88880508fdcc246011c53f8a652d295e9cb95202bb92c7a02e463c405862e86a

Resubmissions

01/03/2024, 13:18

240301-qj37qagc71 7

28/12/2023, 16:27

231228-tygh2sheh8 10

Analysis

max time kernel
501s
max time network
459s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28/12/2023, 16:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88880508fdcc246011c53f8a652d295e9cb95202bb92c7a02e463c405862e86a.exe
Size

1.7MB
MD5

5f1977ff2e710323036df5bf5fd7df2b
SHA1

cf856ca9dfee5a3935d5e7ad192044438ab6c500
SHA256

88880508fdcc246011c53f8a652d295e9cb95202bb92c7a02e463c405862e86a
SHA512

8cc6808e0285a73ca90f4247982e1ee635f492a54929bad49c55ebe45f3ba45eba80777043085b811e91ceb72fab744af6e9bc93185b7450a44323886efa743a
SSDEEP

49152:2svcOp7uaMh54agPw0Ic02gRotHcBWJz9FNFU:2s0KCHDdg40I9LsFQ

Score

10^/10

evasion ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\Cache\FILE RECOVERY_ID_180870197840.txt

Ransom Note

Hello Your file has been encrypted and cannot be used When you see this letter, your privacy data has been backed up by us. If you do not handle it, we will publish your privacy data after the 7th. Don't try to change or restore the file yourself, which will destroy them If necessary, you can decrypt a test file for free. Free test decryption is only available for files less than 3MB in size. To restore files, you need a decryption tool. Please contact us by email. Please add the file name of this document to the email and send it to me. ��FILE RECOVERY_ID xxxxxx�� I will tell you the amount you need to pay. After the payment is completed, we will make the decryption tool and send it to you. Customer service mailbox: [email protected] Spare mailbox: (use this mailbox after no reply in 24 hours) [email protected] You can also contact us through intermediary agencies (such as data recovery companies) If you refuse to pay, you will be attacked constantly. Your privacy -sensitive data will also be announced on Internet. !! We are a team that pays attention to credibility, so you can pay safely and restore data. LIVE TEAM

Emails

[email protected]

Signatures

Clears Windows event logs 1 TTPs 3 IoCs

evasion ransomware

Indicator Removal

T1070

pid	Process
64	wevtutil.exe
2104	wevtutil.exe
3676	wevtutil.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1252	bcdedit.exe
3196	bcdedit.exe
3764	bcdedit.exe
636	bcdedit.exe

Renames multiple (1817) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes system backups 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
4796	wbadmin.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	88880508fdcc246011c53f8a652d295e9cb95202bb92c7a02e463c405862e86a.exe

Executes dropped EXE 1 IoCs

pid	Process
1000	windows_encryptor_180870197840.exe

Loads dropped DLL 6 IoCs

pid	Process
1000	windows_encryptor_180870197840.exe
1000	windows_encryptor_180870197840.exe
1000	windows_encryptor_180870197840.exe
1000	windows_encryptor_180870197840.exe
1000	windows_encryptor_180870197840.exe
1000	windows_encryptor_180870197840.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	Conhost.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	Conhost.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	Conhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
3676	vssadmin.exe

Kills process with taskkill 9 IoCs

evasion

pid	Process
1272	taskkill.exe
4516	taskkill.exe
1408	taskkill.exe
4232	taskkill.exe
1384	taskkill.exe
3136	taskkill.exe
4184	taskkill.exe
3356	taskkill.exe
932	taskkill.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeBackupPrivilege	5044	vssvc.exe
Token: SeRestorePrivilege	5044	vssvc.exe
Token: SeAuditPrivilege	5044	vssvc.exe
Token: SeBackupPrivilege	2284	wbengine.exe
Token: SeRestorePrivilege	2284	wbengine.exe
Token: SeSecurityPrivilege	2284	wbengine.exe
Token: SeDebugPrivilege	1384	taskkill.exe
Token: SeDebugPrivilege	3136	taskkill.exe
Token: SeDebugPrivilege	1272	taskkill.exe
Token: SeDebugPrivilege	3356	taskkill.exe
Token: SeDebugPrivilege	932	taskkill.exe
Token: SeDebugPrivilege	4516	taskkill.exe
Token: SeDebugPrivilege	1408	net.exe
Token: SeDebugPrivilege	4232	net.exe
Token: SeDebugPrivilege	4184	taskkill.exe
Token: SeSecurityPrivilege	64	wevtutil.exe
Token: SeBackupPrivilege	64	wevtutil.exe
Token: SeSecurityPrivilege	2104	wevtutil.exe
Token: SeBackupPrivilege	2104	wevtutil.exe
Token: SeSecurityPrivilege	3676	wevtutil.exe
Token: SeBackupPrivilege	3676	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4332 wrote to memory of 1000	4332	88880508fdcc246011c53f8a652d295e9cb95202bb92c7a02e463c405862e86a.exe	91
PID 4332 wrote to memory of 1000	4332	88880508fdcc246011c53f8a652d295e9cb95202bb92c7a02e463c405862e86a.exe	91
PID 1000 wrote to memory of 492	1000	windows_encryptor_180870197840.exe	94
PID 1000 wrote to memory of 492	1000	windows_encryptor_180870197840.exe	94
PID 492 wrote to memory of 1516	492	cmd.exe	95
PID 492 wrote to memory of 1516	492	cmd.exe	95
PID 1516 wrote to memory of 1252	1516	cmd.exe	96
PID 1516 wrote to memory of 1252	1516	cmd.exe	96
PID 1000 wrote to memory of 3768	1000	windows_encryptor_180870197840.exe	182
PID 1000 wrote to memory of 3768	1000	windows_encryptor_180870197840.exe	182
PID 3768 wrote to memory of 2960	3768	Conhost.exe	121
PID 3768 wrote to memory of 2960	3768	Conhost.exe	121
PID 2960 wrote to memory of 636	2960	cmd.exe	186
PID 2960 wrote to memory of 636	2960	cmd.exe	186
PID 1000 wrote to memory of 2948	1000	windows_encryptor_180870197840.exe	99
PID 1000 wrote to memory of 2948	1000	windows_encryptor_180870197840.exe	99
PID 2948 wrote to memory of 568	2948	cmd.exe	118
PID 2948 wrote to memory of 568	2948	cmd.exe	118
PID 568 wrote to memory of 3764	568	cmd.exe	111
PID 568 wrote to memory of 3764	568	cmd.exe	111
PID 1000 wrote to memory of 64	1000	windows_encryptor_180870197840.exe	101
PID 1000 wrote to memory of 64	1000	windows_encryptor_180870197840.exe	101
PID 64 wrote to memory of 1828	64	cmd.exe	135
PID 64 wrote to memory of 1828	64	cmd.exe	135
PID 1828 wrote to memory of 3196	1828	cmd.exe	109
PID 1828 wrote to memory of 3196	1828	cmd.exe	109
PID 1000 wrote to memory of 4876	1000	windows_encryptor_180870197840.exe	104
PID 1000 wrote to memory of 4876	1000	windows_encryptor_180870197840.exe	104
PID 4876 wrote to memory of 4484	4876	cmd.exe	107
PID 4876 wrote to memory of 4484	4876	cmd.exe	107
PID 4484 wrote to memory of 3676	4484	cmd.exe	105
PID 4484 wrote to memory of 3676	4484	cmd.exe	105
PID 1000 wrote to memory of 3492	1000	windows_encryptor_180870197840.exe	112
PID 1000 wrote to memory of 3492	1000	windows_encryptor_180870197840.exe	112
PID 3492 wrote to memory of 1244	3492	cmd.exe	116
PID 3492 wrote to memory of 1244	3492	cmd.exe	116
PID 1244 wrote to memory of 4796	1244	cmd.exe	175
PID 1244 wrote to memory of 4796	1244	cmd.exe	175
PID 1000 wrote to memory of 3420	1000	windows_encryptor_180870197840.exe	123
PID 1000 wrote to memory of 3420	1000	windows_encryptor_180870197840.exe	123
PID 3420 wrote to memory of 1388	3420	cmd.exe	125
PID 3420 wrote to memory of 1388	3420	cmd.exe	125
PID 1388 wrote to memory of 1384	1388	cmd.exe	124
PID 1388 wrote to memory of 1384	1388	cmd.exe	124
PID 1000 wrote to memory of 2724	1000	windows_encryptor_180870197840.exe	128
PID 1000 wrote to memory of 2724	1000	windows_encryptor_180870197840.exe	128
PID 2724 wrote to memory of 4060	2724	cmd.exe	164
PID 2724 wrote to memory of 4060	2724	cmd.exe	164
PID 4060 wrote to memory of 3136	4060	cmd.exe	130
PID 4060 wrote to memory of 3136	4060	cmd.exe	130
PID 1000 wrote to memory of 4368	1000	windows_encryptor_180870197840.exe	163
PID 1000 wrote to memory of 4368	1000	windows_encryptor_180870197840.exe	163
PID 4368 wrote to memory of 4020	4368	cmd.exe	138
PID 4368 wrote to memory of 4020	4368	cmd.exe	138
PID 4020 wrote to memory of 1272	4020	cmd.exe	133
PID 4020 wrote to memory of 1272	4020	cmd.exe	133
PID 1000 wrote to memory of 1828	1000	windows_encryptor_180870197840.exe	135
PID 1000 wrote to memory of 1828	1000	windows_encryptor_180870197840.exe	135
PID 1828 wrote to memory of 3604	1828	cmd.exe	137
PID 1828 wrote to memory of 3604	1828	cmd.exe	137
PID 3604 wrote to memory of 3356	3604	cmd.exe	136
PID 3604 wrote to memory of 3356	3604	cmd.exe	136
PID 1000 wrote to memory of 272	1000	windows_encryptor_180870197840.exe	140
PID 1000 wrote to memory of 272	1000	windows_encryptor_180870197840.exe	140

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\88880508fdcc246011c53f8a652d295e9cb95202bb92c7a02e463c405862e86a.exe
"C:\Users\Admin\AppData\Local\Temp\88880508fdcc246011c53f8a652d295e9cb95202bb92c7a02e463c405862e86a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4332
- C:\Users\Admin\AppData\Local\Temp\windows_encryptor_180870197840.exe
  "C:\Users\Admin\AppData\Local\Temp\windows_encryptor_180870197840.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cmd /c "bcdedit /set {current} recoveryenabled no"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:492
  - - C:\Windows\system32\cmd.exe
      cmd /c "bcdedit /set {current} recoveryenabled no"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1516
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {current} recoveryenabled no
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cmd /c "bcdedit /set {default} recoveryenabled no"
    3⤵
    PID:3768
  - - C:\Windows\system32\cmd.exe
      cmd /c "bcdedit /set {default} recoveryenabled no"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cmd /c "bcdedit /set {current} bootstatuspolicy ignoreallfailures"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Windows\system32\cmd.exe
      cmd /c "bcdedit /set {current} bootstatuspolicy ignoreallfailures"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cmd /c "bcdedit /set {default} bootstatuspolicy ignoreallfailures"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:64
  - - C:\Windows\system32\cmd.exe
      cmd /c "bcdedit /set {default} bootstatuspolicy ignoreallfailures"
      4⤵
      PID:1828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cmd /c "vssadmin Delete Shadows /All /Quiet"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4876
  - - C:\Windows\system32\cmd.exe
      cmd /c "vssadmin Delete Shadows /All /Quiet"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cmd /c "wbadmin DELETE BACKUP -keepVersions:0 -quiet"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3492
  - - C:\Windows\system32\cmd.exe
      cmd /c "wbadmin DELETE BACKUP -keepVersions:0 -quiet"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cmd /c "taskkill /F /IM postgresql*"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3420
  - - C:\Windows\system32\cmd.exe
      cmd /c "taskkill /F /IM postgresql*"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cmd /c "taskkill /F /IM sqlbrowser*"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Windows\system32\cmd.exe
      cmd /c "taskkill /F /IM sqlbrowser*"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cmd /c "taskkill /F /IM sqlservr*"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1828
  - - C:\Windows\system32\cmd.exe
      cmd /c "taskkill /F /IM sqlservr*"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cmd /c "taskkill /F /IM sqlceip*"
    3⤵
    PID:272
  - - C:\Windows\system32\cmd.exe
      cmd /c "taskkill /F /IM sqlceip*"
      4⤵
      PID:3016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cmd /c "taskkill /F /IM SQLAGENT*"
    3⤵
    PID:2576
  - - C:\Windows\system32\cmd.exe
      cmd /c "taskkill /F /IM SQLAGENT*"
      4⤵
      PID:4640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cmd /c "taskkill /F /IM sqlservr*"
    3⤵
    PID:3416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cmd /c "taskkill /F /IM pg_ctl*"
    3⤵
    PID:2104
  - - C:\Windows\system32\cmd.exe
      cmd /c "taskkill /F /IM pg_ctl*"
      4⤵
      PID:3144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cmd /c "taskkill /F /IM postgres*"
    3⤵
    PID:1892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cmd /c net stop "service_name" /y
    3⤵
    PID:3368
  - - C:\Windows\system32\cmd.exe
      cmd /c net stop "service_name" /y
      4⤵
      PID:1940
    - - C:\Windows\system32\net.exe
        
        net stop "service_name" /y
        5⤵
        
        PID:636
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "service_name" /y
        6⤵
        
        PID:1012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cmd /c "taskkill /F /IM sqlwriter*"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cmd /c net stop "service_name" /y
    3⤵
    PID:4468
  - - C:\Windows\system32\cmd.exe
      cmd /c net stop "service_name" /y
      4⤵
      PID:288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cmd /c net stop "service_name" /y
    3⤵
    PID:3380
  - - C:\Windows\system32\cmd.exe
      cmd /c net stop "service_name" /y
      4⤵
      PID:436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cmd /c net stop "service_name" /y
    3⤵
    PID:3740
  - - C:\Windows\system32\cmd.exe
      cmd /c net stop "service_name" /y
      4⤵
      PID:2828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cmd /c net stop "service_name" /y
    3⤵
    PID:2896
  - - C:\Windows\system32\cmd.exe
      cmd /c net stop "service_name" /y
      4⤵
      PID:4140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cmd /c net stop "service_name" /y
    3⤵
    PID:4416
  - - C:\Windows\system32\cmd.exe
      cmd /c net stop "service_name" /y
      4⤵
      PID:1436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cmd /c net stop "service_name" /y
    3⤵
    PID:1132
  - - C:\Windows\system32\cmd.exe
      cmd /c net stop "service_name" /y
      4⤵
      PID:4396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cmd /c net stop "service_name" /y
    3⤵
    PID:3684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cmd /c net stop "service_name" /y
    3⤵
    PID:4340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cmd /c "wevtutil cl application"
    3⤵
    PID:2596
  - - C:\Windows\system32\cmd.exe
      cmd /c "wevtutil cl application"
      4⤵
      PID:2184
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil cl application
        5⤵
        Clears Windows event logs
        Suspicious use of AdjustPrivilegeToken
        
        PID:64
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cmd /c "wevtutil cl security"
    3⤵
    PID:4536
  - - C:\Windows\system32\cmd.exe
      cmd /c "wevtutil cl security"
      4⤵
      PID:3568
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil cl security
        5⤵
        Clears Windows event logs
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cmd /c "wevtutil cl system"
    3⤵
    PID:932
  - - C:\Windows\system32\cmd.exe
      cmd /c "wevtutil cl system"
      4⤵
      PID:2952
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil cl system
        5⤵
        Clears Windows event logs
        Suspicious use of AdjustPrivilegeToken
        
        PID:3676

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /All /Quiet
1⤵
- Interacts with shadow copies
PID:3676

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5044

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Modifies boot configuration data using bcdedit
PID:3196

C:\Windows\system32\bcdedit.exe
bcdedit /set {current} bootstatuspolicy ignoreallfailures
1⤵
- Modifies boot configuration data using bcdedit
PID:3764

C:\Windows\system32\wbadmin.exe
wbadmin DELETE BACKUP -keepVersions:0 -quiet
1⤵
- Deletes system backups
PID:4796

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2284

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1132

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:3636

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
1⤵
- Modifies boot configuration data using bcdedit
PID:636

C:\Windows\system32\taskkill.exe
taskkill /F /IM postgresql*
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\Windows\system32\taskkill.exe
taskkill /F /IM sqlbrowser*
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3136

C:\Windows\system32\taskkill.exe
taskkill /F /IM sqlwriter*
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Windows\system32\taskkill.exe
taskkill /F /IM sqlservr*
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3356

C:\Windows\system32\cmd.exe
cmd /c "taskkill /F /IM sqlwriter*"
1⤵
- Suspicious use of WriteProcessMemory
PID:4020

C:\Windows\system32\taskkill.exe
taskkill /F /IM sqlceip*
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:932

C:\Windows\system32\taskkill.exe
taskkill /F /IM SQLAGENT*
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4516

C:\Windows\system32\taskkill.exe
taskkill /F /IM sqlservr*
1⤵
- Kills process with taskkill
PID:1408
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop "service_name" /y
  2⤵
  PID:2108

C:\Windows\system32\cmd.exe
cmd /c "taskkill /F /IM sqlservr*"
1⤵
PID:2108

C:\Windows\system32\taskkill.exe
taskkill /F /IM pg_ctl*
1⤵
- Kills process with taskkill
PID:4232
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop "service_name" /y
  2⤵
  PID:3144

C:\Windows\system32\taskkill.exe
taskkill /F /IM postgres*
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4184

C:\Windows\system32\cmd.exe
cmd /c "taskkill /F /IM postgres*"
1⤵
PID:728

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Drops file in Windows directory
PID:4796

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious use of WriteProcessMemory
PID:3768

C:\Windows\system32\net.exe
net stop "service_name" /y
1⤵
PID:2660
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop "service_name" /y
  2⤵
  PID:4372

C:\Windows\system32\net.exe
net stop "service_name" /y
1⤵
PID:1012
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop "service_name" /y
  2⤵
  PID:636

C:\Windows\system32\cmd.exe
cmd /c net stop "service_name" /y
1⤵
PID:1784

C:\Windows\system32\cmd.exe
cmd /c net stop "service_name" /y
1⤵
PID:3084

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "service_name" /y
1⤵
PID:1608

C:\Windows\system32\net.exe
net stop "service_name" /y
1⤵
PID:3056

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "service_name" /y
1⤵
PID:728

C:\Windows\system32\net.exe
net stop "service_name" /y
1⤵
PID:1056

C:\Windows\system32\net.exe
net stop "service_name" /y
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4232

C:\Windows\system32\net.exe
net stop "service_name" /y
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1408

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "service_name" /y
1⤵
PID:3828

C:\Windows\system32\net.exe
net stop "service_name" /y
1⤵
PID:3700

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "service_name" /y
1⤵
PID:1488

C:\Windows\system32\net.exe
net stop "service_name" /y
1⤵
PID:1404

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\Cache\FILE RECOVERY_ID_180870197840.txt

Filesize
1KB

MD5
3928a12e66aeda453c53e0ec73e209ad

SHA1
87c981e0510f830e1c506e27dce96021daa33676

SHA256
aadf3b421251fd6609c2cd93c1467c3b5df1c7cd8a3aee9a04d5ebadc5c656fe

SHA512
6153ad19f6b49f19783d39ff4f7ce12307abe6261ca0508d3ea00ac998432fff53e617951e6203c16a8921022fae942d0c80aa9dc5d434eaf9fd3f794407eb5d

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USSres00002.jrs

Filesize
153KB

MD5
e2b6d576342e72b7767d121ba7df3432

SHA1
36b1d5052efd38a103e5cc2a118310b47803b2af

SHA256
a9958eb736d255bcf9ee7dbd6b57ff4a3df9daf47cadf84fb349020dcfe9ecb7

SHA512
b88b7ebaee69985eb078597d4786a58fcc025f1eb2cad8da736a9676b78d08a5539055e4811a085851d2972f1a6e0d33172dd1cddd0f482b8a4fe97ee81ec241

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\CURRENT

Filesize
16B

MD5
6571921a2bfe756e9b4013f7ec5e728a

SHA1
a5952d5c5c524b0d60c822eb1253a44d322b1785

SHA256
c04d45e9d7fc9d3837371ee6ad329cdfd945071148f740b79cb495a1a95e26bd

SHA512
60e73787d0e0dbaf05c67e7c3bff9e28541c3475bb163dab9f2331f6f5c4b618a1475ba49ca7177aed30072c938287ec46a505d3ff9044ec405ad23844f479ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\MANIFEST-000001

Filesize
41B

MD5
ee47cf0b0133fad4b0f1316a10842f91

SHA1
08f01c6d8c67e4156923875cb6df639cbd2833a0

SHA256
9b39fe4c6bad593a6a579ce4ebaf03d9510c42372223afb9fbe8a55c87789df5

SHA512
8812a663edf13e80334bfdf67567b5f914e3600b48b39eb82ff8e075746842392e534e42faf68d6776fc603e8159496365fff82cd83e5bb329cecfd852c9fce0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index

Filesize
24B

MD5
80cadab775bc993039dd8592e96de7c8

SHA1
6ccfc9a6f3ef97d852036d37f12c6e5f23037260

SHA256
e40f1b8e914da98338cdc84d6501e793b89872dd0b9f93bd9a9c7fe41a185d0b

SHA512
d92fab7f065b92a95a6fc9c9a99302d95cf4e381d7189b7139dbe35de51a9616cd1bdfef975a3079429453d0a7b361e764f36cb89be3c432547d667edab08981

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache\data_0

Filesize
8KB

MD5
eab21b7886b03b97619e6a074c079c92

SHA1
5592d6f506de2a06e01bbf01bf328852cff35e11

SHA256
00f9277d82469b944eed2ab09d95aadd1c2a4f2e9e2e34a74c3d91298d9f460d

SHA512
0264c1c846c127fb5dd44ea28445f0401eef23a46df483107c4e943a80891fbd8b5c12a27b92d7ca04f916b8a373059e976bc960570368670d6ac08d1188e9df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache\data_1

Filesize
264KB

MD5
3dcdf5c4181b45ef627a364753915fd7

SHA1
a16500f7ad5721457aa3f69b09c30c46cbc4f3b7

SHA256
8c5692cf49713eb0ef6f0d3100cdc83088ea10fa3eef00be2ef810c8fe7af1a5

SHA512
d8a7e84821a9e0baf38b7fcbc2a55ff3e98ecc7f4b1136045966a2b7e24000bba6b6d90351f870fe24eb4d7a880a3efb88f574bf1ebb2a47b17dab982e710ae9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache\data_2

Filesize
8KB

MD5
17c9bb1c0dea77fc017c207313f2dbc7

SHA1
1a54be92c3a3ad3c56635b4501b5c7c328efab8b

SHA256
16e8733353b32295a417ff3e02879e2313c4cf3629359b6fd6b7bad5f1c6c40c

SHA512
7bbf26cc9bb5a84c4e119c5c1dc230656b5ac105f8e43c37ce4d20fa9f62f005a27515a517109dd24fc6f9d2968470d3e730ccc58883ec2f60312b7afe40e737

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache\data_3

Filesize
8KB

MD5
0cb9a1bb9a60db0d872d9da3d606589d

SHA1
68e7d39e173ac5d9b2119c0d2d5ccb2260a859cd

SHA256
24e3d571ac47900bd8a19835b91856885b761598c9c56dc876749b45efb6105e

SHA512
2098df3c1996ee621fd3a8eb7f64899f19c41dc3da0d0f2b84f3bb07f7ce42a1facade41bf2724a1af86ff9cce9443d1cf20caa97f217b4e130a0adf69f425a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml.LIVE

Filesize
340KB

MD5
f4ac543e92fd17bfe2bd2d67da6bca07

SHA1
1bb73c18119f8c6369da3a3321bad6740c3bf0d5

SHA256
b8f503d5f9ead820ac40d892f7850d622f1972a208d8d13213d52904c0b91f66

SHA512
6386e748a4644b1413a00e1d462d73ce6902d800dc4969564c34431289c802449403d2a2a9fe08b0af297a6ee24d7e9ab5e3478f752a975e21392f6f053fb361

Download Submit
C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\Settings\settings.dat

Filesize
8KB

MD5
130a921e5d5343c2347e7b55be66a76c

SHA1
0e5c63fb736c3d18d3c8121bf6349c72ec8c3bd5

SHA256
8b6a44e53795219b3481b3a8d18de42a2b362b4b864b4d2abaacf57b66c96d93

SHA512
47a4421d4356e3a0d87ea895d92c2e3760f9501fada55b3b4d37d0653eb39afe515b04e14b3989316de5cb33802bb53eca209868b38f790e5c1de32990f581f8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\https___java_com_help

Filesize
36KB

MD5
6b79cd038522f9d3ef083160db3d743c

SHA1
e006cf0ce24b82c1c6e372069b50e57239c0bc14

SHA256
e9bfc13ad218575328a957d658fc2eba7399e53f31f857ed7633623753a075e5

SHA512
62e2102c163bcc3f7fa370c575e13fe5135a697dc452f84fec14621d9dc4b771c97d69bc6c5052ba15b11f8add92ddda25a7352cdbc61bb504e64ec476dc3940

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_charmap_exe

Filesize
36KB

MD5
958eb2422c0f48496c087c68f3f318d4

SHA1
26f8e305842666f3df615587c19e6da090632ec9

SHA256
82c59ecd6989484cc738f4b56d7275dd2b3110599bf8e44c8eaea75a0219a346

SHA512
b150da514393f5ffddb2060c2379ebc2de0f89b623dbaefa260a7ba0a2dcae69f1e8c24122ae68ceed35f372f53737fdb60349d9930692347f9ecf7477afb300

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_VideoLAN_VLC_VideoLAN Website_url

Filesize
36KB

MD5
ff94347c511c17efc39f760d6a8af604

SHA1
53143a5c551f3a7f84a7b6f36dc4420b1f48d3d5

SHA256
ff8790de9505a85affa31d3ea14b4465f2039f8bfc822d659d7ceebd2e42821e

SHA512
27459179fe2e53d994043d8b5d1b981d7b9c4b3cce4274dd85b682fa81b0895d5c67f9feece119a4d7dd303d6a570be5646bf830d41d8148fd336d39cd9568c4

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D809377-6AF0-444B-8957-A3773F02200E}_VideoLAN_VLC_vlc_exe

Filesize
36KB

MD5
888019a34bfbccefdba8fc7c0092e41c

SHA1
1598c89b5362ddc31000cc6550b067540a29c363

SHA256
2ef0ca3843b10dea2eb2a496cc9a5d4cc1205aa4e5750f7ccfd53b33b3c78c3b

SHA512
2e8dc8cd23694891e34c6c37c79078c57b69d65c8e60f870e3c41f01bab68c6087931857d4096b5fba4578f0c44bb1bf5d57c97677fee9079d7e6a92d744142a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{59cfaf65-1173-4d71-9f40-99b78c7e7ab3}\0.1.filtertrie.intermediate.txt

Filesize
5B

MD5
34bd1dfb9f72cf4f86e6df6da0a9e49a

SHA1
5f96d66f33c81c0b10df2128d3860e3cb7e89563

SHA256
8e1e6a3d56796a245d0c7b0849548932fee803bbdb03f6e289495830e017f14c

SHA512
e3787de7c4bc70ca62234d9a4cdc6bd665bffa66debe3851ee3e8e49e7498b9f1cbc01294bf5e9f75de13fb78d05879e82fa4b89ee45623fe5bf7ac7e48eda96

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{59cfaf65-1173-4d71-9f40-99b78c7e7ab3}\0.2.filtertrie.intermediate.txt

Filesize
5B

MD5
c204e9faaf8565ad333828beff2d786e

SHA1
7d23864f5e2a12c1a5f93b555d2d3e7c8f78eec1

SHA256
d65b6a3bf11a27a1ced1f7e98082246e40cf01289fd47fe4a5ed46c221f2f73f

SHA512
e72f4f79a4ae2e5e40a41b322bc0408a6dec282f90e01e0a8aaedf9fb9d6f04a60f45a844595727539c1643328e9c1b989b90785271cc30a6550bbda6b1909f8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{59cfaf65-1173-4d71-9f40-99b78c7e7ab3}\Apps.index

Filesize
1.0MB

MD5
a6cae8a3506be7a9976ead29e4cfe21e

SHA1
f26c769fb43fa38793ff735987dca7633f580d70

SHA256
714f05e717287293b773a282957215546a1d3ebdbadc7d4bd9bd7b38fcc0c3b8

SHA512
661b12e72039bc0c48e1eb50dba0da0c6141cab8e8319d1fe19af15a55a587cab68c7cc4518c148731049d0a198dd30fe2ce57135d26a3b416952b905987cbd4

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{740cfbb6-b517-48d8-b8cd-255a47ceb59c}\0.0.filtertrie.intermediate.txt

Filesize
28KB

MD5
8040f9b2550c411abff409d8cac0db1b

SHA1
58ad9333ce0ffe7192defaca82e17d3212797775

SHA256
8d75290f7ce49c7924bad343a924c0b0a0bbc1f1ee9b5b31e5aa4a5013e301f9

SHA512
53296aec1253475abba70f66a02a59a8525742fbc8e682b478eb5ba801e4ad221b2fdf1f676c46d4fdc9fcf3018991854d222f033e4ac44c7000c4a71fd6a02b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{740cfbb6-b517-48d8-b8cd-255a47ceb59c}\Apps.ft

Filesize
38KB

MD5
f515f3c32f5a716a1415b93684908b83

SHA1
810000358139645b0392dd4c25fc482d3157356e

SHA256
3b921a6b69e2055aa1af7b0cd12eea49285a9a1505318cd6187bcd6bb6f770bb

SHA512
304d75b34bc6064f0fd8f3933316b8d30ff77001f8c2f55d7b9ce34e9700c93da25494a0418194a41391a5a0d37e3cff01ea5def139037ee5c6a70972ce0cf0f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133471186354726728.txt

Filesize
77KB

MD5
9a660b2d048d2ffd7017db85d08118d9

SHA1
7b7b3bd3bbda738df40d6b226a5c7b19db0fbfd8

SHA256
20aa05726f54122b0490cb7187e06ac8ac1355f7afb03e6c8b7860e0a8747b9b

SHA512
c77eb70bcde0a3ed162fe511753d01f8a7ba4290eefbc41c70a4a90fae64b4efae61e55ca7a1a921debb597493a48daf58a7c508b665f8bda3110e55f25b4e2f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133471186805983355.txt

Filesize
48KB

MD5
5398cd45bfbd9889bc082898daa2a609

SHA1
c0b6413460f7ecc1debdcad795e77307acb68b80

SHA256
48968cdd751d503bad9efb640f497304d683b88e05a118f17beb3ab4d7808a49

SHA512
df3d21935f22854260974963acd2c1fd1fd181ad82e0e131f0d33ec2a600519956a39df4159740871f5f2f0b89e4409cca2570e0ba4ec0d04864c5384c45c274

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133471194338965306.txt

Filesize
63KB

MD5
8e5d3767ffa75a289a3e86018137ee07

SHA1
905fabd52bb65a42702979b886bccc1efbed7fcc

SHA256
3fb697167431285c0524903480bbbd68d746a811c1e76e7d020a16c5217bef2a

SHA512
3fae80f668a94f4cf40ce62be109c52014695acc0da16ab427eab9b660143919a728a65afb92a28ed35a0b4b695ea8a52f03829d93a1cf5385135a16d61592f4

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133471198121055742.txt

Filesize
74KB

MD5
1ae8f674bf780cf122be39bcbd4f64a4

SHA1
abcd921021ae0dce384006d72d0290ef2a7575b5

SHA256
b0a5cfc59e92e2d96c872a00a6ed39428fb37d894a09b5c9e26d48acf70bb54a

SHA512
682143d333d73a2d49b0c32d2ef7f6a6220c71c25896c73db247c300c87a1c636b10a52f56a6696617b58aa39f9444b560aeae6c1a69e01d93072948040c4f73

Download Submit
C:\Users\Admin\AppData\Local\Temp\libffi-8.dll

Filesize
32KB

MD5
c262a0d445f9e205965d67c8371a69f5

SHA1
1debd5d11a0b01033028c7ea987cdc8fc47b8e57

SHA256
e689c781dd0619b02f2a06f9a5648c3246927be14eb3475afde74830545df7f3

SHA512
6463003d821e9146ef891d19f0d67e70053ff5f598a5ff76f0cb9b8afffdc4c546f17d73847d901107898b56be034871db6d9171b22a40059c07cc4b7c939300

Download Submit
C:\Users\Admin\AppData\Local\Temp\libglib-2.0-0.dll

Filesize
3KB

MD5
e0652fd9ddb4c96af5bf33d49197eb6d

SHA1
7d4a14e05d8a04ca30210f5b6313fef723732ad5

SHA256
822e7265328c8be45f52ca5e41d8628e60b656483c1e7bc016a2a3656b77e74c

SHA512
c926b9630c367f045c02799245d1ff241101f5209495638aacadf8c5721408d0ad1afcf26ee965b22d681648a5a9a410650168490a63aab185f06ca016577701

Download Submit
C:\Users\Admin\AppData\Local\Temp\libglib-2.0-0.dll

Filesize
278KB

MD5
05b4f7da38251983895580a75750c9ba

SHA1
c2df3d76b71063666a80144e6b79b5f97e0bd4b8

SHA256
c68cbd9ba31d372497d61552de67338890ed82eec5255e7d34ec4e5e119c13d2

SHA512
6875fa92629acc3d109efa5fd8e02659c3293c4d5d60cf29c174af70bc716bd46bb3f2493983f1638d68743fe9d2bf05e529f14fa8584d0e25b83a6e61e3757e

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgobject-2.0-0.dll

Filesize
177KB

MD5
2bb9b0be85315467cd696d7f91e06d81

SHA1
814da91d4e017b6be123f808e43feac5b13c8831

SHA256
7c31e225c79ed90a896745ca270a7fb9fec18700f73ad338b68399558f86d6b3

SHA512
57c8941430ea59293efaa46fe459514d44db0e438502641f07020572523eccb3c6b285432690b259ef5617e816004d88a721b47facd1d589262a6314e2aac735

Download Submit
C:\Users\Admin\AppData\Local\Temp\libgobject-2.0-0.dll

Filesize
43KB

MD5
4b76ba38d35101701a1269e3379a5945

SHA1
e32d6a8a7eab05b23ff08666cd450e108b9df75e

SHA256
b14b0df91ce90af9ad9bf61d19773fe0190f2dd9103d3bfe666b897530e09946

SHA512
0ea8547ed419b2f814c0c5d177c25448bd5acd13043321203fa80f0ac387848560b19d3b955731ed29d563b3e3806ffece45b1c302a1f579477f89f72b21ea0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\libiconv-2.dll

Filesize
36KB

MD5
0cdd1e8fb8bbc943ca89480e5a5d5a2e

SHA1
052a92a21926a9c0f7701a1d8d1e2e027ffa8a2f

SHA256
98540e6e50c5ea41feb7c1b4162f8cb199a32712fc26c57c7361d93b40b7c757

SHA512
95c1d861735a980b24b7309ee4956453eed72dd45a3edbc60794387e83a3fc2c6b9caf3b5b4551dfa2b1d3661bef4aef87268dd0cb02925a81d7bb9b50211aa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\libiconv-2.dll

Filesize
19KB

MD5
892fa62f2ac0f7238234efa189ae89c7

SHA1
583c8bc53ce61df4bb31afd15572e2fd734cd29d

SHA256
c7467a78b6eae28f2478ef1b5ba162e8f90db91a4dc2f428235cccaf0c27cea5

SHA512
8309f3bb550a289038a375bc8d854f1d4079377a8c9c1ddb305bbee210998fa35cf99ee23704dd68ea0b336269c444b73e839517b0dbf29b85d1d7a5afd6f0bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\libintl-8.dll

Filesize
20KB

MD5
2ceb2f62da03366a0fbf6232b59ffb85

SHA1
43c05a18b6708f3eac52110b84ca32e13236dcbc

SHA256
5efff4f84c015379b507059355f2695caf7691ed0cbeda41821964e8244f183e

SHA512
a0d015b5f7f247bb83c2d77ed00f2992babc482a34ed7e69bee0054bf2e61d0ffbd8e2b90e1b4c955f7b94a450f499d130b6a200f18073f46d7fc17a1bc1028a

Download Submit
C:\Users\Admin\AppData\Local\Temp\libintl-8.dll

Filesize
51KB

MD5
7cdc4b00063517bcc92284072f194a0d

SHA1
af2a1fa3d2db81870e24adb9caf83f3a547e5028

SHA256
73b238d275d16a950f7595734fb06316967524e838403227ea8edfdc0e2f27a8

SHA512
ce67e3f9281644f631c7a99937b5c6e440f3c6e00bb34bb61fa072f9a0f7aed9e89d625a62e212cb54b56bfb82e8f69b6d376491303fb894a6ddfcd9d69fee86

Download Submit
C:\Users\Admin\AppData\Local\Temp\libpcre2-8-0.dll

Filesize
14KB

MD5
4601b6c3a6f805499a88fc5f247d5686

SHA1
3028623f949c9df4c77d464f2c47276811bc390b

SHA256
8aa3f841d4f06d28c69e047360b90c95ec07cf27f861019fda0a42807e2c31d5

SHA512
ae34da161f4db45c649068c69ce18d30fb8592af8ab91a37735ce42e907e6f37df1d5b72c130f6df40e5eaae544f7c48e9bfe6f3a6531a3ae994d5db787536da

Download Submit
C:\Users\Admin\AppData\Local\Temp\libpcre2-8-0.dll

Filesize
71KB

MD5
c4cb0e72b7d452a674df54f160517325

SHA1
03caa7278bda9ca57f99007157e655aacff53c12

SHA256
baa30e6b1d251f8f586a4a8057fba3b9a57fe1c792bd44c0d22f9e521e8c9d1d

SHA512
7ee2fb1f2552763e7a8553b82cd3c5959d359428ccbfbb67b83cdfdd462339492fdf88c190da78b9ecf6f66b7e0a237fd3bccd96807ad19d47d46782af124311

Download Submit
C:\Users\Admin\AppData\Local\Temp\wct6050.tmp

Filesize
63KB

MD5
cda6113dcb4caaeea8fcf9fbd478ef4c

SHA1
4b509a68bd54c5b9381e6a75ec1ffd06f7737d20

SHA256
e99c345a12887706ea9bf0b96365ad5aeedfdcebfa5459572017d1638dfafe55

SHA512
d7c9becb5ad2ca4051c87109fa0c6fbfda409f2e591653b330ae103e1f8874d1211887306452671d8e6cb0f3db35da437ec4c4f9a8faebcaf6c2491d2832f234

Download Submit
C:\Users\Admin\AppData\Local\Temp\windows_encryptor_180870197840.exe

Filesize
105KB

MD5
185e254ce5c3c8814879c444dd688fa8

SHA1
58a3aaa7940bc9a1bb746dfa8145bc837c28b6ae

SHA256
a9820f015ae9856d51faabc753923dac77852056c3a5a4405eddd8d91102d114

SHA512
b74559fb7fbb8c695a3eda94297b05fb099dddf497750e2b1c95a0d894b17cbad40d204c8acdf04c0b8df090a768cdebfe949bbe4b9648c454691ce03198e0c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\windows_encryptor_180870197840.exe

Filesize
221KB

MD5
5f36adcdf0f5a9544517c78f0bd5235b

SHA1
5b19edc08277afc25847f71da8fcef2bb332dda8

SHA256
fe98b794d34ed2e9f301aa98587903a080e90585b1947ddf974b57953d95eed7

SHA512
fb21079c6fdbc54e8d0aa748e256d61ed28fe5fcc2c697cfb6ce9659da818f0a677121f19d1a1718befb92285161255bcf15eb9185011040f7ddb4d43e6f7e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\windows_encryptor_180870197840.exe

Filesize
16KB

MD5
ea338830604dc497c7d697355ddcf8a4

SHA1
f8471554cb809517f1ec36d316aa4bc989b9056f

SHA256
f4a3e6be39316ce04b237edd4a6b527e83daa13d6649aa371264ad2be7aa9905

SHA512
2a72cd45dd54dc724491ba6fadd725e840442210e1dcf2be28143fa52b18f44e537ee0ff3d30648e1b1e1c26711ad38a43fbd103427053f58bbd6571bdaeb46c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\eypn1lcs.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite

Filesize
48KB

MD5
339a3516df5297d0f0dc71e358588116

SHA1
0ddc805cda48e31ad66e686f0ed86607bb13fbfb

SHA256
06004fdcb8e93536eaec17ac6dd433410ce066bff73666c753d634276a5e0fc7

SHA512
9af316c3f5214a6f0fe0f18acf6da9566729cb8095f65419aa9e69461133008741f5bde55c09735baee66ac4c19b697a8155ff6013514d54fd5d7809e822c5f9

Download Submit
C:\vcredist2010_x86.log.html

Filesize
81KB

MD5
cea50b26829c3403e4923414fe412e72

SHA1
4a9bc4bd694d5bd000c51f7b07ab6f81d63d9254

SHA256
60b3a9fcfee9e951796fb0b7ac7ad6205266029eff59fc9a1035b50df7b10f0d

SHA512
f95fdccb35b0da29bbacb77045c5c4b931c448c1e1e1182aa0fec7fd0066548102b64cf676d11814768d3d60ae5fd2a230f9409b5ef7d3e54a15b6034d2671b0

Download Submit
memory/1000-1370-0x00007FFA2D750000-0x00007FFA2D8B5000-memory.dmp

Filesize
1.4MB

Download
memory/1000-37-0x00007FFA40C20000-0x00007FFA40C30000-memory.dmp

Filesize
64KB

Download
memory/1000-39-0x00007FFA2D630000-0x00007FFA2D749000-memory.dmp

Filesize
1.1MB

Download
memory/1000-38-0x00007FFA3CDA0000-0x00007FFA3CE07000-memory.dmp

Filesize
412KB

Download
memory/1000-35-0x00007FFA3CED0000-0x00007FFA3CF2A000-memory.dmp

Filesize
360KB

Download
memory/1000-33-0x00007FF71E120000-0x00007FF71E16F000-memory.dmp

Filesize
316KB

Download
memory/1000-34-0x00007FFA2D750000-0x00007FFA2D8B5000-memory.dmp

Filesize
1.4MB

Download
memory/1000-36-0x00007FFA3D2B0000-0x00007FFA3D2D9000-memory.dmp

Filesize
164KB

Download
memory/1000-871-0x00007FFA2D750000-0x00007FFA2D8B5000-memory.dmp

Filesize
1.4MB

Download
memory/1000-873-0x00007FFA3D2B0000-0x00007FFA3D2D9000-memory.dmp

Filesize
164KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads