0b432f20d54647f077811ecb1df4dbc64fb17fbd6a9e0cce4ac9437d5f7891fb

Resubmissions

18-03-2024 22:36

240318-2h9hwsba88 10

Analysis

max time kernel
1800s
max time network
1762s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
18-03-2024 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ransomware/PolyRansom.exe
Size

220KB
MD5

3ed3fb296a477156bc51aba43d825fc0
SHA1

9caa5c658b1a88fee149893d3a00b34a8bb8a1a6
SHA256

1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423
SHA512

dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e
SSDEEP

3072:EJv/3Ppzq+M4Lh5VWK5qlYRV+hvuFiweXXbGgL90v5mq33Z3:8hzEA5GlYMWFBeXvx0c+3

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 5 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 5 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (76) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

neokkskY.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation	neokkskY.exe

Executes dropped EXE 2 IoCs

Processes:

neokkskY.exeQuwkkMwc.exe

pid process

3784 neokkskY.exe
3788 QuwkkMwc.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

PolyRansom.exeneokkskY.exeQuwkkMwc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\neokkskY.exe = "C:\\Users\\Admin\\aKgckQsQ\\neokkskY.exe"	PolyRansom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QuwkkMwc.exe = "C:\\ProgramData\\hAcwAwMY\\QuwkkMwc.exe"	PolyRansom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\neokkskY.exe = "C:\\Users\\Admin\\aKgckQsQ\\neokkskY.exe"	neokkskY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QuwkkMwc.exe = "C:\\ProgramData\\hAcwAwMY\\QuwkkMwc.exe"	QuwkkMwc.exe

Drops file in System32 directory 2 IoCs

Processes:

neokkskY.exe

description	ioc	process
File created	C:\Windows\SysWOW64\shell32.dll.exe	neokkskY.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	neokkskY.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 15 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
1788	reg.exe
1844	reg.exe
2572	reg.exe
4664	reg.exe
916	reg.exe
4944	reg.exe
3392	reg.exe
4408	reg.exe
1340	reg.exe
4480	reg.exe
3736	reg.exe
3672	reg.exe
1328	reg.exe
1596	reg.exe
5100	reg.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

PolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exePolyRansom.exe

pid	process
2972	PolyRansom.exe
2972	PolyRansom.exe
2972	PolyRansom.exe
2972	PolyRansom.exe
1588	PolyRansom.exe
1588	PolyRansom.exe
1588	PolyRansom.exe
1588	PolyRansom.exe
4512	PolyRansom.exe
4512	PolyRansom.exe
4512	PolyRansom.exe
4512	PolyRansom.exe
744	PolyRansom.exe
744	PolyRansom.exe
744	PolyRansom.exe
744	PolyRansom.exe
2852	PolyRansom.exe
2852	PolyRansom.exe
2852	PolyRansom.exe
2852	PolyRansom.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

neokkskY.exe

pid process

3784 neokkskY.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

neokkskY.exe

pid	process
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe
3784	neokkskY.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

PolyRansom.execmd.execmd.exePolyRansom.execmd.execmd.exePolyRansom.execmd.exe

description	pid	process	target process
PID 2972 wrote to memory of 3784	2972	PolyRansom.exe	neokkskY.exe
PID 2972 wrote to memory of 3784	2972	PolyRansom.exe	neokkskY.exe
PID 2972 wrote to memory of 3784	2972	PolyRansom.exe	neokkskY.exe
PID 2972 wrote to memory of 3788	2972	PolyRansom.exe	QuwkkMwc.exe
PID 2972 wrote to memory of 3788	2972	PolyRansom.exe	QuwkkMwc.exe
PID 2972 wrote to memory of 3788	2972	PolyRansom.exe	QuwkkMwc.exe
PID 2972 wrote to memory of 5008	2972	PolyRansom.exe	cmd.exe
PID 2972 wrote to memory of 5008	2972	PolyRansom.exe	cmd.exe
PID 2972 wrote to memory of 5008	2972	PolyRansom.exe	cmd.exe
PID 2972 wrote to memory of 1328	2972	PolyRansom.exe	reg.exe
PID 2972 wrote to memory of 1328	2972	PolyRansom.exe	reg.exe
PID 2972 wrote to memory of 1328	2972	PolyRansom.exe	reg.exe
PID 2972 wrote to memory of 4944	2972	PolyRansom.exe	reg.exe
PID 2972 wrote to memory of 4944	2972	PolyRansom.exe	reg.exe
PID 2972 wrote to memory of 4944	2972	PolyRansom.exe	reg.exe
PID 2972 wrote to memory of 5100	2972	PolyRansom.exe	reg.exe
PID 2972 wrote to memory of 5100	2972	PolyRansom.exe	reg.exe
PID 2972 wrote to memory of 5100	2972	PolyRansom.exe	reg.exe
PID 2972 wrote to memory of 4460	2972	PolyRansom.exe	cmd.exe
PID 2972 wrote to memory of 4460	2972	PolyRansom.exe	cmd.exe
PID 2972 wrote to memory of 4460	2972	PolyRansom.exe	cmd.exe
PID 5008 wrote to memory of 1588	5008	cmd.exe	PolyRansom.exe
PID 5008 wrote to memory of 1588	5008	cmd.exe	PolyRansom.exe
PID 5008 wrote to memory of 1588	5008	cmd.exe	PolyRansom.exe
PID 4460 wrote to memory of 4060	4460	cmd.exe	cscript.exe
PID 4460 wrote to memory of 4060	4460	cmd.exe	cscript.exe
PID 4460 wrote to memory of 4060	4460	cmd.exe	cscript.exe
PID 1588 wrote to memory of 3836	1588	PolyRansom.exe	cmd.exe
PID 1588 wrote to memory of 3836	1588	PolyRansom.exe	cmd.exe
PID 1588 wrote to memory of 3836	1588	PolyRansom.exe	cmd.exe
PID 1588 wrote to memory of 4408	1588	PolyRansom.exe	reg.exe
PID 1588 wrote to memory of 4408	1588	PolyRansom.exe	reg.exe
PID 1588 wrote to memory of 4408	1588	PolyRansom.exe	reg.exe
PID 1588 wrote to memory of 1596	1588	PolyRansom.exe	reg.exe
PID 1588 wrote to memory of 1596	1588	PolyRansom.exe	reg.exe
PID 1588 wrote to memory of 1596	1588	PolyRansom.exe	reg.exe
PID 1588 wrote to memory of 3392	1588	PolyRansom.exe	reg.exe
PID 1588 wrote to memory of 3392	1588	PolyRansom.exe	reg.exe
PID 1588 wrote to memory of 3392	1588	PolyRansom.exe	reg.exe
PID 1588 wrote to memory of 4432	1588	PolyRansom.exe	cmd.exe
PID 1588 wrote to memory of 4432	1588	PolyRansom.exe	cmd.exe
PID 1588 wrote to memory of 4432	1588	PolyRansom.exe	cmd.exe
PID 3836 wrote to memory of 4512	3836	cmd.exe	PolyRansom.exe
PID 3836 wrote to memory of 4512	3836	cmd.exe	PolyRansom.exe
PID 3836 wrote to memory of 4512	3836	cmd.exe	PolyRansom.exe
PID 4432 wrote to memory of 4920	4432	cmd.exe	cscript.exe
PID 4432 wrote to memory of 4920	4432	cmd.exe	cscript.exe
PID 4432 wrote to memory of 4920	4432	cmd.exe	cscript.exe
PID 4512 wrote to memory of 3876	4512	PolyRansom.exe	cmd.exe
PID 4512 wrote to memory of 3876	4512	PolyRansom.exe	cmd.exe
PID 4512 wrote to memory of 3876	4512	PolyRansom.exe	cmd.exe
PID 3876 wrote to memory of 744	3876	cmd.exe	PolyRansom.exe
PID 3876 wrote to memory of 744	3876	cmd.exe	PolyRansom.exe
PID 3876 wrote to memory of 744	3876	cmd.exe	PolyRansom.exe
PID 4512 wrote to memory of 4480	4512	PolyRansom.exe	reg.exe
PID 4512 wrote to memory of 4480	4512	PolyRansom.exe	reg.exe
PID 4512 wrote to memory of 4480	4512	PolyRansom.exe	reg.exe
PID 4512 wrote to memory of 2572	4512	PolyRansom.exe	reg.exe
PID 4512 wrote to memory of 2572	4512	PolyRansom.exe	reg.exe
PID 4512 wrote to memory of 2572	4512	PolyRansom.exe	reg.exe
PID 4512 wrote to memory of 1340	4512	PolyRansom.exe	reg.exe
PID 4512 wrote to memory of 1340	4512	PolyRansom.exe	reg.exe
PID 4512 wrote to memory of 1340	4512	PolyRansom.exe	reg.exe
PID 4512 wrote to memory of 1388	4512	PolyRansom.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Ransomware\PolyRansom.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware\PolyRansom.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2972

C:\Users\Admin\aKgckQsQ\neokkskY.exe
"C:\Users\Admin\aKgckQsQ\neokkskY.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:3784

C:\ProgramData\hAcwAwMY\QuwkkMwc.exe
"C:\ProgramData\hAcwAwMY\QuwkkMwc.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Ransomware\PolyRansom"
2⤵
- Suspicious use of WriteProcessMemory
PID:5008

C:\Users\Admin\AppData\Local\Temp\Ransomware\PolyRansom.exe
C:\Users\Admin\AppData\Local\Temp\Ransomware\PolyRansom
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Ransomware\PolyRansom"
4⤵
- Suspicious use of WriteProcessMemory
PID:3836

C:\Users\Admin\AppData\Local\Temp\Ransomware\PolyRansom.exe
C:\Users\Admin\AppData\Local\Temp\Ransomware\PolyRansom
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Ransomware\PolyRansom"
6⤵
- Suspicious use of WriteProcessMemory
PID:3876

C:\Users\Admin\AppData\Local\Temp\Ransomware\PolyRansom.exe
C:\Users\Admin\AppData\Local\Temp\Ransomware\PolyRansom
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Ransomware\PolyRansom"
8⤵
PID:4328

C:\Users\Admin\AppData\Local\Temp\Ransomware\PolyRansom.exe
C:\Users\Admin\AppData\Local\Temp\Ransomware\PolyRansom
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:2852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Ransomware\PolyRansom"
10⤵
PID:4688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
- Modifies registry key
PID:3672

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
- UAC bypass
- Modifies registry key
PID:916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NUwkcsEE.bat" "C:\Users\Admin\AppData\Local\Temp\Ransomware\PolyRansom.exe""
10⤵
PID:3696

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1844

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
- Modifies registry key
PID:3736

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
- UAC bypass
- Modifies registry key
PID:4664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PIgsIMMI.bat" "C:\Users\Admin\AppData\Local\Temp\Ransomware\PolyRansom.exe""
8⤵
PID:1728

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:4424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
- Modifies registry key
PID:2572

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
- UAC bypass
- Modifies registry key
PID:1340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XOgEgUMY.bat" "C:\Users\Admin\AppData\Local\Temp\Ransomware\PolyRansom.exe""
6⤵
PID:1388

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:1916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
- Modifies registry key
PID:1596

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
- UAC bypass
- Modifies registry key
PID:3392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tIMkAMYU.bat" "C:\Users\Admin\AppData\Local\Temp\Ransomware\PolyRansom.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:4432

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:4920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
- Modifies registry key
PID:4944

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- UAC bypass
- Modifies registry key
PID:5100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BawMsEAk.bat" "C:\Users\Admin\AppData\Local\Temp\Ransomware\PolyRansom.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:4460

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:4060

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
Filesize
641KB

MD5
bb6a7feae206ea7ef1f2bf671f6abdb8

SHA1
4954f6a969f8d19de0c14ba8c1423ce9e4625bb6

SHA256
155926fce3cbc25fd73cfb802c348cd812728b7546d51b0a30f46d790fa282e0

SHA512
edf1bd16de4b44250add1c443e5d5479ad1a811c8b020636877b18e6cd87a5bde8e8e3f7a13a3fa5248399ede7a56adbae875e63127fc6c519014b7fa33abe3c

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe
Filesize
324KB

MD5
d78c68b095a61dff6c913c3da6d8f8c5

SHA1
81003d9e71d429d3a9145feb3fd8c28acc03d9cc

SHA256
634029527323aceb8270a305626e0f791d7f7c9cd68f380aeefd9839314398ca

SHA512
4193bda07d2e302c3f56a3cd4d90ba6b61de884f0ec6b1d37d3eb5dd00b5882f22e5dbd78a10ee9ec021aa494b96dc8e90033f9f1d9d66f6c46634f6d149819d

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe
Filesize
237KB

MD5
92057b1cd5cddcfd0cb93cdfc618e916

SHA1
6de2905a4a5b9239297f4d5beb7349632fed3485

SHA256
683ea78fb62f47438a2dec0816c83dc1f0eecb6b42a614c90e289856b5a7c628

SHA512
7ea17bf586c8d56b15fdf3b42928bfbdb8e867307e161df2f66122fdf6d45336eb940fda688dd66e69950f347cafbf8d6ec256d874e6b703b7d710441df98cc1

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe
Filesize
225KB

MD5
a2210ecfecc0cc0ad6a1e89c8d6ee761

SHA1
15c194d074bc3166a7694d9baaa18c5ff7d8423e

SHA256
4170fc1784bc79741b0f71477956e28e2d96a7b400ec860dfda364de0c19fd7b

SHA512
564ebad16ed23e0870d36da7d6daa2bda235cac4675612645c2cb8c279eb1c79b97bd19925ad1e8e688ee8351baa177bc63ff0b19d04c253659865091bbacc5b

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe
Filesize
218KB

MD5
7050063db4ae1cb573c45754e933dc37

SHA1
9c58cb77910e28c67d6fcbd59066722494bcd087

SHA256
94e68dfe18e0dc5dd24c753cb36a8ab116c8e63896eb3cc02e4f099f53b4544c

SHA512
8877d68a13b957d98d811581563274879910931a5ebbc3248348c33caa7194903c58ca437bd725d7881d457fe45aa71fb2d5e9663e7d7b921ba0717cef91bc3b

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.exe
Filesize
768KB

MD5
27a8d16cc81193f7a9382344b3f8e30e

SHA1
26178e1a0e32437fa5e676f9ba887a2fff41f41b

SHA256
abf595ec8bc92ba84b4a297422a080c409da16e8dc880340940f2630687ca69b

SHA512
18e1d9e2a6f6c166b048f0eeb611d325d91caaa57047fc801835ea4296ca79776b1bdf2e20a40fe0cedc3117b5152f62f5c8630ab30cf2521a5645b780419217

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.png.exe
Filesize
186KB

MD5
bb29260738dd2d4571280c60dc92c7c0

SHA1
0c323384a9674c98beee64292c9ec7cb547c28e6

SHA256
abe9f0ec5e4e345aafb5b6360b237867378b2cb03a90625d9eea901860cc3326

SHA512
5fe27c24999c1e8a46d25dd97a4bcc6e80a54e2985c27d9658704b36eb30f002367aa9fe169733b61c7fd727b7d57db15c09017787ae2e79dcb8b1245953693e

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user-192.png.exe
Filesize
181KB

MD5
1f960cb5929c0f11ce3ed817078fce8c

SHA1
dc9e02d015d4b108334fd506d4115ce93f5324ae

SHA256
933107fdc8653780191694a49ff73b2bc92d1946b22cb395c0ee0f166a671a01

SHA512
c1ff075f8a6d966a5d7ef5c3212c5da2629bbd24911862a4d0407dddf0ea053996e5ce899cbc62dab48d6c2c13f5fd2944fb47563cc87773ca90dfd0e3c9befe

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe
Filesize
787KB

MD5
aa9ba117ad52678beb474dbd04f56bfe

SHA1
10f2d46408a00d6420747f22356bffe79cd5490f

SHA256
90ae3e21b4dbba03491c7eb35f3693630085072f9f3e0f4b0fcb2ed882faef3e

SHA512
1274119ffceaa3abba4f6e150ae37d6e742abcbb671bba8ceaf80a162a4acdb3b836628985b47fb6f902cf597cc3df926a0bbbeafb593611892dd3dde10b2e46

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.png.exe
Filesize
198KB

MD5
1e8c18f466b11446748454535d38831a

SHA1
9ace2ccf7c3cae4599190a2b8920e3117b0bb9f4

SHA256
d4b810fcbbc4d0bd8a9b69aaa97ed6ccf31ce97cded3675eb157d30fd5ac990c

SHA512
db3a39cf9291a0bff52baa6fe2afc6ca0ebb1100bb61f5d5a637be5e305f4dd6f53dc5cc127998c6844b63f0530debad51a904b49e2ed6144d55dbd8df829644

Download Submit
C:\ProgramData\Package Cache\{17316079-d65a-4f25-a9f3-56c32781b15d}\windowsdesktop-runtime-8.0.0-win-x64.exe
Filesize
790KB

MD5
d333b711ab92c5d67afda5566efde851

SHA1
df594d7b74ae518c381038e40251114f3aea8fa0

SHA256
ab605ae47f5c96379a35c6412406197d464de84da30d572c2aad3af6ae4e950b

SHA512
350ddc0c09c763f35f258a352409cc92ae2a7a5e98aa1f586294c007baaf789dd73b02ae7db33adcc0f3009ea397ad8ed5e38f72818e45eabb0bda0dc4ad8fe8

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
Filesize
628KB

MD5
62b8c8671efd5056a826b879e4180e6e

SHA1
93341b962a50a434fe526cd045b637cfc0b6138d

SHA256
70d30cd149ba02cea84af1cc7c6bed544a6c37e848196e81c361010523ce6e02

SHA512
b0ead9d18b65dff22fc8643bc7a020bb99f14b57b8e130d245c9ec772525e06f39e6f17cea69ff7eb131297dc5cfde777c84a2aff2a2dc5cffc8e9a9d829fb89

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
Filesize
816KB

MD5
2589df4f09e678fdead64ba97fe06855

SHA1
a0f1821dd75fdf5d6cddb0414a564a6eee90314e

SHA256
4cb68987a6236e93ce088f85e4bea3a7d93bec4e0a1f1efe9ecc4f5a60c0429b

SHA512
5cc5178d5aeeed26b05ea9ad1362b8e598a909e5ec08abb81146c725bbfabf2eff5240afd7b2bc8af10fba9f7024e45e65ad7becd0cf2ab77994a99bd04ed404

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe
Filesize
650KB

MD5
edb9339595ddcec9bbed8a694d60cd50

SHA1
0ca6e56eca691cce1504c88482ed9da7c747340d

SHA256
62b5fe24a63941fae4e62d1da94f903bda8d61958f4ef7ae4d68b40356c94e65

SHA512
a8e54e64914be6508007490ec1903898d7e80bed4b5ac81914a68810ed03b7a0204a4e49ab44662b5e5e423146bdf34e0ccdc8d68843b7a30ae5d5e8c8775694

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe
Filesize
636KB

MD5
d0c740c41158e8dbdf24df2f831cb504

SHA1
55a6f60654c2b50ce7d14ef96f897b5f670084c1

SHA256
9f8a80909fb67903f94a73e8454b5b57a8799df44b7843f3bde9722039cb3b34

SHA512
241c424d28beab7f149f74b03fdfb8c37dbe80c50577fdd893698b31648714dcb9f6e9a790a521c94dff09d0cbd8f068cfc44c0908042a66d23c25947dde6196

Download Submit
C:\ProgramData\Package Cache\{fb0500c1-f968-4621-a48b-985b52884c49}\windowsdesktop-runtime-6.0.25-win-x64.exe
Filesize
799KB

MD5
fd267c85a012b66dab39edafd7924609

SHA1
b2bc21519c8eec0d8a64d8b28f733a879ac96715

SHA256
d5f56887a14bd0b822c907267efc338e0f5c5a6017b1165cd05a3c75da8c7817

SHA512
9df21831ccb4e4baf3f0c5756d57b10d63b44ca1f01eb57c29b52e63914df08daa755c1632cb795edd9fc27648cd5ca618cda0c1e108269267098c3d0dea5977

Download Submit
C:\ProgramData\hAcwAwMY\QuwkkMwc.exe
Filesize
188KB

MD5
4e84a71b7299eda67919c464a0cba285

SHA1
992913f1a8c86f06c6900e9952c1f1e3c4e0a621

SHA256
ab6f116f3ec834f4cdfc79e65984e926158658979edd62d45d20382cea9e7f2e

SHA512
f41db889488b686940f2e54f7f0af8f8a123d43fc6037e45b2bab1b925af50be4bff03386b68afdd25ae6cbc866e15f8de553ecc05e9c344b7808959d3d6448b

Download Submit
C:\ProgramData\hAcwAwMY\QuwkkMwc.inf
Filesize
4B

MD5
0685821c8abc79c1f1aca5ed41cd88bf

SHA1
bf6b72a4d57d3296b15cfa43677c14da63cfad6a

SHA256
700e7172e9b4e30717b9a4f345e401747ad08c5800b71998151faf8f13e50d77

SHA512
cc66806d361e4e721718ef89d58be40fe427ccb480153125ceed964c35a55021f391ee3904a9d44a2d3a4bbb00f031a229877cb72b81edf18f731db477ecc650

Download Submit
C:\ProgramData\hAcwAwMY\QuwkkMwc.inf
Filesize
4B

MD5
fd1a4a0c749161811a7394ac3e555f08

SHA1
bca50e99e7e0d2590de6e000324334e023df7b14

SHA256
dc4d744f369034fe16a6955f706c9b03bca630aa240cad3ebf48e3a6508c0b96

SHA512
df8d2773fa92b6a1961b0e915f8d000466ea2604cd07dd764cbd8ff2987d4485b8015c5bde32accd676086545188887ad56747b805a8a2ff57dbd1081d295f47

Download Submit
C:\ProgramData\hAcwAwMY\QuwkkMwc.inf
Filesize
4B

MD5
5347afe4619a3e92b7cb50feab6356a2

SHA1
7ca0058efc858bb1d719c9b7ddfc406ee7dc5a54

SHA256
1d000310e8537c41b357727d36af68d4c5e7e1695d5a9dd1787729700b2d12d4

SHA512
9f4d35eb3cff779a234b4a3475aff2fe2547d2dec1314a62811299dce1409f049c343eec4379cdbf4379df34ed22e6417e0f8e84f1dd8fe2c1dea0315676a215

Download Submit
C:\ProgramData\hAcwAwMY\QuwkkMwc.inf
Filesize
4B

MD5
d3578f8e90fd96b405f6b60c2246203f

SHA1
5bd4e3b9660c51f203f311dea6c150817dc9a008

SHA256
8b42163d851f4ff1dbba320216f963242f8ad629a5de9788fc1eace6f853b6d5

SHA512
c5a9eb6b8dd985bb5ff17fe94223b31162fd103200640df6ffc9a1f1878dc342e2f26dbf48a1866ea84eb528fbc915897c28ea17a7fe47dd4d868344429314ad

Download Submit
C:\ProgramData\hAcwAwMY\QuwkkMwc.inf
Filesize
4B

MD5
2d90ef9c899323a64dec0503ed61e69a

SHA1
9b8386d428e67939fa1b4c14b67ba2516fa976b3

SHA256
3cb4fca28b575a3cfb97593b7d426ea6e786e3f60dfcf31dbf5727fa359d832c

SHA512
f45200ee9f19479d2e98f4916a9d43b621220e2527b48e970788bc6c27489b4d6569602a100205e75ab5fd130aa3cd25f91e8af051720442aad0ac6e8c7ac91c

Download Submit
C:\ProgramData\hAcwAwMY\QuwkkMwc.inf
Filesize
4B

MD5
99a968099c30ca8d1706d062155f2123

SHA1
78bb8389502f1f5704f25c2c3980d3b3c33bedac

SHA256
f0251c3410145fedc6cc001f676afff4570b7a0b887bc21ff5fe993379fdd92c

SHA512
0874ad05e0305cdd0a3e687c554bf1cb3119770cb803e56d0c114fcd3da62951deb34a8f7aa44022f8c828a5fc078cd8eb7e8e11954bd6360bcb739ecf171683

Download Submit
C:\ProgramData\hAcwAwMY\QuwkkMwc.inf
Filesize
4B

MD5
e72f5955c4c4d01ab76d693add442ae9

SHA1
4a6c8bf09379541b44f90c8251a3e6c14b70d5a7

SHA256
92fe549e2a4b50c29b714eb22ba9890c1afe4847917f9b54627659000540365d

SHA512
97ba6218a835ea62aacd67f391589a387642a4c08d21d19130c2edf404d690e8387e3b62930f145b1e07fb91a3826f103c2d039b67f62f2690097763e71c81dc

Download Submit
C:\ProgramData\hAcwAwMY\QuwkkMwc.inf
Filesize
4B

MD5
debae99ffdcbde8049d3c73093d0d19c

SHA1
37bd646711893d5a4a1c8881e801f11a57768caa

SHA256
bf33b27b0b22d88f3e8a547d51ec9615d9ba4f601f7c71df60a6dece351c272f

SHA512
abdf643e573aafb3930dff99d43b881121fae894b2b5d9b0744be6f45f7a5cd6faaf6e09f5448767369e735d5411dcf737482c7da1ff94fc56ba256b34dc6bf8

Download Submit
C:\ProgramData\hAcwAwMY\QuwkkMwc.inf
Filesize
4B

MD5
5e89b188c906cab2fd6fe755a6ba0e2d

SHA1
794ffaf3c95a8427c9c0bbd6cf209575a563a713

SHA256
3b9eafee9c20da6605b02405a12c2c30f8dbca717ec0010a889dc646305b07e6

SHA512
f163c9e11b3b70a9c58e840a045ff38837817189654c01e978cc068e13daceab798ce7169fb3e4420fbc269bb50e3bb789691ff12bd424988a7027067f33c889

Download Submit
C:\ProgramData\hAcwAwMY\QuwkkMwc.inf
Filesize
4B

MD5
c2fe486e4345413535aa7476887fc344

SHA1
b8efad65902dfe0e62a1aa0ca8b2645e75f2c556

SHA256
64ac5951c422c11e1fc2d5dc58b5cf1d80b8612f669e3a1303d1115996c2654b

SHA512
f44a327aab05c94718652e45b356b80cb3f5ffeda8569ea5de397b23e82b00b0705d733ed16f5e658b52867753e5bab65742ce49fa6fe63a39568c2f65aafca5

Download Submit
C:\ProgramData\hAcwAwMY\QuwkkMwc.inf
Filesize
4B

MD5
3a04ff24b457ee3b2a51204dde0fbd11

SHA1
9e027ac167c97f891a6eff61b6067bddac0ca14e

SHA256
46edfef3ddae2692c6b8ae096ea6c7c8b6b99090ce4bd15010cd0575463e7cc5

SHA512
cf8d87e08d38b43b43c34d527a5b8dd00ffc8152119e3e7a87a74ce57d4371b5120b9834c125e59e19e8a1df98d0280aab41b5b472ca91407fa4fa0d96da8670

Download Submit
C:\ProgramData\hAcwAwMY\QuwkkMwc.inf
Filesize
4B

MD5
46f1f133a77064b06ca75a90bb939548

SHA1
df65f9d676fb290e6d253d9dd95d353ce720aa0c

SHA256
2a23ccf792c9418cdcff6777ce723ee12e8e74374e4ef77a1104717cce0ac394

SHA512
66ca62c48b9669d30d96faefbd396dd3488aa45130aae6ced26cc108d9d04280fd4f44126715c2fa5fb9390add57f74cf93fa7a75061ed97581a458d1056aeb6

Download Submit
C:\ProgramData\hAcwAwMY\QuwkkMwc.inf
Filesize
4B

MD5
8551802d0fa18aa830c912588416a378

SHA1
595de257f19754e1287918327cd5fef599a14c26

SHA256
135903d8c455823dbc61910fc4cf642cf18223f4b4e366a7c4450360ce118471

SHA512
c3002a839f6ab628e4392e81dd1f56d2c8fab37c7dd7bbbbca993d14059230207944b60612f1485bc39cd725aef85388b3b807caa714d02e964e75694ffc4c02

Download Submit
C:\ProgramData\hAcwAwMY\QuwkkMwc.inf
Filesize
4B

MD5
f7a04182481917cc4d2d9be222b5e3e4

SHA1
27182be39af168a3f133d1d686389f0b44f29ecd

SHA256
d6f84bb1312db08e1cb79529f4cacb69a4b9bb868acd85da148c6819ff194a54

SHA512
a30ab82bd1c53b9c91fd18ab4e2b70eb25d3efedb2f42b9f40d111e3d39ff32034b6cf6280aaf11820b09b6d3d6783335dbc1d2143efb62ebed71b6884f773ed

Download Submit
C:\ProgramData\hAcwAwMY\QuwkkMwc.inf
Filesize
4B

MD5
baaf512ae246124a780ea9051e59df0e

SHA1
c993cc2c16dd709e916a97a5dd08a40985722818

SHA256
9c4c34c920f65af936e13290cb51f67e2aa16b2f12cc8df4112177f32f05b565

SHA512
f08fc7886129178be97c2a1fe2b905979205735e18b30a00a01dda1e278d9395f5782b04a8ecf8bd3c71b4e060b5fc7a9accbc5875b9ffe7dc8744a9b554a908

Download Submit
C:\ProgramData\hAcwAwMY\QuwkkMwc.inf
Filesize
4B

MD5
a70fc04a0804694f566b965b9230a2d2

SHA1
44b3ccce86c655398a247b3c7eb2369faf888918

SHA256
39055120b55bf65863917c71d3458e40b2e0d6086ec44c6cc419ef7ba17786fb

SHA512
f326d4992103c8d73a61e06e982c6b3673a76418a96fdc3d94a022a8e7084fb0e914d143f8629c132bc70980b45deb3738b0fbf148abc79168b0b88b50d357fd

Download Submit
C:\ProgramData\hAcwAwMY\QuwkkMwc.inf
Filesize
4B

MD5
55bb3618c63c2fea065410556c52d108

SHA1
1ab16da7acc699d929886552ed46382023592399

SHA256
8b0d6e83266ff1ae5f78e4cbde6cb421215c7553baa80c35b21ae80a7f237e5e

SHA512
a364e1661a166936076710e8a231bd1b407fdff0aec7c18d2b03a1cb0933c496f56ab157a656b01448a3d31fa0f7a7eb21dd83930a273f27f62989e503dad377

Download Submit
C:\ProgramData\hAcwAwMY\QuwkkMwc.inf
Filesize
4B

MD5
62515cfac31469bdfe244b78bceb7e41

SHA1
c4427e2d298d3cd6d696d311641e533483a2f465

SHA256
e19bc031dd147cc81122d45198cbce325be138659db836300740bedfe2867853

SHA512
77c51f6a76ed42feee135c5ddf96518746c450783b4fe494d4d9ba39ddcd94b1e3af01a8ded07098072db7961aedba76c35d2ebb61402b3e1f2fbb6f4683f7bf

Download Submit
C:\ProgramData\hAcwAwMY\QuwkkMwc.inf
Filesize
4B

MD5
68884b56a2b9c8f6514a3a9857b38fe2

SHA1
dcf6ff69d0af2cc4f0977fba5130e1d170a4f9d9

SHA256
4925d1100c7fddb237105041587b926860cc8ba424e1c1f71c1dcd2bb88a815f

SHA512
d23bda34865d7c6b904a848cce089ed4673a5219ba5129ee040303d128113ca155477ba16e81790ae01c3de3df12da0c65a1e310429d7183c0baf2a68d9ef9fe

Download Submit
C:\ProgramData\hAcwAwMY\QuwkkMwc.inf
Filesize
4B

MD5
87181a2265df0071f45f0d0f17a44810

SHA1
9f0f6972aa936b7ba3fe2c65069e8c59311191a5

SHA256
96649c4484cf0fb7ae65cb6a30b67cc6f0fb3d4a83afad8ceeb5650ca2943c9f

SHA512
692a6fcbbffad16358eade295973be888a87d33e8193db3dcdc0fb7788971b79cd97ad1a5cad73cddce08c43d18083f693f4cab371429d648bd86fba60ffbce4

Download Submit
C:\ProgramData\hAcwAwMY\QuwkkMwc.inf
Filesize
4B

MD5
3522974daa20a8d85bbb09efe94129c9

SHA1
f0f1a61a608fbcfce91cba2a0563482d389b8d89

SHA256
d273b9d2a36959fb2385a3acc543c64566d1441b3d079e5164c0cabe4e28f1de

SHA512
f34eb820b308db6342972b1da2da49d4caba82b3f4b5cb8da3707d025ae2aefbd487f206c91620b89a1b5d7438fafecb51678871c2d2d12b30b3708aff710705

Download Submit
C:\ProgramData\hAcwAwMY\QuwkkMwc.inf
Filesize
4B

MD5
7cc1ddab3b20ff3462d7e6f54ec56afb

SHA1
3239591e4cb4099da4b894abfedca30001c518c9

SHA256
99d3977905438882ccf733694fdc239021d10027280e53d726fb16581d11551b

SHA512
5d5183e388e82933608b148e2441dc3d30c74401cc8308dab6ad1c3b7e65ffd7a953dde92cc8700ebdc789ec04ec19289a15963d109886582019397860a6e330

Download Submit
C:\ProgramData\hAcwAwMY\QuwkkMwc.inf
Filesize
4B

MD5
85764f57e7e90535361f28b38273031b

SHA1
84f83f3fc96ba57983a08f801bb8948f4275cc96

SHA256
ecbaac35a624da209000e08aada37ced5f734425143a1fcfbc7200784b4c2955

SHA512
8269556801aa03c88303ffe06d51f0f79ca94d6591011dd4b85b788c7beae70e2116c0682491b1cada87e04a7671fb3e997f62a437cb0973fb0639db68855107

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\flapper.gif.exe
Filesize
268KB

MD5
5df14ece895ed50fbb3efab9aa22db82

SHA1
0ce9e44a0cfc27762b4dcd1db071a55d2780e5ac

SHA256
2444af2e2c2430a55749b203616c5f8734a22a137b8a898ea7659e865e1bb65f

SHA512
0e64905d5c236646fb5363be9bffcc2a3ddcb6650c638f3eef163c108977308898a3f853405e96afc48a24fffc54e7bbcbd5cee8550d0ae7d2da21e8dfed159b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\192.png.exe
Filesize
204KB

MD5
314e48907503d975330e9133d17b26d7

SHA1
849a5708bb55af21e11d2b379f9cf36cab0d1de9

SHA256
5a64e6627a1dff2401433dfb4aafd0967bd17e289491bb9d3ffb838835c5f450

SHA512
9e087ac5185fe0172ba1f4c40ba95c6daf683eb08d68fc10b6e1b296c4e6eb51b107b8b07e540f07e285b0bc9aad6d43bd909293beaeb16f8bd6a95de1a79275

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\256.png.exe
Filesize
212KB

MD5
1b1ac70c9ffd8b50dd7a1a8331af3e53

SHA1
41660ad44fea9d94b26774ed597d0d7ee0b10b0e

SHA256
c380f68364b2d3fd5d4d52368afdec8662cb082a6fee9e42b6e357e645497f41

SHA512
5c1b8276a85179e86dc4087f06aab471104f7bc6b006b990525b284b39160673c915ab963ecc3f4405af5fcf24c891c0088964fdfe5a2f95c74893496f5cd224

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\32.png.exe
Filesize
200KB

MD5
56ec78c4e3a9e996ec0982726d6edcdb

SHA1
52475707ed6c2047271c3e24680ec98e443d5f18

SHA256
64d65bef5a534040c133bd8b9fd02a1f1551acf9abbe2ef34ed846cd8ec78602

SHA512
5600efbc69f251546d4872432330dceaeedeee008661a16d91ae69ffa93e72a8637894605605b09d497234c11498248be3025fb42fd615da7cc61d7c53df499a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\48.png.exe
Filesize
182KB

MD5
ea373f16d3384cfe5a42aa8f93754aab

SHA1
5f5ab811ed409c842fd6d1bdab105e8154b18d83

SHA256
7ca7c8fa0739b4fbbdb89b40f0992423d33207e5e1b0010d4b471d584c12eaad

SHA512
ab610e716074e2757a2abaee5ade4610ff5e7cff04c5cb7d596aaddbae41a9507eb359dcd1d8d0aacbdb5b3249fd6841a46581a14a40169463591c96031b48ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\96.png.exe
Filesize
195KB

MD5
6b726ae4800abb67b158ba15f550637d

SHA1
ba43f0225209e2d603a431be0502009dddba44b2

SHA256
e71a80f5e955b085d678f2d1be6ad59f367151275cac15a121bf9de5360c1830

SHA512
741e2c67e297250d525bf19a4e213e8373d42dc0d9654aeec435866232abeb7e48f22dac6636904d87d8748f72986f7039cf3437428e133b3afa37deb91534aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\128.png.exe
Filesize
192KB

MD5
8cb067d042d49962bbbaec84ca6c0cc1

SHA1
dab4e88671c920ff77039b90e5246e7d6b509731

SHA256
971064a20ec6d8a52b5e826ed6587566b72fa6f6497b903000dc12524adef335

SHA512
a9e22fe8126553d0b599d05268323896d12e55254f8a9e9656d3da39b3e115787b8297de1e0ec3958c1972ccb303ed3cbfaa4012d0af513e2692000bba9c1e4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\128.png.exe
Filesize
200KB

MD5
275279ebaab758ff2ac8f009a852ef50

SHA1
351561dea426ba413d5db508844a2509f3c0481c

SHA256
d1208ca26cc07d39ff669ee8042d9421dcd88a11feb0a4cfad5beb62c4593cc8

SHA512
5da59cc10e20929618548fac1108ac900786b9b8b56ce66c625631c17d23e9f48d167acc4ba2352085285078266a051268346653e6ab8f90006a4e98a660aa35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\192.png.exe
Filesize
190KB

MD5
835c8e2a6feb616acb24694c6a0c7f83

SHA1
b5bfa1dc16e7323f3b4c41b105f91847f3653db2

SHA256
518541850ecb4ec949f9bff33991b3be4729dbcd2f1e08ae599c0a2493c38760

SHA512
ba37abd7f083d985136ff7aaaa80ae461a9dc7c92b4b908e05ab9de8cd85f1f2e93930d758422c4de9f7141ca6de526a4e0b637b6103f62ffdc8614e9fe5c842

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\48.png.exe
Filesize
197KB

MD5
e259d876e08aee201e9bc388bbf7e730

SHA1
5b4ce3fa75344c879804425a04344bafd735252d

SHA256
00e9933864105fcaa523d7747b7a5257e540d514fd3a03933e7b0bd6cab1dca5

SHA512
7275e110f96a433d312a7efdb211e438ea635356eece40740f0e3272f3895b482775aff16c3ff07a27f2d82d82e1578701080b69887961d03a20d767e9e0764c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\128.png.exe
Filesize
201KB

MD5
809e189bce95854f349a40b55da05063

SHA1
5dea1e2f55167c20041766a63f1f57fd87c51d85

SHA256
6d799ae81a5cc0176c92b04ca5f9c3dd9f4bc722979bf28f20494c7e06265840

SHA512
6ac9aa3ec8a66915f13bf2af7d19a35085ec01eb4284eea8f334e308df490e669547f314661cfb8f738dd5db508c99ab120990b290b9f7738605e5bbba57800a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\256.png.exe
Filesize
205KB

MD5
beb5e598ad45257840c7e966eb6e78a1

SHA1
1f17d4204da77636cb3e1578b1aa4c3819c8be2b

SHA256
5d0d5ed80fcb389535bb091dcc95136bc26e9ccf471e66d693bdfce46dd2647a

SHA512
c5542ff7239cdb1e3fefcc5aa2b2a9031f7cf3a21a5640510f5cdca7d940f051086ccae427794d44e460aac77bd37492fa854f44044ebd73598f44ae18c4a98a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png.exe
Filesize
199KB

MD5
20d3529fe88b08778a0a972ed0e73096

SHA1
71913d07f336652bcbb54530a6ceb7dc68d0e143

SHA256
09d596cd77ace8d1c9e96b75e8e3ae87ec48e4b9285b48ee27d8707f1a218956

SHA512
94aebb7dc2e62fd812270f8d909cabb00808b8256dde9834ba182f10fca195fe97442551d23d68337f9a15b3c068e77543f1a9dcca7b02c9333aa42537d66019

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorWhite.png.exe
Filesize
200KB

MD5
bc18977cf77033df2c246da581cdcfd9

SHA1
fdb88ac385d9a9257db4bd09c3ff5d8c98fbff79

SHA256
8d4c2f22aa958514fd7f97950f7708d04ebd3f47b5607ac61c7c856449221190

SHA512
c01b3a5495109e95a84606c519116d84b1316ed76559d9aa6d642cf3fec2b11efd1481f72c933967f30f3cb1e0d707b0ba434ea318c1c0b2df6b5f4d5eeb04f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Error.png.exe
Filesize
185KB

MD5
5611cf53fb53e3e63e50d18a436c0651

SHA1
2fda091565b67d7e6ae690bf92158c7e5ee93f76

SHA256
1390d5643b6823ccf4971d74b651a10ecc50a0f6567ca84316953d19b0e7e976

SHA512
dd6f0b1f9b9c085a38da1e65d92e287a2f09178fd51f719700499b7748ed4025b9317b1317b15ee0212da43d825174410eb58a50f413cf546c319fd224350c8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMHeroToast.png.exe
Filesize
200KB

MD5
255b973cd3d697b70a50b50dc2beba45

SHA1
d14a8d4b6e8b80992d0a322de2bcfcf46a47cce0

SHA256
85a5ce106f525f72ad83a86c32f1def0c3d94dcc45ad3c550eb99024f8951134

SHA512
347fd799f1f2ae5ba085e87f558e9b62622ffa6579ea43c8e19261b6d378f0aa4b7b1b30c0c13fec6276e1cca846de00e4f84f9fb2d9c2bdbad8235b61078021

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMScanExclusionToast.png.exe
Filesize
199KB

MD5
7034f3676f0642f59107870d71ae021d

SHA1
d1df35b2c82674766203d6bb7bc6df8d4d699e86

SHA256
1f83333a073bdfd04f65e582c1a31b915bd54e2e6a008918758ce23f082ddc2a

SHA512
f278782a7c8fc329f40fa573bd80e8d9c92a09c9a69264b8dab86058b82b0b4d2dc9adafaeb6c68ab37791275add1e27ffd3cd2a9cf1b4276ce718dcf97376a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\BawMsEAk.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\AYYc.exe
Filesize
204KB

MD5
25d14ff1f78dd8345dc1da0c0946492f

SHA1
5e49f6eb64cfe196c1d63a5aa59396ac2c5e9fb3

SHA256
296e10cee18b6e623b503ad1f5aa3cc24fe67e4a929bb4e8590e92e2ec81e4e0

SHA512
369b5c15da3837cc57c2b3b9a9267abe408ccc76cdee13e7bcaf797838913e85c3c3ab121ddc1652e64d4ad9e15292be052f93d9fe93e4bcc77ccf08aff67f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\AYsg.exe
Filesize
207KB

MD5
2bddac82bfd83d8b9d2a66f364b49d15

SHA1
c9504f0665b0ea11e071ca596c5dcb22eee69c35

SHA256
8c026f5b4ba90169612d481582b063ee66449b457445a5bb69f9ea2dae13731e

SHA512
31e5146655a6f77c4d78655059eb5283e494783134bd895c424da6d9972879256514349dd8c5633b0793f63f653e3c86eea865c84a4f53fc15260cc0f9937483

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\BUsi.exe
Filesize
201KB

MD5
56d3d15060e70ccd979c59e346596f74

SHA1
db5fb6a67152218a1506b99c1b1701330ef85288

SHA256
9e42fbbd6a184dff3df390c4cf556bfde2426643cfe04fdb0102e075c53dd58b

SHA512
24a63af59ee8438ec681dd9e8884319f541145b004774da191f7ff727b83aaacfda2a6b4f2d20093a7f97654adcaee4b37cb777b017cdb08156f216794403f4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\CEEg.exe
Filesize
200KB

MD5
87e0eac80c2c5666a92196d798e35bd6

SHA1
043307de6bfea5b974fe6231faa8c465f3e4562f

SHA256
3b045de904b1f429ae284874238b080796691216208f5886a2d383d9776808a0

SHA512
51f3d3cefb8811c58c31517e60c96199ab65b23aaf86705f4eaa88b6a8e52514bceb036bef1ae7ffda79fa881a8e8fae6755648de42ee90900eaf7b4fb58cb4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\CsgM.exe
Filesize
319KB

MD5
2d97e92bbcd107c50aa26a39cb2331c5

SHA1
14731965420ec28efdb14cd0967efc4c0626d831

SHA256
bfca8459febcdd9d10e9d0fc938e455a7fd0d0c92ddd3f2cd137eb34f227f567

SHA512
d89563763f9ccea53fa8eb677bdffef92f6e974b7f20cde4d1ee2a0087858f0041736cdc84075bf398914d0aabf2be0af0e8293a3db5651acda3cb6b65f4e07d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\DoYG.exe
Filesize
1.1MB

MD5
96512b8774e962b4628e5348eba26c22

SHA1
27c58cc473ca2a3b289bdb6e2f669598e31b69b8

SHA256
c3184936e91a72019a899a3943490386f7a4d5fe5e158a3dbf4336011c2e84d1

SHA512
8b965c887ae8a714085e85410a6c32a9cfe2167e2ead0fbab713dc0c42ad1befa094925a0b4a414b36fcb274f02780cccd75a0189692af02cfd8e6b8d65b2727

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\EEMo.exe
Filesize
202KB

MD5
2d52f72004a6af04c5e5da1be4afff30

SHA1
8110ad54e79a10494c5f011244029975b193f3f4

SHA256
801c545dcb177d3bbc25a1c6e42e824ca8a64e34f110e59b3453d3aecc673286

SHA512
4b32caea10c6d6ef78552fed0998b30747d1b77aedca3f600156e0b33e16cf2ab7d2185b945f6fe935473b7dd9d902783d26dd99951fe09bf1acc4e2295a4e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\FgQU.exe
Filesize
206KB

MD5
d4f0189a0ebe86fc6fc660bb8ca78abd

SHA1
8986e9f80c8e7db5a79b761577a10eb84eb0527c

SHA256
6471aee4cd77814238eaba220f9bec2740e85fb078549dddb26483681fd213d3

SHA512
0ff4e00a601338438cfb8449e5d0183aa71c4cdb0ec3f8a815891acefb5022c31438ff8a3fa76a43f644e8b9887bb76ad8357a8214ec451cfdc34ea7535cbd78

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\GQMC.exe
Filesize
227KB

MD5
60425e5f70c804874ff19f583208a8f0

SHA1
7a54536dd061fcf7127efb480a932fd4bbdc8237

SHA256
c247f299c38117bed22ef5d309cc4bd431490844ec0ec2b87f132261e6fb5b51

SHA512
4050de681f75bd23eeb95429a911e2141f5c8f27a4023de7b653d601d63bb0b992845c2ea57be14722ca04ba3a3c2e835bff7faf8294793c1d00fd603070ceef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\Gkkc.exe
Filesize
203KB

MD5
5dbb0cb3dc7ae1284c4827a600c69f62

SHA1
4a4c6977fabfeb1ca38a222a0a8895ec1da73978

SHA256
f362fb23a988175b76ff1ab42d5b071f95f1f9eef1a494c209362071413800f1

SHA512
ea2d4cdfd647e9ecd88cbbe20d0def9d149e351940c00d57d5880f943e8c5215c264e8cf7ef2e950be6680d2baa748503bc9237b0ab24b9394edb5efabec3cca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\HcEi.exe
Filesize
190KB

MD5
e07ea770dbfb0f48701b545446f60de9

SHA1
6819b0321c6747b3496ab7702424fe7a1d14ca59

SHA256
4ac100979a9db25f6fc67ca3b83b5ec9702847db1c2ead729f3c6a19b78324de

SHA512
dc06442c8bbb6d3449adec34347ac9e293304149a984cfa97936a1b433054b28c24e83bfda74964ffb009ca5b3b4f392e320e6d537706cc713a0aaada8cb77ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\JUUA.exe
Filesize
797KB

MD5
45ed6676d514feabda7b153d2859e714

SHA1
0e2fa522c4df15f2efe4f753431519a81ef75580

SHA256
64e038eb81ff128841e4e7fb74163117c0053c9c222285b67ab8a8534806419c

SHA512
831c367b8f70c1fbd950240984d344fd9f1bbbb05dd51028d2c71e788734e443b9580c27ed00583e6aab8b1a3b4ed7a1faf77f097409b41dd4ab5d854be7c4c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\Jooa.exe
Filesize
604KB

MD5
b629a0a143ebaf78ecf45e3e5bdde50e

SHA1
c60e65c0e46ab2c083c37892270296adb9e45872

SHA256
82d32e7d297fb30674da673a2dcf8258a11329dffa4aab18b66bc0ca395d6369

SHA512
834b65bf10e2a06806667c4ce726ae5403d95b1ace39b5d278abd3e34c825db04b04553f869e5ddfa65c3e3af9758c9c3c7b03d3d5c74592bae0ab3473c6bad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\Jssu.exe
Filesize
209KB

MD5
feca6c3b734a3777b392a5e1bf549e68

SHA1
0073434b3923ec3595f0245b7a5294ed712f826f

SHA256
40565344ada0fbf20cb0ea1550467f3d4c4895e5ca02146c97dcca56f1ef008d

SHA512
8eb8c86ad40aefa05e508624534dce547a304c9386d7f67c64ad247a395ed7cbeaa6d24a8a460dd12aab962402726b0d870e30e12f842358de46a0bc51bb89f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\KoQO.exe
Filesize
192KB

MD5
636e995b80a52fc6a33482562fc1546a

SHA1
a19a0bdcfcb2119e2cc664f855cfc642b4e9237b

SHA256
2fd14fd4139d1031e376e667b92ee59863776134672acae57b528ec6c8744e55

SHA512
494ac2e2f844edbb884f9cf71229307b8870c23a1bb6a4b79ae29a0854081bcef138ee709cb4ad1aa282f299ab2aae6bf3b14726a5a6bd3461a358880735559a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\KwUw.exe
Filesize
188KB

MD5
6a9f63216f71f46078fd89176c325b76

SHA1
c0134764ec0915277c9d383443aecc89ab02a402

SHA256
77560427c4d82b3215ba4f3a00cabb07a2e92d6eb74950bcb320e8f992a3632f

SHA512
d76e0d86a88c05d7d5cbd40f69116c9d27c0aeded6e9ae90488b4c6806c9d92e78fe7881bec9ac2328745dba656f2eaa3eadd69db95effbbd2782ff89974a626

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\MYEY.exe
Filesize
173KB

MD5
668012021dfec72b380613c511d9322a

SHA1
48b4162bd3b1f8afe46c9ce2860247dada411de0

SHA256
b810cda739fe2a7628fb17b8843a80e1b28c7e62682e1e6d182d0eed5d42422b

SHA512
741dc05398a49204d5fc44293fb243d1327dddeb00236975fd5effa445dbf6bce3ae1512c740b3adaaa05d8cd40dff0bc5167c06e814f89ffaa9c7beb1883b83

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\McYI.exe
Filesize
414KB

MD5
acb271023abe9f0317d1146edfcc7e45

SHA1
aa68f9c671cf2f35784ff224ace4dda6ddc4e65f

SHA256
c3430c041990286208ab210686732483d438c99cee648c928db73e3d7276100a

SHA512
ce605296e8af4415e6cc0d1cfd36f5b09226e04e6dc4175e24408556d7e4b4cb50a92ba23af3b22f26a86db0c0296800994f0b579225cf9d225b4853b38e2d23

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\NMwS.exe
Filesize
322KB

MD5
687b82fcf7f595ec939c3b8f149d5eae

SHA1
ae4d8989fe6af6292ee66077898fb95e161ae896

SHA256
d4cd0bd3a30af73cbbc8a0f27b7e0d21422c92ddfb94ca4d30c9c87d8fa82cd1

SHA512
0b2b81fc6b1f82e7fa50f550a4c45fae3b8b70c3eb2da06dec8775c1ed7ff591e9e60567d74066443c38e5811889f34289c7963a0d3ee18f03a53bd1d0ccf1fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\NoUS.ico
Filesize
4KB

MD5
383646cca62e4fe9e6ab638e6dea9b9e

SHA1
b91b3cbb9bcf486bb7dc28dc89301464659bb95b

SHA256
9a233711400b52fc399d16bb7e3937772c44d7841a24a685467e19dfa57769d5

SHA512
03b41da2751fdefdf8eaced0bbb752b320ecbc5a6dbf69b9429f92031459390fe6d6dc4665eebe3ee36f9c448a4f582ac488571a21acc6bba82436d292f36ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\OUoQ.exe
Filesize
195KB

MD5
7ff2318012ed129b2435ff934cf12f64

SHA1
dea6b967fbe78561ea36a681fd39207f04da79e7

SHA256
921d21dbc57c4c67880268c4263e09a4b54a4fe2a641d62bcfd72319ff5ccca3

SHA512
260f955d1a251ff9ffbcbe100d5ad8d97ac19c0303a25e45d2ed1866ef1967b701e263cef80c2597ad2c404376ab1f829225e7f85db5a63d447c2b3b95ff047a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\Owkm.exe
Filesize
572KB

MD5
0071629486e9564c17da7976ee0cb35f

SHA1
f9079997459b7118b715143b9bf1b3139f7d7ed5

SHA256
ee3548481801e0771b4daa88469869b1e5c7d78b50d8af487e00d63c5777985b

SHA512
fcc8414e7cae428ed1ca9f65421712cd2d9053d955373700101f832090f4fc635609f5b1564dd12c91ec3c2d07cf4349c49d4da196d156d1a59a829b1b80500e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\PgYM.exe
Filesize
211KB

MD5
6185a17e71826e6efcd75b492c8067f9

SHA1
419afc1a2bb0e6a53923203c36240d1c56e9c8ae

SHA256
6c5f5261dacf19dc4ace6bf8acdd68ec45c5b5e3f0ce8d5132f5466521941157

SHA512
cc3d54aabea54f70d318b452b5cbeeb1e99996d62b3ddb78b8e0605f6bb3810b75b68208c535b91d6389244bbcca66dd6557993f64cf96d1a8b11060d6aeebf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\PkMU.exe
Filesize
349KB

MD5
2b2698862fea23b416074cba3fe94eb3

SHA1
c6f51a4aff2ed78083f9958a09cc8c61f3ff9b77

SHA256
47dc663b349650a9a209d4e3b73350808a073455ca91bd79c69c38073d0aebc3

SHA512
2c1ddb0a0f9012da0f957e82b38794066188240a585586d238dc2d5b3f9a8ffbc07f71a94ffcad57590dbbda06f61b55fee571cf93a9d0919b0884008a76e401

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\PolyRansom
Filesize
25KB

MD5
2fc0e096bf2f094cca883de93802abb6

SHA1
a4b51b3b4c645a8c082440a6abbc641c5d4ec986

SHA256
14695f6259685d72bf20db399b419153031fa35277727ab9b2259bf44a8f8ae3

SHA512
7418892efe2f3c2ff245c0b84708922a9374324116a525fa16f7c4bca03b267db123ad7757acf8e0ba15d4ea623908d6a14424088a542125c7a6394970dd8978

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\QUMc.exe
Filesize
191KB

MD5
d93614d1a5272e7dba3a9fe1de814b4b

SHA1
8a818cf54d72a892cf20252dc7fbdb91596dcdbf

SHA256
a4d54b41439cd610a8d5268ab7af39044c9ddcdddb64c660d3bdbc8cdd93b301

SHA512
fc32f74b8b7681195ee5e0a00e45852d410cbd3caf69f9c9ad6363b9bd9f1c97c5454935bac081222e1fcb75c5e2e3b4a585acb70ce5c38e17d002caab96608b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\QUwk.exe
Filesize
636KB

MD5
3139ad6dca99453b7c93d210649234f8

SHA1
4e9562f3ed9c3b2b3954b5203be1ee9df29b1322

SHA256
4c01756ce83494767abd10a08bb670ae4033ceeb1773742a3897fc3ef44650d8

SHA512
66ef860e9d88b791cf552b98dbbad7f7952a00390c122eea3912061daf033ce364a33d2e91af8e5198fdb14c9418a33d711109fc32484fb5ff493acaa8d9d30d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\REUc.exe
Filesize
194KB

MD5
c9f8f93356831f8d46eb15baaa7d38d1

SHA1
9561be088e18639ca77bea87a1d2fd2816f9cb7d

SHA256
acfa713218f4f01a6ce0a7a2b5bce26efb46de80434cc48c546d450a80a2d519

SHA512
f44f77f55447a67e53f71c06a2440255a5c24b77c96c53bb2a7e38848622cb2c8f30a91db5c1dc62bb66ed0cb3446c9a21bf4214ffa0b3b9483bf56a0ea70066

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\RIUQ.ico
Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\RUsY.exe
Filesize
204KB

MD5
9218170517ddbb459fcbb4116525d8f8

SHA1
8897a094fb061753129a5a5f30933f55c26ba5ff

SHA256
251358be38fd431ce26d9e92efc8d249824b6b1a6da0ec590458f16ebf018588

SHA512
8c63f925d0ec4338e0d9767406542d22a2eeb23ef4e238d0d8e27ede2ce6b72e46eadaa721b9990418a0057d109f9be57c7e445b3ec44ee64286fa1b9634f826

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\TAUY.exe
Filesize
201KB

MD5
fde1353852490312c928e82851229af4

SHA1
04d94717429940587e0a34b68eef3e34bd606d58

SHA256
6a4d13596792afcf92f09b2a4a697eecee7fd894e57010600d3dd107bae014fc

SHA512
7463f307b09c91a01cc9a5f09a05ed6c6826934c1572802ee88b4e296e8978dbc7db16ca625894c663ae578339c14a984f36461ca66e1dcbae7b60feabab2343

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\TUsE.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\TkIu.exe
Filesize
336KB

MD5
1a27257540adea9b60907f2ff73b4162

SHA1
6d26e9b27ca04a02d2466aba2cd179d2e037bd95

SHA256
d7399a3e6cfef29184c1071e39bb080591dff6ee48874be133384cc58dc8febc

SHA512
172dbb28fe7d0dec030d687d4149dcd7a431475c2dcb35e0f46a566b6bb6186d813de78f3a98bc7fe788ca5427464999c64a4d422b9f796c9e865d4f01fe5006

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\Twca.exe
Filesize
221KB

MD5
43ba19fccce77fdb1ee22a6a3331b831

SHA1
58f49e980be1373be6e4c28246383babc8775125

SHA256
1381688e5f0d96f77621ac45c8adaad76daac26d619992367ffd5aec697d5276

SHA512
ed11790db8ad03e046e3ed432fd63100efa6620cf9bf258c0b52fa1328979c9ccf11062f7eec72cbd1aec7281c866496a448322869b3a9d28689caee9b472cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\UcEU.exe
Filesize
197KB

MD5
3b4dc3b3b506b581090c801125418d8f

SHA1
acb27fde8c73bd16f112c1f1fc3c19d1d6f98840

SHA256
150e437d5ce1c70bdf4f7fb0ff0e81364f286e7de2585c510f05bfbbb3c600bf

SHA512
d69dff2dc8a898e694f356a142ce96c7ff39b470822663c33d443b80a668d7f7578b13d6b8b6b65f7ffc7437ea6402d5a9dcdcf3325e0bbf08c626bcf811e12d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\VUoI.exe
Filesize
199KB

MD5
5051a8c943beaf11f608c97591459db7

SHA1
e218a586fdc711722b0a37271bb98511e1299b4b

SHA256
babd85d4a329a6ef18f22e9f357ec4ad28da2a423df69eca075288b4f3505cb4

SHA512
7956ed45361f79764b8f435ea6593aa3c5cb2fd6ffeab70bedace4668d0b8408ec2abf6e4b34063c410a5b922c4e4144da047b971664ae1ad1e8291cd132ed5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\WcoI.exe
Filesize
182KB

MD5
1549b39d14a23b4d9569f61368132e04

SHA1
c23ed1fae3ee27335e573cd15feecf645bc7a702

SHA256
3ff1ae61132f3d23a63972444e3e83dc157fd12070e3fc984783d6faa2f01179

SHA512
163341c46d3e286b944160c2c26b2b6e4de218e40195bec16088944a958e7cc329a520e1b7831428665ffaae8515ebbc1deedff3f6964f616326d93397baedc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\Xwwq.exe
Filesize
761KB

MD5
be795c815c31e272c73e132297b1219d

SHA1
99f6587c563530b86561aabad327665bd53ab366

SHA256
919833291d5da352663d625a335841e8b228ea084658f438fc86ce06cd4f59c4

SHA512
125ff6e2204c451ef7de9c3a009249cdbd97ccc77e86fca4035b71f13c3583043a7571020fb3808859f1bb2b4258a880b144d2bfba49130b1d40e9e0275a9403

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\YIkw.exe
Filesize
426KB

MD5
987ef12320a117a66d06457b6d8de544

SHA1
7db29b6b687e8ced7d9cd0c60433caec6080319f

SHA256
4360feddfa7a5a54fcc227cf9d6d879ef60d1bbdc97d1b3ac5eb13b98c44594b

SHA512
1398c869631ea4bf0cfaf63053097791c98661b8dbc7e1ff0d1e96d38b7432eff8fdc4f752f60a5ff97848c18233e46633937b00cad28e799bcccc66023f01c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\YUIm.exe
Filesize
829KB

MD5
a007b6d0b793ec9c2a835f99ddade490

SHA1
549436bf932fd721ddf3aaaed7a375c72eaf9a5d

SHA256
ca01c979aca4cca9e4e6be54d4b151aa081587de587d459c80e517c26803d17f

SHA512
72a060c0d29cecd324e2189f528e664ce4c5c39fb7ef218e529e7e6666b726e3279cd8dc8f8044cefa1200c993d620e20026aa46467e3ded84c710291ea6e898

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\YYYS.exe
Filesize
192KB

MD5
e880addf8745b0a6a703ab2134c789f2

SHA1
0a52c67c0c0edbbaf76fabacf8d8aabefbdfc3f7

SHA256
6cd5d6d3239f7b0be79e9d54233a1db2b52aaf14d669f2fcb0cae285c8eb0f4e

SHA512
a5161fc5c8fa30c4fd8f6e15ccd686e0f1aef850d685704ad5dd37ed9b5eb5856b2650c2aa2c7059bed321aae722887d39f6cef782f901f5b76db312f21c4f34

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\YkoO.exe
Filesize
5.9MB

MD5
85389f6587468727040f923775267c46

SHA1
9aaa38fb9f87a92d087d576c111bfcf8a801c9c2

SHA256
25f4ccbfee5717194a020ad3a90fe27854fc45e33eb03be7ea5fcd34ee360c7f

SHA512
11fa06aa813faca6810a92029deb9415a991c588fd387dc3989f22d52bc4fda67c18f4539d8026067ef3da63f3b50c0ccd3ed100aa3d77fc113330ed4607f4e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\ZIso.exe
Filesize
193KB

MD5
f0201d9b68d3e243987284ed79882d5b

SHA1
fa6aace4e15bf44eb4b859ab98aedc860a347054

SHA256
9bbf14c71f782292ca5e17783b043a72f4f6d051d7f588371f2e385f89a13d07

SHA512
cfc941ae34ed750ffd642d920ddc0eaabdf4678c194c17a30c39d1d060d2e73b4d3effa5a0b805572ed31aa1581b002916a6911a250dcd2d565cfc2fd4dad6f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\ZMkc.exe
Filesize
5.9MB

MD5
c173b838b62fdd668eb7e1a19f7fcce2

SHA1
ee38394441d7d505570c747560b3c888263d608b

SHA256
dc384300bc3c885e19fe9bee0ede6d8853495d1ecf81bfa991b048a799a9144e

SHA512
db69cf5b6aea48436ee2fa72f927d98e9220cdd341ab8ca3814f4c7b43f5c8c17622a07deca7495ef09d386ab3d7fe3811756b740c2e821ee4d3510a1705599f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\ZwkM.exe
Filesize
205KB

MD5
b64099040d31c254f4df98d110703ce7

SHA1
2fa524fc9661a5c49f97d37f8df1066f8ae9f1a6

SHA256
430ab1c0768a2aed221dfeb1905f3eadef1daa80140d7d928c5942a05507d899

SHA512
11a2427f97b9915f02330011af6850e470db4a2daf15c8ea19d3954650e7478c5ac9fef0fe5894e399f4ce6e13b74255771aff6dd8808a7631b5fe12c64a5561

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\csIO.exe
Filesize
183KB

MD5
9878825253891da8b7dc42dd241686c9

SHA1
406c9b5f15648c6fc174bc1839dd65d3378df014

SHA256
a42e7c9a794638cde70e0bde82509e283c374d2ebd3b99b87bb6e5eceec7f4f4

SHA512
65d4811ed347ab3faeef5542f4560c287cbd9650ca6e3b990e6e817241e9fde819d38bbf4a57a9726dcab0190e3d738bc29277b67b47aa8fefad78da70d41582

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\csQm.exe
Filesize
198KB

MD5
c187ac4f18a46e6e97481cdd997691e9

SHA1
f9e9983593448998e12c5c085a1e89a0dc048c63

SHA256
875cdf08cf5a99cb892cbc78a6d61cfb901d5b14c9fe3a979340ce340d28fc64

SHA512
9a067fe0ed8c41c871e8a2ce80eb029264e66bd230aaed87d97ce8b55c1bd2da623f9b2374e38b2c25abf87e6965f4940edf798d1ad304fc0c4165d10c503e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\csgG.exe
Filesize
206KB

MD5
2fbd84235c05e143fc020d8dfa305f32

SHA1
eee1ec2697f6c2eff1b5ad92cf701b9b20467b11

SHA256
afcc2c6699d5b82c944276a2a7619e44bdf8952b55f34dfba32d2a03b5f2dcdd

SHA512
ef5be6dad41b9f8530e87b0a674e5c2a2079918a518fe27c026b61fc59dc9e1d5c21651b545648ef882606631945ae5a25c66d970ceef94096faa7d6ce3d2813

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\dEsY.exe
Filesize
195KB

MD5
f3886452242b927bd273c8f061cc4e58

SHA1
0b9de480633df3ad4e0170afaf2179c38722b20c

SHA256
8dc9f3c162bcc52fa6a2b7af91a7a2953c6aa7f8f9cfef6d3bf7b2f86a5831cb

SHA512
d67dded31f4345f58c56f45b63ac7a6ca59b20307840a255a7316550406560c955db52d0f9a437a16a6f9d96a746beb685d3ae630938053b233e6f258ea29111

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\dUoS.exe
Filesize
196KB

MD5
ed3ec01f5b8bac3ce474d8c9eb733d1f

SHA1
8c615d168dc7d2a4365c26641d7fd45b0e57e1b1

SHA256
2315b66a0b00a80f0f01bee8c999cf416efacd4ef9f4445fa49a993d9093ad8b

SHA512
244b9c5dc63e60bc793c13aade1621dbf64a054dc4d571b955792227aa88dbd8a81cf4393771a2d229eb8e0b0f0d61ab82ce883d33898d285dda7d140d4c3179

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\eIsW.exe
Filesize
202KB

MD5
3be62c40932f92acabc886580e8c8076

SHA1
7c4eb4fd8c633916e71b0f83a84db85bf987c968

SHA256
e62e08ae9898047227eb86f59425160bd3ac17752530f45c05da88dfa78f353e

SHA512
56ea699227b50749432a3c32a87fda0f2fe4e7f363b687790bc28d9eeb207c4890d7c6501ddfc16188f775a646b2636e50f0332ea82d77f44a03e8c765f3d138

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\fkQG.exe
Filesize
5.2MB

MD5
9ea99bfc426c0b3d34371be4e67a37c6

SHA1
01b894e86665cb87cae3fbab9d5c81e66fc949a2

SHA256
d25b5480fe0fb09405b8a0ebd10328d06cc855503969a4c50826454804df9cae

SHA512
2188a5c21b91020ca88bd6580b36b3ca3abe5829105b16b12b0d49b2454be0008776d15b22dd93d4e311cbe4369f072b169d4da187865db5892e7dab2ab42d40

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\foUi.exe
Filesize
1.2MB

MD5
f00ae00137223a38dd0ccf25c61208a7

SHA1
2eb39fa1fd9995f631375f7cad287fec91f58552

SHA256
2c43bbfd3444317b2972d777dd96a61ebc0704c4ea03b3466732084c6d89bcd0

SHA512
5676dc735fbad5b0ee227fddf2253ae1e76889c134af9e597282d918acf3e766e5e14b0f029281d6b5b28f5f923cccb8d38d75cf24ab939eedf8b0f83aa425d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\fsMa.exe
Filesize
206KB

MD5
4d82dc48affe3b9a8445221c7616d860

SHA1
68854f06f501240f87b5defbfc815724c0c364bd

SHA256
c706fa42393481ba3b3e6262af227b36d02e1c534be2e39e04fa4e33717f2899

SHA512
5caec0ffbcebb030969515ee91bd9292d09eed6d26e221bfb0de3f0145dddcfe3aa61bb28782fb2701c2f66e7829b56b788fe67812d3258c6ffe936038c2b30c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\gokE.exe
Filesize
180KB

MD5
3a320418878cc957887641331d8976ba

SHA1
30445730261ea4e33a6168800332958dfcfd763a

SHA256
c79e995d3b8f6743503c969ed8af7d95cc9ac6eb9e480ead7aca65d0f5f17b34

SHA512
69e69b1a543a0b06f26e105c02e36242efac0e007b2e40439282821285a8efc1a7eb9648c0fc2b6115967b20df827a830caac444f468c189f0a4eeac53432b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\hwcy.exe
Filesize
232KB

MD5
fe8c854ab1ec3b1ffd68896bd3e20b16

SHA1
67124d3b9a4ac73222b0711a4f8328bca4f35f64

SHA256
77b3695daa9ab842acddb290a5f4d975fac3e62c3129553470c9ed721d037097

SHA512
6a93ad17390a55f224a245b01e0cbc6989ce920546fe690419a0a00a671b65efdb02f99ad907e4bee6ea800f973dd158fe3c0e82a36a81461e0191fa3d32b655

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\iYwm.exe
Filesize
195KB

MD5
40e7268fe40c733ee0346561360e84af

SHA1
30e9776807ddd49881fc525f8b1b20080db9798e

SHA256
1bc336dacef48e0fbc8ab8c0bc0aaa128e4314f865fd722d6d131758a84af577

SHA512
703a3c87104af1e718d2a40c089323e987c013b83be7f6daafc6d5d5d1d088bfaa9493f9e17046ff6dd16b12422085c47f6a150908f1e151c214635f067ecb74

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\igUa.exe
Filesize
231KB

MD5
bc2fd96007c7e0beefaef67023995097

SHA1
6fc0be4354d507e3555829c705b6d92b9fe5f388

SHA256
5e92a9f566cfc4448b1e81e91c4be2a52dcb48f6a361b03c6b1213a371cf943f

SHA512
823085cb67bd9ca3e3a3f71b6f3ad1a1de0799b818165085e26ba20adbed76a5bbef34e4400b8fd5e306a0f69610f4ea5b039a8609aaef76e00f9787a0229203

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\jwwC.exe
Filesize
5.9MB

MD5
0f4890c792e96a4ccc87a89145304921

SHA1
6544c3cfbb65dc6aa5bc3c5db0fd840bbaa681a5

SHA256
db3de541205ae9f1ae28ebf9fbc24c8809398c8ae54a6b8f83fd3a19f52fdba0

SHA512
36d5474bf0cbdbb562d4e070f62bcde168ecc576e01195d8fd98a120724b3bd694475f3ae8b1c9bd7fb95241db3b8e6fe131a38553a8ae142dc63d014723716b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\kMUo.exe
Filesize
551KB

MD5
d61d2069a526db13838b1e2922948d9c

SHA1
5fb1d8cc48cc5a0a88c88af244fb30f3e5ee7a76

SHA256
1eb2c6cab56a3f22824eab9bd6ccddbf6edd079f7b23645c16252ea3977b9117

SHA512
ee39bfea3d852eec72a59f8591bde1bc6b7c4e74463bcd66d809596be99e330bf6258073fd6e6b42973f7073123a43deb0df837868078fc62bc884712edeba8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\kQUk.exe
Filesize
192KB

MD5
5a9c07d7bde25253d4efb47a2021d99d

SHA1
63961bba5589cb306be36feac3d90478160a7795

SHA256
855b6e96dffb2b8bd09e29a1ea73117592c189ebf08db8fb804351390b55fcf8

SHA512
cec724c13c06e6df3541843152ce7240eff0851456ac811d17aa287fc0176096915b953d51ecdfd64d2e8a6c41e9ec435b6450834f1e9be5813b16e032faee63

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\lkUG.exe
Filesize
195KB

MD5
1915251573037f0b922e6f77483a0ae4

SHA1
136ca5247f2233792888e84e1c70ddacc95d5ab8

SHA256
b3466b379cf16ee8d16b2b5bb3853f0b9d86de0cfa132746c24a10a58cf0a7a9

SHA512
ac3912a2f1948a059833eb00207024efa31741585f74198400db55e9a7df16cd6ef5aecb4130bd2f0dcf73d563bd86ec1920aa9167beb992172eb139c47860a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\nQkO.ico
Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\nUIC.exe
Filesize
205KB

MD5
45dbaee5fba744e5a7e70fbc1e700139

SHA1
a921112df52a1e0da5bebafabe7d62617a59e351

SHA256
1e142a3c91ced7b9b7eca1c6140ca329c7b28882cc5d5c6c279cfc710cd0e75f

SHA512
7b6a93363117f3ca5890df48617057bdcdabf5346dfcaf99add0b1d5dd4f666e174316cad3061958cf5c5cfcce67a0b8ef287ae604bb6a60776ac70e0d0e6d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\occm.exe
Filesize
189KB

MD5
629a88590a4169c322b3908dbfdd6c00

SHA1
0a449ceac83d4a109c94dc5342ba175fcffca153

SHA256
76657602d5cb03abbd2bf0dbe182cef8ca4b97eda58f437d654f597cfc73e0ee

SHA512
9240ca97357d7247f12ef095c1e9a8e396c7dfdd17e23fbe84d77373f88d8c7cf7c8ace08bd55fbb274f61694dbb6a6d84b0037f24fcdc4531043a4e94a6bceb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\ogUS.exe
Filesize
193KB

MD5
a1b4adc8c9de039c190c1bf4a9b33ec8

SHA1
7499894c4928471c8e614b6a9c287a532ddc4611

SHA256
939ce5cb0ddb315cdb8d10ebd0764b17bc2a495025bdd0e50060f80e5e0f0379

SHA512
a793521b04ae611ad1136de93c8eeebf92a5e28588aac11e90baed5a0fd12fffeab43efa7144a3fd846ef3119b7b08049de84528b4db6c606e4c9a36b157c62a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\poUW.exe
Filesize
691KB

MD5
a8401e62e78e872f3478ad22f81a2b85

SHA1
e99e3cd7c32fc454250615e510cd6f0b4151123c

SHA256
74788888e2d7f7702ac6628d9fec30a4f760244b2eb35fa4a5820302c4a26abc

SHA512
df4c8c607c0060f651d3e3b37d934e775e49b1a4fbcd6c69229aca0a2ab9a5a9cf2a696e1eaba505eee5026c716b904c6c5fa19aa47b945e0dde41e86732feb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\qIgC.exe
Filesize
1.7MB

MD5
a8a237fea9694a163b6d71db0c8f7e72

SHA1
f62b87e81ad6a42e3392e9c0802ba7d766a89b97

SHA256
c6536434262d4ec7c187e992e9865358949c38b0b25165a1cee70b4063b60c94

SHA512
3c5b880be62cf0714e19844d0a6bd606b0b1502fa8fd343b5c2458845c076761b7a85f35a6208c2a879739aba4f688bc1c907498f5752159046549a87ab15635

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\sAIK.exe
Filesize
210KB

MD5
3efff91fc87a861b5084f3a82f0f72d6

SHA1
7f5eeb391103f4c9df98cda6849c1fa05cad5c2a

SHA256
83f1025a475ab9d1c7a8538e99300f0c0937f9880c65866b4b5d2755f3ac8283

SHA512
6a2e25876da11a837f2ac5614f880c2963e433fcd80d464731c56a3c8bf83d9495b8f99a083108b97ad6a680278683406b074270a702be8a35e9086e5a313da1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\sYYC.exe
Filesize
188KB

MD5
cee08a1442ad014dbb6ec468e3800c96

SHA1
04767323e36a7b6c8b5a2003f05fb147e74e3598

SHA256
c7626f125f5cff94b9102a728d247a0e23bc89f29e20fcda6427a6021911d860

SHA512
fdcca1ad6cbd16257068761a9a1a9dd095e40e2b85e701d62e4cd95c10caf2f23859678eb7ba216b99033afe93cdbeb6bdedde314904609b25fdd951bcbb864e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\tQwm.exe
Filesize
3.5MB

MD5
95cf4f30311db6db71a73b3e78253919

SHA1
6463b3a8c65dd5f6569bc91f7437db09881f9f6a

SHA256
1a85efc707b23dedf65257c40b8cf274a69de2718f33b02b7ec0e56b54392e53

SHA512
b520dd0f3792115f632a4372f1f7f7a95d6700910e0216b781e4e7f6cb711851621c9cde30383f51808d786398f41d83a32542a206c1bd40dfac140a6ff07efc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\tkAy.exe
Filesize
5.9MB

MD5
5e15cd68a8df6e03b9cac750bc8ed042

SHA1
238af0c899044e52ce3b7f74b3adffb114e3d7a3

SHA256
fa703a55cd5101129d4f4c8f332cbe55181738e33143728d1af45432b989dae7

SHA512
78a501352a02cc781d5e04271f5c3ff9b82f23549b9124c2a225b99247eaa75e62293346cda583a77aaae6c4e1f41f986af4e81cecc4ee6aa1552d548f71f75e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\uIEE.exe
Filesize
1.2MB

MD5
1b5799a9ab53ce6e74586a46ed35d7b4

SHA1
bc8c6a2f12e8ac4fbed9bb5fddd8e54d5ffc17fb

SHA256
3b435ae415499548f4501f9a5f94ad97bf3b02374b8dd722df0e9fb62f26f1c2

SHA512
8999dff926b9eb4972b1fe24e33b59d49c54cd4ad7447ea28f815dc8ea9bd3fd7e75d1463e65a3c81543f6603dbda1958a29cd7ecc685d11934a91be345102e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\uIMa.exe
Filesize
852KB

MD5
6563d3678d8a1d26b62b2e7bb9a0d828

SHA1
0a930cb8115c5f21a1a80a2c5ddc6b266d935b66

SHA256
2f8b2c50ada119284e2c9223f372198b5b6ca74969b58c93d843dff0cb85c5f3

SHA512
d952fe6014c2368c22823279e458ec4a877b17d9fe9376f3f9617b3b85790b2583a03ed2bbe958119fa2336f983afab4a616a5c6b54b1b7a0be499dd2bf6232a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\vgkk.exe
Filesize
183KB

MD5
9d0126bdac3cd34e05a84761b5872c02

SHA1
3c39a6c9d213a5139824bccffbf3c7ca4284f31d

SHA256
34c811081ef78273546b226474f9490a9641f40d6bba8f2f5d80f3e9fb18947c

SHA512
455fa5d95b7adc8971f2732058775672bf2545c50e5d0d87583d183874092bc416304bea50e85b66b7e3ee36f1068fc83818cd5e3115d3f7cae6f23116999718

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\xcYO.ico
Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\zAsI.exe
Filesize
211KB

MD5
19206b9ba2b8196cec8bac40f92c1a4d

SHA1
f36410dda10a584805784c91fb69c563aead47b4

SHA256
db03b94de63716a3039037928b87800038c07c8d4e854663813277c097fb1194

SHA512
18d3f720888a9c925bc89292afa6014084970e946d4d4a671fafb157ff67cf6d70c68467f547892a0a9685bd6cfd9ccbfb7b333fab95180fbd4ae93c83d6b546

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ransomware\zYga.exe
Filesize
940KB

MD5
78f51017434cdc28a93fdc0365c0103d

SHA1
a4ac63161049e6a6b424323b668842ec3208cddb

SHA256
217f2d395fd69b8629a5f22ee202af7d68ed1a87e3cbc064d44fed0f5dad2fc0

SHA512
f806df2f8976b49b2d4561186b1572fb22f0435763a33f925781e73ca175e529f2c2788c98f3bc6ff98cf565dae1c2f5b36837599c785865cdc8e16873fb7313

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\aKgckQsQ\neokkskY.exe
Filesize
197KB

MD5
e23c02d78f12868e1c8080a1a623a037

SHA1
a9db4f5dacf6fb81cedd486cc92fef8e67ea28b8

SHA256
7d6e143c36490646fcb04adfa788e61a7753239a3558819b985930809d0c3838

SHA512
a462eb7ce4ac45da1d7351f31f82cf471b4bfa71f0f4672b124b37100854e258a41dbc5d0480393efd59b27f7c9a25c4b5ea74c8c8628d386d3d3812cb3b6c34

Download Submit
memory/744-55-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1588-32-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2852-69-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2852-56-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2972-19-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2972-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3784-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3784-1975-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3788-14-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3788-1986-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4512-44-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4512-33-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download