chaos | 90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67

Analysis

max time kernel
109s
max time network
112s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12-03-2024 10:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe
Size

957KB
MD5

0ba90c8d8c655ee822f19820c7641b6c
SHA1

94b09919d77c1760a003bcd3eee8745f79b5cd25
SHA256

90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67
SHA512

8c591016ea0edd78b00ad8cfcf6856e2f2902cbfd7208a3ca2367c0bcfbfdb89a473264d75f742706506e38e3edb0d42bfc627eb16191fe064464ce379c955f4
SSDEEP

24576:Y5pOT/MvD8Un1s2nZkFXfRMwpb645ADkMU:nFYnepM4br5hM

Score

10^/10

chaos revengerat evasion persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\OPEN_ME.txt

Ransom Note

----------National Office of Security Enforcement [N.O.O.S.E] Report---------- *Introduction: National Office of Security Enforcement [N.O.O.S.E] You were infected by a ransomware made by N.O.O.S.E No need to Google us, we only exist when we want to. *What happened? You are infected with the NOOSE ransomware. This version does have an antidot. Your unique ID is: NOOSEVariant2ID3754865400 *I want my data back: To get your data back, you need our decryption software. Which only N.O.O.S.E have. Our software is worth 1540 USD. *About the decryption software: To decrypt your files and data you'll need a private key. Without it, you can't have anything back. Our software uses your safely stored private key to decrypt your precious data. No other softwares can decrypt your data without the private key. *Payment currency: We only accept Monero XMR as a payment method. *Payment information: Price: 9.7 XMR Monero address: 476cVjnoiK2Ghv1JfFiSBchuKwfFrU9aD4uDCAYe4Sab13hy5cYTKSd7CuF4LZJ76ZcDDt1WZZvpdZDuzbgPBPVs3yBBJ32 *After the payment: -Send us a mail to malignant@tuta.io in the correct following format: -Subject: [Your country name] Device/user name (Example: [USA] John Doe) -My unique ID: [Your unique ID]. -Transaction ID: [Transaction ID] and an attached screenshot of the payment. *Verification and confirmation: Once we verify and confirm your payment, we recognize your device and send you the decryption software. *Important notes: -We might give you a discount if you contact us within 24 hours. -Due to our busy emails, we may take up to 24 hours to respond. -All of our clients got their data back after the payment. -Failure to write in the correct form will get your mail ignored. -Any attempt to fake a transaction ID or screenshot will lead to a permanent loss of data.

Emails

malignant@tuta.io

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3032-433-0x0000000000B70000-0x0000000000BBC000-memory.dmp	family_chaos
behavioral1/memory/2712-432-0x0000000000F30000-0x0000000000F82000-memory.dmp	family_chaos
C:\Users\Admin\AppData\Roaming\svchost.exe	family_chaos
behavioral1/memory/2016-440-0x0000000000A10000-0x0000000000A62000-memory.dmp	family_chaos

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Detects command variations typically used by ransomware 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3032-433-0x0000000000B70000-0x0000000000BBC000-memory.dmp	INDICATOR_SUSPICIOUS_GENRansomware
behavioral1/memory/2712-432-0x0000000000F30000-0x0000000000F82000-memory.dmp	INDICATOR_SUSPICIOUS_GENRansomware
C:\Users\Admin\AppData\Roaming\svchost.exe	INDICATOR_SUSPICIOUS_GENRansomware
behavioral1/memory/2016-440-0x0000000000A10000-0x0000000000A62000-memory.dmp	INDICATOR_SUSPICIOUS_GENRansomware

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

700 bcdedit.exe
2196 bcdedit.exe

pid	process
700	bcdedit.exe
2196	bcdedit.exe

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
C:\Windows\SysWOW64\Win32NT.exe	revengerat

Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

2612 wbadmin.exe

pid	process
2612	wbadmin.exe

Drops startup file 12 IoCs

Processes:

InstallUtil.exevbc.exesvchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	InstallUtil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Script.vbs.vbs	InstallUtil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\java.js.js	InstallUtil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Win32NT.ink.lnk	InstallUtil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Win32NT.exe	vbc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Win32NT.ink.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	InstallUtil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OPEN_ME.txt	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\java.js.js	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Script.vbs.vbs	svchost.exe

Executes dropped EXE 5 IoCs

Processes:

Win32NT.exe47936297.exe8262284.exesvchost.exeWin32NT.exe

pid process

812 Win32NT.exe
2712 47936297.exe
3032 8262284.exe
2016 svchost.exe
2768 Win32NT.exe
Loads dropped DLL 5 IoCs

Processes:

InstallUtil.exeInstallUtil.exe

pid process

2596 InstallUtil.exe
1768 InstallUtil.exe
1768 InstallUtil.exe
1768 InstallUtil.exe
1768 InstallUtil.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
812	Win32NT.exe
2712	47936297.exe
3032	8262284.exe
2016	svchost.exe
2768	Win32NT.exe

pid	process
2596	InstallUtil.exe
1768	InstallUtil.exe
1768	InstallUtil.exe
1768	InstallUtil.exe
1768	InstallUtil.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

InstallUtil.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Win32NT = "C:\\Windows\\SysWOW64\\Win32NT.exe"	InstallUtil.exe

Drops desktop.ini file(s) 34 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Users\Public\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	svchost.exe
File opened for modification	F:\FinalCancer\$RECYCLE.BIN\S-1-5-21-1658372521-4246568289-2509113762-1000\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	svchost.exe

Drops file in System32 directory 2 IoCs

Processes:

InstallUtil.exeInstallUtil.exe

description ioc process

File created C:\Windows\SysWOW64\Win32NT.exe InstallUtil.exe
File created C:\Windows\SysWOW64\Win32NT.exe InstallUtil.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Win32NT.exe	InstallUtil.exe
File created	C:\Windows\SysWOW64\Win32NT.exe	InstallUtil.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\n2053o5f2.jpg"	svchost.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exeInstallUtil.exeWin32NT.exeInstallUtil.exeWin32NT.exeInstallUtil.exe

description	pid	process	target process
PID 2376 set thread context of 2596	2376	90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe	InstallUtil.exe
PID 2596 set thread context of 2776	2596	InstallUtil.exe	InstallUtil.exe
PID 812 set thread context of 1768	812	Win32NT.exe	InstallUtil.exe
PID 1768 set thread context of 1656	1768	InstallUtil.exe	InstallUtil.exe
PID 2768 set thread context of 2840	2768	Win32NT.exe	InstallUtil.exe
PID 2840 set thread context of 2764	2840	InstallUtil.exe	InstallUtil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1588 schtasks.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1640 vssadmin.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1136 NOTEPAD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

svchost.exe

pid process

2016 svchost.exe

pid	process
1588	schtasks.exe

pid	process
1640	vssadmin.exe

pid	process
1136	NOTEPAD.EXE

pid	process
2016	svchost.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

47936297.exe8262284.exesvchost.exe

pid	process
2712	47936297.exe
3032	8262284.exe
2712	47936297.exe
2712	47936297.exe
3032	8262284.exe
3032	8262284.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe

Suspicious use of AdjustPrivilegeToken 57 IoCs

Processes:

90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exeInstallUtil.exeWin32NT.exeInstallUtil.exe47936297.exe8262284.exesvchost.exevssvc.exeWMIC.exewbengine.exeWin32NT.exeInstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	2376	90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe
Token: SeDebugPrivilege	2596	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	2596	InstallUtil.exe
Token: SeDebugPrivilege	812	Win32NT.exe
Token: SeDebugPrivilege	1768	InstallUtil.exe
Token: SeIncBasePriorityPrivilege	1768	InstallUtil.exe
Token: SeDebugPrivilege	2712	47936297.exe
Token: SeDebugPrivilege	3032	8262284.exe
Token: SeDebugPrivilege	2016	svchost.exe
Token: SeBackupPrivilege	2716	vssvc.exe
Token: SeRestorePrivilege	2716	vssvc.exe
Token: SeAuditPrivilege	2716	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1572	WMIC.exe
Token: SeSecurityPrivilege	1572	WMIC.exe
Token: SeTakeOwnershipPrivilege	1572	WMIC.exe
Token: SeLoadDriverPrivilege	1572	WMIC.exe
Token: SeSystemProfilePrivilege	1572	WMIC.exe
Token: SeSystemtimePrivilege	1572	WMIC.exe
Token: SeProfSingleProcessPrivilege	1572	WMIC.exe
Token: SeIncBasePriorityPrivilege	1572	WMIC.exe
Token: SeCreatePagefilePrivilege	1572	WMIC.exe
Token: SeBackupPrivilege	1572	WMIC.exe
Token: SeRestorePrivilege	1572	WMIC.exe
Token: SeShutdownPrivilege	1572	WMIC.exe
Token: SeDebugPrivilege	1572	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1572	WMIC.exe
Token: SeRemoteShutdownPrivilege	1572	WMIC.exe
Token: SeUndockPrivilege	1572	WMIC.exe
Token: SeManageVolumePrivilege	1572	WMIC.exe
Token: 33	1572	WMIC.exe
Token: 34	1572	WMIC.exe
Token: 35	1572	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1572	WMIC.exe
Token: SeSecurityPrivilege	1572	WMIC.exe
Token: SeTakeOwnershipPrivilege	1572	WMIC.exe
Token: SeLoadDriverPrivilege	1572	WMIC.exe
Token: SeSystemProfilePrivilege	1572	WMIC.exe
Token: SeSystemtimePrivilege	1572	WMIC.exe
Token: SeProfSingleProcessPrivilege	1572	WMIC.exe
Token: SeIncBasePriorityPrivilege	1572	WMIC.exe
Token: SeCreatePagefilePrivilege	1572	WMIC.exe
Token: SeBackupPrivilege	1572	WMIC.exe
Token: SeRestorePrivilege	1572	WMIC.exe
Token: SeShutdownPrivilege	1572	WMIC.exe
Token: SeDebugPrivilege	1572	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1572	WMIC.exe
Token: SeRemoteShutdownPrivilege	1572	WMIC.exe
Token: SeUndockPrivilege	1572	WMIC.exe
Token: SeManageVolumePrivilege	1572	WMIC.exe
Token: 33	1572	WMIC.exe
Token: 34	1572	WMIC.exe
Token: 35	1572	WMIC.exe
Token: SeBackupPrivilege	2076	wbengine.exe
Token: SeRestorePrivilege	2076	wbengine.exe
Token: SeSecurityPrivilege	2076	wbengine.exe
Token: SeDebugPrivilege	2768	Win32NT.exe
Token: SeDebugPrivilege	2840	InstallUtil.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exeInstallUtil.exevbc.exevbc.exevbc.exevbc.exevbc.exe

description	pid	process	target process
PID 2376 wrote to memory of 2596	2376	90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe	InstallUtil.exe
PID 2376 wrote to memory of 2596	2376	90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe	InstallUtil.exe
PID 2376 wrote to memory of 2596	2376	90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe	InstallUtil.exe
PID 2376 wrote to memory of 2596	2376	90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe	InstallUtil.exe
PID 2376 wrote to memory of 2596	2376	90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe	InstallUtil.exe
PID 2376 wrote to memory of 2596	2376	90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe	InstallUtil.exe
PID 2376 wrote to memory of 2596	2376	90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe	InstallUtil.exe
PID 2376 wrote to memory of 2596	2376	90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe	InstallUtil.exe
PID 2376 wrote to memory of 2596	2376	90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe	InstallUtil.exe
PID 2376 wrote to memory of 2596	2376	90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe	InstallUtil.exe
PID 2376 wrote to memory of 2596	2376	90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe	InstallUtil.exe
PID 2376 wrote to memory of 2596	2376	90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe	InstallUtil.exe
PID 2376 wrote to memory of 2596	2376	90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe	InstallUtil.exe
PID 2596 wrote to memory of 2776	2596	InstallUtil.exe	InstallUtil.exe
PID 2596 wrote to memory of 2776	2596	InstallUtil.exe	InstallUtil.exe
PID 2596 wrote to memory of 2776	2596	InstallUtil.exe	InstallUtil.exe
PID 2596 wrote to memory of 2776	2596	InstallUtil.exe	InstallUtil.exe
PID 2596 wrote to memory of 2776	2596	InstallUtil.exe	InstallUtil.exe
PID 2596 wrote to memory of 2776	2596	InstallUtil.exe	InstallUtil.exe
PID 2596 wrote to memory of 2776	2596	InstallUtil.exe	InstallUtil.exe
PID 2596 wrote to memory of 2776	2596	InstallUtil.exe	InstallUtil.exe
PID 2596 wrote to memory of 2776	2596	InstallUtil.exe	InstallUtil.exe
PID 2596 wrote to memory of 2776	2596	InstallUtil.exe	InstallUtil.exe
PID 2596 wrote to memory of 2776	2596	InstallUtil.exe	InstallUtil.exe
PID 2596 wrote to memory of 2776	2596	InstallUtil.exe	InstallUtil.exe
PID 2596 wrote to memory of 328	2596	InstallUtil.exe	vbc.exe
PID 2596 wrote to memory of 328	2596	InstallUtil.exe	vbc.exe
PID 2596 wrote to memory of 328	2596	InstallUtil.exe	vbc.exe
PID 2596 wrote to memory of 328	2596	InstallUtil.exe	vbc.exe
PID 328 wrote to memory of 2476	328	vbc.exe	cvtres.exe
PID 328 wrote to memory of 2476	328	vbc.exe	cvtres.exe
PID 328 wrote to memory of 2476	328	vbc.exe	cvtres.exe
PID 328 wrote to memory of 2476	328	vbc.exe	cvtres.exe
PID 2596 wrote to memory of 2728	2596	InstallUtil.exe	vbc.exe
PID 2596 wrote to memory of 2728	2596	InstallUtil.exe	vbc.exe
PID 2596 wrote to memory of 2728	2596	InstallUtil.exe	vbc.exe
PID 2596 wrote to memory of 2728	2596	InstallUtil.exe	vbc.exe
PID 2728 wrote to memory of 1644	2728	vbc.exe	cvtres.exe
PID 2728 wrote to memory of 1644	2728	vbc.exe	cvtres.exe
PID 2728 wrote to memory of 1644	2728	vbc.exe	cvtres.exe
PID 2728 wrote to memory of 1644	2728	vbc.exe	cvtres.exe
PID 2596 wrote to memory of 2136	2596	InstallUtil.exe	vbc.exe
PID 2596 wrote to memory of 2136	2596	InstallUtil.exe	vbc.exe
PID 2596 wrote to memory of 2136	2596	InstallUtil.exe	vbc.exe
PID 2596 wrote to memory of 2136	2596	InstallUtil.exe	vbc.exe
PID 2136 wrote to memory of 2328	2136	vbc.exe	cvtres.exe
PID 2136 wrote to memory of 2328	2136	vbc.exe	cvtres.exe
PID 2136 wrote to memory of 2328	2136	vbc.exe	cvtres.exe
PID 2136 wrote to memory of 2328	2136	vbc.exe	cvtres.exe
PID 2596 wrote to memory of 784	2596	InstallUtil.exe	vbc.exe
PID 2596 wrote to memory of 784	2596	InstallUtil.exe	vbc.exe
PID 2596 wrote to memory of 784	2596	InstallUtil.exe	vbc.exe
PID 2596 wrote to memory of 784	2596	InstallUtil.exe	vbc.exe
PID 784 wrote to memory of 1440	784	vbc.exe	cvtres.exe
PID 784 wrote to memory of 1440	784	vbc.exe	cvtres.exe
PID 784 wrote to memory of 1440	784	vbc.exe	cvtres.exe
PID 784 wrote to memory of 1440	784	vbc.exe	cvtres.exe
PID 2596 wrote to memory of 700	2596	InstallUtil.exe	vbc.exe
PID 2596 wrote to memory of 700	2596	InstallUtil.exe	vbc.exe
PID 2596 wrote to memory of 700	2596	InstallUtil.exe	vbc.exe
PID 2596 wrote to memory of 700	2596	InstallUtil.exe	vbc.exe
PID 700 wrote to memory of 836	700	vbc.exe	cvtres.exe
PID 700 wrote to memory of 836	700	vbc.exe	cvtres.exe
PID 700 wrote to memory of 836	700	vbc.exe	cvtres.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe
"C:\Users\Admin\AppData\Local\Temp\90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
PID:2776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cgpqm50v\cgpqm50v.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBE02.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEF7273931F71463B84070DDAEAACAFB.TMP"
4⤵
PID:2476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1u2foiob\1u2foiob.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBF49.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE12C61B1AFAB4F78A317C51D4C7046A1.TMP"
4⤵
PID:1644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1vakq5fu\1vakq5fu.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:2136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC043.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFD284C408BF443BFBDB5D5592F8ABB42.TMP"
4⤵
PID:2328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sfhyxags\sfhyxags.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC14C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc20D610C2C143496981121C1F84A51BB7.TMP"
4⤵
PID:1440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\di3vtgdb\di3vtgdb.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC294.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD6A39A5738DA45DB9A777C76DE6FDE12.TMP"
4⤵
PID:836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zub2r50e\zub2r50e.cmdline"
3⤵
PID:3020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC33F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3AF549D4E9C646A5B5861EECEE2A2A9F.TMP"
4⤵
PID:2292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gw03hshl\gw03hshl.cmdline"
3⤵
PID:2988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC3FB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc539D3778783443D49B81BC5837BEBF24.TMP"
4⤵
PID:2600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vlzauywb\vlzauywb.cmdline"
3⤵
PID:900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC4F4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc94799B8B3EBF47918E3DD89376B05415.TMP"
4⤵
PID:1328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ufuwoti0\ufuwoti0.cmdline"
3⤵
PID:1540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC5EE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5BA791617E164CAEABDFC79308BE68E.TMP"
4⤵
PID:1084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0xqy4xro\0xqy4xro.cmdline"
3⤵
PID:1076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC6E7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc98CE14622724A3AB5A39D206CE47574.TMP"
4⤵
PID:744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sikxynlf\sikxynlf.cmdline"
3⤵
PID:2132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC7C2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE3230C85161F4F328DFED4A13CEF16AD.TMP"
4⤵
PID:2840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5hshyg0b\5hshyg0b.cmdline"
3⤵
PID:2092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC86D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc42C7128A0DA46848D442A193994DE16.TMP"
4⤵
PID:1744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\v42nqlik\v42nqlik.cmdline"
3⤵
PID:1592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC977.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5CC50286F7EB479EB5C3DEDB5073E7C.TMP"
4⤵
PID:2620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ha21cjqi\ha21cjqi.cmdline"
3⤵
PID:2544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCAFD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc96385818C9814D9484E7592A6089D4BD.TMP"
4⤵
PID:752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zeqamb51\zeqamb51.cmdline"
3⤵
PID:2648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCBB8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc69BA00A314F24024A9AA76A1196A1778.TMP"
4⤵
PID:2844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\iw0psqin\iw0psqin.cmdline"
3⤵
PID:2532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCCD1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc558969E8846348FCBD975CEC2DC8ACF.TMP"
4⤵
PID:2128

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0h0ev42w\0h0ev42w.cmdline"
3⤵
PID:1560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCE09.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE39046E427F4FA7A2B83BFC6E3B4AF.TMP"
4⤵
PID:2900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\za44iqqg\za44iqqg.cmdline"
3⤵
PID:2392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF02.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC61CF0ABC0764367BB3EACC11A5AC86.TMP"
4⤵
PID:2656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4e2ecfbu\4e2ecfbu.cmdline"
3⤵
PID:1616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCFCD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5C299466E8B7407D9067EAC2A23F9063.TMP"
4⤵
PID:1012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bvcrzre4\bvcrzre4.cmdline"
3⤵
PID:1912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD079.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc60C60AB336794AF2B415DDFD8BA071C0.TMP"
4⤵
PID:1924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\khbnc0w2\khbnc0w2.cmdline"
3⤵
PID:1980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD143.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE2E26A6987384882B815E3C40EAC05F.TMP"
4⤵
PID:2368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\igsq42zm\igsq42zm.cmdline"
3⤵
PID:564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD1FF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9284E49C6859453C9EA592F761A523D8.TMP"
4⤵
PID:1440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\m0oho2wd\m0oho2wd.cmdline"
3⤵
PID:1636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD2F8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFD85F802935346718BC7475C11AA5E4C.TMP"
4⤵
PID:1428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nnsod43n\nnsod43n.cmdline"
3⤵
PID:2832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD3F2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7B54199B5538484EBB88ABA2CE149C.TMP"
4⤵
PID:1700

C:\Windows\SysWOW64\Win32NT.exe
"C:\Windows\system32\Win32NT.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
4⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
5⤵
PID:1656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tbcgszz5\tbcgszz5.cmdline"
5⤵
- Drops startup file
PID:2200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES901F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9BDC82E22E45406ABEF7C1E319C7DDEE.TMP"
6⤵
PID:2816

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "explorer" /tr "C:\Windows\SysWOW64\Win32NT.exe"
5⤵
- Creates scheduled task(s)
PID:1588

C:\Users\Admin\AppData\Local\Temp\47936297.exe
"C:\Users\Admin\AppData\Local\Temp\47936297.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2712

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
6⤵
- Drops startup file
- Executes dropped EXE
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
7⤵
PID:748

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
8⤵
- Interacts with shadow copies
PID:1640

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
7⤵
PID:1364

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
8⤵
- Modifies boot configuration data using bcdedit
PID:700

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
8⤵
- Modifies boot configuration data using bcdedit
PID:2196

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
7⤵
PID:1332

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
8⤵
- Deletes backup catalog
PID:2612

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\OPEN_ME.txt
7⤵
- Opens file in notepad (likely ransom note)
PID:1136

C:\Users\Admin\AppData\Local\Temp\8262284.exe
"C:\Users\Admin\AppData\Local\Temp\8262284.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3032 -s 568
6⤵
PID:1528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0cmexbbi\0cmexbbi.cmdline"
5⤵
PID:744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCA32.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7B57E6E81504916917E27C2A782C2C2.TMP"
6⤵
PID:1076

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2716

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2076

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1904

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:2156

C:\Windows\system32\taskeng.exe
taskeng.exe {BE2CB3CE-AB13-4C25-BA7A-7EE2FAA90408} S-1-5-21-1658372521-4246568289-2509113762-1000:PIRBKNPS\Admin:Interactive:[1]
1⤵
PID:1524

C:\Windows\SysWOW64\Win32NT.exe
C:\Windows\SysWOW64\Win32NT.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
4⤵
PID:2764

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scripting

T1064

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Scripting

T1064

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\FinalCancer\vcredist2010_x64.log-MSI_vc_red.msi.ico
Filesize
4KB

MD5
c398ae0c9782f218c0068cd155cb676c

SHA1
7c5bb00a34d55518a401cd3c60c8821ed58eb433

SHA256
9806476e9e8d001a2c6e1f0ceef24ec928e8d207c67888485df831e69deec2d3

SHA512
85f2b00101e4b3406f1e79033114b5ef4b9c3f6e9a0153da9cd5dff438f73ac90a29df05900061d0467c367e7aaa64a59b966d69530004e3a0517beb8cacbbb8

Download Submit
C:\ProgramData\FinalCancer\vcredist2010_x64.log.ico
Filesize
4KB

MD5
cef770e695edef796b197ce9b5842167

SHA1
b0ef9613270fe46cd789134c332b622e1fbf505b

SHA256
a14f7534dcd9eac876831c5c1416cee3ab0f9027cf20185c1c9965df91dea063

SHA512
95c7392ffcf91eaa02c41c70a577f9f66aff4e6a83e4d0c80dbd3a2725f89f90de7ab6484497bf6e0a0802fd8ced042647b67c5ea4bee09e1b2be30b0db1f12f

Download Submit
C:\Users\Admin\AppData\Local\Temp\0xqy4xro\0xqy4xro.0.vb
Filesize
381B

MD5
e12c96de46debdd20e91958031bfcc54

SHA1
be562249eb536b4f772b719a798d136b39bc07d7

SHA256
d4c706d54244d4a4525f728baeba2f0c43a3a1d4971f99a291fe2d16f9348bef

SHA512
f5441352ba29b8f00a86d9f67c7eef9425d09a67fb4c2e88173c4012bfe16401ed942a182c5f8e4bd87551430764f661acabbed032ff219e5e5c3b09ff136353

Download Submit
C:\Users\Admin\AppData\Local\Temp\0xqy4xro\0xqy4xro.cmdline
Filesize
284B

MD5
7d8b00448eea9c89b90ff7309c82ed6c

SHA1
ba256d075948ec1c2024211f39394f6e5a6e02af

SHA256
70fda0ec4c3e15d531040eda1ea2b018aa29ffc27a7de90a78e93bb0c47fd1b1

SHA512
47d82c6a4741a2c30ed1c0abd494a65075c8e485c2314012351ca67fd346b2967330968df5b8d9d44f19d575a57d626d68d39b2fe287945b37b3736a167f73e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1u2foiob\1u2foiob.0.vb
Filesize
358B

MD5
947bbeb4c36d980bb08d825efea9e864

SHA1
c0851e8f24dabfcc47b43cbe42a94902f5c91ef2

SHA256
23f3eb806036137b81e92672f88d3e011038301285a60a128bae6bf29e5a035a

SHA512
2589f015c969ab95d87e49da85128b93e1e0197f40be26becd534468c86b53b82e56f43d742276d3bd22393f37c0f5739d6c4552b027b5b02e5adf1877960ab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1u2foiob\1u2foiob.cmdline
Filesize
237B

MD5
4b96f7b2524902d3d9649b95d37da7f0

SHA1
676c6a0d56369714021b8c7ef585eb5f346c2f82

SHA256
2b0fc4d7d119298f99d00e2181e93e686e2644e7f940cfa852c846496c039428

SHA512
2b0f3f449b444afa8ee3089ce896e3d7799f2705fd87e5910d33b326b9bac0f3c99d461472c66cfc32b93763289b968e28c6e31fb152eb81ca0293b8fe503f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\1vakq5fu\1vakq5fu.0.vb
Filesize
372B

MD5
4f16bc8195bf8faffcb7143004f6b98d

SHA1
d8108fdb15755c22cd5df165a137b5d2af5bc938

SHA256
8d22deda1240345582850f7211306b82fbe8cc9f8a84f9fe3ca5ce3ac03be844

SHA512
be5a0f8b45170edcf250c5c822f63697da5e378fff6bbf52fbd65beb17a0683b2de1dc353eeacace0cac0ddeb389528ec34eabedb66df38a34d707d2640bdd28

Download Submit
C:\Users\Admin\AppData\Local\Temp\1vakq5fu\1vakq5fu.cmdline
Filesize
266B

MD5
405a9eb6b44a1a73551889778a9d1c82

SHA1
96db723666c2c423eb032634c8576f48d63b7e22

SHA256
7919868fbe826354b9f7cbd25f0f08730df144e36e65a9648c6e533b08582720

SHA512
7f4fd1d2bfd067a94c610d56b1fa4d3f823ccc6637de6d02f0a55722a98710b84a0cc7a1e7f748f946d554c312104776d7bf467c805d0734e731a8828d0e7f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\5hshyg0b\5hshyg0b.0.vb
Filesize
381B

MD5
56353dbafcab3482384f52e9926aeff9

SHA1
409782553e47a46675e2d300708fa6f45e0fd974

SHA256
397c249dc9c6d1b4c435de8dd2d20b3bdae6f83e57c6812c63df8437a24ea8ec

SHA512
49c5188d9e45fb8ceb32ab24f5217ed5d16f037ce798d9d5b759b63dc4d4227cfb50408d77cd2c545cc5c67c7cb7d8c87634678d65e1e295207da063ed9c5e5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\5hshyg0b\5hshyg0b.cmdline
Filesize
284B

MD5
e79abd0b0d27124543c7fa9cba43a2cc

SHA1
21732d8c8da3d64e6fa2fb250433ed5578aea18e

SHA256
0fbba3c2aefc249e2420f3b439ea0e1b529a94d1f77df6649e5e1802ca16fbfc

SHA512
8393fec197d2efdbcf8a3b364ba5d159d8735c31603a2974c9c3c914bd0e762cefb5953f222d77a93b75618ab67be6e8d00846b8e6a5b5c2f9897caced2d3b0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\NRHXJvb.txt
Filesize
102B

MD5
ba2dccdfaaf1ef0773a1d2b9d3a80769

SHA1
09dbd1de347a7e2e1db96e0d0c020fbd8d58bdf4

SHA256
4d5510830365819abf6aa5c51dfdac67d0ccf0a9d1d6ad6c717337be1a28a9fa

SHA512
dae5d60809973a5f8aca4b9579c8ee0953cff6dc8e4d0b08ff15e1dea877b6edbf46b6a8ae0c30684d1f37dade30a2cb1ab2aa52fd7e35d679a2ef1ca18cde63

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBE02.tmp
Filesize
6KB

MD5
9888fa40b293e303f35fe40433eb9f24

SHA1
372f7de1ca52883bf5b2f5ae27a2bd75b73041a5

SHA256
3b8a90045e0057e508425b01b3130f997ba7bf8239d1075283fbfcb5cd70fcb3

SHA512
c1ed9209a161cabc09285725bec4a551771e69e533b9a364adfcc772f9b90de3c3e01c136b9ef1d5b98dada2534d7d46eb60cb57a3bf0b72e087e3f12b21d499

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBF49.tmp
Filesize
6KB

MD5
43a3a7fea1397f71a2e35960b724fbda

SHA1
7146f860921a475e3b2ca330a74655287c11ed56

SHA256
3b87cf3dd5f6e1c33265d864a71f6a7bb25b7f161669a8cc7f276e43a3d974ce

SHA512
64dd1dcd4c98ecea01699deaaa1910b245d6782c701a1823437b7514ae82cc67f16cbc6ce62fb23ba33dc2e3d97e95ae9da71057f3465b9637c609d19299dca6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC043.tmp
Filesize
6KB

MD5
9978c02da3d18c73b715c35bfd5bebc1

SHA1
2dedabb6f13c7cffcd548696d5b234f4c89ebcea

SHA256
d70c386310ebb76a9fd39b84ab0cc87cbe9742fc47137103122f41087ba6f61e

SHA512
0a8f7edfb9908cf0c73330e8b23e54a72a5c3639696f3f2c07929de04a8b28ba2720c0f883a4553a9e7fe061c3a31ca143172d4ce20438f0b3ea96bc13d9a97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC14C.tmp
Filesize
6KB

MD5
13019e72b73d5fff8cf65b9bd8a5deb7

SHA1
652f2cd278482dce79f957b0204391f50764e819

SHA256
cd5fbe71fd9bc2285f48aaaa604f84dec366ac4615c236bbd5e3678ccf07e9b8

SHA512
077dbd46531e5ea5d721e03fdc889d59b1f6f21ed9a5d7bd0f1cfa1cdfa969d0aa893528645d16171db3ca2de8a97d039c0fd27d4b7388880694061439b37df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC294.tmp
Filesize
6KB

MD5
7e76d76df2c4f764afe748eae5bb1644

SHA1
a8b68b239ce93f797cbb58575cef2244eba4aad9

SHA256
3221115e16f3822031ab332573aa22342acf4949ea971d787da3a5cf20d55924

SHA512
bbab3ec48650c77afac699b02c2472a9f2dfcbf9fc72d73e13c15ae503cb6240d2a38b4b4890f271b197dbc86ba06c8c2f2dc75a3b26ab650ac47f9a567ac6ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC33F.tmp
Filesize
6KB

MD5
19ebdafbb28a4d22db5ed9febaee0937

SHA1
b4646f000077e780ae5e20ba47607917196cf52d

SHA256
ca3b0ac116541e6840ce72961eab556cd6fba43c7576f81144ed9a279f1c78a5

SHA512
54ea6e19ba8a82f30c8be6b59ac7560ddfc79addc0465ca610b7c0bd5a8068cf57ddd2766cbe88c50b1b992b11765f3d1e1003ab0f6c74b0651373a7f114c5fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC3FB.tmp
Filesize
6KB

MD5
db4c01e7a0a4e4a923030a15925508ce

SHA1
4b9e7b8f92f2c666bae093ce26249c6b84566081

SHA256
cceeeabd76f07aff8eb33f03bf5c1ef49a2ea2933edca9bd3797bac84932dc98

SHA512
b3d7f67a8bb195cb6f996239f597fbd8afc49042c646970498f8dbe1c3fc197cd7d19fb19c11d41396128e02e941f9cc39a836350875ad552185e37866b71eba

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC4F4.tmp
Filesize
6KB

MD5
7cc4811895c57063431a7d859c6af3bc

SHA1
42b2341a595feee42c97e3910fb66f5da3026429

SHA256
fde824a62ab3222176ea997e04c65b6f8d643d56cbed6c5a9f7dfe3156ca88ae

SHA512
771d25d11ec61da7884859113933aed5ac1e68913e36fc85b964abe6022b720cf5f6d38483907d272a6e8dada8c56d144064274482f2d559ab3f0943b912d693

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC5EE.tmp
Filesize
6KB

MD5
f36a4449e69571191420f24c62531264

SHA1
eb9f5937397e0190871cfa542e580782dc18b7de

SHA256
6cf8601657022c45fd50306ae386f2c0dc2563d9bb3b1bf56d82a9e953735d5f

SHA512
2152ae80bfaf07d84654eece9d20731f26e83a517cba505a4678a341ee74ab07cf851d50601bb3c150712dfe300bae9a5e73d7019c9623763ea7d2e9cfe8c2ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC6E7.tmp
Filesize
6KB

MD5
1af9d6f40fe3b1c76e5403d275429e4e

SHA1
a28bcbab280b4f2baeeb4902234eb66ebb1f42b7

SHA256
07b1ae198ebc53918d6bd4331122cc69e06c36d2a4d16c4ee2d492f808f928f0

SHA512
b173d63c040b40db610ce195e825fafa935ab35e9a560dd971f240edeb73e201e7fa46349857cd7d552323fb4283374a18290cc0173584d7796dfe15b96b400f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC7C2.tmp
Filesize
6KB

MD5
cbd1d6378d49da385ec9db1119028fe1

SHA1
d084cb07ceab3c84a46882561566f52219b38384

SHA256
2a0d13e455c92c6f8e37a372ce868060c74efeac8e261fbab18c998d84df96c4

SHA512
583be751e9fa5b49d8faec0fabef512715df52fd0df7e0d56f24f610a8b67b0f04fc861270be0ab1caa6b8cd85642126c144c0e1b89a2f8c5630849d59684dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC86D.tmp
Filesize
6KB

MD5
d6ee6960585535550bf9ed9fd0db43e1

SHA1
c863b428f7f422953fd136a9591c058f8d1f979f

SHA256
fe1d566b107df8a10c73862a6cb3339326337ec85cc48f0587ad801fadb125a0

SHA512
f9b0119446551847b4377b28b3ede5cf867a37685e1c72f20bafa1f1dbcfde5351cace7793d4f455be16eb23b03212f35a68ed25422625d09d673b4eba94cdea

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgpqm50v\cgpqm50v.0.vb
Filesize
372B

MD5
3dfc1912d533d8a58c7519120f72503c

SHA1
64a80c0efedd49a66e20d662069666a7816fd626

SHA256
7c50bd6ab1f3c9fae4acf6caa9a9de944dae58f8c12e99770f8caafb265a1494

SHA512
91122647b4d7ed5137c63a9ce9a870918c675d90df27d47b9b06d6932432fc17c7eed0cd8d1e50638e8be811cbc2f83f5e3a01dac5e16c2644e86ceedc4c4f5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgpqm50v\cgpqm50v.cmdline
Filesize
266B

MD5
e3f33efe55bba4198b37be84982cac60

SHA1
a199283bfb8e66d5c7a562f25fb682f77f5af979

SHA256
2e329ca20b06e29a52d27c81c674f4e9a4d2a4e3f2f9db6e8203211b48ea6e77

SHA512
5949b2d71ac457934ce75af792cd173fa19edd4849e1eacdef931f0052cc7daadc832b7d66937bf3660b8c172402514257cefc516ff6ee9bb091193d1823b188

Download Submit
C:\Users\Admin\AppData\Local\Temp\di3vtgdb\di3vtgdb.0.vb
Filesize
376B

MD5
9142a18b01ff279872841047b51af510

SHA1
5c2d3e41d89c3a9c3bdc501517eca75e0f7696f5

SHA256
5b349f3c62b28fb90ff3a3dece5af80ef2f43411b8bd69cb0b36249dbe4c0f50

SHA512
bab3f2e8cd81497cf470cbce824e15f12df96e498498fd839a44abb50b841ba1cab82f3b3f4935877bf4efae2d5daa6ea7726ba4cc5499cdc799e401d9820424

Download Submit
C:\Users\Admin\AppData\Local\Temp\di3vtgdb\di3vtgdb.cmdline
Filesize
274B

MD5
c65355afba382b7663d84ac7d14eff69

SHA1
985218dd63ed225409d18cabd27ce1382dc5c32a

SHA256
82f3f7665d418727767915369a72a1489f884b8781ebf1828c72e89e8a14ada9

SHA512
a8f150de7ce3dec5b3f3a6ece88c9126cd92c62d71025386587cd84bb9ffdc5dce14beefff23450ec0edfc79d2b0d43f4e39d474ae14d7cb2f61d5578c4b89d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gw03hshl\gw03hshl.0.vb
Filesize
376B

MD5
ec4a6c4c37c41025c6514c1ee717f9df

SHA1
396e60cefc15db8324c137c420d1b69be6cac00f

SHA256
72b07a8a7d88b81e3a65f1af9e988f4edb05944ee70ab87f14cd93b31589e9b7

SHA512
94eb5b790ede491b3250273385e81c03ef71a8f1a0249e8c2dc766c4cd3c79c35ed6dff3cabb06715f183866d7844f823140cf8c10c86caa7adb3956ff94a559

Download Submit
C:\Users\Admin\AppData\Local\Temp\gw03hshl\gw03hshl.cmdline
Filesize
274B

MD5
605da44ece2b590ee615b718e73ce02a

SHA1
1dd6e9cd5b3546925ffa8460bf66a7bea7a679c6

SHA256
ea0286e4f647be34f43d69dc3fe7f26a90ff531e39e5af01f5d3ae192a5a835c

SHA512
7bd29ffbaaa930befdc072c346370b9068d9e8c92e66b119ab285a34c3f93ba9ba63ed3ea9c584e9e4a927ba4cbd5fe9b65dd52b45031bd15a648334852889aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfhyxags\sfhyxags.0.vb
Filesize
358B

MD5
5468e283cbe84c3f87136870c07f13a4

SHA1
1625c084c011837f40a489ffc75e1d57a2886dbc

SHA256
f59f43e9ee0aec96a0d838ab5469a198a39a3c8b0c68c6538da5103953c007ca

SHA512
dc3d26f9efd6e023ed1530a912a26961b2ac16037fa71aec3ad4c16069c2ad0444dee5157552f960b2f7953708169392ce2e7af6786452dec221240449b0ef0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfhyxags\sfhyxags.cmdline
Filesize
237B

MD5
d0555df2a94157067e03eb22650239f4

SHA1
3113dfd9ee3cd49e0e7c3e60be720c6b8cea4e75

SHA256
e2cfb63227456ca42638cd0de2c16292d5130fef814d3b8777798e25f79388c2

SHA512
1c21d15c3dd0bf4f43aee015b6ffb0b84fec19c132e0e39fb05e654ee66af027af2b33d540362f4a36251136c8d5d9dbb2bedd06e0b523b59874afedabe0fd8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sikxynlf\sikxynlf.0.vb
Filesize
378B

MD5
a25ab47471edf1ddfde1ac6dfefbdf5c

SHA1
38fe981ac57cb369ec38e3f07841cc7905bf70a0

SHA256
3502f5923531697e38c623c4fd6b6f47c25d9e819f016b84273ab08ea2fd92f9

SHA512
66e7e1b930062a7778de85be4dc14d60af0502bd1ec479d28ef8105c469006f6f7d531fbf4dd92894249079b29c20249dd8ba3fe814290aa9845e02efb59747d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sikxynlf\sikxynlf.cmdline
Filesize
278B

MD5
1833e0aac58327a5223c6d078f1ebfb5

SHA1
5626db21f7f1fb778a65d07b49956973e8ec76f2

SHA256
3ce3022db7646895121735ccb2d9ffa3afc48db4dbe0d6888165a7485e2bfd39

SHA512
53506649d67c843f0882e9637ae3d68ef2834d3de53628312295d9d9db939d4c77c43aa009519266da655371a24987519f008d06edf4826ce10443b7904e35df

Download Submit
C:\Users\Admin\AppData\Local\Temp\ufuwoti0\ufuwoti0.0.vb
Filesize
378B

MD5
70af9c1b36eadb0975a3b7b6396d75aa

SHA1
ad3e32d8f6e4b45e39b25c4690914521e893db05

SHA256
65cc055af8a35f3bbe2cc55418c2fe338a35f298c3fc45a6c0421d6bf9ebfeaf

SHA512
39b764f186469afa343ba755ef2c15e4f82d928d85e787e3a910b4210cfb3fee0119127c11c7794ac5e5f818bd2feae8b462237792e458ceae39ad1f55e30f1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ufuwoti0\ufuwoti0.cmdline
Filesize
278B

MD5
5d01c3c535d0b38ca46f87929b4f6179

SHA1
892fc6eabb33bd038a91782acb2c36311c0e4a52

SHA256
753cdcaa49c442065233b8eeec7ed433bd337dc32612100a6d9bfa400fc69696

SHA512
b976922f285e82939b9ba4d62cbe3a93cdbeb53c9bde8d2affe2d1253d420106d14c9bdde938dc8df5fa180ec8b6e0d534a2fb81febd43ea73bb5e2c7063e04c

Download Submit
C:\Users\Admin\AppData\Local\Temp\v42nqlik\v42nqlik.0.vb
Filesize
378B

MD5
7c409932dec5244e5cda022936f4e5fc

SHA1
c3c337310e62e6fa43b01d94973e6a73fc2c4a9a

SHA256
cf4fb5f907b89c9f07e395c89a90eb94242cd3f508f819816f0e5b627289457d

SHA512
dd33ef7f52a5a83d4553870e086fe205599bba9ed23c104d6a4eb21d0b0a2f7473d8ac150386cee0169cdfb1b5830def5e6ce3672a06d686b3d7c5a07a030f04

Download Submit
C:\Users\Admin\AppData\Local\Temp\v42nqlik\v42nqlik.cmdline
Filesize
278B

MD5
2fde114abdb933b519dacf2eb7688236

SHA1
116b479d7c2c6fdb25c11b064294a5406b369fc7

SHA256
88a84dde74f5cccd5b881e946a82a0b3e782465a7f03ebd2958534dcce5ad350

SHA512
32aaf020294cb37938834d6f544196fb359bc10f2429175fad97d5d834ad92051b9ab4178fc4d04b8f29a114d67a5506efbf48049d951446e9b51f7e327ef4f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc20D610C2C143496981121C1F84A51BB7.TMP
Filesize
5KB

MD5
ecbc1db98cc372af74d55399addae499

SHA1
ac8543ab72cb623fb11dd0eac686969e8c521e6d

SHA256
6dc5ab7cd5ecbc6328466e78c3c4b4fd2b6cbb5a71ddfffd05127a127d157894

SHA512
a709c2bfa63ed51bac2ce785da5e4f477116a3f860f59e561dfe3944bff10c04e28fd1e1d81decc8329eb9d3dc65ed4d542a39e16893b5f179e11e0fce05f572

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3AF549D4E9C646A5B5861EECEE2A2A9F.TMP
Filesize
5KB

MD5
c9a4ac95cc98a1ef8db71e9ec8952db5

SHA1
a4bd495698a13f483630ef27b76146c4fcf3829f

SHA256
61522fc53ae67e19daeb769dcb561dc6ffe17772c86f197e56096b9530a0bbea

SHA512
ed45945e60199ad768d41337d6e9a26d60e873f476c871dc78acd0617eeeb1bef7a6c39c906824030fc7b164ff8fd116cc7522685df48e6c96383a63dcc1a6d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc42C7128A0DA46848D442A193994DE16.TMP
Filesize
5KB

MD5
27667aaf1c1a04cc45b6e359400b8c6e

SHA1
088cbdf46f0500eb7ff1a6b57be48f8688853c31

SHA256
15ff66caa3545c7c909941f557c327ffcf603fcddc1a57b678da7933934e2184

SHA512
ad25c4f09435c528dcd30df30a69ab1ae82897016d6c42cdc1ec7919f1887ee87f71a5b39959c81d576d80ad6b15708f9b9edfd76db80ada1e4e4142affd59c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc539D3778783443D49B81BC5837BEBF24.TMP
Filesize
5KB

MD5
245b250daa21e9d3829321512d90732a

SHA1
14282b34edb91323d4827a9b8f0490004887e077

SHA256
8e5845d2f1407c0db1cf6bf2874424a421058da443598e762874cad2c4a7ff0e

SHA512
45ea140234799c9139dc7884db0fb0291e243231b6ab9097a4252d4dbd9ea17e5b1d0bdf3adcde8c427f50c731076e9263e60a22f80a19cec805796cb5fdf8e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5BA791617E164CAEABDFC79308BE68E.TMP
Filesize
5KB

MD5
e9bb68d8856cb9053b1976f2f20f0270

SHA1
a5687105b76b7ac2d1de4c76cb2fb3e5ab5110b1

SHA256
dc431a72c3bfdfa4163c4c05368e6e25e45c40fafcd95f8c33be3950f342a1fe

SHA512
6b48d5b82759aa65f76c46d5c9cf2fb6c1f3c562e95f138f5d2fcbfeae506a923d9f9c1ac8c0cbbc9d1c9a1859ea5a3978bb4e898c4429d22e34fedcc46b2871

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc94799B8B3EBF47918E3DD89376B05415.TMP
Filesize
5KB

MD5
153295e79d5e61d8b008e991a46afe94

SHA1
2362ae3c0a8e976ec781dabb8ca0280ee4591a9b

SHA256
d57f59431e73b6a88deaabda69683c39feabeef734791045db7a80d99232b521

SHA512
d8af032dd0e647da4575a065e2694fbeed3dbb3d4d459def18187eb9e252ab3819903442cb6f3e4c576d1705caf058d15d2df47088e8aa089083ed0384becd95

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc98CE14622724A3AB5A39D206CE47574.TMP
Filesize
5KB

MD5
f23d0b9491e31872027170690c0e7037

SHA1
4ce40fcad0edb3fcd89d2d52049ac4414385bb4b

SHA256
c62a28595e7dcbe13859b529d0d1d39f6acbf22505d356921db2a26b80624061

SHA512
9f40eb9610f95ed53ca96ddde0e2b95f74900758195bff7a7e80dccb4ada6ead52e30958f139ce1a35e97a8dae53da26bc389e770538f5470e00194d43588936

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD6A39A5738DA45DB9A777C76DE6FDE12.TMP
Filesize
5KB

MD5
d9371a70f4788f0cfe715dad88288588

SHA1
2c94bf76cc04cd7c30104e106ad8ba0f5300b803

SHA256
cae32ac785735fa054cdb8d7a39116d847a117656578527d77f7e8fe79cd0af4

SHA512
e2f7222030e2f8bcc6c2be2d0f292df9fb7afc7806bb7340e2cc1b3f6540397d38fc8e9192774a0e4a1ab5b8c1e922ea1c8203c111b52970291b972e8f16b90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE12C61B1AFAB4F78A317C51D4C7046A1.TMP
Filesize
5KB

MD5
ca6c53d460c7898e1a506d851fd1292d

SHA1
c77287219d0c34023a5ca44ca121ad8fd5a81741

SHA256
ece5254ba9ef062e12b41c74ab738162f0a8c23517e4a4c7596e68a3385760e4

SHA512
48e1177457abda1db4ebc6c1a88ce8765ff01a839e09e846487516a6ae52fcabdf0c8a73727b260d4bf6b37bc329e3e4707af2f837fddca3e6165a24e8068f4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE3230C85161F4F328DFED4A13CEF16AD.TMP
Filesize
5KB

MD5
7979c229943b5050f166d335d66b945c

SHA1
356b83a57a9f89c6c8dc1d5a341d4ca78f94fd2c

SHA256
f533e70584e394288a0c6f42b24f066c8ba182b51e65c8a435b5953f7231cb8a

SHA512
06762ba4470b112da067870f8be3a77c2bf958f583bee730ba2cc92bb9a43f23d0b4dca8d0c45a125ea32742373f5d80c7e9046710082dab56654ad2a5780fa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcEF7273931F71463B84070DDAEAACAFB.TMP
Filesize
5KB

MD5
0ad31e350f14f498b307c9b03b1ebdac

SHA1
f1a1da3e55bd4b467949f3d46cc20b98f939551c

SHA256
6504e17130c615f776b091a54eb0f8054f0826dceafc1fd7b0f173418af44fd8

SHA512
fd4a7bf60c8f6aa9dfcfd37576cabb447f15213ad1b2fa9c78a808344046e9cf998a11c1414371ac6997e778126a53133444093074c392dd6fa7a8fe1f3d7842

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFD284C408BF443BFBDB5D5592F8ABB42.TMP
Filesize
5KB

MD5
ec5202e2eb61c659886752e857882b9a

SHA1
5d350cb75f2a46ca38eb4c14b3d55612033c5289

SHA256
ce4aa768ccd7806aacda2c7c3710286d6c28ebb2c24396140ef186c0f3e65127

SHA512
fbb61bc31c070538e6d1c7fd6c6df95b7817b58ed11d05634374fe93d216fa103326362d055d511738b8b3a91eff650ac0428ed8aaca4b78995d54201b691632

Download Submit
C:\Users\Admin\AppData\Local\Temp\vlzauywb\vlzauywb.0.vb
Filesize
379B

MD5
0d4174c11e206d3bad116dcc684782cc

SHA1
2e12d3e6dd5a25a90b2b9ea69020ecc04a5fa8dc

SHA256
c7a4202afe745612af78b3abd57b5187106aeca58fed11f725eab06040b18bc0

SHA512
769902f903486f824d9bf76ef7892bd1711932617171f7d3ccdf550ae171cadb65d86fd8a4994df21aaa121ac18981f165f47236a0d20185691083656d600a5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vlzauywb\vlzauywb.cmdline
Filesize
280B

MD5
ccb5c04b175b9eb688831811c9af1856

SHA1
b5c9d4b88f9653e35783d96f2287545f5ac67f86

SHA256
922d75b3ffd94df7515f07d835b5a088fab29bab95904cf94e42ec208ab6b349

SHA512
8596d70fa4e10f15bbbd29dcbc157b652a15352cf5c5895283ff22e2fe34cd4d4644fba194c85687e5676a0b2d16af73c88efef0d90f4a5d6383bb43138d4f44

Download Submit
C:\Users\Admin\AppData\Local\Temp\zub2r50e\zub2r50e.0.vb
Filesize
379B

MD5
39f1090051deb4a4a43bd29b8814dfb8

SHA1
dc42c563bb81474709203426de65d06218cec279

SHA256
d08fc6785cc2c58653d2c660a0ef631524610bd247aa6fc992527c7e1042ab47

SHA512
9b794441eb4cd585b97404de86c3987c3c119bd5692daf9d7aa33f16283f2a3ce472d431304500cb65535b7ebb6b2da49a85b97ca79ab202b4d85dca99b37cf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zub2r50e\zub2r50e.cmdline
Filesize
280B

MD5
ebede3443958d2a9bc9c2eda9dbcf4c8

SHA1
375a96307214cb48e51ebb4ea606e5912c535d62

SHA256
33164139417c0e10f04b533d5070fb0018ae7204fbdb4debd67d84a04177c010

SHA512
12883ee13973c1ade4c18887f2f98691a0eeae50203453b5547c99a55359bd2945fff4ac771d50c26320799c5fa48e39305265d94dbd340b5f806406c0092bb3

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
305KB

MD5
9ff9e2eb4f1d5405de3a35c8a5c25366

SHA1
25db133181d55e92d6a29192a49e6eb2c060bd69

SHA256
f78ebe96629ef0bf102ddefe4c2f08ae66c76a3d9c4a82cc6e25dd306d6ce99d

SHA512
eac4c150331039d96af9ca4d258ce3fa1a8c4f621b8d8e59574d4dea7bee9de6ed4827460d6e849b85037feacabe9d39131b5d0423854955db7785780fc8a3a8

Download Submit
C:\Users\Admin\Desktop\OPEN_ME.txt
Filesize
1KB

MD5
7f334c0bdedefade207b4a8a5e29c9f5

SHA1
1ed67865be5a3323dff223fcb440d1652aed8030

SHA256
6f520eca1afef05df125b8fbcb238dc19df86aa5ac0e8d7e99e711713c9355df

SHA512
ba26091c71a66f59b80d61ca228b3e31999d8b87fec4bca5339af863770259e7cb5bfc2f1f39542bf7d4371ec4b307f8e433c56373db86a00a48af33a79e1764

Download Submit
C:\Windows\SysWOW64\Win32NT.exe
Filesize
957KB

MD5
0ba90c8d8c655ee822f19820c7641b6c

SHA1
94b09919d77c1760a003bcd3eee8745f79b5cd25

SHA256
90b709901d41e0c58923d0124beb345532d7f60a288a7432c8b2f0f0ff37ec67

SHA512
8c591016ea0edd78b00ad8cfcf6856e2f2902cbfd7208a3ca2367c0bcfbfdb89a473264d75f742706506e38e3edb0d42bfc627eb16191fe064464ce379c955f4

Download Submit
memory/812-373-0x000000006DC40000-0x000000006E1EB000-memory.dmp

Filesize
5.7MB

Download
memory/812-370-0x000000006DC40000-0x000000006E1EB000-memory.dmp

Filesize
5.7MB

Download
memory/812-372-0x0000000001EC0000-0x0000000001F00000-memory.dmp

Filesize
256KB

Download
memory/812-389-0x000000006DC40000-0x000000006E1EB000-memory.dmp

Filesize
5.7MB

Download
memory/1656-408-0x0000000073EF0000-0x00000000745DE000-memory.dmp

Filesize
6.9MB

Download
memory/1656-411-0x0000000073EF0000-0x00000000745DE000-memory.dmp

Filesize
6.9MB

Download
memory/1768-410-0x0000000004C40000-0x0000000004C80000-memory.dmp

Filesize
256KB

Download
memory/1768-391-0x0000000073EF0000-0x00000000745DE000-memory.dmp

Filesize
6.9MB

Download
memory/1768-385-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1768-403-0x0000000004C40000-0x0000000004C80000-memory.dmp

Filesize
256KB

Download
memory/1768-409-0x0000000073EF0000-0x00000000745DE000-memory.dmp

Filesize
6.9MB

Download
memory/1768-390-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2016-504-0x000000001AFE0000-0x000000001B060000-memory.dmp

Filesize
512KB

Download
memory/2016-440-0x0000000000A10000-0x0000000000A62000-memory.dmp

Filesize
328KB

Download
memory/2016-441-0x000007FEF5180000-0x000007FEF5B6C000-memory.dmp

Filesize
9.9MB

Download
memory/2016-536-0x000007FEF5180000-0x000007FEF5B6C000-memory.dmp

Filesize
9.9MB

Download
memory/2376-1-0x0000000074100000-0x00000000746AB000-memory.dmp

Filesize
5.7MB

Download
memory/2376-22-0x0000000074100000-0x00000000746AB000-memory.dmp

Filesize
5.7MB

Download
memory/2376-0-0x0000000074100000-0x00000000746AB000-memory.dmp

Filesize
5.7MB

Download
memory/2376-2-0x00000000006B0000-0x00000000006F0000-memory.dmp

Filesize
256KB

Download
memory/2596-21-0x0000000000090000-0x0000000000186000-memory.dmp

Filesize
984KB

Download
memory/2596-11-0x0000000000090000-0x0000000000186000-memory.dmp

Filesize
984KB

Download
memory/2596-9-0x0000000000090000-0x0000000000186000-memory.dmp

Filesize
984KB

Download
memory/2596-7-0x0000000000090000-0x0000000000186000-memory.dmp

Filesize
984KB

Download
memory/2596-5-0x0000000000090000-0x0000000000186000-memory.dmp

Filesize
984KB

Download
memory/2596-4-0x0000000000090000-0x0000000000186000-memory.dmp

Filesize
984KB

Download
memory/2596-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2596-371-0x00000000714A0000-0x0000000071B8E000-memory.dmp

Filesize
6.9MB

Download
memory/2596-15-0x0000000000090000-0x0000000000186000-memory.dmp

Filesize
984KB

Download
memory/2596-18-0x0000000000090000-0x0000000000186000-memory.dmp

Filesize
984KB

Download
memory/2596-23-0x00000000714A0000-0x0000000071B8E000-memory.dmp

Filesize
6.9MB

Download
memory/2596-41-0x00000000006A0000-0x00000000006E0000-memory.dmp

Filesize
256KB

Download
memory/2596-32-0x00000000006A0000-0x00000000006E0000-memory.dmp

Filesize
256KB

Download
memory/2596-40-0x00000000714A0000-0x0000000071B8E000-memory.dmp

Filesize
6.9MB

Download
memory/2712-434-0x000007FEF5180000-0x000007FEF5B6C000-memory.dmp

Filesize
9.9MB

Download
memory/2712-432-0x0000000000F30000-0x0000000000F82000-memory.dmp

Filesize
328KB

Download
memory/2712-439-0x000007FEF5180000-0x000007FEF5B6C000-memory.dmp

Filesize
9.9MB

Download
memory/2768-517-0x000000006EF80000-0x000000006F52B000-memory.dmp

Filesize
5.7MB

Download
memory/2768-518-0x0000000001EB0000-0x0000000001EF0000-memory.dmp

Filesize
256KB

Download
memory/2768-534-0x000000006EF80000-0x000000006F52B000-memory.dmp

Filesize
5.7MB

Download
memory/2776-26-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2776-37-0x00000000714A0000-0x0000000071B8E000-memory.dmp

Filesize
6.9MB

Download
memory/2776-39-0x00000000714A0000-0x0000000071B8E000-memory.dmp

Filesize
6.9MB

Download
memory/2776-24-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2776-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2776-34-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2776-36-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2776-30-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2776-38-0x0000000004230000-0x0000000004270000-memory.dmp

Filesize
256KB

Download
memory/2776-27-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2776-25-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2840-537-0x0000000073EF0000-0x00000000745DE000-memory.dmp

Filesize
6.9MB

Download
memory/2840-549-0x0000000004750000-0x0000000004790000-memory.dmp

Filesize
256KB

Download
memory/3032-516-0x000007FEF5180000-0x000007FEF5B6C000-memory.dmp

Filesize
9.9MB

Download
memory/3032-433-0x0000000000B70000-0x0000000000BBC000-memory.dmp

Filesize
304KB

Download
memory/3032-435-0x000007FEF5180000-0x000007FEF5B6C000-memory.dmp

Filesize
9.9MB

Download