Token: SeTcbPrivilege	2620	taskse.exe
Token: SeTcbPrivilege	2936	taskse.exe
Token: SeTcbPrivilege	2936	taskse.exe
Token: 33	1124	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2780	iexplore.exe
2780	iexplore.exe

Suspicious use of SetWindowsHookEx 23 IoCs

pid	Process
2780	iexplore.exe
2780	iexplore.exe
2704	IEXPLORE.EXE
2704	IEXPLORE.EXE
2704	IEXPLORE.EXE
2704	IEXPLORE.EXE
2560	@[email protected]
2560	@[email protected]
3004	@[email protected]
3004	@[email protected]
288	@[email protected]
288	@[email protected]
2900	@[email protected]
2196	@[email protected]
1176	@[email protected]
2352	@[email protected]
3044	@[email protected]
1836	@[email protected]
2356	@[email protected]
2392	@[email protected]
1552	@[email protected]
2704	IEXPLORE.EXE
2704	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 2704	2780	iexplore.exe	28
PID 2780 wrote to memory of 2704	2780	iexplore.exe	28
PID 2780 wrote to memory of 2704	2780	iexplore.exe	28
PID 2780 wrote to memory of 2704	2780	iexplore.exe	28
PID 1532 wrote to memory of 1592	1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe	34
PID 1532 wrote to memory of 1592	1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe	34
PID 1532 wrote to memory of 1592	1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe	34
PID 1532 wrote to memory of 1592	1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe	34
PID 1532 wrote to memory of 1624	1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe	35
PID 1532 wrote to memory of 1624	1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe	35
PID 1532 wrote to memory of 1624	1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe	35
PID 1532 wrote to memory of 1624	1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe	35
PID 1532 wrote to memory of 2576	1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe	38
PID 1532 wrote to memory of 2576	1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe	38
PID 1532 wrote to memory of 2576	1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe	38
PID 1532 wrote to memory of 2576	1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe	38
PID 1532 wrote to memory of 852	1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe	39
PID 1532 wrote to memory of 852	1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe	39
PID 1532 wrote to memory of 852	1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe	39
PID 1532 wrote to memory of 852	1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe	39
PID 852 wrote to memory of 1240	852	cmd.exe	41
PID 852 wrote to memory of 1240	852	cmd.exe	41
PID 852 wrote to memory of 1240	852	cmd.exe	41
PID 852 wrote to memory of 1240	852	cmd.exe	41
PID 1532 wrote to memory of 2044	1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe	42
PID 1532 wrote to memory of 2044	1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe	42
PID 1532 wrote to memory of 2044	1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe	42
PID 1532 wrote to memory of 2044	1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe	42
PID 1532 wrote to memory of 2560	1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe	46
PID 1532 wrote to memory of 2560	1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe	46
PID 1532 wrote to memory of 2560	1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe	46
PID 1532 wrote to memory of 2560	1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe	46
PID 1532 wrote to memory of 2948	1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe	45
PID 1532 wrote to memory of 2948	1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe	45
PID 1532 wrote to memory of 2948	1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe	45
PID 1532 wrote to memory of 2948	1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe	45
PID 2948 wrote to memory of 3004	2948	cmd.exe	48
PID 2948 wrote to memory of 3004	2948	cmd.exe	48
PID 2948 wrote to memory of 3004	2948	cmd.exe	48
PID 2948 wrote to memory of 3004	2948	cmd.exe	48
PID 2560 wrote to memory of 1628	2560	@[email protected]	49
PID 2560 wrote to memory of 1628	2560	@[email protected]	49
PID 2560 wrote to memory of 1628	2560	@[email protected]	49
PID 2560 wrote to memory of 1628	2560	@[email protected]	49
PID 3004 wrote to memory of 1072	3004	@[email protected]	51
PID 3004 wrote to memory of 1072	3004	@[email protected]	51
PID 3004 wrote to memory of 1072	3004	@[email protected]	51
PID 3004 wrote to memory of 1072	3004	@[email protected]	51
PID 1072 wrote to memory of 1572	1072	cmd.exe	53
PID 1072 wrote to memory of 1572	1072	cmd.exe	53
PID 1072 wrote to memory of 1572	1072	cmd.exe	53
PID 1072 wrote to memory of 1572	1072	cmd.exe	53
PID 1072 wrote to memory of 1140	1072	cmd.exe	55
PID 1072 wrote to memory of 1140	1072	cmd.exe	55
PID 1072 wrote to memory of 1140	1072	cmd.exe	55
PID 1072 wrote to memory of 1140	1072	cmd.exe	55
PID 1532 wrote to memory of 2756	1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe	57
PID 1532 wrote to memory of 2756	1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe	57
PID 1532 wrote to memory of 2756	1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe	57
PID 1532 wrote to memory of 2756	1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe	57
PID 1532 wrote to memory of 2176	1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe	58
PID 1532 wrote to memory of 2176	1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe	58
PID 1532 wrote to memory of 2176	1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe	58
PID 1532 wrote to memory of 2176	1532	Proforma Invoice and Bank swift-REG.PI-0086547654.exe	58

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2044	attrib.exe
1592	attrib.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://tinyurl.com/adasaf0
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2780 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2704

C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\Proforma Invoice and Bank swift-REG.PI-0086547654.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\Proforma Invoice and Bank swift-REG.PI-0086547654.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - Views/modifies file attributes
  PID:1592
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1624
- C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2576
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 24971703354065.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Windows\SysWOW64\cscript.exe
    cscript.exe //nologo m.vbs
    3⤵
    - Loads dropped DLL
    PID:1240
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +s F:\$RECYCLE
  2⤵
  - Views/modifies file attributes
  PID:2044
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\@[email protected]
    @[email protected] vs
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1072
    - - C:\Windows\SysWOW64\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:1572
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1140
- C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\@[email protected]
  @[email protected] co
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\TaskData\Tor\taskhsvc.exe
    TaskData\Tor\taskhsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:1628
- - C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\TaskData\Tor\taskhsvc.exe
    TaskData\Tor\taskhsvc.exe
    3⤵
    - Executes dropped EXE
    PID:2556
- C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2176
- C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:288
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ihjahwzyu634" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\tasksche.exe\"" /f
  2⤵
  PID:1448
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ihjahwzyu634" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\tasksche.exe\"" /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:1996
- C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2896
- C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:896
- C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2900
- C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:676
- C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2196
- C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2960
- C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1176
- C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1136
- C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2352
- C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:1104
- C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1692
- C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3044
- C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:1736
- C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2272
- C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1836
- C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2184
- C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1784
- C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2356
- C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2232
- C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2620
- C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2392
- C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2936
- C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1552
- C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2744

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1308

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1832

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x214
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1124

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2125aeab2e7d63a5cb60a27ba0ccb560

SHA1
5a762b4fe211e8435171480c10c86ab734d284c9

SHA256
a4aecaeeeba67e77466de2c1a1d35ef54de06b18d906b697b3939aace09e8a21

SHA512
1d700755921fa7caf7604dd9e0cdc346a58c6facca48893e84bcad1488171dd5211586fb184e4f8c7821cb082361aba4ef6774aa742ecc3baeaa26ce817df2c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6dc8ca81f7ef6c6dd67d289dae64d4a4

SHA1
8730a03fdf9b26ea86758ec90d139ed9d776b625

SHA256
81d5df9f5f5f3dc05e8b40470bad5e6d384cd99364b6d6f8c72cee4884e865c8

SHA512
96e42d7f5b7c78837d450734b94245fb51dd1f8fa0bcdf07cbe3f5eb5db862eb6f2bd02ce42c8dd18f40d23c0943b7eb709ce8bb279484330e8a33743b9082a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
65898372292c7d366622b8cb8555cfb6

SHA1
21d9fa313f4a59388639b9ce55f98cba195722f2

SHA256
4211b260c8d2496585acab1edf139c2c899b408394b6eedce95e999bd177ef72

SHA512
3b50ee12c2ef9e5ed827bb41e1a97095786e7ac4a5b9adee48815b9aee7a9bcdb7344acc88663443c4ac41fc5e759a7c9488e7ab727e3f7a1c56ba603cb21767

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
94ced31f0a598ee015a53f62649e9c73

SHA1
7d2402ab1f609973442ff0b532b8570b866ddbf7

SHA256
fe74d9b02d8e1313a4ebf3f9c04f3f40e83fd7ae4bdf5466379a138f960d219f

SHA512
7454a3ca9e455e0907a9b5ef20fd3bf2c24f466c1e90e44512fd1b6b801ad799b28a54a6697494723f1ac88306ef3f3016b71fbf1f8b3543884c78a5a9709c7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
545ffe205284f1ad7caec79c03aedfe5

SHA1
7ddc419013c5f2a580e17e6803279f82a18c6199

SHA256
7b9c7d92e6aa5040ef482ba32a567971d96f23a66e516c644a19aad6576f6719

SHA512
1aa544a53d64a9173fabff8a0c76c99eac511183fdeee9d3ef63b34f566542145943fc63ae29d62b57d2960a53ac2dd35721f0dbba82e5538b4861b628b55831

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9933750f3543c21b68768bb7ba7d87da

SHA1
f89465fb15d0124831b5bd5c496478291d1770e3

SHA256
8ecb43970e7168cb112f4e6535b5d8dd95809fa5fa2c08c36426125dfb7b5589

SHA512
0a86a736154b230655532336f58ea1b3ffda0f5eef1fc9a4ad73b054185b5ae74a03910ffb71240168ba72754ffd93098da35517047a91cdac9cfdf4777b61a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7969828f948cc394939e9465be8ff3c1

SHA1
0b861731487b7356f583f2e9d13004bb4da3d40a

SHA256
e0911d4f77f65fb3b374ca4bea813d4413a570f4ea4f3c9397c67195c1704691

SHA512
0c5188147f02effc6dcd641e0e8d324e6a5a1e01ea2e26b401b5d765cbf24a3e11007501d73d52e7ef31f7af7a130727e8fc2bfee65256fb21af6e5f557d6e09

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
70c8b35e5f97858b417d3d1879e40906

SHA1
6850beadd51b0939ad0746d052b50a96a27b54f7

SHA256
bbbd4f386b8a81f421e58900f082ecd428bf263ceb0c845a0d135162c0b5e4b7

SHA512
7860dad8bc246eb44468f23a5f8aecbf2d92e072b24bdfaefd8a51172de7d218f6be3795cc23d17331b78d21303dbc1061b5a9bbe3236ac06fadb4dfa0bfa8b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d345c46e0963798cc9b8c002b0c58b6b

SHA1
b1ccfa93fd23a79b8bf51f4beebbda4520246630

SHA256
8f7460e6fa34cb52cc4c34b6f71d61a80300b1366c69878b9e93eadd6897d7c6

SHA512
8de209ac3864e0c84e4235b878c9fd61385e0367b237d3a5be2ff4291a556dfd736c1ad6900ac94c372c7558abc00397044e04b85e92417abcb5056b40ccee8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
38b8fa90762cd838ffacb511f92f7fea

SHA1
94c1448994ae94e91f342bf073d3753d5c994c4e

SHA256
b0b8d17609e9dae9c6a7d5581d527cdce7c7f2ffae39cc19788ae8626e650d30

SHA512
2fe3c03414bea7b5e5984a1f684a6110139b5e67daf764e382d21e99a3749f68eece6f22f67538767f8e8575c50ad85ed4d619cbfbfc9569ef102d033d2a413a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3df53c51d55288d5ea6b10ed79e4c563

SHA1
9ca6cd3fa713b6ef618be2d1502ba2f2b04e9cf0

SHA256
1dbdffc749c23f9f0851ff0aa424e71178fac397ac5a0b64ef84d71d2e097d3a

SHA512
373587c664a73901427700e6ffa7345cb4b1f3eafd424d07a603f1661998e9efa3674e4ad3518ae0291e210cb00d1d2cc24b0e3f91ef1f7843a4f3958bf540eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
97b8ab40f8c1fac34eb4c3c56c4a8bcc

SHA1
8d61a910a67d7e2aef6c0c278004a62d96827bdf

SHA256
7d9ea02c45285c801a551d436f51c1e73d8f6766a9e4f9f5386f1f9168113bc2

SHA512
ddf3eb4c5a9ff293896f53c7b942dfeb09102895cb33c9e4e322a5be30bfe8e447512576fa96066f769636aaa875e7cfaf3846af9d992ae09375da9da728afc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
92bdb18d53c70c76140bbefdbf65d118

SHA1
d43b2cdac293d39a7332b32cd269d695047d7a16

SHA256
fa7eec3badf27b1d587d12397e2f29c165835dbb11049528852ce4f2805f07ac

SHA512
f1f25a1bb1497789b924263811dfe14e0af634a29df7cac1cf05f9888bf99073108ed2d496ac602a7d165d9e638a2b6a95e0fa0c86bb3cc32cd3df18c3c97911

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ca1432f1746198c922d1aae0212e69be

SHA1
04373102fc4b860e4bd9408fc5e633bfd6c0cbf9

SHA256
2f786944676412bc490359cc955736168d95db309c73d56a03f70f0b88f6b3a1

SHA512
97b7489396e69b16c5ea4cf6decdcc42ba1fbe6237d6ba5b2c11c3393a44d0fa9d205d99c678e2a48b504110029860efbcfbd9fc9a94b8516da6cd75af6ab2a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b1036273e701a4dd1e69f8b052f877f4

SHA1
2e64a9df83489fbbd163fdbe1dd8245443edcd7e

SHA256
d0c225a1025f01eb30c49701dd6f79a73f7d45c4a7f1fe19f51dad9baa526a1c

SHA512
4d055891250bbbb20753e7148ace5f47f22d7c4d9fefe2f330235b96b53c496339709e4c740a0d4a651a07b101dd6a3d9307d1461c044e7925d7560533a49c12

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
df002badf4a862c2cd863037f85b24a1

SHA1
403257055ffa308f949f696e3a4ac758de515da2

SHA256
547b7fe11219910a54fd5ba817704858eb7d710711e181c181e911fcd787fb38

SHA512
723e24f8651186718bff6c111a0374f445ce8a8c56af6e63aa7cdf036657d267e7f4758975c9d170a3b44bfc6b5714a49a0ecd07b2a239c30049c46dfdaedec2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0bb80413f5cc96bf84048f9b0be25857

SHA1
cac539ea960311f4fc2363b02eb46eb925321021

SHA256
63898ee9b8281b09b84a9a3677e953a0fcb883207680503a0661a49930910fac

SHA512
93da6d3460bb0d63c12e87f8d43150921a8fb149512cc1105b05eadb7bab1294cbf9301e92bb85a113e7176807106d406d71306a9cc6620c5a386cf65ea7823d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
79d519b5bbf05ffd1321cd94ebb2e359

SHA1
c6be9cf1d08151b5efd0c90069553babf293ffd5

SHA256
57a945f75677945deaa7b53683abf5bdbd130ff61338263494c2963a43e34df1

SHA512
a6e117caa712fe3822b80e7304e6f49ddd6940c5a63305d0b5283eedcd392c2bce1069f6e7b964a44b2ce623b0c8d954fc6e823d29a70b18e4d9829e6de5c87e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0affabe8dd09e7b84ab26c9113f5d05d

SHA1
a58d1cb9924d4625ac8b02fc4e72c4fe6556c73b

SHA256
e847e2a8c62e28e2d682203e7af58f77a7c342c72e0ea33cd009180b6468d62c

SHA512
fafe6e8d1b6446a025066147d43827a3feb35f776851ea31d03fc53d2bf7704d3b5ee385bd8e2a2abc3d86861f46e73855a47a697fdbe7b098bb177b94bad9c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
02086949c146a376fc334a1002f0350a

SHA1
a4f8d487172c4f48725af9b83ce8ccc91564434e

SHA256
1cf71edfa67f7a5becaeeeeaff76a73aff469597ec90ded7ba5e84225a7533b9

SHA512
d1490a64410a0ceda56a5afb9c5e233fd98ecd4869545b2dcaf3f2b49d0aa5d000aa3dd3a996888caf7ceb1e6023d2a361f84d60d93cd72b72802dc48a7a824c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\8UCH803N\www.mediafire[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\8UCH803N\www.mediafire[1].xml

Filesize
1KB

MD5
81d429d7a58f1ed3216871b9bc678827

SHA1
d845d37a66d995113822479f48a56cb41b48a492

SHA256
8b9d012565d954d10985a8f61e0ad9f18b24d087145d355985867592f89f1957

SHA512
f6fa6d696a7640b1a051a24d1136b106ef869d9a870d06c43b8a35f3a35820285975c1570043f6df38add70df91569ce0d3a0d06b44e34e53c9eafc71a5ae873

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\t83hqs9\imagestore.dat

Filesize
11KB

MD5
d952271bd0a1f29b721fe3fab48e8833

SHA1
a3dee9a10e3153590bcbd0617d572f199d78e4ae

SHA256
2515634dd4325616afab51ead6e7b6115af1069dff38e4bb627821f5247daab9

SHA512
5018f9e4f18b79c7685c4f4148c57f1780db08aa9a921f875e03ef281f33a9ea101d09f94ba2b6d65c55e3b3bf7edd05b19125aca4c363f0504cf0f24f044f74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E25VF8N4\favicon[1].ico

Filesize
10KB

MD5
a301c91c118c9e041739ad0c85dfe8c5

SHA1
039962373b35960ef2bb5fbbe3856c0859306bf7

SHA256
cdc78cc8b2994712a041a2a4cb02f488afbab00981771bdd3a8036c2dddf540f

SHA512
3a5a2801e0556c96574d8ab5782fc5eab0be2af7003162da819ac99e0737c8876c0db7b42bb7c149c4f4d9cfe61d2878ff1945017708f5f7254071f342a6880a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YT4IJQ91\Request for Quotation (RFQ_196).zip.b1vqg73.partial

Filesize
3.3MB

MD5
d69dc6569b385c0467185d002e252d89

SHA1
25938a66cce0078c76a15f351cbd19c8fcc2b081

SHA256
80239619c4ca44380c6269873a5b6b695585ccfcf278e0f2c72698658a3a6fd8

SHA512
54ebf42bcfd6ae5990309cfebe6b2952de40e64988cdcd3e71db596a69b9cd782b32240c2009d9241ffcd8c7e0476bc36bad40d2443e128afdad3bbb8e55e895

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9511.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9533.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\00000000.res

Filesize
136B

MD5
bc9d79fc44a8da9b0d274914e2112f8f

SHA1
90f41384eb292c95b5a5fb1900f642ce1db852d2

SHA256
d0e88ad10a307d942ab9e006f904f996ac6e7249c88f42c764e26cb83188fab4

SHA512
8b9a96992769757d16d6438f097481542ab99212c66ea9dc5d79d636ba9dfbb4a61525a14133146bcf07db82227fe3e345c6d33e6207b2257fbaecdfdb0d5fda

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\24971703354065.bat

Filesize
424B

MD5
eb8accf64257a28afd922f57c2d6dea3

SHA1
d99429a4da358a90f40e77a67d1ddd2b91e87414

SHA256
c1107849e69e4d2f155d98cd85eece0a20f4cbd2c0aa4cb030d55f73031a7251

SHA512
10bb53d57522734f85831f30b437513b39eb070f96e66f5e9210e6c5c813f78e608522cad843517744b3996b425e05f1e00cc67f393e1c2e4a72aeab50878552

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\@[email protected]

Filesize
1KB

MD5
05eb594cb7c3228f4a1da584dc33201c

SHA1
73b6c38ae7b81860fc3154b1f6c882ccba4bc780

SHA256
f32508014b915e9a8541037fa531f14066352b14f4c6e58182b7878f75b69ee6

SHA512
9ea3b40e81f8f443735157b14a1e9cd01bb3750017d0b924628ec60df88d07fa9b6cadd30d88a0c87e3f49ed320031685f7833941e5c317c919b8ea218c17432

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\TaskData\Tor\taskhsvc.exe

Filesize
1.1MB

MD5
54764f900b2349e0d75e9fea754565ff

SHA1
f669af82b30cf7087eab4b95e962a930a886256c

SHA256
053167ac71dd436a733e6923f7df01b59c5e527b6c9c023f91b5970b52275cea

SHA512
51b2275a59adf65951b18ff2fcc1e1ce9273b991acf98279eb995932b55f8a3d6d3c418cd3b0d810013cf30bc72f733ef4072f27201d650cae47b46bd96af907

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\TaskData\Tor\taskhsvc.exe

Filesize
1024KB

MD5
3f23f2cfa64033650434f7914840b48b

SHA1
91b62bbea9e51c8b107cb4b8025005d011426bce

SHA256
160bb465567e1d26f2b0b875553cc206a5331eae5e91f4776afd1620e5903a70

SHA512
e01c137445de9bf36913af24565184f2c0ef02b97371fa1e010df8eaf3881e29765b2f4101e046054134f64226a28078432c3754671e87c839fe0c672b68ebfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\c.wnry

Filesize
780B

MD5
8124a611153cd3aceb85a7ac58eaa25d

SHA1
c1d5cd8774261d810dca9b6a8e478d01cd4995d6

SHA256
0ceb451c1dbefaa8231eeb462e8ce639863eb5b8ae4fa63a353eb6e86173119e

SHA512
b9c8dfb5d58c95628528cc729d2394367c5e205328645ca6ef78a3552d9ad9f824ae20611a43a6e01daaffeffdc9094f80d772620c731e4192eb0835b8ed0f17

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\m.vbs

Filesize
303B

MD5
c49b4b0f24fdf47a5d35059373454588

SHA1
c56960f26db4a4e1f2b2900530c5f8a40e4867ef

SHA256
ecbf8415d6f5c0c88571774fd883671b3801f9dadfaa1b99e09c03b406dad7ed

SHA512
b106b8066c7db9db5f4bca2ac28460843a9a3d5f7c9b5e566630726cb6334d81532d0968e55c23078225d2dc3320b444561718f409b1dd0530d1f59dda4dba35

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\msg\m_chinese (traditional).wnry

Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\msg\m_croatian.wnry

Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\msg\m_czech.wnry

Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\msg\m_danish.wnry

Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\msg\m_dutch.wnry

Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\msg\m_english.wnry

Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\msg\m_french.wnry

Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\msg\m_german.wnry

Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\msg\m_greek.wnry

Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\msg\m_indonesian.wnry

Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\msg\m_italian.wnry

Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\msg\m_japanese.wnry

Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\msg\m_korean.wnry

Filesize
89KB

MD5
6735cb43fe44832b061eeb3f5956b099

SHA1
d636daf64d524f81367ea92fdafa3726c909bee1

SHA256
552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0

SHA512
60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\msg\m_latvian.wnry

Filesize
40KB

MD5
c33afb4ecc04ee1bcc6975bea49abe40

SHA1
fbea4f170507cde02b839527ef50b7ec74b4821f

SHA256
a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536

SHA512
0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\msg\m_norwegian.wnry

Filesize
36KB

MD5
ff70cc7c00951084175d12128ce02399

SHA1
75ad3b1ad4fb14813882d88e952208c648f1fd18

SHA256
cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a

SHA512
f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\msg\m_polish.wnry

Filesize
38KB

MD5
e79d7f2833a9c2e2553c7fe04a1b63f4

SHA1
3d9f56d2381b8fe16042aa7c4feb1b33f2baebff

SHA256
519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e

SHA512
e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\msg\m_portuguese.wnry

Filesize
37KB

MD5
fa948f7d8dfb21ceddd6794f2d56b44f

SHA1
ca915fbe020caa88dd776d89632d7866f660fc7a

SHA256
bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66

SHA512
0d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\msg\m_romanian.wnry

Filesize
50KB

MD5
313e0ececd24f4fa1504118a11bc7986

SHA1
e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d

SHA256
70c0f32ed379ae899e5ac975e20bbbacd295cf7cd50c36174d2602420c770ac1

SHA512
c7500363c61baf8b77fce796d750f8f5e6886ff0a10f81c3240ea3ad4e5f101b597490dea8ab6bd9193457d35d8fd579fce1b88a1c8d85ebe96c66d909630730

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\msg\m_russian.wnry

Filesize
46KB

MD5
452615db2336d60af7e2057481e4cab5

SHA1
442e31f6556b3d7de6eb85fbac3d2957b7f5eac6

SHA256
02932052fafe97e6acaaf9f391738a3a826f5434b1a013abbfa7a6c1ade1e078

SHA512
7613dc329abe7a3f32164c9a6b660f209a84b774ab9c008bf6503c76255b30ea9a743a6dc49a8de8df0bcb9aea5a33f7408ba27848d9562583ff51991910911f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\msg\m_slovak.wnry

Filesize
40KB

MD5
c911aba4ab1da6c28cf86338ab2ab6cc

SHA1
fee0fd58b8efe76077620d8abc7500dbfef7c5b0

SHA256
e64178e339c8e10eac17a236a67b892d0447eb67b1dcd149763dad6fd9f72729

SHA512
3491ed285a091a123a1a6d61aafbb8d5621ccc9e045a237a2f9c2cf6049e7420eb96ef30fdcea856b50454436e2ec468770f8d585752d73fafd676c4ef5e800a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\msg\m_spanish.wnry

Filesize
36KB

MD5
8d61648d34cba8ae9d1e2a219019add1

SHA1
2091e42fc17a0cc2f235650f7aad87abf8ba22c2

SHA256
72f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1

SHA512
68489c33ba89edfe2e3aebaacf8ef848d2ea88dcbef9609c258662605e02d12cfa4ffdc1d266fc5878488e296d2848b2cb0bbd45f1e86ef959bab6162d284079

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\msg\m_swedish.wnry

Filesize
37KB

MD5
c7a19984eb9f37198652eaf2fd1ee25c

SHA1
06eafed025cf8c4d76966bf382ab0c5e1bd6a0ae

SHA256
146f61db72297c9c0facffd560487f8d6a2846ecec92ecc7db19c8d618dbc3a4

SHA512
43dd159f9c2eac147cbff1dda83f6a83dd0c59d2d7acac35ba8b407a04ec9a1110a6a8737535d060d100ede1cb75078cf742c383948c9d4037ef459d150f6020

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\msg\m_turkish.wnry

Filesize
41KB

MD5
531ba6b1a5460fc9446946f91cc8c94b

SHA1
cc56978681bd546fd82d87926b5d9905c92a5803

SHA256
6db650836d64350bbde2ab324407b8e474fc041098c41ecac6fd77d632a36415

SHA512
ef25c3cf4343df85954114f59933c7cc8107266c8bcac3b5ea7718eb74dbee8ca8a02da39057e6ef26b64f1dfccd720dd3bf473f5ae340ba56941e87d6b796c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\msg\m_vietnamese.wnry

Filesize
91KB

MD5
8419be28a0dcec3f55823620922b00fa

SHA1
2e4791f9cdfca8abf345d606f313d22b36c46b92

SHA256
1f21838b244c80f8bed6f6977aa8a557b419cf22ba35b1fd4bf0f98989c5bdf8

SHA512
8fca77e54480aea3c0c7a705263ed8fb83c58974f5f0f62f12cc97c8e0506ba2cdb59b70e59e9a6c44dd7cde6adeeec35b494d31a6a146ff5ba7006136ab9386

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\r.wnry

Filesize
864B

MD5
3e0020fc529b1c2a061016dd2469ba96

SHA1
c3a91c22b63f6fe709e7c29cafb29a2ee83e6ade

SHA256
402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c

SHA512
5ca3c134201ed39d96d72911c0498bae6f98701513fd7f1dc8512819b673f0ea580510fa94ed9413ccc73da18b39903772a7cbfa3478176181cee68c896e14cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\s.wnry

Filesize
2.9MB

MD5
ad4c9de7c8c40813f200ba1c2fa33083

SHA1
d1af27518d455d432b62d73c6a1497d032f6120e

SHA256
e18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b

SHA512
115733d08e5f1a514808a20b070db7ff453fd149865f49c04365a8c6502fa1e5c3a31da3e21f688ab040f583cf1224a544aea9708ffab21405dde1c57f98e617

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\t.wnry

Filesize
64KB

MD5
5dcaac857e695a65f5c3ef1441a73a8f

SHA1
7b10aaeee05e7a1efb43d9f837e9356ad55c07dd

SHA256
97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6

SHA512
06eb5e49d19b71a99770d1b11a5bb64a54bf3352f36e39a153469e54205075c203b08128dc2317259db206ab5323bdd93aaa252a066f57fb5c52ff28deedb5e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\taskdl.exe

Filesize
20KB

MD5
4fef5e34143e646dbf9907c4374276f5

SHA1
47a9ad4125b6bd7c55e4e7da251e23f089407b8f

SHA256
4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79

SHA512
4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\taskse.exe

Filesize
20KB

MD5
8495400f199ac77853c53b5a3f278f3e

SHA1
be5d6279874da315e3080b06083757aad9b32c23

SHA256
2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d

SHA512
0669c524a295a049fa4629b26f89788b2a74e1840bcdc50e093a0bd40830dd1279c9597937301c0072db6ece70adee4ace67c3c8a4fb2db6deafd8f1e887abe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\u.wnry

Filesize
130KB

MD5
f3babc286eea501076f269ee15e0bc08

SHA1
716c3448fcb4badb28f8f4312d9ef53078e43616

SHA256
ed0ba49dde8f2adb1ccb2708f26ac810c78c2b2eeb0d12c9f61aea18ed096c0d

SHA512
0e3d4238eb8e2b925b6944ef6163382c1050c834e0d98d71363c6dc47eabdef07bcee99db1689b371c72dcf200a9908788818c893aa054740bc00486e5ef23e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\FV9129D3.txt

Filesize
2KB

MD5
365a4589c99497ef9a453cf62fc8e8ef

SHA1
41833155c4459a3da91ed5d112f785522e84a913

SHA256
ff8933ddb8762a306166fc8d6f4d83081d512c1612cf7c30f69654c02ab02e94

SHA512
898c0c00e9ee0f00ea21aa78fd99c93ed460b5b7c91d790cefe7a2d7c8f3592a1e7b2b8693b810dd40273d26af5484bed0df4c4366e0e327e7c941087870bcdf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\HZA9XWKA.txt

Filesize
85B

MD5
f987243db55d9b8bbdd4f5f85c29c4e8

SHA1
e96453aca8ce0828e22eed3103718711cae5c1ba

SHA256
2c84cb7eee1ce23e000e4a00db747acf2bd90e2f5181eed55d45ed3be7287a7e

SHA512
43f9e725a6a909dbf6179cdb6b484b036534b4965fef301123a7de311bdcea2ede7b7e6f857db646b562bb4d525b7a1fb3ede08518cc8c2b784468198e48ed60

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\R8MK116I.txt

Filesize
213B

MD5
57da518c83c117907ca3187474819bd9

SHA1
98d7afaacb8d4e972d1935d49358e76317fdd1e0

SHA256
547f1629abd717b42848357d676edc3bbdc2c828bcd72bf4b9bd32f06baada24

SHA512
271a457dc3e6c1f1f95e42920110d7ab7137d962c7f90efe9f22e0adbd63ff9a99cbb633608443ab41c4ffdcd88ce3300ce783ca1831c6e04d37251f26a3f085

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
5.4MB

MD5
345d58fb9ce4102af1cee7959be77173

SHA1
ad2e872517482c640af1e2af5028092e1bfca4c5

SHA256
82c9288061b95148b78c27f65c2355518f1362392bcd1662a4fe6608697a9318

SHA512
ff366d6cf746526c474e4e5df23603637244409f2548aebe805256cb16cc96e3ec1e3c9d56de580c488c85e896cb375d1931f0f8a974504951e46b3528dbcf74

Download Submit
C:\Users\Admin\Documents\@[email protected]

Filesize
933B

MD5
7a2726bb6e6a79fb1d092b7f2b688af0

SHA1
b3effadce8b76aee8cd6ce2eccbb8701797468a2

SHA256
840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5

SHA512
4e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54

Download Submit
\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\TaskData\Tor\taskhsvc.exe

Filesize
1.2MB

MD5
cc25056fc776036ec91aa9fdcb5fc754

SHA1
c713607d3bb65a8b00a67e8991449ad92bf4276e

SHA256
2651bc47d78ac8643c15b8aeb9e06a81fe1f32376187ba1d84dd2e38c7f81877

SHA512
b45bf6018c2782c06420d0ad111f5d064b8c58b33d01b6e26a783a4a590577ba3caa84813088c16967df5f74e1e451bab6832fa47e305ca472ad9d352c80a41a

Download Submit
\Users\Admin\AppData\Local\Temp\Temp1_Request for Quotation (RFQ_196).zip\TaskData\Tor\taskhsvc.exe

Filesize
768KB

MD5
575023927c118eb97b26a9b2bc41b058

SHA1
160bd1467894c86d44666ac2d0020936dd9d9a8d

SHA256
aa1e22933a8ff04f7a2749beab887a9deddf579a02fef3275a429ca7fd1f79f1

SHA512
4ac74710cbe6cea287daac238b42a6bc8b89ce7404c0393529fd84e4673ed4d77951a13ee8d5daed9b278febe94f7b6125b4de4b59e8e5ccdb927b1e45a3555c

Download Submit
memory/1532-1767-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/1628-2558-0x0000000071910000-0x0000000071992000-memory.dmp

Filesize
520KB

Download
memory/1628-2571-0x00000000000C0000-0x00000000003BE000-memory.dmp

Filesize
3.0MB

Download
memory/1628-2538-0x00000000719A0000-0x0000000071BBC000-memory.dmp

Filesize
2.1MB

Download
memory/1628-2539-0x00000000718E0000-0x0000000071902000-memory.dmp

Filesize
136KB

Download
memory/1628-2537-0x0000000071910000-0x0000000071992000-memory.dmp

Filesize
520KB

Download
memory/1628-2541-0x00000000000C0000-0x00000000003BE000-memory.dmp

Filesize
3.0MB

Download
memory/1628-2543-0x00000000000C0000-0x00000000003BE000-memory.dmp

Filesize
3.0MB

Download
memory/1628-2542-0x00000000718E0000-0x0000000071902000-memory.dmp

Filesize
136KB

Download
memory/1628-2540-0x0000000071910000-0x0000000071992000-memory.dmp

Filesize
520KB

Download
memory/1628-2553-0x00000000000C0000-0x00000000003BE000-memory.dmp

Filesize
3.0MB

Download
memory/1628-2554-0x0000000071C60000-0x0000000071CE2000-memory.dmp

Filesize
520KB

Download
memory/1628-2555-0x0000000071C40000-0x0000000071C5C000-memory.dmp

Filesize
112KB

Download
memory/1628-2556-0x0000000071BC0000-0x0000000071C37000-memory.dmp

Filesize
476KB

Download
memory/1628-2557-0x00000000719A0000-0x0000000071BBC000-memory.dmp

Filesize
2.1MB

Download
memory/1628-2535-0x00000000719A0000-0x0000000071BBC000-memory.dmp

Filesize
2.1MB

Download
memory/1628-2561-0x00000000000C0000-0x00000000003BE000-memory.dmp

Filesize
3.0MB

Download
memory/1628-2536-0x0000000071C60000-0x0000000071CE2000-memory.dmp

Filesize
520KB

Download
memory/1628-2572-0x00000000000C0000-0x00000000003BE000-memory.dmp

Filesize
3.0MB

Download
memory/1628-2565-0x00000000719A0000-0x0000000071BBC000-memory.dmp

Filesize
2.1MB

Download
memory/1628-2576-0x00000000719A0000-0x0000000071BBC000-memory.dmp

Filesize
2.1MB

Download
memory/1628-2583-0x00000000000C0000-0x00000000003BE000-memory.dmp

Filesize
3.0MB

Download
memory/1628-2587-0x00000000719A0000-0x0000000071BBC000-memory.dmp

Filesize
2.1MB

Download
memory/1628-2591-0x00000000000C0000-0x00000000003BE000-memory.dmp

Filesize
3.0MB

Download
memory/1628-2628-0x00000000000C0000-0x00000000003BE000-memory.dmp

Filesize
3.0MB

Download
memory/1628-2634-0x00000000719A0000-0x0000000071BBC000-memory.dmp

Filesize
2.1MB

Download
memory/1628-2638-0x00000000000C0000-0x00000000003BE000-memory.dmp

Filesize
3.0MB

Download
memory/1628-2642-0x00000000719A0000-0x0000000071BBC000-memory.dmp

Filesize
2.1MB

Download
memory/1628-2649-0x00000000000C0000-0x00000000003BE000-memory.dmp

Filesize
3.0MB

Download
memory/1628-2534-0x0000000071C60000-0x0000000071CE2000-memory.dmp

Filesize
520KB

Download
memory/1628-2833-0x00000000719A0000-0x0000000071BBC000-memory.dmp

Filesize
2.1MB

Download
memory/1628-2832-0x00000000000C0000-0x00000000003BE000-memory.dmp

Filesize
3.0MB

Download
memory/1832-2831-0x0000000002B00000-0x0000000002B01000-memory.dmp

Filesize
4KB

Download
memory/2632-2847-0x0000000002730000-0x0000000002731000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads