Analysis

- max time kernel: 38s
- max time network: 107s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 13-04-2024 17:10

Static task: static1

Behavioral task: behavioral1
- Sample: FileCrypter.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: FileCrypter.exe
- Resource: win10v2004-20240226-en

General

- Target: FileCrypter.exe
- Size: 1.0MB
- MD5: ab566bd2a0f20afa6817214cf66269f0
- SHA1: 31cb35812778d4bbb0c7a496c9d789a13625b056
- SHA256: d8270d57a3b02ad700dd88eb35bd00c24899e193efe4d60a1c1d3c5947eaf3ea
- SHA512: 353d36b414bfaef79f7c3703f33d12ec8467ca6bd71d7dab9aaf4546d60c9b74941fbf41eaa5e0352e34a3bd51b56baefd15183168ee519985eba81fe5399447
- SSDEEP: 24576:TR+cl7X1BRnI6hmebOe1gmf2Jg+DTcTugiIwsQhlRv9x/9K4CfFiEr0CJ:l+clb1BRntmeSKJStRv9xFK1gEr0E
Malware Config
Signatures

- BadRabbit
  Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
- Mimikatz (1 IoCs)
  mimikatz is an open source tool to dump credentials on Windows.
  YARA rule match: C:\Windows\5CFF.tmp (rule: mimikatz)
- Modifies Windows Firewall (2 TTPs, 4 IoCs)
  Processes: netsh.exe (PID 2836), netsh.exe (PID 2952), netsh.exe (PID 2856), netsh.exe (PID 1396)
- Executes dropped EXE (8 IoCs)
  Processes: A2-Cryptor.exe (PID 2332), BadRabbit.exe (PID 1124), FMLN.exe (PID 1972), Shingapi.exe (PID 2020), 5CFF.tmp (PID 1764), Shingapi.exe (PID 1976), Shingapi.exe (PID 1156), Shingapi.exe (PID 656)
- Loads dropped DLL (6 IoCs)
  Processes: cmd.exe (PID 548), listed 6 times
- Modifies file permissions (1 TTPs, 4 IoCs)
  Processes: takeown.exe (PID 2288), takeown.exe (PID 2816), takeown.exe (PID 3016), takeown.exe (PID 1124)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  reg.exe: Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Twain_20 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Twain_20.cmd"
- Enumerates connected drives (3 TTPs, 3 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  cmd.exe: File opened (read-only) \??\A:; File opened (read-only) \??\B:; File opened (read-only) \??\E:
- Drops autorun.inf file (1 TTPs, 6 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  File opened for modification C:\Users\Admin\AppData\Local\Temp\Autorun.inf by attrib.exe (2 times) and cmd.exe (4 times)
- Sets desktop wallpaper using registry (2 TTPs, 5 IoCs)
  wscript.exe (5 times): Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Encrypted.jpeg"
- Drops file in Windows directory (8 IoCs)
  mspaint.exe: File opened for modification C:\Windows\Debug\WIA\wiatrace.log (3 times)
  BadRabbit.exe: File created C:\Windows\infpub.dat
  rundll32.exe: File opened for modification C:\Windows\infpub.dat; File created C:\Windows\cscc.dat; File created C:\Windows\dispci.exe; File opened for modification C:\Windows\5CFF.tmp
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe (PID 1732), schtasks.exe (PID 988)
- Delays execution with timeout.exe (6 IoCs)
  Processes: timeout.exe (PID 2772), timeout.exe (PID 2976), timeout.exe (PID 884), timeout.exe (PID 1868), timeout.exe (PID 1584), timeout.exe (PID 3016)
- Gathers network information (2 TTPs, 4 IoCs)
  Uses commandline utility to view network configuration.
  Processes: ipconfig.exe (PID 2704), ipconfig.exe (PID 1896), ipconfig.exe (PID 1160), ipconfig.exe (PID 560)
- Kills process with taskkill (4 IoCs)
  Processes: taskkill.exe (PID 3040), taskkill.exe (PID 2852), taskkill.exe (PID 2264), taskkill.exe (PID 2116)
- Modifies Control Panel (5 IoCs)
  wscript.exe (5 times): Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  Processes: rundll32.exe (PID 592, 2 times), 5CFF.tmp (PID 1764, 5 times)
- Suspicious use of AdjustPrivilegeToken (12 IoCs)
  rundll32.exe (PID 592): Token: SeShutdownPrivilege, SeDebugPrivilege, SeTcbPrivilege
  takeown.exe (PIDs 2816, 3016, 1124, 2288): Token: SeTakeOwnershipPrivilege
  taskkill.exe (PIDs 3040, 2852, 2116, 2264): Token: SeDebugPrivilege
  5CFF.tmp (PID 1764): Token: SeDebugPrivilege
- Suspicious use of SetWindowsHookEx (12 IoCs)
  Processes: mspaint.exe (PID 2336, 4 times), mspaint.exe (PID 2412, 4 times), mspaint.exe (PID 2764, 4 times)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Source process wrote to memory of target process (number of writes in parentheses):
  PID 2336 FileCrypter.exe -> PID 2332 A2-Cryptor.exe (4)
  PID 2336 FileCrypter.exe -> PID 1124 BadRabbit.exe (7)
  PID 2336 FileCrypter.exe -> PID 1972 FMLN.exe (4)
  PID 2336 FileCrypter.exe -> PID 2020 Shingapi.exe (4)
  PID 2332 A2-Cryptor.exe -> PID 1264 cmd.exe (4)
  PID 1264 cmd.exe -> PID 580 mode.com (3)
  PID 1264 cmd.exe -> PID 1596 mode.com (3)
  PID 1264 cmd.exe -> PID 2848 certutil.exe (3)
  PID 1264 cmd.exe -> PID 1868 timeout.exe (1)
  PID 1124 BadRabbit.exe -> PID 592 rundll32.exe (7)
  PID 1972 FMLN.exe -> PID 1016 cmd.exe (4)
  PID 1016 cmd.exe -> PID 1168 mode.com (4)
  PID 2020 Shingapi.exe -> PID 548 cmd.exe (4)
  PID 548 cmd.exe -> PID 2548 cmd.exe (4)
  PID 548 cmd.exe -> PID 2836 netsh.exe (4)
  PID 2548 cmd.exe -> PID 2656 reg.exe (4)
- Views/modifies file attributes (1 TTPs, 4 IoCs)
  Processes: attrib.exe (PID 1432), attrib.exe (PID 3304), attrib.exe (PID 3488), attrib.exe (PID 1836)
Processes

Process tree (the number in brackets is the nesting depth; "cmd:" is the command line as captured, "tags:" the signatures attached to that process).

- [1] C:\Users\Admin\AppData\Local\Temp\FileCrypter.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\FileCrypter.exe"
  tags: Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\A2-Cryptor.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\A2-Cryptor.exe"
    tags: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\cmd.exe
      cmd: "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4FE4.tmp\4FE5.tmp\4FF6.bat C:\Users\Admin\AppData\Local\Temp\A2-Cryptor.exe"
      tags: Enumerates connected drives; Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\mode.com
        cmd: MODE CON: COLS=100 LINES=25
      - [4] C:\Windows\system32\mode.com
        cmd: MODE CON: COLS=100 LINES=25
      - [4] C:\Windows\system32\certutil.exe
        cmd: certutil -decode "Image.bin" "Encrypted.jpeg"
      - [4] C:\Windows\system32\timeout.exe
        cmd: timeout /t 3
        tags: Delays execution with timeout.exe
      - [4] C:\Windows\system32\timeout.exe
        cmd: timeout /t 3
        tags: Delays execution with timeout.exe
      - [4] C:\Windows\system32\timeout.exe
        cmd: timeout /t 3
        tags: Delays execution with timeout.exe
      - [4] C:\Windows\system32\timeout.exe
        cmd: timeout /t 5
        tags: Delays execution with timeout.exe
      - [4] C:\Windows\system32\timeout.exe
        cmd: timeout /t 5
        tags: Delays execution with timeout.exe
      - [4] C:\Windows\system32\wscript.exe
        cmd: wscript "0.vbs"
        tags: Sets desktop wallpaper using registry; Modifies Control Panel
        - [5] C:\Windows\System32\RUNDLL32.EXE
          cmd: "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
      - [4] C:\Windows\system32\wscript.exe
        cmd: wscript "0.vbs"
        tags: Sets desktop wallpaper using registry; Modifies Control Panel
        - [5] C:\Windows\System32\RUNDLL32.EXE
          cmd: "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
      - [4] C:\Windows\system32\wscript.exe
        cmd: wscript "0.vbs"
        tags: Sets desktop wallpaper using registry; Modifies Control Panel
        - [5] C:\Windows\System32\RUNDLL32.EXE
          cmd: "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
      - [4] C:\Windows\system32\wscript.exe
        cmd: wscript "0.vbs"
        tags: Sets desktop wallpaper using registry; Modifies Control Panel
        - [5] C:\Windows\System32\RUNDLL32.EXE
          cmd: "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
      - [4] C:\Windows\system32\wscript.exe
        cmd: wscript "0.vbs"
        tags: Sets desktop wallpaper using registry; Modifies Control Panel
        - [5] C:\Windows\System32\RUNDLL32.EXE
          cmd: "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
      - [4] C:\Windows\system32\timeout.exe
        cmd: timeout /t 4
        tags: Delays execution with timeout.exe
      - [4] C:\Windows\system32\wscript.exe
        cmd: wscript "m.vbs"
  - [2] C:\Users\Admin\AppData\Local\Temp\BadRabbit.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\BadRabbit.exe"
    tags: Executes dropped EXE; Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\rundll32.exe
      cmd: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
      tags: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\SysWOW64\cmd.exe
        cmd: /c schtasks /Delete /F /TN rhaegal
        - [5] C:\Windows\SysWOW64\schtasks.exe
          cmd: schtasks /Delete /F /TN rhaegal
      - [4] C:\Windows\SysWOW64\cmd.exe
        cmd: /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3749942816 && exit"
        - [5] C:\Windows\SysWOW64\schtasks.exe
          cmd: schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3749942816 && exit"
          tags: Creates scheduled task(s)
      - [4] C:\Windows\SysWOW64\cmd.exe
        cmd: /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 17:28:00
        - [5] C:\Windows\SysWOW64\schtasks.exe
          cmd: schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 17:28:00
          tags: Creates scheduled task(s)
      - [4] C:\Windows\5CFF.tmp
        cmd: "C:\Windows\5CFF.tmp" \\.\pipe\{41EEE1D2-6D90-4EA6-9D8F-8A7969E0B513}
        tags: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Users\Admin\AppData\Local\Temp\FMLN.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\FMLN.exe"
    tags: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
      cmd: "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\50DE.tmp\50DF.tmp\50E0.bat C:\Users\Admin\AppData\Local\Temp\FMLN.exe"
      tags: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\mode.com
        cmd: mode con: cols=170 lines=45
  - [2] C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
    tags: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
      cmd: "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\512C.tmp\512D.tmp\512E.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
      tags: Loads dropped DLL; Drops autorun.inf file; Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /K Twain_20.cmd
        tags: Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\reg.exe
          cmd: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"
          tags: Adds Run key to start application
      - [4] C:\Windows\SysWOW64\netsh.exe
        cmd: netsh advfirewall set publicprofile state off
        tags: Modifies Windows Firewall
      - [4] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /K Twain_20.cmd
      - [4] C:\Windows\SysWOW64\WScript.exe
        cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
      - [4] C:\Windows\SysWOW64\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /K Taskdl.bat
        - [5] C:\Windows\SysWOW64\takeown.exe
          cmd: takeown /f "C:\Windows\System32" /r
          tags: Modifies file permissions; Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\SysWOW64\reg.exe
        cmd: reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
      - [4] C:\Windows\SysWOW64\reg.exe
        cmd: reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
      - [4] C:\Windows\SysWOW64\ipconfig.exe
        cmd: ipconfig /release
        tags: Gathers network information
      - [4] C:\Windows\SysWOW64\taskkill.exe
        cmd: taskkill /im DiskPart /f
        tags: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\SysWOW64\attrib.exe
        cmd: attrib -r -a -s -h *.*
        tags: Drops autorun.inf file; Views/modifies file attributes
      - [4] C:\Windows\SysWOW64\WScript.exe
        cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      - [4] C:\Windows\SysWOW64\WScript.exe
        cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      - [4] C:\Windows\SysWOW64\WScript.exe
        cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      - [4] C:\Windows\SysWOW64\WScript.exe
        cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      - [4] C:\Windows\SysWOW64\WScript.exe
        cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      - [4] C:\Windows\SysWOW64\WScript.exe
        cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      - [4] C:\Windows\SysWOW64\WScript.exe
        cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      - [4] C:\Windows\SysWOW64\WScript.exe
        cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      - [4] C:\Windows\SysWOW64\WScript.exe
        cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      - [4] C:\Windows\SysWOW64\WScript.exe
        cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      - [4] C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        cmd: C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        tags: Executes dropped EXE
        - [5] C:\Windows\system32\cmd.exe
          cmd: "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7436.tmp\7437.tmp\7448.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
          tags: Drops autorun.inf file
          - [6] C:\Windows\system32\cmd.exe
            cmd: C:\Windows\system32\cmd.exe /K Twain_20.cmd
            - [7] C:\Windows\system32\reg.exe
              cmd: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"
          - [6] C:\Windows\system32\netsh.exe
            cmd: netsh advfirewall set publicprofile state off
            tags: Modifies Windows Firewall
          - [6] C:\Windows\System32\WScript.exe
            cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
          - [6] C:\Windows\system32\cmd.exe
            cmd: C:\Windows\system32\cmd.exe /K Taskdl.bat
            - [7] C:\Windows\system32\takeown.exe
              cmd: takeown /f "C:\Windows\System32" /r
              tags: Modifies file permissions; Suspicious use of AdjustPrivilegeToken
          - [6] C:\Windows\system32\reg.exe
            cmd: reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
          - [6] C:\Windows\system32\reg.exe
            cmd: reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
          - [6] C:\Windows\system32\ipconfig.exe
            cmd: ipconfig /release
            tags: Gathers network information
          - [6] C:\Windows\system32\taskkill.exe
            cmd: taskkill /im DiskPart /f
            tags: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
          - [6] C:\Windows\system32\attrib.exe
            cmd: attrib -r -a -s -h *.*
            tags: Drops autorun.inf file; Views/modifies file attributes
          - [6] C:\Windows\System32\WScript.exe
            cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
          - [6] C:\Windows\System32\WScript.exe
            cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
          - [6] C:\Windows\System32\WScript.exe
            cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
          - [6] C:\Windows\System32\WScript.exe
            cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
          - [6] C:\Windows\System32\WScript.exe
            cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
          - [6] C:\Windows\System32\WScript.exe
            cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
          - [6] C:\Windows\System32\WScript.exe
            cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
          - [6] C:\Windows\System32\WScript.exe
            cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
          - [6] C:\Windows\System32\WScript.exe
            cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
          - [6] C:\Windows\System32\WScript.exe
            cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
          - [6] C:\Windows\system32\msg.exe
            cmd: msg * Virus Detectado
          - [6] C:\Windows\system32\msg.exe
            cmd: msg * Virus Detectado
          - [6] C:\Windows\system32\msg.exe
            cmd: msg * Has Sido Hackeado!
          - [6] C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
            cmd: C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
          - [6] C:\Windows\system32\notepad.exe
            cmd: notepad
          - [6] C:\Windows\system32\calc.exe
            cmd: calc
          - [6] C:\Windows\explorer.exe
            cmd: explorer.exe
          - [6] C:\Windows\system32\mspaint.exe
            cmd: mspaint.exe
          - [6] C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
            cmd: C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
          - [6] C:\Windows\system32\notepad.exe
            cmd: notepad
          - [6] C:\Windows\system32\calc.exe
            cmd: calc
          - [6] C:\Windows\explorer.exe
            cmd: explorer.exe
          - [6] C:\Windows\system32\mspaint.exe
            cmd: mspaint.exe
      - [4] C:\Windows\SysWOW64\notepad.exe
        cmd: notepad
      - [4] C:\Windows\SysWOW64\calc.exe
        cmd: calc
      - [4] C:\Windows\SysWOW64\explorer.exe
        cmd: explorer.exe
      - [4] C:\Windows\SysWOW64\mspaint.exe
        cmd: mspaint.exe
        tags: Drops file in Windows directory; Suspicious use of SetWindowsHookEx
      - [4] C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        cmd: C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        tags: Executes dropped EXE
        - [5] C:\Windows\system32\cmd.exe
          cmd: "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\75AD.tmp\75AE.tmp\75AF.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
          tags: Drops autorun.inf file
          - [6] C:\Windows\system32\cmd.exe
            cmd: C:\Windows\system32\cmd.exe /K Twain_20.cmd
            - [7] C:\Windows\system32\reg.exe
              cmd: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"
          - [6] C:\Windows\system32\netsh.exe
            cmd: netsh advfirewall set publicprofile state off
            tags: Modifies Windows Firewall
          - [6] C:\Windows\System32\WScript.exe
            cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
          - [6] C:\Windows\system32\cmd.exe
            cmd: C:\Windows\system32\cmd.exe /K Taskdl.bat
            - [7] C:\Windows\system32\takeown.exe
              cmd: takeown /f "C:\Windows\System32" /r
              tags: Modifies file permissions; Suspicious use of AdjustPrivilegeToken
          - [6] C:\Windows\system32\reg.exe
            cmd: reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
          - [6] C:\Windows\system32\reg.exe
            cmd: reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
          - [6] C:\Windows\system32\ipconfig.exe
            cmd: ipconfig /release
            tags: Gathers network information
          - [6] C:\Windows\system32\taskkill.exe
            cmd: taskkill /im DiskPart /f
            tags: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
          - [6] C:\Windows\system32\attrib.exe
            cmd: attrib -r -a -s -h *.*
            tags: Views/modifies file attributes
          - [6] C:\Windows\System32\WScript.exe
            cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
          - [6] C:\Windows\System32\WScript.exe
            cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
          - [6] C:\Windows\System32\WScript.exe
            cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
          - [6] C:\Windows\System32\WScript.exe
            cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
          - [6] C:\Windows\System32\WScript.exe
            cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
          - [6] C:\Windows\System32\WScript.exe
            cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
          - [6] C:\Windows\System32\WScript.exe
            cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
          - [6] C:\Windows\System32\WScript.exe
            cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      - [4] C:\Windows\SysWOW64\notepad.exe
        cmd: notepad
      - [4] C:\Windows\SysWOW64\calc.exe
        cmd: calc
      - [4] C:\Windows\SysWOW64\explorer.exe
        cmd: explorer.exe
      - [4] C:\Windows\SysWOW64\mspaint.exe
        cmd: mspaint.exe
        tags: Drops file in Windows directory; Suspicious use of SetWindowsHookEx
      - [4] C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        cmd: C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        tags: Executes dropped EXE
        - [5] C:\Windows\system32\cmd.exe
          cmd: "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7733.tmp\7734.tmp\7735.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
          tags: Drops autorun.inf file
          - [6] C:\Windows\system32\cmd.exe
            cmd: C:\Windows\system32\cmd.exe /K Twain_20.cmd
            - [7] C:\Windows\system32\reg.exe
              cmd: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"
          - [6] C:\Windows\system32\netsh.exe
            cmd: netsh advfirewall set publicprofile state off
            tags: Modifies Windows Firewall
          - [6] C:\Windows\system32\cmd.exe
            cmd: C:\Windows\system32\cmd.exe /K Twain_20.cmd
          - [6] C:\Windows\System32\WScript.exe
            cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
          - [6] C:\Windows\system32\cmd.exe
            cmd: C:\Windows\system32\cmd.exe /K Taskdl.bat
            - [7] C:\Windows\system32\takeown.exe
              cmd: takeown /f "C:\Windows\System32" /r
              tags: Modifies file permissions; Suspicious use of AdjustPrivilegeToken
          - [6] C:\Windows\system32\reg.exe
            cmd: reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
          - [6] C:\Windows\system32\reg.exe
            cmd: reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
          - [6] C:\Windows\system32\ipconfig.exe
            cmd: ipconfig /release
            tags: Gathers network information
          - [6] C:\Windows\system32\taskkill.exe
            cmd: taskkill /im DiskPart /f
            tags: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
          - [6] C:\Windows\system32\attrib.exe
            cmd: attrib -r -a -s -h *.*
            tags: Views/modifies file attributes
          - [6] C:\Windows\System32\WScript.exe
            cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
          - [6] C:\Windows\System32\WScript.exe
            cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
          - [6] C:\Windows\System32\WScript.exe
            cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
          - [6] C:\Windows\System32\WScript.exe
            cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
          - [6] C:\Windows\System32\WScript.exe
            cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
          - [6] C:\Windows\System32\WScript.exe
            cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      - [4] C:\Windows\SysWOW64\notepad.exe
        cmd: notepad
      - [4] C:\Windows\SysWOW64\calc.exe
        cmd: calc
      - [4] C:\Windows\SysWOW64\explorer.exe
        cmd: explorer.exe
      - [4] C:\Windows\SysWOW64\mspaint.exe
        cmd: mspaint.exe
        tags: Drops file in Windows directory; Suspicious use of SetWindowsHookEx
      - [4] C:\Windows\SysWOW64\WScript.exe
        cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
- [1] C:\Windows\system32\conhost.exe
  cmd: \??\C:\Windows\system32\conhost.exe "13715493832029987037335331756214325375712897291039110561921180950106-1082107760"
Network
MITRE ATT&CK Matrix (ATT&CK v13)

- Persistence
  - Create or Modify System Process (1): Windows Service (1)
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1)
- Privilege Escalation
  - Create or Modify System Process (1): Windows Service (1)
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1)
- Defense Evasion
  - Impair Defenses (1): Disable or Modify System Firewall (1)
  - File and Directory Permissions Modification (1)
  - Modify Registry (2)
  - Hide Artifacts (1): Hidden Files and Directories (1)
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbsFilesize
184B
MD50e758e4075696160e66b27af14b8b5ae
SHA17bbcebdbac764771850bb1e32722e65afff1e40b
SHA2565e690d98d13602812c921d20a6328acd24ceed8bf7e9c1ff550d67f5020c34d7
SHA512afcca00d5f9a3c70e0f5eba685df432a149bc135c986d6e4dbeedf3235074f1cd17dd5087eb620636b33c5ced0412e5e2608b75da1c7f0107a3c5846a9b796cf
-
C:\Users\Admin\AppData\Local\Temp\Autorun.infFilesize
74B
MD5b39df423c6e5978065a9a8ec4879a3b4
SHA196441a7a7d8090f7a96a1160f539531f66568e88
SHA25612a5135510016abcfe1192aceb6fec42634346661d778d68be1debaa3d75e967
SHA5122d583fcae1ec73f836c5b66b8b1337bb4250a8230073de96d501a4fab5f522b75599ac2a1fcf1457a841d8c84bcccb88feade82f49357b28345c63d9526cfeb4
-
C:\Users\Admin\AppData\Local\Temp\Autorun.infFilesize
222B
MD505a4d4594b598cfe885bf862787b8cde
SHA1dfb26e156e88af25bd00db0bc788b81c521a4db9
SHA256fd8427db8c0c5ad2c7a8fc36c18f9400e25bdd7dfd1d267ec11a7a94bdbd1cab
SHA512ac1f87eabd69e1939f463c8710cdd1ba8a886ad6509d26d0fac4e09ab82056cf952b7a0cf2ecb55bb0549fdb0aff6457133eeb6b7b222df58f773f91df101136
-
C:\Users\Admin\AppData\Local\Temp\BadRabbit.exeFilesize
431KB
MD5fbbdc39af1139aebba4da004475e8839
SHA1de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA256630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
SHA51274eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
-
C:\Users\Admin\AppData\Local\Temp\Encrypt.skFilesize
357B
MD5955afc984c7d08b2bc7bcf4fb8b4a739
SHA14c23a29640cada6423065ec8b1fe12f4cd7e3fec
SHA256b7b12f78dfcfce7968e1e612410d4535127fb029815c73779f9a29ae7da897d5
SHA5126909a0343dc1868f496ae3b2948f260c2f8c0bcf77d18f3ab0028c9996fdb649c2ea4e8f657fde4f050424f2d86a3cf2669852a331392362bb4d9e1b364bbefe
-
C:\Users\Admin\AppData\Local\Temp\Encrypted.jpegFilesize
15KB
MD520aba01130e85571476712c784af05b0
SHA154c9002381bafbfa648dd3f5c77b1830efc1dc85
SHA25672bdac2468fa4e19f8915817f380ceeb96ff94a64a3e29e64ac79b65bed2f6ac
SHA512c84a603b359d3e7097229161d22a69c574a582cbbd21c8343fa06986b5058125763196b8d4e2f7bf51400ffaba63e9c565e42c32759b973439f46e5a9f84b19f
-
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbsFilesize
54B
MD5888e64c554686bbbc0499057cce1af36
SHA15a7f51c66e3ae7dd0e0231c9817aee8c9fc54006
SHA256616cf19739e00c69e9606d9c94869f6fcb6a7b3860e7b8af9bc896f3081dad0d
SHA5129882375fdd09d489258447d49b8b63d0bc8db57cdb7186500c00c79d57f30af5f37a69e8fab70683a7c9d730e3484ef537ee57bb1892a84f92e9aba639d1d227
-
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbsFilesize
162B
MD5d5980bf4b018e4c397df95afe8941c66
SHA1ce53c669a898d09479831bc59bc31a5fba2a6f2b
SHA2569afd004a8cb9b9e8b1eeab780fb0c4ffa39c3ec2ded034b1a7cd69db7f67872a
SHA512c995f9d3252b9a7af52a398562261baf3297fee64fade9de22895cce017e5aa097c7935a0519e474253a181e1e018348a1ade3d953bfaff5dc43e30e2d9fde5f
-
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbsFilesize
216B
MD57659392a12010d8c761cb9888f6fd5ac
SHA1b8829c26628740b77ab7405c231f420e860d8c1f
SHA25671bd0bffdeca9dce2b4e9e1d767a0732657032171f3ad33903dec353ef95a431
SHA5125caf94b288649b687f411cbb5519168e09e161f8d9545a6bad1b0d08876a542d153a115f8b44e3f15d973812ce8ec7471bba7d8bd0b9a22d0abf6fdf2914a2bf
-
C:\Users\Admin\AppData\Local\Temp\FMLN.exeFilesize
258KB
MD5c87988e35ec34779191f42b6213fdec1
SHA181036dcf6ea331243f2d512b8ac9611a95a18ea1
SHA25696f3ce153153f922fb18e4722b0348aee2c76022bcdee75fadab97023003fe10
SHA512ba32f9bc18fb187fa4dc03bb1db903255c16af62dc903521ddd8fb120e5599bbccb4fa12255f0195a5e51b6a99ee5228bc0515f299c0ebb1b1a5134e61aab9e4
-
C:\Users\Admin\AppData\Local\Temp\Image.binFilesize
21KB
MD5f6f72da7cd731682ff5442ba541457e2
SHA160bddfc609fad2f80c0688905e795e51003d9433
SHA25600a5048d9f74271e4cd5c36cf1434c789a8c16206ff5fca1c785156e01693bc1
SHA5122a09df3df3d89ec413f31f7a20254513db6323e7c7e5e041161f55dfefcc80d22870c512f71aad77e7e9ef775b635a707ddf60b0bb4ef458bff6e15f1e425e5d
-
C:\Users\Admin\AppData\Local\Temp\Informacion.vbsFilesize
69B
MD572946942abf5cf295f726b816c531ebf
SHA18ac5ccae8003c3776c2e0ee0959a76c8bc913495
SHA256d9fc0446467e00e640f0dd0bf36882943a6993dcc1038ba8f73239152896eb25
SHA5122f42b10e2c1359a690e1a69e307008e3beb4712e4c071d916fb1380c61cb2ed3ae48c86af44c6f1c9d613e85dd75d8cfd66fd01de0649444ee6d5193d9789d23
-
C:\Users\Admin\AppData\Local\Temp\Informacion.vbsFilesize
207B
MD5d3715d7f77349116a701484780269375
SHA1589c48410637ac33431569b867070a51c4de5b1c
SHA256ea0bdd86d283aba33d619aeecb5087ad9132b58e8ae7121e3c3774504abb976a
SHA5129526a79ac4f9a18104f8e84d684136eef9b6bbccfe772d1d1030d9be02de2f7221cdee248ec748971551a42ed1d8fb1c8a9d820b837164f68376cdee1dc8ff3a
-
C:\Users\Admin\AppData\Local\Temp\Informacion.vbsFilesize
211B
MD54d6f1b0da81629f8a31411bdb8b30cf6
SHA11bf9f2f3d7607fd39dc68f06b4742dce96541f56
SHA256fba01bc71e9bf757fa27fe5f797662757b0e2b64478bff49cf5ac0027be6e648
SHA5124deb7ad24a5ddc7df17ba567550b96c12038b01c6930c9b01c472d2c26afae152bed81414c1aaf078c7c9962828d958b1f99d1395ca8dc42714aa68c5e5f1007
-
C:\Users\Admin\AppData\Local\Temp\Informacion.vbsFilesize
276B
MD5089381a847f01ba0962ae00f0d92d5e8
SHA19f3240f89871639778a318e0cadccafcf9d7c55e
SHA2562cda289b5067c9daf8b4dffdf323b2fe9d0a47bfdbb91b4a017029bc74729c05
SHA51289fbf1b423f17101970290b070d740b8d58beecc6723e64edb7ae23b9285afe3a612b8e8f5ec202d60aca3875a28dbc556a43af9fe4113ac0bdba1fa83c5213a
-
C:\Users\Admin\AppData\Local\Temp\README.txtFilesize
564B
MD5df6412cc0f77ce16caf3602c53d7a4be
SHA1aa34421e95cb3a642842a63f5cfd46763e9b9a8c
SHA25651bc53f8dba5178e0063e41e54197c4d7a566df509e67cc40c02137fd7ee2ac6
SHA512335b790a29f91853899eae21d5973c839e5a9edfc49496ce6de909ec20bdfc9841dd14042727dd6b3dec091337fcdbb8ae8f1e44f4d8619723a2e882e50e667b
-
C:\Users\Admin\AppData\Local\Temp\Shingapi.exeFilesize
106KB
MD58b6a377f9a67d5482a8eba5708f45bb2
SHA17197436525e568606850ee5e033c43aea1c3bc91
SHA2566ca11c8b6442db97c02f3b0f73db61f58c96d52e8a880e33abee5b10807d993f
SHA512644e51798399168530b05e629b414dd80cac678bd3c8d4a5d164f55736a2b2fd380d3ca4640f7a034c8f043c06b1527b473e2d17da088d5e97de6ea04120dd72
-
C:\Users\Admin\AppData\Local\Temp\Taskdl.batFilesize
173B
MD50c998e3681eb9f67fbacda38281c5fa7
SHA1bd3e89780f374c54c5dfbe3fab83a926ca5803de
SHA2563c656f47268598c5bbe3ee4661b4f8c7dc09420cf393a6e417541db3c6020205
SHA51211e3fd1d141bd23a2b0f17665f0f57e5a606fdd82555a7bd88cd533863ce4269d8395f8963d1cdfde93efbb0817486db48c3b593f8de35e150e2395daadb762e
-
C:\Users\Admin\AppData\Local\Temp\Taskdl.batFilesize
519B
MD503f0ef4961ee3f5ebc91e222ad5c3a55
SHA1130947f0716f672e1c0577f60471dfbd9d1f3435
SHA256b2cf1c83480bb2e69599e063be75ef8188b20c82a03998098d13d42c11502d21
SHA512641784c8422a15360449ae9d79722e4d6d5752ef8db0a6cd8e1d71e78c5994dc9e790f5e875a7314be603feb42badc587bf79e8f682aa94b2335443ea8592671
-
C:\Users\Admin\AppData\Local\Temp\Taskdl.batFilesize
692B
MD56989502044e4a9fca67e9ded25de9956
SHA19a8d099caad939d32599530b27f7db641cbdb8da
SHA256b370b54e95376f4b6df27592bc23343c82ebbfad3d52e71a38a2aac504bda04c
SHA5129f0e6d59d9adc531f5c162b964205e0dd63c6a956291af48d24e6b8988a940b6f2cc7644a9163277e6383a6d9f8ddb00c9687d73426ea776c691e73f66e95a5e
-
C:\Users\Admin\AppData\Local\Temp\Taskse.exeFilesize
4KB
MD517b2117ad2d2e11ea919aa5ec0123e0e
SHA172a06878125058f3060c62bdd5e4643a6eb6afa4
SHA2566ebc648973bb6c54729969ec9ffb82f80787e859573a84e8a836fae0c5839ac6
SHA5129ec14dfb5a8c2ed1d59c3c7a9a827c97792dfe4d21b928e2dadd5c3810ddc9f2834951bf61a09ae8b124f565603f1195ee7848c99fb2d805048d3381ea66f5de
-
C:\Users\Admin\AppData\Local\Temp\Taskse.exeFilesize
5KB
MD5028d5a36a16cfb64545d14cf508f6ede
SHA1fcaecded3fb92e09f157f183b01fbcfaf6eaadb4
SHA256052b1cd60cd997fde793838ef3f3d9c89092c96254a2d5ac1ef7c5d00148ca6b
SHA512cfdc128e16556ccd0ce685b894e734ad15e65d3f0422b6dd2f7b6b7cbd8cac1452c951532d71a5ddd72c868b56d0cf5923873dacc1ee118ea3035a409a765475
-
C:\Users\Admin\AppData\Local\Temp\Taskse.exeFilesize
13KB
MD583213ceb52e34039599d178721d760f7
SHA1acf9e8859367c1445682a220a59a372e94a31077
SHA256e6ef01c0840f6e20fafe3b1390ada167ccf2f157f0e1cdc222c9163ee5cfdd4c
SHA5121a16c37b4d6e5a0aa873ded31966cac6c0ee624a8c527f5aa3e9b9d710aad3b14b5c0ca9b49b5ef82ce80d133d8f8966f6444edcbcdf7d2a69d46d59bb91beba
-
C:\Users\Admin\AppData\Local\Temp\Taskse.exeFilesize
18KB
MD5c7813b4d51ca2f8931c49db0efe988c7
SHA14e6b2845bfde3e8197527574a9f2aa48489db0fd
SHA256eefd5110eca1fabd97ced651a5edf879cbdb92a5530e5214e6e33c4438d740a0
SHA5121735a950e1df511129b82e49b30877e3dbae1f12179b995b0d91b32f8f0ad25f5dd5547d63048be70d3a4d701316535fd50d17507ac1e444a476c4149e09aeaf
-
C:\Users\Admin\AppData\Local\Temp\Twain_20.cmdFilesize
462B
MD54dc05ac0050c0d2f98299a019fda2577
SHA19e606ec3d928474adfda99e10a3ef39e5c727683
SHA25655fbdc6e73e70bf1466c6f00fe182c51aca8ead2fd1e3ee408cf9eff91f1a5da
SHA512ebe2a623abbb7da77102687d1cbdd6255317ef32de0c0e6920c933c25a8a6069cd6be9f44248d91bdca87270db50468bf5e16ea629dd7277d9e15f34075cb268
-
C:\Users\Admin\AppData\Local\Temp\Twain_20.cmdFilesize
693B
MD5c58af879c4bc06725fbfdd6bb786bdca
SHA199885cc5fd8c13599b64d3a6c3b6d60ae2e06cb7
SHA256812512204d03cd54638c2f2bf89973bcc46a2b141755f81fd3490211b5dcbc8e
SHA512791bc1545afbf811ab2abc09d267cbcef0e8d5263c3bb08bb6e68f951edc56045fd0031b8843e6edd486c8c69443a17a21b6015bd6ecb2a864a044e144895a5a
-
C:\Users\Admin\AppData\Local\Temp\Twain_20.cmdFilesize
231B
MD5da5f8d71afd8ce9598ec5e5443c459d9
SHA1abd2267aaea39b0a9208bc7f094df5fb2754d233
SHA256a1d679d97c8ab326b9578d18de310789709482bf270d350786e1b30895c92c80
SHA5121318f1471a536244523141d14c8c73b8dc52de3843eb8b8b3e9b2ae0348eb4f41c085931b8053c5fc68182f0a493d15de7bb086cc872f48203e8f9916886452b
-
C:\Users\Admin\AppData\Local\Temp\m.vbsFilesize
71B
MD5cbaa7c6cb3c383b11dd691b316f2a91b
SHA10f2d66cea7cc24e0dda9972e05a7b236a9bcbc9e
SHA2565f1ffcde4ee668c3350fdd9730df67adc35c704342ac2224924069c9bae2be95
SHA512fe74a8ccd7875e7bf9588d386fd886810dc0edd01216bf5a886add985fcbb813296a606ec83028a90d30b4df348125827300a98f2ec6081a5d981d09316a44f9
-
C:\Users\Admin\AppData\Local\Temp\windowswimn32.batFilesize
49B
MD5cfb046d3c9513b92c1b287da26f97c28
SHA1ea8208c4dad826b7fdb3b5b728863a95e86d4383
SHA256a06f170d4f92bf290e38b0ce1c05bb59c95de2797b1a5253b949ad7e1be9818b
SHA512dbeeea4d284f59e1455a5426334caa02458e88833aeece9817c51be616697ca4c399b2a9d0e8e44bf4a5ee63d0b37c0aed68c01f1748fa5a23ed6d2af62b3340
-
C:\Windows\5CFF.tmpFilesize
60KB
MD5347ac3b6b791054de3e5720a7144a977
SHA1413eba3973a15c1a6429d9f170f3e8287f98c21c
SHA256301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
SHA5129a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787
-
C:\Windows\infpub.datFilesize
401KB
MD51d724f95c61f1055f0d02c2154bbccd3
SHA179116fe99f2b421c52ef64097f0f39b815b20907
SHA256579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
SHA512f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113
-
memory/592-183-0x0000000000210000-0x0000000000278000-memory.dmpFilesize
416KB
-
memory/592-122-0x0000000000210000-0x0000000000278000-memory.dmpFilesize
416KB
-
memory/592-108-0x0000000000210000-0x0000000000278000-memory.dmpFilesize
416KB
-
memory/2336-738-0x00000000027E0000-0x00000000027E1000-memory.dmpFilesize
4KB
-
memory/2336-707-0x00000000027E0000-0x00000000027E1000-memory.dmpFilesize
4KB
-
memory/2412-723-0x0000000002310000-0x0000000002311000-memory.dmpFilesize
4KB
-
memory/2412-744-0x0000000002310000-0x0000000002311000-memory.dmpFilesize
4KB
-
memory/2764-710-0x0000000002820000-0x0000000002821000-memory.dmpFilesize
4KB