chaos | 14592b6ee58e6c1abe76e8148f087b1da84f54892b1cca31540dd728298bb185

Resubmissions

18-04-2024 20:02

240418-yr4gfsef9v 10

18-04-2024 19:59

23-03-2024 00:07

20-03-2024 19:20

20-03-2024 19:18

19-03-2024 21:09

Analysis

max time kernel
490s
max time network
858s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
30-03-2024 14:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GH0ST.exe
Size

127KB
MD5

90b828929de1319e5b9bf94f4ae990b3
SHA1

8fc41267cfb9f057e78beca15b775d20fb01434b
SHA256

14592b6ee58e6c1abe76e8148f087b1da84f54892b1cca31540dd728298bb185
SHA512

57e50e8c3e424980bfb96d4d1862e998efd50e45df25478fc80537a67a27b8d7aa8cce00400e0126216395205946a38876a2ff494b74d86043c5e5779a4b5921
SSDEEP

3072:oDk4Rq96liXWAPEV9Ue4znvqg2WVrxuF:h4Rq9UCW7WhZx

Score

10^/10

chaos evasion persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\ProgramData\Adobe\Updater6\read_it.txt

Ransom Note

Don't worry, you can return all your files! All your files like documents, photos, databases and other important are encrypted What guarantees do we give to you? You can send 3 of your encrypted files and we decrypt it for free. You must follow these steps To decrypt your files : 1) Write on our e-mail :[email protected] ( In case of no answer in 24 hours check your spam folder or write us to this e-mail: [email protected]) 2) Obtain Bitcoin (You have to pay for decryption in Bitcoins. After payment we will send you the tool that will decrypt all your files.)

Emails

[email protected]

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 3 IoCs

resource	yara_rule
behavioral1/memory/2020-0-0x0000000000B70000-0x0000000000B96000-memory.dmp	family_chaos
behavioral1/files/0x000b00000001224c-6.dat	family_chaos
behavioral1/memory/2152-8-0x0000000000AB0000-0x0000000000AD6000-memory.dmp	family_chaos

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2360	bcdedit.exe
2304	bcdedit.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
692	wbadmin.exe

Disables Task Manager via registry modification
evasion

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2152	svchost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\UpdateTask = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	svchost.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\266EQP1S\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\2Y0HPGOE\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WZPJ6IGS\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Ringtones\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\JP38OXIN\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LS99WIMF\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BB0Z8TKM\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1OEGTYQG\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\AS4I30IR\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini	svchost.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	svchost.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	mstsc.exe
File opened (read-only)	\??\A:	mstsc.exe
File opened (read-only)	\??\I:	mstsc.exe
File opened (read-only)	\??\K:	mstsc.exe
File opened (read-only)	\??\N:	mstsc.exe
File opened (read-only)	\??\S:	mstsc.exe
File opened (read-only)	\??\W:	mstsc.exe
File opened (read-only)	\??\J:	mstsc.exe
File opened (read-only)	\??\L:	mstsc.exe
File opened (read-only)	\??\P:	mstsc.exe
File opened (read-only)	\??\R:	mstsc.exe
File opened (read-only)	\??\V:	mstsc.exe
File opened (read-only)	\??\B:	mstsc.exe
File opened (read-only)	\??\G:	mstsc.exe
File opened (read-only)	\??\T:	mstsc.exe
File opened (read-only)	\??\X:	mstsc.exe
File opened (read-only)	\??\U:	mstsc.exe
File opened (read-only)	\??\Z:	mstsc.exe
File opened (read-only)	\??\E:	mstsc.exe
File opened (read-only)	\??\H:	mstsc.exe
File opened (read-only)	\??\M:	mstsc.exe
File opened (read-only)	\??\O:	mstsc.exe
File opened (read-only)	\??\Q:	mstsc.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\v7thx942n.jpg"	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2580	vssadmin.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\tuk5_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.tuk5	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.tuk5\ = "tuk5_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\tuk5_auto_file\shell\edit	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\tuk5_auto_file\shell\edit\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\tuk5_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\tuk5_auto_file\shell\open	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\tuk5_auto_file\shell\open\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\tuk5_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\tuk5_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\tuk5_auto_file\	rundll32.exe

Opens file in notepad (likely ransom note) 3 IoCs

ransomware

pid	Process
2756	NOTEPAD.EXE
1160	NOTEPAD.EXE
2856	NOTEPAD.EXE

Runs .reg file with regedit 1 IoCs

pid	Process
2632	regedit.exe

Runs regedit.exe 1 IoCs

pid	Process
2040	regedit.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2020	GH0ST.exe
2152	svchost.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2020	GH0ST.exe
2020	GH0ST.exe
2152	svchost.exe
2152	svchost.exe
2152	svchost.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeDebugPrivilege	2020	GH0ST.exe
Token: SeDebugPrivilege	2152	svchost.exe
Token: SeBackupPrivilege	2716	vssvc.exe
Token: SeRestorePrivilege	2716	vssvc.exe
Token: SeAuditPrivilege	2716	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2396	WMIC.exe
Token: SeSecurityPrivilege	2396	WMIC.exe
Token: SeTakeOwnershipPrivilege	2396	WMIC.exe
Token: SeLoadDriverPrivilege	2396	WMIC.exe
Token: SeSystemProfilePrivilege	2396	WMIC.exe
Token: SeSystemtimePrivilege	2396	WMIC.exe
Token: SeProfSingleProcessPrivilege	2396	WMIC.exe
Token: SeIncBasePriorityPrivilege	2396	WMIC.exe
Token: SeCreatePagefilePrivilege	2396	WMIC.exe
Token: SeBackupPrivilege	2396	WMIC.exe
Token: SeRestorePrivilege	2396	WMIC.exe
Token: SeShutdownPrivilege	2396	WMIC.exe
Token: SeDebugPrivilege	2396	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2396	WMIC.exe
Token: SeRemoteShutdownPrivilege	2396	WMIC.exe
Token: SeUndockPrivilege	2396	WMIC.exe
Token: SeManageVolumePrivilege	2396	WMIC.exe
Token: 33	2396	WMIC.exe
Token: 34	2396	WMIC.exe
Token: 35	2396	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2396	WMIC.exe
Token: SeSecurityPrivilege	2396	WMIC.exe
Token: SeTakeOwnershipPrivilege	2396	WMIC.exe
Token: SeLoadDriverPrivilege	2396	WMIC.exe
Token: SeSystemProfilePrivilege	2396	WMIC.exe
Token: SeSystemtimePrivilege	2396	WMIC.exe
Token: SeProfSingleProcessPrivilege	2396	WMIC.exe
Token: SeIncBasePriorityPrivilege	2396	WMIC.exe
Token: SeCreatePagefilePrivilege	2396	WMIC.exe
Token: SeBackupPrivilege	2396	WMIC.exe
Token: SeRestorePrivilege	2396	WMIC.exe
Token: SeShutdownPrivilege	2396	WMIC.exe
Token: SeDebugPrivilege	2396	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2396	WMIC.exe
Token: SeRemoteShutdownPrivilege	2396	WMIC.exe
Token: SeUndockPrivilege	2396	WMIC.exe
Token: SeManageVolumePrivilege	2396	WMIC.exe
Token: 33	2396	WMIC.exe
Token: 34	2396	WMIC.exe
Token: 35	2396	WMIC.exe
Token: SeBackupPrivilege	1188	wbengine.exe
Token: SeRestorePrivilege	1188	wbengine.exe
Token: SeSecurityPrivilege	1188	wbengine.exe
Token: 33	2872	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2872	AUDIODG.EXE
Token: 33	2872	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2872	AUDIODG.EXE

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 2152	2020	GH0ST.exe	28
PID 2020 wrote to memory of 2152	2020	GH0ST.exe	28
PID 2020 wrote to memory of 2152	2020	GH0ST.exe	28
PID 2152 wrote to memory of 2856	2152	svchost.exe	29
PID 2152 wrote to memory of 2856	2152	svchost.exe	29
PID 2152 wrote to memory of 2856	2152	svchost.exe	29
PID 2856 wrote to memory of 2580	2856	cmd.exe	31
PID 2856 wrote to memory of 2580	2856	cmd.exe	31
PID 2856 wrote to memory of 2580	2856	cmd.exe	31
PID 2856 wrote to memory of 2396	2856	cmd.exe	34
PID 2856 wrote to memory of 2396	2856	cmd.exe	34
PID 2856 wrote to memory of 2396	2856	cmd.exe	34
PID 2152 wrote to memory of 2100	2152	svchost.exe	36
PID 2152 wrote to memory of 2100	2152	svchost.exe	36
PID 2152 wrote to memory of 2100	2152	svchost.exe	36
PID 2100 wrote to memory of 2360	2100	cmd.exe	38
PID 2100 wrote to memory of 2360	2100	cmd.exe	38
PID 2100 wrote to memory of 2360	2100	cmd.exe	38
PID 2100 wrote to memory of 2304	2100	cmd.exe	39
PID 2100 wrote to memory of 2304	2100	cmd.exe	39
PID 2100 wrote to memory of 2304	2100	cmd.exe	39
PID 2152 wrote to memory of 1948	2152	svchost.exe	40
PID 2152 wrote to memory of 1948	2152	svchost.exe	40
PID 2152 wrote to memory of 1948	2152	svchost.exe	40
PID 1948 wrote to memory of 692	1948	cmd.exe	42
PID 1948 wrote to memory of 692	1948	cmd.exe	42
PID 1948 wrote to memory of 692	1948	cmd.exe	42
PID 2152 wrote to memory of 1160	2152	svchost.exe	49
PID 2152 wrote to memory of 1160	2152	svchost.exe	49
PID 2152 wrote to memory of 1160	2152	svchost.exe	49
PID 2596 wrote to memory of 2420	2596	rundll32.exe	53
PID 2596 wrote to memory of 2420	2596	rundll32.exe	53
PID 2596 wrote to memory of 2420	2596	rundll32.exe	53
PID 852 wrote to memory of 2040	852	regedt32.exe	78
PID 852 wrote to memory of 2040	852	regedt32.exe	78
PID 852 wrote to memory of 2040	852	regedt32.exe	78

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\GH0ST.exe
"C:\Users\Admin\AppData\Local\Temp\GH0ST.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:2580
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2396
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2100
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2360
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled no
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2304
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1948
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:692
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:1160

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2716

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1188

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1992

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:2296

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:1588

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:2664

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Run.lnk.tuk5
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Run.lnk.tuk5
  2⤵
  PID:2420

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe"
1⤵
PID:2668

C:\Windows\system32\mstsc.exe
"C:\Windows\system32\mstsc.exe"
1⤵
- Enumerates connected drives
PID:2476

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe"
1⤵
PID:2228

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x5a0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2872

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\read_it.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2856

C:\Windows\System32\regedt32.exe
"C:\Windows\System32\regedt32.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:852
- C:\Windows\regedit.exe
  "C:\Windows\regedit.exe"
  2⤵
  - Runs regedit.exe
  PID:2040

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:2664

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\Desktop\ImportAdd.cmd" "
1⤵
PID:2396

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\Desktop\ImportAdd.cmd" "
1⤵
PID:872

C:\Windows\regedit.exe
"regedit.exe" "C:\Users\Admin\Desktop\ResetUndo.reg"
1⤵
- Runs .reg file with regedit
PID:2632

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:1148

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\ShowRestore.odt.dull
1⤵
PID:1080

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Desktop\ShowRestore.odt"
1⤵
PID:1268

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Links\read_it.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2756

C:\Windows\bfsvc.exe
"C:\Windows\bfsvc.exe"
1⤵
PID:1356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Updater6\read_it.txt

Filesize
582B

MD5
ed5cc52876db869de48a4783069c2a5e

SHA1
a9d51ceaeff715ace430f9462ab2ee4e7f33e70e

SHA256
45726f2f29967ef016f8d556fb6468a577307d67388cc4530295a9ca10fdfa36

SHA512
1745aefb9b4db4cdd7c08ee3a7d133db08f35a336fd18b598211519b481ef25ac84a3e8a3da3db06caef9f531288d1cf0ca8d4b2560637945e7953e8b45421f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\26941b33-7fa8-4ae0-9677-38594145d40c.tmp

Filesize
242KB

MD5
541f52e24fe1ef9f8e12377a6ccae0c0

SHA1
189898bb2dcae7d5a6057bc2d98b8b450afaebb6

SHA256
81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82

SHA512
d779d78a15c5efca51ebd6b96a7ccb6d718741bdf7d9a37f53b2eb4b98aa1a78bc4cfa57d6e763aab97276c8f9088940ac0476690d4d46023ff4bf52f3326c88

Download Submit
C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00000.log

Filesize
4KB

MD5
deb70385f9460d79b99497f41de8fd68

SHA1
2b7f225d6e61171f1f9dcaf8f8cfef3212eb50c4

SHA256
e557da77deb5073250af2cd8e5bfd8f979ca079b89a1685afbf7de7dc8edd77d

SHA512
8612e4aa392ed33630c344541e476e044de75b8b2a3df1fc39582ea47ddf2820217db9d23737d682f35af8bc0759750f155cd28176a48da66c4818490d01679d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00001.log

Filesize
2KB

MD5
048e94c9e8b82fb5e89628d222898fce

SHA1
b4417bd92699244588ddaa995a2991712cf7a2ac

SHA256
54c5f8a0cc3b84481b04acc305b0c5d080b018d77245908e214633b9ca905594

SHA512
6dbc63af38edb8266ab96beb66c3208f6a29f55ba1aab25b428cff0a04d1ad3f5a9bf838f584814df5e6d8641ab5d0578d7dbcc5a9cb3b6def999cbc563bfb2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin.bmp

Filesize
48KB

MD5
343fa15c150a516b20cc9f787cfd530e

SHA1
369e8ac39d762e531d961c58b8c5dc84d19ba989

SHA256
d632e9dbacdcd8f6b86ba011ed6b23f961d104869654caa764216ea57a916524

SHA512
7726bd196cfee176f3d2002e30d353f991ffeafda90bac23d0b44c84c104aa263b0c78f390dd85833635667a3ca3863d2e8cd806dad5751f7984b2d34cafdc57

Download Submit
C:\Users\Admin\AppData\Local\Temp\JavaDeployReg.log

Filesize
4KB

MD5
612a650d1c773ee52d62546e66ff5918

SHA1
a7479722bea44f8719b651ba69aa337d60da4290

SHA256
9e0774deea09130ce23833cc3f0118e8dd06750e3570a230b199c87cdf354c00

SHA512
5882a9d5340d0197c660d0774f22a82f03a0fc73d14476c47d3ab86dfea8f80850bfb8af7a9433b120f4728da4889083086666145b3e2390966e6816ad981483

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240221_145553396-MSI_netfx_Full_x64.msi.txt

Filesize
12.7MB

MD5
c175fb376b2218d0c93a5f41ed3746a0

SHA1
5b0c35c425c8c29ff4fbf77384e816c224d34ea5

SHA256
fe722ebdbdfe28e6f0a9eda43441235b4e76013b407954499801299d127933d3

SHA512
325ad9ddf2f0c2566fa2b92b292b2ddb8b075b302a15fbbb90a3498ec16a487a63db802e2026783fb82a2c8769e4c54ad4f98571539d587f428848fc7c5577ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240221_145553396.html

Filesize
1.1MB

MD5
6151eb00e7d75279806db84fe01d0c4f

SHA1
e3661fd64cf3548574a7e033b4eca59ecf14e535

SHA256
a1b5ef396c9e647bd08ed1d6487bbe945404635fec68855d032fce2b45a4d272

SHA512
5c286a800376ae9603b922df23ae99064fe1e063699d433d3f908f0589da6741a6e14a725a7cb1ef4f74acf486a4ea48c53d169d80ff7bde2c2ed973dda55e24

Download Submit
C:\Users\Admin\AppData\Local\Temp\RGI8A08.tmp

Filesize
10KB

MD5
dbef78447120e830587017c581f994f1

SHA1
ea5214b9503e9a3b5335053b9f2e85c1bd26f3ce

SHA256
a380116d80066949811b29c5b53c20488c1ca6b05a955c1698aff58fc18ebf94

SHA512
eda079a1c4e25d18099accf11860b7c78c9c303c855d87ddfd1750a41e47571db6acf929921a20be693a18d948799279c3f7be47574a2004810021271d735b3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RGI8A08.tmp-tmp

Filesize
8KB

MD5
4aae089d3731c3f9dca27587e61cc4a2

SHA1
97b570c80cce9d68fbdd728f8524d92bce4a5c35

SHA256
ed8f2f1786d5c57aee9c8228286f41b1665f46b88b882557675350d5108b438c

SHA512
6ec755dc7f6531bf0ecec25f8fbf5f712ccf46f93b954f8acf522b33b4bd13f3781e73f1122a81bd5165c507b0a58222a3cafe6fbd25f5d606b4414a9a4009fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\SetupExe(202402211505243C4).log

Filesize
203KB

MD5
705ede2da728e3ca699d55f2b4a9ba8d

SHA1
a1652c395391a8a7023706cc25d52a005139ccb4

SHA256
ed3f7fcd7c106dbd95fabc1357c993c64da9422546ff0d64f2caa1cf93d10795

SHA512
b4c303f3ac19e19851f3957c9c5b7176d922eec666d665c54df830d98ff1f530ae3666dbfcf6ddd616d5db64be1c3713d93224266a3fbe28966f82014d31231d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a23d3b55-d69f-4aeb-a75e-551ce72b22d9.tmp

Filesize
88KB

MD5
2cc86b681f2cd1d9f095584fd3153a61

SHA1
2a0ac7262fb88908a453bc125c5c3fc72b8d490e

SHA256
d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c

SHA512
14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
4KB

MD5
6bdb3afd3f22d2029a811b8a1732f63d

SHA1
a18e3fb7bf70e4ad7db1d66daad3525c6f2c6e63

SHA256
fa0be6e6d98325708e4f3e6693a3cdd155584ae5c1ea3f634edc74401b313957

SHA512
a73bc6e28e54cfc8457532638a7a7b901eaa7401dcc623f42b9bebc69867793341b0db5d3515dc087f188807c55f7218327a1692ce47fca48d27edda384176d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt

Filesize
1KB

MD5
0387d041796f38f81433d61fb24efb7b

SHA1
5ca6689d0a7ef22fc7073a6fd8c2cf4fd56b257c

SHA256
6c57145686abdb123dc0665e345311286784a81f83d00da20b940485e056e3af

SHA512
d9d06a421ed45238856bfee1a3dc699aa0e7010795cb23d52a3d595de57910e3c432afb8b26c105c02e421943897d1669c55d7f92da7f4eddb62e08af0f8a8bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_SetupUtility.txt

Filesize
2KB

MD5
7411f308358854ed1cd02313764a53f3

SHA1
ac2064504e3788c5c363753580c80baf57758e0a

SHA256
f1fcea67880c52f22fba8c1f43aafba75e935b65acfc73ae40cc4a1a698298ff

SHA512
426a5ad95e10074f72272aa002d857bc668d156e15dcb4323c162cd886b5841c0a2ba5503b31ca464055862f35bff5e367c941d1ca294eb9edd73802b88bfac3

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI554A.txt

Filesize
425KB

MD5
305242ec0eca8c43fb612a196be368e4

SHA1
1cec2e46facd830f35eb4caa94f133c8798c2a52

SHA256
5feb26f1df944e8603df9927714dbaba192aa71e90486b63384fb677accad196

SHA512
8362cbc6c28a1edf53cfb14e1a6d0ea5df6af729b8c9098c27b75cd1611eb92a7f71ce1444cad81f34cf5013ae55e12f5ac2502981ee4a9c22ab97f48dbbe63d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI55B3.txt

Filesize
413KB

MD5
fa6302be05a1a6705f8b3fe7a74afd21

SHA1
bc296f5319cd7d677587592c313063649f3661f7

SHA256
3ff61b458272ae42985673b88c4868e61f680acdcb18174e6b2145973a03cd0a

SHA512
563791a98adcda8c913059bcea6d9c73ae3194b81f11d0f7d5119a895c9d0858fc8f79e3176b6c93c9b5d151ce2a7d76fffa67ba3f1112d632e0b72bf6b2ff18

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI554A.txt

Filesize
11KB

MD5
5b5466aceddbbad88c67026ecb50ff43

SHA1
13f32210a38cbba17ee39ee681890743edc4199e

SHA256
365bd7aa6576fe1de9dac4c316d77e8e1ff991e74cb1a4bea9c9617f7fd24096

SHA512
9c31ef9feed49175e2cf3026054eb237e744677753360c33a983270df80cceaf23b09b4cada7f2be661c65251501c83a767817a7c6b8a25035781fc4f4b08d76

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI55B3.txt

Filesize
11KB

MD5
9452c7bc08d6f6e82f707c62f0870d39

SHA1
bb9f1f0362a59035103f95bceef3975d07d79aae

SHA256
21734f2766e7acc1c3ff02bfc282eddc2bde80b579921bb45a16ba5b3d8b3b81

SHA512
657f5cc392101dd922f1e3e2399320a0597091234223b5528fbae062f115427d2d2427e536d0d4e8785518c03921fc2ba0584707b3b71f3780e607b72e29f44f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_wcf_CA_smci_20240221_145622_288.txt

Filesize
7KB

MD5
6592571499912154a74b5692cd6f979e

SHA1
83dc8a08a26910c79833e603801d3150790a1416

SHA256
3f171889a0917a39ad39eed482df16b1bd318f05c7eb4da4d7193bdda5b4cffd

SHA512
40698b64c0d0c0d976993efef37f2284639e3924eebd1e0064662442c6ab9796b4a6edecde8f18dd291030861b95fe79e78d3f7f0103ebafa41bcfafc4c03d48

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_wcf_CA_smci_20240221_145623_723.txt

Filesize
2KB

MD5
854b520903f6102780f5e749f9d902ea

SHA1
fc9f9a7e128e69022319759ce7bf6334d3f61e8f

SHA256
8ef144956abbef7025eba599816716ebc59be44d11b14716f37acd38044ba4cb

SHA512
f3b1b98afa5df072aeeeab8c142a5e3261e95a94bb503b2b8fab8f6a70e66d1fdccbeecbead2fa36777cc488ba13356d52cfe3c0d38f626b22894c54cc821514

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install.log

Filesize
170KB

MD5
61698f2ba07bda2ba323140f20b28e28

SHA1
d3e46602b6e042abdfb6a8630ccaff23801cd104

SHA256
51c06f89c259219fd364b1a36991964e772e968873496a4d61532d488b2cb8c0

SHA512
eb7f3dc17e49d2c2191fd6eb235e22ef3aa63157f90da42af3e6653e174e129e663b9c1eac8798d770a99ecdad4230754f07c84a96a73d85e6c8ef14aeb1cfeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install_reg.log

Filesize
4KB

MD5
36cf8d512a14fd2c5263e06775f2da47

SHA1
3e8ae2e7855ac773837272177b985f1705f65667

SHA256
c3d0d9bf10e08fc22138cb4fd1d0fdf59f37cd2e12e3ff779ece43259f861cc9

SHA512
e61afb7cf48065a5ad087dcd9ae7ae2c46552cb68c1bd1bd8f9df51b8f0eb040e6e69423d45b09166d16959e7bd1e247d7dd02552da8ec40d9bc805883e58725

Download Submit
C:\Users\Admin\AppData\Local\Temp\jawshtml.html

Filesize
13B

MD5
b2a4bc176e9f29b0c439ef9a53a62a1a

SHA1
1ae520cbbf7e14af867232784194366b3d1c3f34

SHA256
7b4f72a40bd21934680f085afe8a30bf85acff1a8365af43102025c4ccf52b73

SHA512
e04b85d8d45d43479abbbe34f57265b64d1d325753ec3d2ecadb5f83fa5822b1d999b39571801ca39fa32e4a0a7caab073ccd003007e5b86dac7b1c892a5de3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
347B

MD5
3b62b2ff866f40ab817a08b18f932d2a

SHA1
870cb1c02da93b2a9089ce050cbd7c2d84fd16f2

SHA256
a1b6cd2218b7a4ee66b46a982dd8429352a0ce98217ca3ac25cd89998b0fa3e7

SHA512
64743b2bdfce310f9c9e423d22d6ed59e9b9031afa254aa92220b1b2f87a2b38f517d53a7e3bc11c658b98e1091b95aec3bf2e3b6bc1f6b5466fe6881226d027

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup-20240221-151456-0.log

Filesize
33KB

MD5
f3f49977e2de416a7d78d83d8b5ec10f

SHA1
b9511cdafe086732988108f6fcbdcb2afdde81c1

SHA256
501e700acf538daa61f5c601679fb41f72c8a1de11896c35194f925ea7ac8cb0

SHA512
97d41dab8e4ac1fdc61f775a97bb3136e3fb5470cc1f66297ec56af8ac28b1d4d251ea2c7fddaaa499a8a99192c8dd0e859879e2852fcfa178b520a591af9424

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup-20240221-151820-0.log

Filesize
34KB

MD5
ff8270e732451ec3323e47c6cbae8bf2

SHA1
6137dbbfacfcbd047e2cddb4a24f9998a9b272dd

SHA256
170ec568f04fbf9ccf7848d44c3dac12f1b46869ef89c09b60b15133077909a1

SHA512
da9070916673cfb7ecfaf12200220a18837858e2b41b07bd01b3a5f1c575e85b56eff06d9247e3e90caa3eaf26ceece544e573f4a9443db4f4558e5fab63c2e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup-20240221-152127-0.log

Filesize
44KB

MD5
99b5d55f490b8de34b317500814a45be

SHA1
054076c534fc78bc9449c7b9323c7fbd3401c5a9

SHA256
5e289e424f8bb592087b0c194e021b0c229f80ecb209e3896c33cd796788b100

SHA512
30e2eeabb0cdd49197b7b51d9ac35430df0da4b816d5bdbead557d272e5d96c26c33d9d1866c35b8d265f2be040acce938dd1935499a458d6f7655d26a750edd

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup-20240221-152440-0.log

Filesize
35KB

MD5
2eb5d8fc59d0a9f73ef92bced7b50858

SHA1
63b586bf67ce26c9bed123ebbde29d1584113dd3

SHA256
bf8be9fe699e490e3cce98e251de28e4989ca402e0fd798c8e91a750848dc335

SHA512
3f675ebe8037b304b1330e2bfdd995bbc806b77e0f22f82ab1383debaeab3339caae1b9d21b8f865f1a96bd23ac1791bd9a2b7064d1e97a7511978ae62ec442b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lpksetup-20240221-152754-0.log

Filesize
36KB

MD5
ff1fa0848b5826b0c4233edc956e4e49

SHA1
66a19aad7cae30a3fbc75a835f81ac233ab7f27b

SHA256
3ee8e463abe0f0fbc48d6db5c93a2e9274b2f2c9c7f2081d2578905781654830

SHA512
fb5d2c6aa33304cccecdfaca596a952b4cba1e80706a99f38df3206f6b2caea9d63f32dea8139f565d3bdac8b170327a199254c9cacbfdbbe89f1603f68a69e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ose00000.exe

Filesize
145KB

MD5
9d10f99a6712e28f8acd5641e3a7ea6b

SHA1
835e982347db919a681ba12f3891f62152e50f0d

SHA256
70964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc

SHA512
2141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\v7thx942n.jpg

Filesize
37KB

MD5
e30a4b16784530395f7c639086dd13a4

SHA1
d3acb3c669ba6a183c92dbb8d5d1c9489cef28fd

SHA256
bc5ada70ce1f202fbe3b9616f83f9f6693e9665dd9dc7a2182ac6d5649f37b3d

SHA512
8a250d93235d208096483aef87605b0318a7f12aa07808f553852263f4c418fced206433d9e57b8490021aba091867e95fc7905e6af338b6ae9d04dafd4b0765

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
843B

MD5
365d500e6eadef3bb1ee6364901d2310

SHA1
9722a919afbe95844200b650b03c4b43c844342e

SHA256
faf561d2d7abff225267caf066f5b742fd0b64e7c22e138853afc29189eb7ece

SHA512
711ac11c0238caa18cfef4d3aa65550998bff47339be60be27847b4dccfd3d5e839a1db301f731f0086ca5f931afb7e2bc7edb37c6cc23998a1f0f67542d1768

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
c0c510932537a2da56d3807eb93992c6

SHA1
75a6bd374bf8fe6d664b0f49bb390937e5d49353

SHA256
24b4d379b810f1192f22bc3fe802d8381aa37f0a3c8c4f0dab2f0d04f77f2d0a

SHA512
1d3d5db95a016e20a26cbfeb794d007f4f85f2977387adf61aff3dff91731ab0c5abbafe6995c447213c03eb3fb3d863d606e66f5367dcec540f726f68048dc8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Run.lnk.tuk5

Filesize
624B

MD5
b48e454a4829ea2a63acb4ba6f1f176c

SHA1
75be3baf2aab969b3d8e55a5ae12118a49be9bdf

SHA256
2b5d04364825bb23c7ae3a22028b22c2909fe6e7107e683c0e9320334154c6ea

SHA512
f13882f92c26e276725bcb0f97b69d6aae8141ceb054a96e7e1a49a55cad4800479b1ef5d2aebf00baf95b7e6c1bac517c34b4558690a771448002430493cc1d

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
127KB

MD5
90b828929de1319e5b9bf94f4ae990b3

SHA1
8fc41267cfb9f057e78beca15b775d20fb01434b

SHA256
14592b6ee58e6c1abe76e8148f087b1da84f54892b1cca31540dd728298bb185

SHA512
57e50e8c3e424980bfb96d4d1862e998efd50e45df25478fc80537a67a27b8d7aa8cce00400e0126216395205946a38876a2ff494b74d86043c5e5779a4b5921

Download Submit
C:\Users\Admin\Desktop\AssertCheckpoint.exe.0iyp

Filesize
640KB

MD5
827fd8de86b63850c6b435ff58dd34cd

SHA1
b1c7666b210aaa4b38bd0247416fdf75eb1ed12b

SHA256
34f1dc0b0aa606f1e3d98b38349f238ad88c78454de704b3e2d03041277fecea

SHA512
68e816516448ba5f71dfd3f0264c31e7e68516b682e20826afb422a6d3db8626f5c268891abe91534e8a75ee09390a74183af5ec56443e9cbb466af2506c11ea

Download Submit
C:\Users\Admin\Desktop\ClearExit.ex_

Filesize
369KB

MD5
eb8ca9dc50945d38d9578264ea7e8ca8

SHA1
1bca6b2436367987d9f134831e536eb582309cb1

SHA256
3f79f7d1dd39a6e395e197e8e968d6e9830003e2bf969ced97e2d1df0616d638

SHA512
80a630a8d7a5f20daeb84154d600d4b95beb7b7bb68cf5352f0ed942e97df7fd53915d0f6e949e1e813420a9d276fdce258cd3558e57e7712bd20fee1afd4816

Download Submit
C:\Users\Admin\Desktop\CloseNew.eprtx

Filesize
477KB

MD5
72a09569caa82e7b0e1b257583f826aa

SHA1
7d44c0b83e15ff7c011bb5492b1da8c3a24e1ec9

SHA256
8ee2a839814470460f723e57f41647dccaa9368a26dea7ec95387df12451a8d9

SHA512
8f1596c22d46241cf3d43c8098f4b9acd19a2a88e2c61aa2aa051eb7fa81f9b1aa9d65a79771c69815bf2f564e4ff577b25e9f3b33b97b8e7650f1d7b70f8bfc

Download Submit
C:\Users\Admin\Desktop\DenyInvoke.ttc

Filesize
261KB

MD5
c52e1827c8817adf5e11fc799f84affe

SHA1
f8c5e5d8bf89ff1221f9b5ac9b34ad55944d9de7

SHA256
5cd75cf06581a89e2d97dc6e89fec03ff8f3012e2995f77a1345315949f25e43

SHA512
381f278c9432a3533e1f45b2c6d3e6546a587fd3d287b989aa06207acdab5490cb1dc73fd51a4646adde964c236607dd8ff1e4db16b78b7fb8fb9ba796e00555

Download Submit
C:\Users\Admin\Desktop\DisableCopy.aif

Filesize
441KB

MD5
ca000175fce38144c57b4040f02c92ef

SHA1
892427f73309b3d90320c7b4750ce03842ec4cf7

SHA256
52636f43197d075b5a27838727c660c099a5dbaa26001e67a15476672b327c11

SHA512
68c5298a0cad32324c26845b12fb9610785f67772c72a623895424f37dd04d4c624e7796caac0bbe0e81f26fc9ca53c77956cd17c3df1a5d7609889349d2817d

Download Submit
C:\Users\Admin\Desktop\DisableUse.mpa

Filesize
549KB

MD5
babf0a02f2a16544cc62c1e50816da99

SHA1
504542e7d184bbfbed5a75048164c1fc0bee79a6

SHA256
31af042f50c3d128cdae69741b9c24ca57c637dae8754d6f89d7ebb4e1a0f457

SHA512
644b2d342a2f9c3f0a7c7c395b9e0c515b0df7df9ddf0b980f3aca29cb3a24f82f70cc1487d6a05d857794b2cf26b2ada5b9f622c4ad92033620323b0eba8e5f

Download Submit
C:\Users\Admin\Desktop\ExpandStep.crw

Filesize
405KB

MD5
35c2fb82060f10ad38b993fe0b610153

SHA1
737875d79d319ccea0f5430cef558a8627ba2c69

SHA256
f59007f271a8c9ecd7f6fb84e972d940ca214f9d150715e10af6376dfed6622e

SHA512
eb5cf197d85943e1d130d611517b47ebbdd266a2d554ff270057a968ebf1b91ae896c456a81fd8eaaeb89de71bfc90f397167d70166ceb995fd2f547ec360e83

Download Submit
C:\Users\Admin\Desktop\ImportAdd.cmd

Filesize
603KB

MD5
c5bb7ee2ca9d2f08100140cfdd1ec220

SHA1
b3038a38a081044b4e3e59f4a2e58bded76a2248

SHA256
755139ebf7c1ec641066064a185d6d9e262ed7dd73efdf89f8fc5e252a6b96c3

SHA512
9f9d8bd7aeab57c7ac6027828b554cc836b8445ac10f4e0e38ee7f2b50b0476cdda0a9bb818f41f5cf96e923c2bd358da26f2d14f582500b1c80f61b6289a22a

Download Submit
C:\Users\Admin\Desktop\ShowRestore.odt

Filesize
423KB

MD5
c35a95434e134379d8f2b7f01a37cf8e

SHA1
d23b7d01686d5bb6817c8149747d20f87e5df59b

SHA256
1552eb98ec199ff0008e25e3d390d9ac7b086e2118f5eac8fe0934bed595180f

SHA512
861f2cca2ad56f93f8155de1fd4f405a88092db8503f79dcb0ab8da9bcbc77ec14e2f8e78ed25902ce95c04926d99f08ced60fdaf679cc4888ce3939717ce75a

Download Submit
C:\Users\Admin\Desktop\desktop.ini

Filesize
282B

MD5
9e36cc3537ee9ee1e3b10fa4e761045b

SHA1
7726f55012e1e26cc762c9982e7c6c54ca7bb303

SHA256
4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026

SHA512
5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk

Filesize
1B

MD5
d1457b72c3fb323a2671125aef3eab5d

SHA1
5bab61eb53176449e25c2c82f172b82cb13ffb9d

SHA256
8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1

SHA512
ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk.mlfz

Filesize
1KB

MD5
d6fe96a8261467fc264f6bc7303b3cdd

SHA1
bfcdf27b23435fa8cd4e3e234b32f75ccb3658f6

SHA256
dabdc0aa8f3497e03e04d8e45cf152f4dd8f99647dcf50d0fec1cb2851656add

SHA512
da88ab152e5ed07dd00d408204d433096317eb7373cdd45f50b6c11e2160547c296ffec9342378ce5b0e7bf2ddf3dc668c5101f1da8d63c1d1f229020edc1c62

Download Submit
memory/1268-929-0x000000002FCE1000-0x000000002FCE2000-memory.dmp

Filesize
4KB

Download
memory/1268-956-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1268-957-0x000000007129D000-0x00000000712A8000-memory.dmp

Filesize
44KB

Download
memory/1268-930-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1268-931-0x000000007129D000-0x00000000712A8000-memory.dmp

Filesize
44KB

Download
memory/2020-1-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/2020-0-0x0000000000B70000-0x0000000000B96000-memory.dmp

Filesize
152KB

Download
memory/2020-9-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/2020-2-0x000000001AEF0000-0x000000001AF70000-memory.dmp

Filesize
512KB

Download
memory/2040-918-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/2040-915-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/2152-11-0x000000001AC10000-0x000000001AC90000-memory.dmp

Filesize
512KB

Download
memory/2152-925-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/2152-865-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/2152-10-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

Filesize
9.9MB

Download
memory/2152-8-0x0000000000AB0000-0x0000000000AD6000-memory.dmp

Filesize
152KB

Download
memory/2476-868-0x0000000001CA0000-0x0000000001CA1000-memory.dmp

Filesize
4KB

Download
memory/2632-928-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2664-920-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2664-919-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2664-917-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2664-916-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2664-921-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2664-922-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2664-923-0x0000000002060000-0x0000000002070000-memory.dmp

Filesize
64KB

Download
memory/2664-924-0x0000000002080000-0x0000000002081000-memory.dmp

Filesize
4KB

Download