ccf9540b7b7952e32c6d8e1edb37387857cf4f43f91bf5356842bf26e809731f

Analysis

max time kernel
119s
max time network
151s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
14-09-2024 17:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-14_3925cdc1d6cb600054718d10c1bb4600_wormlocker.exe
Size

1.8MB
MD5

3925cdc1d6cb600054718d10c1bb4600
SHA1

993a9eefe488a3978ffa0933cabd392acc4c1d24
SHA256

ccf9540b7b7952e32c6d8e1edb37387857cf4f43f91bf5356842bf26e809731f
SHA512

4773272f13b300662e8f3b552f3e3fa9a0b6795e7bd14f13e6398de2bd09931b4c6635136b46f2b7f33cc5f399c47c3dff138d9a9adb4868fbdcb0875bb9e3f9
SSDEEP

49152:0pb/gUlz7chwGu8RXWxfLfVYY0Us9diyRXXVqPUqa:0pb4UShwG4xzfVhNsbtFq

Score

8^/10

discovery evasion exploit

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
2100	takeown.exe
2032	icacls.exe

Executes dropped EXE 1 IoCs

pid	Process
3004	WormLocker2.0.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2100	takeown.exe
2032	icacls.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\ransom_voice.vbs	2024-09-14_3925cdc1d6cb600054718d10c1bb4600_wormlocker.exe
File opened for modification	C:\Windows\System32\WormLocker2.0.exe	2024-09-14_3925cdc1d6cb600054718d10c1bb4600_wormlocker.exe
File created	C:\Windows\System32\LogonUItrue.exe	2024-09-14_3925cdc1d6cb600054718d10c1bb4600_wormlocker.exe
File opened for modification	C:\Windows\System32\LogonUItrue.exe	2024-09-14_3925cdc1d6cb600054718d10c1bb4600_wormlocker.exe
File created	C:\Windows\System32\LogonUI.exe	2024-09-14_3925cdc1d6cb600054718d10c1bb4600_wormlocker.exe
File opened for modification	C:\Windows\System32\LogonUIinf.exe	2024-09-14_3925cdc1d6cb600054718d10c1bb4600_wormlocker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WormLocker2.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004961a9603b5d8740891a04601e8b8fb900000000020000000000106600000001000020000000f64c8018ee2b434f0dd9a3c951fa26a87bd80951529b6eb4aef1339890b047ec000000000e800000000200002000000075929820ca13bb8fe868dc34961889ffc7b4fcdf7e4c99f47b30b9c4e9a5e21690000000103eac449db6d0997a106b8d745bfc346418104056273f38a1cde19c27aded16d6dcd57fb0b196fce267d3bb88b0dfb6b35625cb44f3abaea956df2b78e8070aab09593bc9203731317c32b16ba7da551b9d9e3d0b07c04080c23da4d4a6954c815404f60af868b008716495afd61a55aee4aac71461f3c34bdde06f6da3b468bf508af5563ebefd60dfe7b759a6b2cd40000000a5b59238d1e9fcd8afdfaaaa957edbecc29645a8c6e065bb115ca0bdd8a518cfe8069da9efb080115ee6df6628897cb57826acb76ee6cd785e6f6c90ea78ace2	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "432496779"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C3762FB1-72BE-11EF-9438-E643F72B7232} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004961a9603b5d8740891a04601e8b8fb9000000000200000000001066000000010000200000005565365db23d7bceca0733b7fc742c8d613814012d2ea2a974d002a689a8a2aa000000000e80000000020000200000006a995701e403e62676274f8d018ac807a4d1165e3d66a85419fb1f16d3649d032000000017c417edcecd5821db474b09318681bbcd8d8f7d9b1cc7f2980cd84a3b4fd34f40000000dacfafc208dd6ba59134f0ad66cacf1f0abf26b9c9f2a88c30c20ed7a827de0066538d7de76c7fc3b5247f31d7d5c18b59df6accfcb7a21fa96465a00fdc5db8	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3058db9ccb06db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2100	takeown.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2636	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2636	iexplore.exe
2636	iexplore.exe
2788	IEXPLORE.EXE
2788	IEXPLORE.EXE
2788	IEXPLORE.EXE
2788	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 1516	2088	2024-09-14_3925cdc1d6cb600054718d10c1bb4600_wormlocker.exe	31
PID 2088 wrote to memory of 1516	2088	2024-09-14_3925cdc1d6cb600054718d10c1bb4600_wormlocker.exe	31
PID 2088 wrote to memory of 1516	2088	2024-09-14_3925cdc1d6cb600054718d10c1bb4600_wormlocker.exe	31
PID 1516 wrote to memory of 2100	1516	cmd.exe	33
PID 1516 wrote to memory of 2100	1516	cmd.exe	33
PID 1516 wrote to memory of 2100	1516	cmd.exe	33
PID 1516 wrote to memory of 2032	1516	cmd.exe	34
PID 1516 wrote to memory of 2032	1516	cmd.exe	34
PID 1516 wrote to memory of 2032	1516	cmd.exe	34
PID 2088 wrote to memory of 3004	2088	2024-09-14_3925cdc1d6cb600054718d10c1bb4600_wormlocker.exe	35
PID 2088 wrote to memory of 3004	2088	2024-09-14_3925cdc1d6cb600054718d10c1bb4600_wormlocker.exe	35
PID 2088 wrote to memory of 3004	2088	2024-09-14_3925cdc1d6cb600054718d10c1bb4600_wormlocker.exe	35
PID 2088 wrote to memory of 3004	2088	2024-09-14_3925cdc1d6cb600054718d10c1bb4600_wormlocker.exe	35
PID 3004 wrote to memory of 2636	3004	WormLocker2.0.exe	36
PID 3004 wrote to memory of 2636	3004	WormLocker2.0.exe	36
PID 3004 wrote to memory of 2636	3004	WormLocker2.0.exe	36
PID 3004 wrote to memory of 2636	3004	WormLocker2.0.exe	36
PID 2636 wrote to memory of 2788	2636	iexplore.exe	37
PID 2636 wrote to memory of 2788	2636	iexplore.exe	37
PID 2636 wrote to memory of 2788	2636	iexplore.exe	37
PID 2636 wrote to memory of 2788	2636	iexplore.exe	37

C:\Users\Admin\AppData\Local\Temp\2024-09-14_3925cdc1d6cb600054718d10c1bb4600_wormlocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-14_3925cdc1d6cb600054718d10c1bb4600_wormlocker.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2100
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32 /grant "Admin:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2032
- C:\Windows\System32\WormLocker2.0.exe
  "C:\Windows\System32\WormLocker2.0.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=WormLocker2.0.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2636 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C

Filesize
579B

MD5
f55da450a5fb287e1e0f0dcc965756ca

SHA1
7e04de896a3e666d00e687d33ffad93be83d349e

SHA256
31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0

SHA512
19bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C

Filesize
252B

MD5
c49a668d231326bdc335980b1d46e433

SHA1
7d02b65202296d8697e850a55b3172c1234f2832

SHA256
18671a0efda54dd654266a92f2ef70384b967841cf553fedef7a504db7a0acf6

SHA512
df190c967ab42bd1bd923f548c1f94dc6097688e9fda504c6a80ccca1783ebca09bf86e2f46f432c13d8ec3bffdf11cdf6ffbcbf3cd7e213ee71f6875180562c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
350a1c6836e7ba4f4d0d44a6bf15f7f5

SHA1
6cee868df2b8511da43954f6729455c87b54e2da

SHA256
43730601da8a9a4a4874d04e3b2784dcba36a0a2761667882d00c93479957d13

SHA512
1e81beeff9e8324ea4c09e8df9435645f95fdf2bfdc62f3d8701c6ca31f2177ee7e7604e11214907f3720265015c062fcfd31dd7087ebad2aae062d0f7eb799f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d06daf80fe39517e544886890aab80db

SHA1
6e7d85a1ecc8231a763c91b19786f943a720c68d

SHA256
40a30ff53adca9a53e330b1aa8346880ebdb27bb5d15f41826c12866399797a6

SHA512
6ba378db2508911e41cb1678bc836e95f41b4f9b5387a880d324d0574c947f406a426ca513b2399ed3f4d4bcee05986729cb2f1b6fb4ae596868eccd15f8f5da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
540e784893f9c8661fe42bcea906460d

SHA1
ec9d69f50279ccf0617083f15c9fd7fcc447ed60

SHA256
625fc0c6604357b00c510a63cb49a858da5f41b2275a5627849cedc5b239676c

SHA512
e58ab61807d885fb516defa23f03514fb191f25d33aa66dd6028d662fbc108cc74a95cfedfe5e9c757b2d5c257e903d756f4499b897dc4b5d3fcdec85ad8c9f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
37dcb42f0e608491cdc52c50c4498f2d

SHA1
a92771a3cf1c402fc6c6f9161bf2469eeaace95f

SHA256
3dbe7d1e95d4d3fe5c427a489398e09d42f061eca8d0992802d1f00366691002

SHA512
0abe5af16cd1f3cbfb69c95cd1e8c5d6e62514c1c0ba602ee5c1d478bb2bc532351eda76dc21a3004f9b671f33c09c079044f41dc42a4d27ce04cbece2d5d072

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f754b5cd951dd6f34db0cb4f8a1e00fe

SHA1
7086c231c7b23e9abdd29cbfdde7053fb481b027

SHA256
865e8f83fb08586d6fd8260b7e1f01c67eea533804b8fa3f7d46aa72006bc3dd

SHA512
d604b3a877060c27410e723688bd420808be76be8ab2cd67513cb40f34e5e4b3dcbb893ae8e2dd0b1f03f4eb27bd506987989a864903edcd462ea8e4c08e7c84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
464f8567990f19a151a1c5c010ab0f77

SHA1
804d8f21dbfa24c355eb3bead73fc00f469f7b7e

SHA256
18f5b35854639f2de06339b842d71cd99d0e114f1aea42f881750d8bb71de883

SHA512
20573b4ea07a135286376d1f614c41fa8eaa7c26fffdf789565a28ef98a22ede74aebe47db3a9d4b935b5368c0812b73130da766a356d837ba1052f20f17bcce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
84e9d50f71bbff8495a9daf36d742f9a

SHA1
5638e60b52068559a3bb133cb3426b42474ef2eb

SHA256
e9e5a787d30db47ffd2541fe0b25aa808ea8acfe72f1765893530885687d8c27

SHA512
d6a77ee4586f1a35a3803341a0141b1d3f2d70b20bb7adee0a1c61b4877b11083c8f9cbe8e3594e0868952129425c9a2a008a7e7773fcfd18a062264757fac4c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ac5cec089c90b3981dd94b2de75d1075

SHA1
06d4f8158d98e62b7d0cd96b1ffea3f49ba1e3d2

SHA256
75d92d9d71eed35b14866283210161d6307a12cc8280dc130a485e69ecd300ec

SHA512
4c5c881e4fbfb3b91e3f8f1018e08f5ba2ddc376dd50c230f3a3edaf5de7b6dff8b45a127d0cff08c9414c87b885726f618a8d10de982d7ed5d5e0ffe37d6145

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
888ca876ef4b24d217ee3af30b037601

SHA1
0d0186aaf6423c22f4d150110cafebee1e898992

SHA256
1908469cca5cad169923516f990402f614ed402317865289b95592b17d133648

SHA512
17cbb888a09ef94be91fc11443fe812f0d22c5f70718207a2a357c8a1aa7b4f84c97a79bc9fe7a9630a812e402f206a9d414d8503ac181bfb81d514b6cde4c6d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
374d6cd2c1a80e99b818b41ddc3fece9

SHA1
906c45453973c236da68cffede89b2f771320141

SHA256
c4ed74ca5d1e6aa698720887e4fa6a0a8640a3503f235d1c41f84d12a5ea59e2

SHA512
7000a2a4cf47a5465e647692035b7bf4ea6e3c203866470271a64c28fe6992297b8cfd9beda4982c83a9bc9828b4df702dceae1c2e389b4c862c7bfe2700e426

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
08f16fd5132239201e5bd33bdbbccbaf

SHA1
6975e5fcf264b0153e65a12f51de108af066a9bf

SHA256
5207e902c6cb6eb7a3844a9cc4c03b3890d84372b74f70f7683c1e0b57361dab

SHA512
e21ecb7b80da6f54d8190397b8f549bc2997e117e7829dec17e89149ce4e8af1a6310c7f1142ff3d19189a029b6e63f3c75178bd3af4b06980be1ce04fbc20b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6154c544def4e62c2736ef553a817a98

SHA1
d6bc20bbe954f520476d4e63bb856431abe69760

SHA256
defa3342cda601e24081013647b65d7fb5ad0ac352e59f88efe8f34750c411ff

SHA512
b57da36638ddc666d4739ac20f1084814cbc7a1accd5338dd1bf8be0353e648dc5829a2dfba85d0fe88b8cd543d51d49e89abc0bfde217d9ff1c287378ce1409

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe25c32ccaacb031b3a91b6a3eed8cb9

SHA1
1c1674a02ffd0271d12a1c3a9aed1bdc4f5ee734

SHA256
354379bb92c589d43a9e47f6609e2202d9ed348a8305e3137e86f7fdc8de6dce

SHA512
b2a0ef2f62537af8ebfc951530e0333b06014b169e90542af7b14f74bfdb63b29ed2ebe24218d43ba47281243e568c763c62cf0644ce2513bedef60c10a8b35a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aa85c19aee612e22bca5747aba7f35b9

SHA1
2f98048bae6af585b9d3f1aa4fff316997f4adda

SHA256
cbd267a6b494c2ee7927d7aeeab71084fc1fea4f62f004e787b768b7463d7a3b

SHA512
437543de5112f678ad564c470017bc9dad239807ad3b27684ed5eb939748aea0ba535847ac68493ea5c0754f5134bae1bdc1edaabdb383d88e479ac4f55374e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
14c2ea99cbc21244b91170f9b611a228

SHA1
4eff4f8c7cd8afa913ff7368d889552da8eecad4

SHA256
fe1f9f02f151516eb5f65286b7ff67df9c145136e712251b0bb0484e5a24ca85

SHA512
9993ab36a5788edd4316efb5cd088504e5e8d5a59e624db96f4f627cc8204478f9658d0b6c70d5f34c0868b06a74c09bca8bf545c038117692d4edfe520bf530

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e7d531ab9f4d2971f988ad4dfd26ad43

SHA1
420ecb41e12662f13e6d0b107571e6da8f2d4963

SHA256
fb32a08233fa1fe94c7d3ab49ff497eb0441cfee50faeb8df0e8b2e0df5ecbef

SHA512
2c5a3d7cb282437cdee25075b26378c6a0f9237a76a0402a8d5d9f53e31f0ff84b786aa460f38ab4d0322308cb7654fd62213361710dac783fa694c60ef8dd72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
464c333201bc91c2878c19899c1c9380

SHA1
82ecc14b13d87a30e3edbf2470cb0f06f4f771f5

SHA256
e36f86ad32d30d6fae9348b97e8b72d77ee7575f6a5815ecc62c72fe887bf64c

SHA512
5bd9306295b95010113c8e5edf755c1df54a26ee90479c755b5728ec0f4d26faabc9303276e9a459973a7ca51ebb5561a7f9e6aa90d4201711b099ec0a40d453

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7a8b01a27c0b6fce847775c8a3b2b625

SHA1
8c0a8123d85297668b466e2887a0cd60ebfd2181

SHA256
ac25fefcc9017bd20178f8ff0e81ce3c74a48c738724a139170cca028ea7d5c3

SHA512
9f9946ff239c4e70b0636fd04d4fadc58886678a018efff9a6871747c57c9681fc1e5cd38cb5b7d9b372d9cca12d15a0a2ff5108fadcc37b4edfd32531ab136a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d63839ae7fac34092eba673e35b88343

SHA1
2a1e031958c7d54c3b0da11853e2f09f3270a478

SHA256
e777200723fa1a35d14f0dd3e3b7feb2cd993ee24fcee33484a83ff0aa4fba9f

SHA512
bcb5316110b745bf408d84627923ce29976f001e45ab3e7e34d4aa262877f8dbd165eef53274e61f1184330458406aaf70cd8344f9ee1cb14c71b8efee805158

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f8262f622c1ad3973b281e21327522af

SHA1
2f315cdc764d511c73d4b9033928e17a92eba5ad

SHA256
072673d849455de5631d7ba43e1e152cb21cf4b8f3e9ade835e1d3cd7a3cfb0f

SHA512
be323b3a93f4f12bd8e90ae66189874ec8d0957feb5fbe4bb23cc939772a09d33403d5be7a48388b9527287fd54ec1e4d08225b2003850396a0cecce9306a0d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e1a91889a0f1f625aa5aef430d81f386

SHA1
f22c2d3df350bfdbd16f94c7f941181818acd19d

SHA256
0d916a408262b56bcda2a8b644233e15a504d7df94f4bb6f7f90c68920667441

SHA512
a08605be0ff5f5b54a5b2f94903a3611eb08c88ff8e1d0d4734f2493d9d4cb44f0c2f8e0810277d51898cd4636ccbf32e078aabef9e5417249b3c5922b58bb4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
db01ee83ed29be8b195c665be8b5500f

SHA1
e8c238cfeeb04317e866d7079cf2eb1c02ea6056

SHA256
f4d7c14f88e4788097a129ebd1036a7c829b15a963931b2831fb76a77ce48bf3

SHA512
c219cf7fb62c4a513d8f1520e7d8c632d9a64c87fb7ea61cf524aa8db50f1ba3a4f1f102647dc473e8fb72a421253597a8561a877ddb781559967d7afcf5d6f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d4b6a196801cfb6d8b4da54e30bbb2c6

SHA1
b24950cc36b47e1181c7c8883edf0cf015be4695

SHA256
5b8228b483cce88011f084d890813e53fed11e82194a42988d7f17db02a76669

SHA512
012dc8fb01963430d8b7d61948b5ceb2914bdfc883485d595e29cedd87fc4a8b405afb92a7f7bc76447b5dc965cde717833bea99dc282ee531467cb1989f94a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c8c9b5c6e05a0feb759d9fb9474aeb8c

SHA1
b3ab9403a7f7644f7a1befff6d90be910ebc2e50

SHA256
5e2bc31bd8fc3d79d70ef67e43f0fcdb28d9774e5b6e08b6f3e28ab21ae3ed96

SHA512
cd09dbf9c623c4e744e4cd47de2b94468ba67ce2788acd29a7caa3dd5f83a6b1e712f3301b92a05e42fe2fabfa10b21f2006638f4ac2a0b3aeb364bb8bd673d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ed6aa510453c04ecd954e260e5d0682

SHA1
dc011321e08140b222938254d3cad36a189e79ab

SHA256
b7036daf0de6f4ece59c4a52e9831baf4cb41c0e3d7eaba868a381bff2ba8d84

SHA512
944addf4cea24de2aa0a61391a0bc30d268277d84cabb21fc556f0a5591ea35c4fc881df9dbf1149fc446755e97c1c08b6a7574c41e65e2141812032f49bc24a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ef82ac77336da2eb7a7a2480f219898a

SHA1
1f864a17cc14000c9032c02e5ac922f37c74fa14

SHA256
ed476e3ff87e5cf7908b075dc51a4ab8772e17eeaefe37ac05b1b84250f51e4d

SHA512
b42428602f793405e95e20f3e65bd57d692f7798be553cf223370a20bb72b06ab8e6c41f18ed4eae8e19381856e4ff27f684480c229ca453c4a049efb7260ece

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
09faa98a1e67aa8d6846c951debc90fb

SHA1
b9adc17154dfb5171462227e107dfbca0b4b4307

SHA256
4df72435f716c70c7a46fe0f6b1f94fab32ec1d6287e54940d974c3e69eb85f2

SHA512
d73c8bd4fe4c6ea6ff429e58c485c07d5f30d642469761874c5fbbb46062b926cda9f4b222d6ab55f6511a36655ea69fdd33f3ff6f4f264c3c723e01b269b91e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab40CA.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4169.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\System32\WormLocker2.0.exe

Filesize
1.6MB

MD5
3420636d8883f01e68c7e7515ee942d9

SHA1
a1f86c942e6020c146fe930a7a41e46459a053e7

SHA256
0a401f3e86bd052e63baeae1b535df3659699c7bbab5dfaeae09037a997d981a

SHA512
1d7fd12f319e198cfa28ed48c28b02bf4d1a590b50b2851e0a49a14adcdfd999aafc6c67c2d996dfa8eaeaf5513b41302a97b21f5dba9d910467c890bfdb0e74

Download Submit
memory/2088-0-0x000007FEF6183000-0x000007FEF6184000-memory.dmp

Filesize
4KB

Download
memory/2088-15-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp

Filesize
9.9MB

Download
memory/2088-10-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp

Filesize
9.9MB

Download
memory/2088-3-0x000007FEF6183000-0x000007FEF6184000-memory.dmp

Filesize
4KB

Download
memory/2088-2-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp

Filesize
9.9MB

Download
memory/2088-1-0x00000000011F0000-0x00000000013C6000-memory.dmp

Filesize
1.8MB

Download