badrabbit | d8270d57a3b02ad700dd88eb35bd00c24899e193efe4d60a1c1d3c5947eaf3ea

Analysis

max time kernel
38s
max time network
107s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13-04-2024 17:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FileCrypter.exe
Size

1.0MB
MD5

ab566bd2a0f20afa6817214cf66269f0
SHA1

31cb35812778d4bbb0c7a496c9d789a13625b056
SHA256

d8270d57a3b02ad700dd88eb35bd00c24899e193efe4d60a1c1d3c5947eaf3ea
SHA512

353d36b414bfaef79f7c3703f33d12ec8467ca6bd71d7dab9aaf4546d60c9b74941fbf41eaa5e0352e34a3bd51b56baefd15183168ee519985eba81fe5399447
SSDEEP

24576:TR+cl7X1BRnI6hmebOe1gmf2Jg+DTcTugiIwsQhlRv9x/9K4CfFiEr0CJ:l+clb1BRntmeSKJStRv9xFK1gEr0E

Score

10^/10

badrabbit mimikatz discovery evasion persistence ransomware

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

Processes:

resource	yara_rule
C:\Windows\5CFF.tmp	mimikatz

Modifies Windows Firewall 2 TTPs 4 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exe

pid process

2836 netsh.exe
2952 netsh.exe
2856 netsh.exe
1396 netsh.exe
Executes dropped EXE 8 IoCs

Processes:

A2-Cryptor.exeBadRabbit.exeFMLN.exeShingapi.exe5CFF.tmpShingapi.exeShingapi.exeShingapi.exe

pid process

2332 A2-Cryptor.exe
1124 BadRabbit.exe
1972 FMLN.exe
2020 Shingapi.exe
1764 5CFF.tmp
1976 Shingapi.exe
1156 Shingapi.exe
656 Shingapi.exe
Loads dropped DLL 6 IoCs

Processes:

cmd.exe

pid process

548 cmd.exe
548 cmd.exe
548 cmd.exe
548 cmd.exe
548 cmd.exe
548 cmd.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exetakeown.exetakeown.exetakeown.exe

pid process

2288 takeown.exe
2816 takeown.exe
3016 takeown.exe
1124 takeown.exe

pid	process
2836	netsh.exe
2952	netsh.exe
2856	netsh.exe
1396	netsh.exe

pid	process
2332	A2-Cryptor.exe
1124	BadRabbit.exe
1972	FMLN.exe
2020	Shingapi.exe
1764	5CFF.tmp
1976	Shingapi.exe
1156	Shingapi.exe
656	Shingapi.exe

pid	process
548	cmd.exe
548	cmd.exe
548	cmd.exe
548	cmd.exe
548	cmd.exe
548	cmd.exe

pid	process
2288	takeown.exe
2816	takeown.exe
3016	takeown.exe
1124	takeown.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Twain_20 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Twain_20.cmd"	reg.exe

Enumerates connected drives 3 TTPs 3 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

File opened (read-only) \??\A: cmd.exe
File opened (read-only) \??\B: cmd.exe
File opened (read-only) \??\E: cmd.exe

description	ioc	process
File opened (read-only)	\??\A:	cmd.exe
File opened (read-only)	\??\B:	cmd.exe
File opened (read-only)	\??\E:	cmd.exe

Drops autorun.inf file 1 TTPs 6 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

attrib.execmd.execmd.execmd.exeattrib.execmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe

Sets desktop wallpaper using registry 2 TTPs 5 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

wscript.exewscript.exewscript.exewscript.exewscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Encrypted.jpeg"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Encrypted.jpeg"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Encrypted.jpeg"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Encrypted.jpeg"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Encrypted.jpeg"	wscript.exe

Drops file in Windows directory 8 IoCs

Processes:

mspaint.exemspaint.exemspaint.exeBadRabbit.exerundll32.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\5CFF.tmp	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1732 schtasks.exe
988 schtasks.exe
Delays execution with timeout.exe 6 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

2772 timeout.exe
2976 timeout.exe
884 timeout.exe
1868 timeout.exe
1584 timeout.exe
3016 timeout.exe
Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exeipconfig.exeipconfig.exeipconfig.exe

pid process

2704 ipconfig.exe
1896 ipconfig.exe
1160 ipconfig.exe
560 ipconfig.exe
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

3040 taskkill.exe
2852 taskkill.exe
2264 taskkill.exe
2116 taskkill.exe

pid	process
1732	schtasks.exe
988	schtasks.exe

pid	process
2772	timeout.exe
2976	timeout.exe
884	timeout.exe
1868	timeout.exe
1584	timeout.exe
3016	timeout.exe

pid	process
2704	ipconfig.exe
1896	ipconfig.exe
1160	ipconfig.exe
560	ipconfig.exe

pid	process
3040	taskkill.exe
2852	taskkill.exe
2264	taskkill.exe
2116	taskkill.exe

Modifies Control Panel 5 IoCs

evasion

Processes:

wscript.exewscript.exewscript.exewscript.exewscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop	wscript.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

rundll32.exe5CFF.tmp

pid process

592 rundll32.exe
592 rundll32.exe
1764 5CFF.tmp
1764 5CFF.tmp
1764 5CFF.tmp
1764 5CFF.tmp
1764 5CFF.tmp

pid	process
592	rundll32.exe
592	rundll32.exe
1764	5CFF.tmp
1764	5CFF.tmp
1764	5CFF.tmp
1764	5CFF.tmp
1764	5CFF.tmp

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

rundll32.exetakeown.exetaskkill.exe5CFF.tmptakeown.exetaskkill.exetaskkill.exetaskkill.exetakeown.exetakeown.exe

description	pid	process
Token: SeShutdownPrivilege	592	rundll32.exe
Token: SeDebugPrivilege	592	rundll32.exe
Token: SeTcbPrivilege	592	rundll32.exe
Token: SeTakeOwnershipPrivilege	2816	takeown.exe
Token: SeDebugPrivilege	3040	taskkill.exe
Token: SeDebugPrivilege	1764	5CFF.tmp
Token: SeTakeOwnershipPrivilege	3016	takeown.exe
Token: SeDebugPrivilege	2852	taskkill.exe
Token: SeDebugPrivilege	2116	taskkill.exe
Token: SeDebugPrivilege	2264	taskkill.exe
Token: SeTakeOwnershipPrivilege	1124	takeown.exe
Token: SeTakeOwnershipPrivilege	2288	takeown.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

mspaint.exemspaint.exemspaint.exe

pid	process
2336	mspaint.exe
2412	mspaint.exe
2764	mspaint.exe
2336	mspaint.exe
2336	mspaint.exe
2336	mspaint.exe
2764	mspaint.exe
2764	mspaint.exe
2764	mspaint.exe
2412	mspaint.exe
2412	mspaint.exe
2412	mspaint.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

FileCrypter.exeA2-Cryptor.execmd.exeBadRabbit.exeFMLN.exeShingapi.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2336 wrote to memory of 2332	2336	FileCrypter.exe	A2-Cryptor.exe
PID 2336 wrote to memory of 2332	2336	FileCrypter.exe	A2-Cryptor.exe
PID 2336 wrote to memory of 2332	2336	FileCrypter.exe	A2-Cryptor.exe
PID 2336 wrote to memory of 2332	2336	FileCrypter.exe	A2-Cryptor.exe
PID 2336 wrote to memory of 1124	2336	FileCrypter.exe	BadRabbit.exe
PID 2336 wrote to memory of 1124	2336	FileCrypter.exe	BadRabbit.exe
PID 2336 wrote to memory of 1124	2336	FileCrypter.exe	BadRabbit.exe
PID 2336 wrote to memory of 1124	2336	FileCrypter.exe	BadRabbit.exe
PID 2336 wrote to memory of 1124	2336	FileCrypter.exe	BadRabbit.exe
PID 2336 wrote to memory of 1124	2336	FileCrypter.exe	BadRabbit.exe
PID 2336 wrote to memory of 1124	2336	FileCrypter.exe	BadRabbit.exe
PID 2336 wrote to memory of 1972	2336	FileCrypter.exe	FMLN.exe
PID 2336 wrote to memory of 1972	2336	FileCrypter.exe	FMLN.exe
PID 2336 wrote to memory of 1972	2336	FileCrypter.exe	FMLN.exe
PID 2336 wrote to memory of 1972	2336	FileCrypter.exe	FMLN.exe
PID 2332 wrote to memory of 1264	2332	A2-Cryptor.exe	cmd.exe
PID 2332 wrote to memory of 1264	2332	A2-Cryptor.exe	cmd.exe
PID 2332 wrote to memory of 1264	2332	A2-Cryptor.exe	cmd.exe
PID 2332 wrote to memory of 1264	2332	A2-Cryptor.exe	cmd.exe
PID 2336 wrote to memory of 2020	2336	FileCrypter.exe	Shingapi.exe
PID 2336 wrote to memory of 2020	2336	FileCrypter.exe	Shingapi.exe
PID 2336 wrote to memory of 2020	2336	FileCrypter.exe	Shingapi.exe
PID 2336 wrote to memory of 2020	2336	FileCrypter.exe	Shingapi.exe
PID 1264 wrote to memory of 580	1264	cmd.exe	mode.com
PID 1264 wrote to memory of 580	1264	cmd.exe	mode.com
PID 1264 wrote to memory of 580	1264	cmd.exe	mode.com
PID 1124 wrote to memory of 592	1124	BadRabbit.exe	rundll32.exe
PID 1124 wrote to memory of 592	1124	BadRabbit.exe	rundll32.exe
PID 1124 wrote to memory of 592	1124	BadRabbit.exe	rundll32.exe
PID 1124 wrote to memory of 592	1124	BadRabbit.exe	rundll32.exe
PID 1124 wrote to memory of 592	1124	BadRabbit.exe	rundll32.exe
PID 1124 wrote to memory of 592	1124	BadRabbit.exe	rundll32.exe
PID 1124 wrote to memory of 592	1124	BadRabbit.exe	rundll32.exe
PID 1972 wrote to memory of 1016	1972	FMLN.exe	cmd.exe
PID 1972 wrote to memory of 1016	1972	FMLN.exe	cmd.exe
PID 1972 wrote to memory of 1016	1972	FMLN.exe	cmd.exe
PID 1972 wrote to memory of 1016	1972	FMLN.exe	cmd.exe
PID 2020 wrote to memory of 548	2020	Shingapi.exe	cmd.exe
PID 2020 wrote to memory of 548	2020	Shingapi.exe	cmd.exe
PID 2020 wrote to memory of 548	2020	Shingapi.exe	cmd.exe
PID 2020 wrote to memory of 548	2020	Shingapi.exe	cmd.exe
PID 1264 wrote to memory of 1596	1264	cmd.exe	mode.com
PID 1264 wrote to memory of 1596	1264	cmd.exe	mode.com
PID 1264 wrote to memory of 1596	1264	cmd.exe	mode.com
PID 1016 wrote to memory of 1168	1016	cmd.exe	mode.com
PID 1016 wrote to memory of 1168	1016	cmd.exe	mode.com
PID 1016 wrote to memory of 1168	1016	cmd.exe	mode.com
PID 1016 wrote to memory of 1168	1016	cmd.exe	mode.com
PID 1264 wrote to memory of 2848	1264	cmd.exe	certutil.exe
PID 1264 wrote to memory of 2848	1264	cmd.exe	certutil.exe
PID 1264 wrote to memory of 2848	1264	cmd.exe	certutil.exe
PID 548 wrote to memory of 2548	548	cmd.exe	cmd.exe
PID 548 wrote to memory of 2548	548	cmd.exe	cmd.exe
PID 548 wrote to memory of 2548	548	cmd.exe	cmd.exe
PID 548 wrote to memory of 2548	548	cmd.exe	cmd.exe
PID 548 wrote to memory of 2836	548	cmd.exe	netsh.exe
PID 548 wrote to memory of 2836	548	cmd.exe	netsh.exe
PID 548 wrote to memory of 2836	548	cmd.exe	netsh.exe
PID 548 wrote to memory of 2836	548	cmd.exe	netsh.exe
PID 2548 wrote to memory of 2656	2548	cmd.exe	reg.exe
PID 2548 wrote to memory of 2656	2548	cmd.exe	reg.exe
PID 2548 wrote to memory of 2656	2548	cmd.exe	reg.exe
PID 2548 wrote to memory of 2656	2548	cmd.exe	reg.exe
PID 1264 wrote to memory of 1868	1264	cmd.exe	timeout.exe

Views/modifies file attributes 1 TTPs 4 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exe

pid process

1432 attrib.exe
3304 attrib.exe
3488 attrib.exe
1836 attrib.exe

pid	process
1432	attrib.exe
3304	attrib.exe
3488	attrib.exe
1836	attrib.exe

C:\Users\Admin\AppData\Local\Temp\FileCrypter.exe
"C:\Users\Admin\AppData\Local\Temp\FileCrypter.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2336

C:\Users\Admin\AppData\Local\Temp\A2-Cryptor.exe
"C:\Users\Admin\AppData\Local\Temp\A2-Cryptor.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4FE4.tmp\4FE5.tmp\4FF6.bat C:\Users\Admin\AppData\Local\Temp\A2-Cryptor.exe"
3⤵
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:1264

C:\Windows\system32\mode.com
MODE CON: COLS=100 LINES=25
4⤵
PID:580

C:\Windows\system32\mode.com
MODE CON: COLS=100 LINES=25
4⤵
PID:1596

C:\Windows\system32\certutil.exe
certutil -decode "Image.bin" "Encrypted.jpeg"
4⤵
PID:2848

C:\Windows\system32\timeout.exe
timeout /t 3
4⤵
- Delays execution with timeout.exe
PID:1868

C:\Windows\system32\timeout.exe
timeout /t 3
4⤵
- Delays execution with timeout.exe
PID:1584

C:\Windows\system32\timeout.exe
timeout /t 3
4⤵
- Delays execution with timeout.exe
PID:3016

C:\Windows\system32\timeout.exe
timeout /t 5
4⤵
- Delays execution with timeout.exe
PID:2772

C:\Windows\system32\timeout.exe
timeout /t 5
4⤵
- Delays execution with timeout.exe
PID:2976

C:\Windows\system32\wscript.exe
wscript "0.vbs"
4⤵
- Sets desktop wallpaper using registry
- Modifies Control Panel
PID:2028

C:\Windows\System32\RUNDLL32.EXE
"C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
5⤵
PID:2904

C:\Windows\system32\wscript.exe
wscript "0.vbs"
4⤵
- Sets desktop wallpaper using registry
- Modifies Control Panel
PID:1664

C:\Windows\System32\RUNDLL32.EXE
"C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
5⤵
PID:3144

C:\Windows\system32\wscript.exe
wscript "0.vbs"
4⤵
- Sets desktop wallpaper using registry
- Modifies Control Panel
PID:2520

C:\Windows\System32\RUNDLL32.EXE
"C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
5⤵
PID:3080

C:\Windows\system32\wscript.exe
wscript "0.vbs"
4⤵
- Sets desktop wallpaper using registry
- Modifies Control Panel
PID:2916

C:\Windows\System32\RUNDLL32.EXE
"C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
5⤵
PID:3128

C:\Windows\system32\wscript.exe
wscript "0.vbs"
4⤵
- Sets desktop wallpaper using registry
- Modifies Control Panel
PID:1736

C:\Windows\System32\RUNDLL32.EXE
"C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
5⤵
PID:3052

C:\Windows\system32\timeout.exe
timeout /t 4
4⤵
- Delays execution with timeout.exe
PID:884

C:\Windows\system32\wscript.exe
wscript "m.vbs"
4⤵
PID:1548

C:\Users\Admin\AppData\Local\Temp\BadRabbit.exe
"C:\Users\Admin\AppData\Local\Temp\BadRabbit.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
3⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:592

C:\Windows\SysWOW64\cmd.exe
/c schtasks /Delete /F /TN rhaegal
4⤵
PID:1816

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /F /TN rhaegal
5⤵
PID:1804

C:\Windows\SysWOW64\cmd.exe
/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3749942816 && exit"
4⤵
PID:2776

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3749942816 && exit"
5⤵
- Creates scheduled task(s)
PID:1732

C:\Windows\SysWOW64\cmd.exe
/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 17:28:00
4⤵
PID:692

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 17:28:00
5⤵
- Creates scheduled task(s)
PID:988

C:\Windows\5CFF.tmp
"C:\Windows\5CFF.tmp" \\.\pipe\{41EEE1D2-6D90-4EA6-9D8F-8A7969E0B513}
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Users\Admin\AppData\Local\Temp\FMLN.exe
"C:\Users\Admin\AppData\Local\Temp\FMLN.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\50DE.tmp\50DF.tmp\50E0.bat C:\Users\Admin\AppData\Local\Temp\FMLN.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1016

C:\Windows\SysWOW64\mode.com
mode con: cols=170 lines=45
4⤵
PID:1168

C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
"C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\512C.tmp\512D.tmp\512E.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
3⤵
- Loads dropped DLL
- Drops autorun.inf file
- Suspicious use of WriteProcessMemory
PID:548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
4⤵
- Suspicious use of WriteProcessMemory
PID:2548

C:\Windows\SysWOW64\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"
5⤵
- Adds Run key to start application
PID:2656

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set publicprofile state off
4⤵
- Modifies Windows Firewall
PID:2836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
4⤵
PID:2940

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
4⤵
PID:2100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
4⤵
PID:1512

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32" /r
5⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2816

C:\Windows\SysWOW64\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
4⤵
PID:1604

C:\Windows\SysWOW64\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
4⤵
PID:916

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /release
4⤵
- Gathers network information
PID:560

C:\Windows\SysWOW64\taskkill.exe
taskkill /im DiskPart /f
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3040

C:\Windows\SysWOW64\attrib.exe
attrib -r -a -s -h *.*
4⤵
- Drops autorun.inf file
- Views/modifies file attributes
PID:1432

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:2280

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:1268

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:524

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:432

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:2864

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:2988

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:864

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:2892

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:2076

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:1416

C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
4⤵
- Executes dropped EXE
PID:1976

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7436.tmp\7437.tmp\7448.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
5⤵
- Drops autorun.inf file
PID:1560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
6⤵
PID:2680

C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"
7⤵
PID:2232

C:\Windows\system32\netsh.exe
netsh advfirewall set publicprofile state off
6⤵
- Modifies Windows Firewall
PID:2856

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
6⤵
PID:2080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
6⤵
PID:2576

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
7⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2288

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
6⤵
PID:3056

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
6⤵
PID:1668

C:\Windows\system32\ipconfig.exe
ipconfig /release
6⤵
- Gathers network information
PID:1160

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2116

C:\Windows\system32\attrib.exe
attrib -r -a -s -h *.*
6⤵
- Drops autorun.inf file
- Views/modifies file attributes
PID:3304

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
6⤵
PID:3456

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
6⤵
PID:3632

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
6⤵
PID:3760

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
6⤵
PID:3884

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
6⤵
PID:3192

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
6⤵
PID:3420

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
6⤵
PID:3852

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
6⤵
PID:2344

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
6⤵
PID:3492

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
6⤵
PID:4088

C:\Windows\system32\msg.exe
msg * Virus Detectado
6⤵
PID:1648

C:\Windows\system32\msg.exe
msg * Virus Detectado
6⤵
PID:3356

C:\Windows\system32\msg.exe
msg * Has Sido Hackeado!
6⤵
PID:3696

C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
6⤵
PID:1840

C:\Windows\system32\notepad.exe
notepad
6⤵
PID:3120

C:\Windows\system32\calc.exe
calc
6⤵
PID:3052

C:\Windows\explorer.exe
explorer.exe
6⤵
PID:1140

C:\Windows\system32\mspaint.exe
mspaint.exe
6⤵
PID:1160

C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
6⤵
PID:980

C:\Windows\system32\notepad.exe
notepad
6⤵
PID:3140

C:\Windows\system32\calc.exe
calc
6⤵
PID:3536

C:\Windows\explorer.exe
explorer.exe
6⤵
PID:2488

C:\Windows\system32\mspaint.exe
mspaint.exe
6⤵
PID:3060

C:\Windows\SysWOW64\notepad.exe
notepad
4⤵
PID:2284

C:\Windows\SysWOW64\calc.exe
calc
4⤵
PID:2012

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
PID:2592

C:\Windows\SysWOW64\mspaint.exe
mspaint.exe
4⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2336

C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
4⤵
- Executes dropped EXE
PID:1156

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\75AD.tmp\75AE.tmp\75AF.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
5⤵
- Drops autorun.inf file
PID:2648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
6⤵
PID:2936

C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"
7⤵
PID:1040

C:\Windows\system32\netsh.exe
netsh advfirewall set publicprofile state off
6⤵
- Modifies Windows Firewall
PID:2952

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
6⤵
PID:2584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
6⤵
PID:2312

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
7⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1124

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
6⤵
PID:2128

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
6⤵
PID:1044

C:\Windows\system32\ipconfig.exe
ipconfig /release
6⤵
- Gathers network information
PID:1896

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2264

C:\Windows\system32\attrib.exe
attrib -r -a -s -h *.*
6⤵
- Views/modifies file attributes
PID:3488

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
6⤵
PID:3996

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
6⤵
PID:3080

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
6⤵
PID:2916

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
6⤵
PID:3588

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
6⤵
PID:1684

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
6⤵
PID:2000

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
6⤵
PID:2704

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
6⤵
PID:4012

C:\Windows\SysWOW64\notepad.exe
notepad
4⤵
PID:872

C:\Windows\SysWOW64\calc.exe
calc
4⤵
PID:988

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
PID:2164

C:\Windows\SysWOW64\mspaint.exe
mspaint.exe
4⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2412

C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
4⤵
- Executes dropped EXE
PID:656

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7733.tmp\7734.tmp\7735.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
5⤵
- Drops autorun.inf file
PID:2960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
6⤵
PID:2368

C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"
7⤵
PID:2564

C:\Windows\system32\netsh.exe
netsh advfirewall set publicprofile state off
6⤵
- Modifies Windows Firewall
PID:1396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
6⤵
PID:2084

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
6⤵
PID:2032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
6⤵
PID:2068

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
7⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3016

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
6⤵
PID:1140

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
6⤵
PID:2288

C:\Windows\system32\ipconfig.exe
ipconfig /release
6⤵
- Gathers network information
PID:2704

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Windows\system32\attrib.exe
attrib -r -a -s -h *.*
6⤵
- Views/modifies file attributes
PID:1836

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
6⤵
PID:3744

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
6⤵
PID:4020

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
6⤵
PID:3408

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
6⤵
PID:3944

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
6⤵
PID:3524

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
6⤵
PID:3868

C:\Windows\SysWOW64\notepad.exe
notepad
4⤵
PID:2532

C:\Windows\SysWOW64\calc.exe
calc
4⤵
PID:2700

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
PID:2852

C:\Windows\SysWOW64\mspaint.exe
mspaint.exe
4⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2764

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:2884

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "13715493832029987037335331756214325375712897291039110561921180950106-1082107760"
1⤵
PID:2164

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

T1091

Execution

Scheduled Task/Job

T1053

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0.vbs
Filesize
383B

MD5
e8ac1f187bb02b76ff45f3a3977c6669

SHA1
a6246d99d7f0347e246399576342e7e118d6cb2a

SHA256
8b163a7e7bc1048d74b3b0298b85bc453cf349c9adb53d76adf391ef0491db26

SHA512
f7f67854fdd19718a5fe8aaf99cf722ffb73a8151c8d3f214e89b44b0c4cba24c5fbfd390246e9cb2423919d0b4f694117c09b7697853168156d77efbb83397b

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000.eky
Filesize
49B

MD5
60019def991ce2c43c439625da620ae1

SHA1
11a4146032b8e26c7ef2d0d29c27351fc266e79b

SHA256
b7a8cbbbdc6b998f7d3447069542c050aa111e6dc403cc79686b4f59da0d2f0b

SHA512
3f1b7a8d5969ab8b42d66a6372d504807389ca8d8d00f8a72b778e98f6497110ea527426862dbffec3f5ad33e68d03e082be1631da45cb81ad99dd604f30ceda

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000.pky
Filesize
46B

MD5
cecb76b53af837070c7e0f800caa8ab7

SHA1
2011e46e241520555cb200466e182824e2976598

SHA256
e4901cbd286e61c1d550090f2f1896e1634a1174f91ebee9c5bef44e3cbd956a

SHA512
24554103a9c68dea293b63c3bfe1e5210b461766a5fd2e47fe884602e66a8cf26b174fce404ad600cf8891e1661c6d1e95250439f508421906e948acc7fcc667

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000.ple
Filesize
51B

MD5
74d9354a3937130babf616a4178ab025

SHA1
f271df4f0c53a77b1b8491212d042b98d95cfeb4

SHA256
f18e47be3c0f002b1f0f1364fb1b28360a81d0f12ede07b1fa847831597e1ebe

SHA512
5cfb53fd598dd3d504432640e2dbffaa061af77092336e2c53a0cb6d2e5212519ef94cd8488669aa551856d9ac7de9489a3ad492f396fb64b18fe34eaf5e95b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000.res
Filesize
50B

MD5
49574e784b6bdfb8bd243f822f7d3ef4

SHA1
6cfd3d22f9800e24e4e9b524927305c1f343f0d3

SHA256
3619586779ddabf59f03ad14c304b11f850a374f4ef032b90e9ebf567d0dfcdd

SHA512
e3626043082e65ec4c6f25f12b38a72306b1ce78e0dfdf0486e7a3e3b736fc4749126071802f12c7f7555765b6f7ecea21f5a82409e360f2f9826f91aed3636f

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000.vhc
Filesize
49B

MD5
1d6e4f5253e9271a79494706a6bb5bd0

SHA1
182aa5850b7c4517337f5af574e82faea843d80d

SHA256
0b1688dd538fcf7579403b2ab245af919bede2cbeba380d9f0536aab9f193966

SHA512
37b75db70e6e239e0abd0b579c395ef09c58b1ab51eb121684fcd628710b9703854bfc4286e0661baec7609c727f5eb5f6829c7b10f8d518db200f1344943209

Download Submit
C:\Users\Admin\AppData\Local\Temp\4FE4.tmp\4FE5.tmp\4FF6.bat
Filesize
33KB

MD5
4b42191175209ea23203acc526307c00

SHA1
a77abea54f5b2a0084fd1574a1c5b6e1df1df054

SHA256
4ce518699c3f97015eb2f81b09325c8f67213d0efaec73bbf924a5bdf3d5152c

SHA512
fb35705095153a587a253160a92268c8e03605f87ecbb45dd3a0c4ca59e255046188cb9476d99f8164458506d2e5057e6127f0e0fe7997471e7381cc4a08ec42

Download Submit
C:\Users\Admin\AppData\Local\Temp\50DE.tmp\50DF.tmp\50E0.bat
Filesize
54KB

MD5
93841169c4264ce13735e8b116d06226

SHA1
1ceac2fe01f6bdb37bdeb73ba13cd7ed99d0f608

SHA256
82bf8fbb4b79fdd9a21518373ddd57fc2d6c53599458a055f64e20d40dc85f2b

SHA512
ce98cac504828ac676d1069f6d0cedc55ff68bf51d2b01df0108ec632bdc0aa1f809ef6ddb000fa1c59ea66723c903cf37412d98f59ff7032777a45b2c72e871

Download Submit
C:\Users\Admin\AppData\Local\Temp\512C.tmp\512D.tmp\512E.bat
Filesize
17KB

MD5
190e7cfa7d6de532ba4498ca3d38b47d

SHA1
7d4ea5ce61962c0445d955a44dd31226fa8c736e

SHA256
faee2b0ac2218435a6973b87277b29010c988efefdcd7fe0e107808c2cc0f282

SHA512
5a87b4bac67957acbc6dfab08cf9b3e1110e4b496b66110a44f7b2d0ec75b950d7569b6220c4a5ab3597db032e70b16d5a5e6ee4ab23102f6d12fea7bdc11598

Download Submit
C:\Users\Admin\AppData\Local\Temp\5680_31879.bat
Filesize
127B

MD5
71f2ece5d6de26f528ff0e1c9382f1c9

SHA1
12b4fe9e4f1d4e0ea494393282baeb58f5991c8e

SHA256
648b31ac461f2539e111298e9d5f8e154ed8852a4f8c57cceec17504da8cdb01

SHA512
0236aa82c44f9cdc7230d2b46c910c794820202e697031c893ed8502883f310bc202beee7d4a502f5508c8f6c320f9479e48be30f24f344624a0224a1f549c56

Download Submit
C:\Users\Admin\AppData\Local\Temp\A2-Cryptor.exe
Filesize
122KB

MD5
d6e36f6b145a4601a84835b7e8a0bbc2

SHA1
3c7e26433f5f42fe69fbe4b3c2e6d9d7b196697c

SHA256
46038db7643482e1d25939e6c7be35a7e7529fd716570e25e4137f6a79a1c316

SHA512
e10acbaa6e1cd5cc4350dc789841e2638fb50b152aebc65bee2c07ad94f7e6ae1ce6bd51c5f5f6952f970ee364f2515417608e872c3b97b0cf749bb86fa0b72e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs
Filesize
60B

MD5
11aa52a7eca2cf8fdcd1584b5a8b6026

SHA1
01ae6066e6b3879cb0caf306cc91077b7c0bea1e

SHA256
8dfd0a6db2df60455840dbbbcc4f8b70d730ba1c2afbf300316898b3dd3e9b11

SHA512
07f37c050eb59e7a1a228ca851d05ca9b62bb3de97f988fb36c374c827833c8c551e5cb51eb05130861c0b35515ca77ae667ca97ee4f08c86cdf9f6fb64533c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs
Filesize
180B

MD5
b2206e980c51067d6e9dd7575d842bdc

SHA1
5aa6f76eee9efd569089be7f363e30ebf0531a22

SHA256
add106f3d6e9cfd2fac3d14a74d6791a9caa257b9c7e105a9a5fc2a309337ecd

SHA512
89ab3ca635f8fdcb1206f0a1d585355a730506cc1d72ca666f1e9d650b24107368349b44ab0b3d3132442a2fc61c0c9404d00b717a61f305d9c93d5d638d9bec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs
Filesize
184B

MD5
0e758e4075696160e66b27af14b8b5ae

SHA1
7bbcebdbac764771850bb1e32722e65afff1e40b

SHA256
5e690d98d13602812c921d20a6328acd24ceed8bf7e9c1ff550d67f5020c34d7

SHA512
afcca00d5f9a3c70e0f5eba685df432a149bc135c986d6e4dbeedf3235074f1cd17dd5087eb620636b33c5ced0412e5e2608b75da1c7f0107a3c5846a9b796cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf
Filesize
74B

MD5
b39df423c6e5978065a9a8ec4879a3b4

SHA1
96441a7a7d8090f7a96a1160f539531f66568e88

SHA256
12a5135510016abcfe1192aceb6fec42634346661d778d68be1debaa3d75e967

SHA512
2d583fcae1ec73f836c5b66b8b1337bb4250a8230073de96d501a4fab5f522b75599ac2a1fcf1457a841d8c84bcccb88feade82f49357b28345c63d9526cfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf
Filesize
222B

MD5
05a4d4594b598cfe885bf862787b8cde

SHA1
dfb26e156e88af25bd00db0bc788b81c521a4db9

SHA256
fd8427db8c0c5ad2c7a8fc36c18f9400e25bdd7dfd1d267ec11a7a94bdbd1cab

SHA512
ac1f87eabd69e1939f463c8710cdd1ba8a886ad6509d26d0fac4e09ab82056cf952b7a0cf2ecb55bb0549fdb0aff6457133eeb6b7b222df58f773f91df101136

Download Submit
C:\Users\Admin\AppData\Local\Temp\BadRabbit.exe
Filesize
431KB

MD5
fbbdc39af1139aebba4da004475e8839

SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0

SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

Download Submit
C:\Users\Admin\AppData\Local\Temp\Encrypt.sk
Filesize
357B

MD5
955afc984c7d08b2bc7bcf4fb8b4a739

SHA1
4c23a29640cada6423065ec8b1fe12f4cd7e3fec

SHA256
b7b12f78dfcfce7968e1e612410d4535127fb029815c73779f9a29ae7da897d5

SHA512
6909a0343dc1868f496ae3b2948f260c2f8c0bcf77d18f3ab0028c9996fdb649c2ea4e8f657fde4f050424f2d86a3cf2669852a331392362bb4d9e1b364bbefe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Encrypted.jpeg
Filesize
15KB

MD5
20aba01130e85571476712c784af05b0

SHA1
54c9002381bafbfa648dd3f5c77b1830efc1dc85

SHA256
72bdac2468fa4e19f8915817f380ceeb96ff94a64a3e29e64ac79b65bed2f6ac

SHA512
c84a603b359d3e7097229161d22a69c574a582cbbd21c8343fa06986b5058125763196b8d4e2f7bf51400ffaba63e9c565e42c32759b973439f46e5a9f84b19f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs
Filesize
54B

MD5
888e64c554686bbbc0499057cce1af36

SHA1
5a7f51c66e3ae7dd0e0231c9817aee8c9fc54006

SHA256
616cf19739e00c69e9606d9c94869f6fcb6a7b3860e7b8af9bc896f3081dad0d

SHA512
9882375fdd09d489258447d49b8b63d0bc8db57cdb7186500c00c79d57f30af5f37a69e8fab70683a7c9d730e3484ef537ee57bb1892a84f92e9aba639d1d227

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs
Filesize
162B

MD5
d5980bf4b018e4c397df95afe8941c66

SHA1
ce53c669a898d09479831bc59bc31a5fba2a6f2b

SHA256
9afd004a8cb9b9e8b1eeab780fb0c4ffa39c3ec2ded034b1a7cd69db7f67872a

SHA512
c995f9d3252b9a7af52a398562261baf3297fee64fade9de22895cce017e5aa097c7935a0519e474253a181e1e018348a1ade3d953bfaff5dc43e30e2d9fde5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs
Filesize
216B

MD5
7659392a12010d8c761cb9888f6fd5ac

SHA1
b8829c26628740b77ab7405c231f420e860d8c1f

SHA256
71bd0bffdeca9dce2b4e9e1d767a0732657032171f3ad33903dec353ef95a431

SHA512
5caf94b288649b687f411cbb5519168e09e161f8d9545a6bad1b0d08876a542d153a115f8b44e3f15d973812ce8ec7471bba7d8bd0b9a22d0abf6fdf2914a2bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\FMLN.exe
Filesize
258KB

MD5
c87988e35ec34779191f42b6213fdec1

SHA1
81036dcf6ea331243f2d512b8ac9611a95a18ea1

SHA256
96f3ce153153f922fb18e4722b0348aee2c76022bcdee75fadab97023003fe10

SHA512
ba32f9bc18fb187fa4dc03bb1db903255c16af62dc903521ddd8fb120e5599bbccb4fa12255f0195a5e51b6a99ee5228bc0515f299c0ebb1b1a5134e61aab9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Image.bin
Filesize
21KB

MD5
f6f72da7cd731682ff5442ba541457e2

SHA1
60bddfc609fad2f80c0688905e795e51003d9433

SHA256
00a5048d9f74271e4cd5c36cf1434c789a8c16206ff5fca1c785156e01693bc1

SHA512
2a09df3df3d89ec413f31f7a20254513db6323e7c7e5e041161f55dfefcc80d22870c512f71aad77e7e9ef775b635a707ddf60b0bb4ef458bff6e15f1e425e5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs
Filesize
69B

MD5
72946942abf5cf295f726b816c531ebf

SHA1
8ac5ccae8003c3776c2e0ee0959a76c8bc913495

SHA256
d9fc0446467e00e640f0dd0bf36882943a6993dcc1038ba8f73239152896eb25

SHA512
2f42b10e2c1359a690e1a69e307008e3beb4712e4c071d916fb1380c61cb2ed3ae48c86af44c6f1c9d613e85dd75d8cfd66fd01de0649444ee6d5193d9789d23

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs
Filesize
207B

MD5
d3715d7f77349116a701484780269375

SHA1
589c48410637ac33431569b867070a51c4de5b1c

SHA256
ea0bdd86d283aba33d619aeecb5087ad9132b58e8ae7121e3c3774504abb976a

SHA512
9526a79ac4f9a18104f8e84d684136eef9b6bbccfe772d1d1030d9be02de2f7221cdee248ec748971551a42ed1d8fb1c8a9d820b837164f68376cdee1dc8ff3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs
Filesize
211B

MD5
4d6f1b0da81629f8a31411bdb8b30cf6

SHA1
1bf9f2f3d7607fd39dc68f06b4742dce96541f56

SHA256
fba01bc71e9bf757fa27fe5f797662757b0e2b64478bff49cf5ac0027be6e648

SHA512
4deb7ad24a5ddc7df17ba567550b96c12038b01c6930c9b01c472d2c26afae152bed81414c1aaf078c7c9962828d958b1f99d1395ca8dc42714aa68c5e5f1007

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs
Filesize
276B

MD5
089381a847f01ba0962ae00f0d92d5e8

SHA1
9f3240f89871639778a318e0cadccafcf9d7c55e

SHA256
2cda289b5067c9daf8b4dffdf323b2fe9d0a47bfdbb91b4a017029bc74729c05

SHA512
89fbf1b423f17101970290b070d740b8d58beecc6723e64edb7ae23b9285afe3a612b8e8f5ec202d60aca3875a28dbc556a43af9fe4113ac0bdba1fa83c5213a

Download Submit
C:\Users\Admin\AppData\Local\Temp\README.txt
Filesize
564B

MD5
df6412cc0f77ce16caf3602c53d7a4be

SHA1
aa34421e95cb3a642842a63f5cfd46763e9b9a8c

SHA256
51bc53f8dba5178e0063e41e54197c4d7a566df509e67cc40c02137fd7ee2ac6

SHA512
335b790a29f91853899eae21d5973c839e5a9edfc49496ce6de909ec20bdfc9841dd14042727dd6b3dec091337fcdbb8ae8f1e44f4d8619723a2e882e50e667b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
Filesize
106KB

MD5
8b6a377f9a67d5482a8eba5708f45bb2

SHA1
7197436525e568606850ee5e033c43aea1c3bc91

SHA256
6ca11c8b6442db97c02f3b0f73db61f58c96d52e8a880e33abee5b10807d993f

SHA512
644e51798399168530b05e629b414dd80cac678bd3c8d4a5d164f55736a2b2fd380d3ca4640f7a034c8f043c06b1527b473e2d17da088d5e97de6ea04120dd72

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat
Filesize
173B

MD5
0c998e3681eb9f67fbacda38281c5fa7

SHA1
bd3e89780f374c54c5dfbe3fab83a926ca5803de

SHA256
3c656f47268598c5bbe3ee4661b4f8c7dc09420cf393a6e417541db3c6020205

SHA512
11e3fd1d141bd23a2b0f17665f0f57e5a606fdd82555a7bd88cd533863ce4269d8395f8963d1cdfde93efbb0817486db48c3b593f8de35e150e2395daadb762e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat
Filesize
519B

MD5
03f0ef4961ee3f5ebc91e222ad5c3a55

SHA1
130947f0716f672e1c0577f60471dfbd9d1f3435

SHA256
b2cf1c83480bb2e69599e063be75ef8188b20c82a03998098d13d42c11502d21

SHA512
641784c8422a15360449ae9d79722e4d6d5752ef8db0a6cd8e1d71e78c5994dc9e790f5e875a7314be603feb42badc587bf79e8f682aa94b2335443ea8592671

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat
Filesize
692B

MD5
6989502044e4a9fca67e9ded25de9956

SHA1
9a8d099caad939d32599530b27f7db641cbdb8da

SHA256
b370b54e95376f4b6df27592bc23343c82ebbfad3d52e71a38a2aac504bda04c

SHA512
9f0e6d59d9adc531f5c162b964205e0dd63c6a956291af48d24e6b8988a940b6f2cc7644a9163277e6383a6d9f8ddb00c9687d73426ea776c691e73f66e95a5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe
Filesize
4KB

MD5
17b2117ad2d2e11ea919aa5ec0123e0e

SHA1
72a06878125058f3060c62bdd5e4643a6eb6afa4

SHA256
6ebc648973bb6c54729969ec9ffb82f80787e859573a84e8a836fae0c5839ac6

SHA512
9ec14dfb5a8c2ed1d59c3c7a9a827c97792dfe4d21b928e2dadd5c3810ddc9f2834951bf61a09ae8b124f565603f1195ee7848c99fb2d805048d3381ea66f5de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe
Filesize
5KB

MD5
028d5a36a16cfb64545d14cf508f6ede

SHA1
fcaecded3fb92e09f157f183b01fbcfaf6eaadb4

SHA256
052b1cd60cd997fde793838ef3f3d9c89092c96254a2d5ac1ef7c5d00148ca6b

SHA512
cfdc128e16556ccd0ce685b894e734ad15e65d3f0422b6dd2f7b6b7cbd8cac1452c951532d71a5ddd72c868b56d0cf5923873dacc1ee118ea3035a409a765475

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe
Filesize
13KB

MD5
83213ceb52e34039599d178721d760f7

SHA1
acf9e8859367c1445682a220a59a372e94a31077

SHA256
e6ef01c0840f6e20fafe3b1390ada167ccf2f157f0e1cdc222c9163ee5cfdd4c

SHA512
1a16c37b4d6e5a0aa873ded31966cac6c0ee624a8c527f5aa3e9b9d710aad3b14b5c0ca9b49b5ef82ce80d133d8f8966f6444edcbcdf7d2a69d46d59bb91beba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe
Filesize
18KB

MD5
c7813b4d51ca2f8931c49db0efe988c7

SHA1
4e6b2845bfde3e8197527574a9f2aa48489db0fd

SHA256
eefd5110eca1fabd97ced651a5edf879cbdb92a5530e5214e6e33c4438d740a0

SHA512
1735a950e1df511129b82e49b30877e3dbae1f12179b995b0d91b32f8f0ad25f5dd5547d63048be70d3a4d701316535fd50d17507ac1e444a476c4149e09aeaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd
Filesize
462B

MD5
4dc05ac0050c0d2f98299a019fda2577

SHA1
9e606ec3d928474adfda99e10a3ef39e5c727683

SHA256
55fbdc6e73e70bf1466c6f00fe182c51aca8ead2fd1e3ee408cf9eff91f1a5da

SHA512
ebe2a623abbb7da77102687d1cbdd6255317ef32de0c0e6920c933c25a8a6069cd6be9f44248d91bdca87270db50468bf5e16ea629dd7277d9e15f34075cb268

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd
Filesize
693B

MD5
c58af879c4bc06725fbfdd6bb786bdca

SHA1
99885cc5fd8c13599b64d3a6c3b6d60ae2e06cb7

SHA256
812512204d03cd54638c2f2bf89973bcc46a2b141755f81fd3490211b5dcbc8e

SHA512
791bc1545afbf811ab2abc09d267cbcef0e8d5263c3bb08bb6e68f951edc56045fd0031b8843e6edd486c8c69443a17a21b6015bd6ecb2a864a044e144895a5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd
Filesize
231B

MD5
da5f8d71afd8ce9598ec5e5443c459d9

SHA1
abd2267aaea39b0a9208bc7f094df5fb2754d233

SHA256
a1d679d97c8ab326b9578d18de310789709482bf270d350786e1b30895c92c80

SHA512
1318f1471a536244523141d14c8c73b8dc52de3843eb8b8b3e9b2ae0348eb4f41c085931b8053c5fc68182f0a493d15de7bb086cc872f48203e8f9916886452b

Download Submit
C:\Users\Admin\AppData\Local\Temp\m.vbs
Filesize
71B

MD5
cbaa7c6cb3c383b11dd691b316f2a91b

SHA1
0f2d66cea7cc24e0dda9972e05a7b236a9bcbc9e

SHA256
5f1ffcde4ee668c3350fdd9730df67adc35c704342ac2224924069c9bae2be95

SHA512
fe74a8ccd7875e7bf9588d386fd886810dc0edd01216bf5a886add985fcbb813296a606ec83028a90d30b4df348125827300a98f2ec6081a5d981d09316a44f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat
Filesize
49B

MD5
cfb046d3c9513b92c1b287da26f97c28

SHA1
ea8208c4dad826b7fdb3b5b728863a95e86d4383

SHA256
a06f170d4f92bf290e38b0ce1c05bb59c95de2797b1a5253b949ad7e1be9818b

SHA512
dbeeea4d284f59e1455a5426334caa02458e88833aeece9817c51be616697ca4c399b2a9d0e8e44bf4a5ee63d0b37c0aed68c01f1748fa5a23ed6d2af62b3340

Download Submit
C:\Windows\5CFF.tmp
Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat
Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
memory/592-183-0x0000000000210000-0x0000000000278000-memory.dmp

Filesize
416KB

Download
memory/592-122-0x0000000000210000-0x0000000000278000-memory.dmp

Filesize
416KB

Download
memory/592-108-0x0000000000210000-0x0000000000278000-memory.dmp

Filesize
416KB

Download
memory/2336-738-0x00000000027E0000-0x00000000027E1000-memory.dmp

Filesize
4KB

Download
memory/2336-707-0x00000000027E0000-0x00000000027E1000-memory.dmp

Filesize
4KB

Download
memory/2412-723-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/2412-744-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/2764-710-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download