chimera | 83875ea85b183c609c5ddcd92afe62265745192a417b80524f12741fc028aca0

Resubmissions

24-11-2024 00:19

241124-amn9zazrdk 10

03-05-2024 16:55

240503-vffz8sec77 10

15-04-2024 14:29

240415-rtx9wsgf63 10

10-04-2024 15:57

240410-td2cqadc92 10

Analysis

max time kernel
2s
max time network
47s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
24-11-2024 00:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Computer Raper.exe
Size

85.4MB
MD5

bdb24ed9f869fcd462b316148514fc5b
SHA1

83935122b626378a3149e9036cd751514add4b52
SHA256

83875ea85b183c609c5ddcd92afe62265745192a417b80524f12741fc028aca0
SHA512

12fdb77a75debeacbc4b98cac45d09a7bcc378bd9bd51bbc035838b99c1d595660d5c0961a2d041b2e8359f3b5b096f589d39453ada9874436411b94b8b0d611
SSDEEP

1572864:NUkskQ1oOZrCqix58TkbajhXBFEQT9VotzcJ97:N/NQbCbmXXEUvoM97

Score

10^/10

chimera gandcrab mimikatz backdoor evasion ransomware upx

Malware Config

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-1361837696-2276465416-1936241636-1000\FFSAJFUZL-MANUAL.txt

Family

gandcrab

Ransom Note

---= GANDCRAB V5.2 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .FFSAJFUZL The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/a95c96b5ec64b6b8 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAKUYUpIeVwdCWcZ91bwYwEllNxL7PBcey2OyB39Ifk1/21O8MlEScOzzQuVguR0m5MfyqfspQ0jub5Rbml/MeHYb+PpeZ1iGW04sGcEVRAMj15hW3aJsEkSzeXIz3fCxSe2yMsMY+gwbbEW8zg8buGITiZxVPFNRKvSZqyn8X7dU6IXQ19QJNFmrSqTNoxhehGjWrROGk2rVd3QfTrv1tzelX5DURFlRLe3C968ZpEFiIuFwpMCvTMvy+Zj4hP+atC2654durAR9U0OkgrD8uvOrwiHqkO1Q0UXZeAeO3M15ZXMW1uadvFbvz0e6kOJqeBTTjiz+8y90FCHDErQ6VSP6aGRMhG0wpMesOuZ7LvQEdbPvwKPLSPBPuQ7jakFLgqU5o5p7dHgFrf3cypOE9XRQ+gmmR609q+Cf117SvQsCMgQ12MyoHcgNC67fxvoHRZHdK/Xaj7Q2gEIbNFJVzDbHguVXw/jND3BvGZ/cA8hs/kFnQVrzQe0FLyIUshU6EiyEunp+/SARdKc2wOPN61Ha+DcvZ0H8ir4fZQQ9gFr8j6w8hGJgxnN9+akVsy8R6MS/KKk4gnbXiVZ2vbOpgdq0z/pSGd7t6OC7po3JqExRIn0TIf3pBgwEo2q0CG8rt1GK4oWtNkORX6FYAE10tcoqpEwjw9MNMkD2SyC/zy286GbA2rReYY9gURTLH3OM4jTtZ5g+1DwrxIyy5ROnvbys8XtT26IlUx95+CrCVZ7mwZCzxebDk9bmUccl7Ur0Z8mnGvsbK+ojx6N4cqBc7MAY8EwQV/nLN/uK2orgREhWUY7MbQ3Q/knwDMek7xigKCqknJ7HE9WuWmn9V+ebrWmS6d/uTzEwOkyMjG0TazAjuV8hf9uKzZ1G5FEQHFrJGblJQYpWV2UQLLJQmNcqL3KujBFiFs9XhUcUxyCSYhTjjIGK1Rw3nyfONdmwQdPvgTK3+WLPJPRGNW3uJKeTd0U4py5oEgkz078ApXKfeY/2i2E7woHOdqeSvBuo1uTykV5P/okXj/7AOM8AnN8SFIOyJsMKH1b43N/iHWuorG0OgDT40tVAYB8KA2gEUImpt991zAEoHLWB4eH2CY9hUYgXTR+7eMmdpz15sGqVO/sW2r5b65tAUiYFojURMFzDqGoonfOC9Bt1fUUSJQ+X4MFcUVPrsKlWHqG4Pn2PXww5P3Lvub4cLvGBWXKREXCWowKMIY4tMPbJAgEzQ+ZTsFJkStkoEg4kBNcOXaH0hlUputtRdH+ynuWY1sIssk/37meAfiCdjvldnYwuz6NdQ7+DDcStHL5FCGq7B/m4ka8v3CZUARokT5w1X8rN7+9h6sSASOwm7g90cSNXSdwrfVo378VHaU6vHCpiZwcohGc5xQnYs8zhK5mTDrH2vKs60gG1OXHvn+dVAXhw4oVHJn6vNlh+rK3l3+l8+Rgs+QRbRNyA4mjc4Iowl0HbsTXDSfw9BzJNo6qb5W7+9VO1io6Ffj+sdCnmW+sULGNq9sia5R4TOaC9macrJFty5Xe/r61+vCPCCHHt3jSlYi3UH8eYTATHHRDG0riTNHnI7X+/slIWX5fIPsUOBBftu/mAzueTDk0NIvWMDia14u0rVL/Qmt7bbeAiCe9lG4BnDk7d10xPF9dWioBF2+NShRZ2uQk82vMViyoVUuvfVlkAxuCp7PlK14jjtNJm5rhMCqUPHqNqAuvFrcQlwR1IRkvBXqH8D/U1tKJZobQk87VW+iF/ac+P63lgIRrNV90dqRruDwJYNGtwjcG6dFJSl7b8xdSPhfB6pPwQLBvPMxXW2if1l9Ex794FGJrgmUjAwsvM/W/k/AOgnZfMLIskNhvov7wPSDKk1xdbs+bcOTPicTIYbyE4vbxZ9+myorKre2cAnbCbUdObQAnb1TbTUtZyLbhP08NNMZFSxrPRWjli36SEYrTgXHL1R3QxjhkuZ8qQNdmPJheErsmtSwHHoqsDqFL47t/K+IGtRoJauc4P4BHwyo7PGes2WASFblCrKpo0RO+ZxyflwYjiho3t0dPzXzk/yCpiOFrQi8rDm8QrVCbNXIlqaZVJ8CjzGsa6GUtV5ZP2mvc40MLnomJA+SHamQD3Xycr13GXGJpsHO1mqytc2h8t1oyrGrc8H45fhcmiMXQYxjyiAVLhbVOOtF/fZ1p0C6p+4e/BObxUQ6zLvvjx5HdQTitpJkcRUXLlASzXz5ze4/9nFenxIuv3Ckor4B61y+M= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- 7ftDEgLb/ZS0lcmZbHM61KDJ6AOtD78KkA7absMgUXYxWLsC+5+UYF9xVmDq9MzJN5DCAu+Vp+DGRWnIKnQXQzua3LPyzokSUuglaqKXwabsGM4pXku5In6gtMQMqg7sgEh1XW1iPMFgiUj/s1LdWpJHdiPjMpn7rCZNO/A31mak0K8RefoREu3BxtlAsseHWfVIIKN0U4NnA3w0Ga7XDLlF3iOIB6ImYbF6Z/7MBN2mgBr2rZ2gU1R7jNx2WKAyu4W+5zlHFnKwMISBi1CwemWoy1rWnPOZxV8SSVjOsTAmmL/7s4CzGBkpOKj7RToVZfeU0wFSACDBtKyJP9BcBnpq7cZhR723XrGVmYCRgUfRP9Dy+fM2LL3jX6Owrw1W4OYvT0bJ2/bnLzB06veHSySz26B+oWfFo533PDqxlSg7ubDoQVp+6k2VyOmsqBtvY7wKrt0yoC8O1fylWzmQ7ql4Gew6gTqwNkzeb5UfuNxXLW2jrLjVwFni8jPDKIqgjY3pWN3+hglhvFqi4oFZEvhEsSM+AN7hzdQWIEz1U0GTyeyMcZ0O1go/+eQSe20E23SaCuLrfdcRPB6VJMorLqwb8AmOcGyVvrCSEaKsTrSHnIyaYEIrb5s07lHfcy/ShKIdDA3FyYH6qAJw1UbUxI7G7XVYm+fKMPMuEsCdCZihzgpfE7oT7wA2q18= ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/a95c96b5ec64b6b8

Signatures

Chimera
Ransomware which infects local and network files, often distributed via Dropbox links.
ransomware chimera

Chimera Ransomware Loader DLL 1 IoCs

Drops/unpacks executable file which resembles Chimera's Loader.dll.

ransomware

Processes:

resource	yara_rule
behavioral1/memory/2872-74-0x0000000010000000-0x0000000010010000-memory.dmp	chimera_loader_dll

Chimera family
chimera
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab
Gandcrab family
gandcrab
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

Processes:

resource	yara_rule
C:\Windows\F86A.tmp	mimikatz

Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

1032 netsh.exe
1448 netsh.exe
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 bot.whatismyipaddress.com
16 ip-addr.es
23 ip-addr.es

pid	process
1032	netsh.exe
1448	netsh.exe

flow	ioc
8	bot.whatismyipaddress.com
16	ip-addr.es
23	ip-addr.es

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Birele.exe	upx
behavioral1/memory/1792-138-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral1/memory/1792-152-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral1/memory/1792-1096-0x0000000000400000-0x0000000000438000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\RedBoot.exe	upx

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

4040 taskkill.exe
25164 taskkill.exe
25156 taskkill.exe
Modifies registry key 1 TTPs 3 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exe

pid process

3156 reg.exe
4116 reg.exe
3460 reg.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

SCHTASKS.exe

pid process

3248 SCHTASKS.exe

pid	process
4040	taskkill.exe
25164	taskkill.exe
25156	taskkill.exe

pid	process
3156	reg.exe
4116	reg.exe
3460	reg.exe

pid	process
3248	SCHTASKS.exe

C:\Users\Admin\AppData\Local\Temp\Computer Raper.exe
"C:\Users\Admin\AppData\Local\Temp\Computer Raper.exe"
1⤵
PID:4024
- C:\Users\Admin\AppData\Roaming\AgentTesla.exe
  "C:\Users\Admin\AppData\Roaming\AgentTesla.exe"
  2⤵
  PID:4756
- C:\Users\Admin\AppData\Roaming\HawkEye.exe
  "C:\Users\Admin\AppData\Roaming\HawkEye.exe"
  2⤵
  PID:2872
- C:\Users\Admin\AppData\Roaming\butterflyondesktop.exe
  "C:\Users\Admin\AppData\Roaming\butterflyondesktop.exe"
  2⤵
  PID:4944
- - C:\Users\Admin\AppData\Local\Temp\is-AC20P.tmp\butterflyondesktop.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-AC20P.tmp\butterflyondesktop.tmp" /SL5="$301D2,2719719,54272,C:\Users\Admin\AppData\Roaming\butterflyondesktop.exe"
    3⤵
    PID:708
- C:\Users\Admin\AppData\Roaming\$uckyLocker.exe
  "C:\Users\Admin\AppData\Roaming\$uckyLocker.exe"
  2⤵
  PID:3768
- C:\Users\Admin\AppData\Roaming\7ev3n.exe
  "C:\Users\Admin\AppData\Roaming\7ev3n.exe"
  2⤵
  PID:3688
- - C:\Users\Admin\AppData\Local\system.exe
    "C:\Users\Admin\AppData\Local\system.exe"
    3⤵
    PID:2304
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat
      4⤵
      PID:5064
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3248
  - - C:\windows\SysWOW64\cmd.exe
      C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
      4⤵
      PID:22548
  - - C:\windows\SysWOW64\cmd.exe
      C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
      4⤵
      PID:22588
  - - C:\windows\SysWOW64\cmd.exe
      C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
      4⤵
      PID:22652
  - - C:\windows\SysWOW64\cmd.exe
      C:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
      4⤵
      PID:22772
  - - C:\windows\SysWOW64\cmd.exe
      C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
      4⤵
      PID:22780
  - - C:\windows\SysWOW64\cmd.exe
      C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
      4⤵
      PID:22788
- C:\Users\Admin\AppData\Roaming\Annabelle.exe
  "C:\Users\Admin\AppData\Roaming\Annabelle.exe"
  2⤵
  PID:640
- C:\Users\Admin\AppData\Roaming\BadRabbit.exe
  "C:\Users\Admin\AppData\Roaming\BadRabbit.exe"
  2⤵
  PID:2052
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    PID:4064
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Delete /F /TN rhaegal
      4⤵
      PID:4876
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /F /TN rhaegal
        5⤵
        
        PID:24236
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2278635185 && exit"
      4⤵
      PID:2932
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 00:38:00
      4⤵
      PID:4760
  - - C:\Windows\F86A.tmp
      "C:\Windows\F86A.tmp" \\.\pipe\{795EFCEB-48C5-4999-A165-7A5BFDF68004}
      4⤵
      PID:1776
- C:\Users\Admin\AppData\Roaming\Birele.exe
  "C:\Users\Admin\AppData\Roaming\Birele.exe"
  2⤵
  PID:1792
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM explorer.exe
    3⤵
    - Kills process with taskkill
    PID:4040
- C:\Users\Admin\AppData\Roaming\Cerber5.exe
  "C:\Users\Admin\AppData\Roaming\Cerber5.exe"
  2⤵
  PID:2008
- - C:\Windows\SysWOW64\netsh.exe
    C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
    3⤵
    - Modifies Windows Firewall
    PID:1032
- - C:\Windows\SysWOW64\netsh.exe
    C:\Windows\system32\netsh.exe advfirewall reset
    3⤵
    - Modifies Windows Firewall
    PID:1448
- C:\Users\Admin\AppData\Roaming\CoronaVirus.exe
  "C:\Users\Admin\AppData\Roaming\CoronaVirus.exe"
  2⤵
  PID:1844
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:764
- C:\Users\Admin\AppData\Roaming\CryptoLocker.exe
  "C:\Users\Admin\AppData\Roaming\CryptoLocker.exe"
  2⤵
  PID:4284
- - C:\Users\Admin\AppData\Roaming\CryptoLocker.exe
    "C:\Users\Admin\AppData\Roaming\CryptoLocker.exe" /w0000024C
    3⤵
    PID:4288
- C:\Users\Admin\AppData\Roaming\CryptoWall.exe
  "C:\Users\Admin\AppData\Roaming\CryptoWall.exe"
  2⤵
  PID:3880
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\syswow64\explorer.exe"
    3⤵
    PID:2996
  - - C:\Windows\SysWOW64\svchost.exe
      -k netsvcs
      4⤵
      PID:4128
- C:\Users\Admin\AppData\Roaming\DeriaLock.exe
  "C:\Users\Admin\AppData\Roaming\DeriaLock.exe"
  2⤵
  PID:1164
- C:\Users\Admin\AppData\Roaming\Dharma.exe
  "C:\Users\Admin\AppData\Roaming\Dharma.exe"
  2⤵
  PID:1176
- - C:\Users\Admin\AppData\Local\Temp\ac\nc123.exe
    "C:\Users\Admin\AppData\Local\Temp\ac\nc123.exe"
    3⤵
    PID:1344
- - C:\Users\Admin\AppData\Local\Temp\ac\mssql.exe
    "C:\Users\Admin\AppData\Local\Temp\ac\mssql.exe"
    3⤵
    PID:4932
- - C:\Users\Admin\AppData\Local\Temp\ac\mssql2.exe
    "C:\Users\Admin\AppData\Local\Temp\ac\mssql2.exe"
    3⤵
    PID:24912
- C:\Users\Admin\AppData\Roaming\Fantom.exe
  "C:\Users\Admin\AppData\Roaming\Fantom.exe"
  2⤵
  PID:4692
- C:\Users\Admin\AppData\Roaming\GandCrab.exe
  "C:\Users\Admin\AppData\Roaming\GandCrab.exe"
  2⤵
  PID:4320
- C:\Users\Admin\AppData\Roaming\InfinityCrypt.exe
  "C:\Users\Admin\AppData\Roaming\InfinityCrypt.exe"
  2⤵
  PID:4720
- C:\Users\Admin\AppData\Roaming\Krotten.exe
  "C:\Users\Admin\AppData\Roaming\Krotten.exe"
  2⤵
  PID:3604
- C:\Users\Admin\AppData\Roaming\NoMoreRansom.exe
  "C:\Users\Admin\AppData\Roaming\NoMoreRansom.exe"
  2⤵
  PID:4512
- C:\Users\Admin\AppData\Roaming\NotPetya.exe
  "C:\Users\Admin\AppData\Roaming\NotPetya.exe"
  2⤵
  PID:4488
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Windows\perfc.dat #1
    3⤵
    PID:1156
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 01:23
      4⤵
      PID:1784
  - - C:\Users\Admin\AppData\Local\Temp\1D86.tmp
      "C:\Users\Admin\AppData\Local\Temp\1D86.tmp" \\.\pipe\{53364332-A52A-4FAF-9113-61BC09712BB2}
      4⤵
      PID:4464
- C:\Users\Admin\AppData\Roaming\Petya.A.exe
  "C:\Users\Admin\AppData\Roaming\Petya.A.exe"
  2⤵
  PID:544
- C:\Users\Admin\AppData\Roaming\PolyRansom.exe
  "C:\Users\Admin\AppData\Roaming\PolyRansom.exe"
  2⤵
  PID:3616
- - C:\Users\Admin\CaogcEEM\TaAEoMww.exe
    "C:\Users\Admin\CaogcEEM\TaAEoMww.exe"
    3⤵
    PID:748
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /FI "USERNAME eq Admin" /F /IM FMIokAcw.exe
      4⤵
      Kills process with taskkill
      PID:25164
- - C:\ProgramData\KYQckgEQ\FMIokAcw.exe
    "C:\ProgramData\KYQckgEQ\FMIokAcw.exe"
    3⤵
    PID:4332
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /FI "USERNAME eq Admin" /F /IM TaAEoMww.exe
      4⤵
      Kills process with taskkill
      PID:25156
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Roaming\PolyRansom"
    3⤵
    PID:2388
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:3156
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    - Modifies registry key
    PID:3460
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - Modifies registry key
    PID:4116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sWIckEIA.bat" "C:\Users\Admin\AppData\Roaming\PolyRansom.exe""
    3⤵
    PID:4364
- C:\Users\Admin\AppData\Roaming\PowerPoint.exe
  "C:\Users\Admin\AppData\Roaming\PowerPoint.exe"
  2⤵
  PID:3408
- - C:\Users\Admin\AppData\Local\Temp\sys3.exe
    C:\Users\Admin\AppData\Local\Temp\\sys3.exe
    3⤵
    PID:2368
- C:\Users\Admin\AppData\Roaming\RedBoot.exe
  "C:\Users\Admin\AppData\Roaming\RedBoot.exe"
  2⤵
  PID:25020

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a2c055 /state1:0x41c64e6d
1⤵
PID:3672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Briano\UWPHook\MaterialDesignColors.dll

Filesize
292KB

MD5
39367419516f5f3df9ab1f9e5d0bbcd5

SHA1
762c9acdb09bfdf40e700645131999202abbc871

SHA256
976eea4567656d536a6344b3834f958f2b9e27401b94c643681770437d5abc68

SHA512
20ea8a64a14579ef5403eae8a6345afa0f9b12229fdb8bc869f7a8cdd4e785093b9f60f9445be738266a161d75f53a8b8e42a69b2f9b4cbf4684f5dbf5113ae9

Download Submit
C:\Program Files (x86)\Briano\UWPHook\MaterialDesignThemes.Wpf.dll

Filesize
7.1MB

MD5
fbd761926164043ac71ee9b83ab37fd1

SHA1
38d44b0f40fa31124ba139adeb6f7adc7e53ee19

SHA256
013a42b8c6ffa29e2198eed4faf6168247b6550a4c4ed5d82023a1d82a08e27e

SHA512
c2a0be2d8b5b98dc19ad167aadc1e68905ad259e3b0e020cfb95a8a816964549c98a9c5bc44b8f4640147bfd8555e799216b8dba13bf0eefed9582782da552d2

Download Submit
C:\Program Files\7-Zip\7z.dll.id-EC64B6B8.[[email protected]].ncov

Filesize
192KB

MD5
ef2e0d18474b2151ef5876b1e89c2f1d

SHA1
aef9802fcf76c67d695bc77322bae5400d3bbe82

SHA256
3381de4ca9f3a477f25989dfc8b744e7916046b7aa369f61a9a2f7dc0963ec9e

SHA512
e81185705a3bd73645bf2b190bbf3aee060c1c72f98fa39665f254a755b0a5723ce8296422874eb50c7b5e8d6bcd90175b0ba28061221039172a3f50e8902cc8

Download Submit
C:\Program Files\Java\jdk-1.8\jre\lib\YOUR_FILES_ARE_ENCRYPTED.HTML

Filesize
4KB

MD5
0e4ba2280f55428c6b6291d6038164a5

SHA1
cd3deb5c5787bbe7ac664ac024e5892ef8809be2

SHA256
2895a5d7629c59dbe1e7fddf0776b62abc391b2c35ae6d1d070e255f85690f78

SHA512
2e64d01daf05fd1067e2a613076aab094562e8d1dd289f4d12d6900cd0041852c691421e86ef5349b8e70ab0950583a6100bc3316b867d4cf61c28c85502e8a4

Download Submit
C:\ProgramData\KYQckgEQ\FMIokAcw.exe

Filesize
184KB

MD5
bc4ec937a17bb5c3843bcb9772790aae

SHA1
6fdd87b8b62506b2fde3d3bd6d1952cd2e95cdff

SHA256
671f3ffcf6ba4b4899baf1a54b1c7a57331a121739235290d015f268a96d3b4d

SHA512
d6fb1dc37570949f5143693e8119b9181af1083a60e33baeaca75e63f28c318b1f9cc801af3a8ef4685c5fa5b346ef5ba7e539964b258e14e2048c5fa682a25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac\mssql.exe

Filesize
7.9MB

MD5
bd4ed319850726f6b99efbc1d2529b23

SHA1
c867fd0c3c4c26174bb5c76ef2a02671b3ea2062

SHA256
518eee37bcdf6b6dd0a46aef3e878c4d4f04ad852f2fd7007cb515e621caefe4

SHA512
e88c411d2c29e56c105461dd72e3ed0b226eda9569768223e36deb5e794467c0642a9e3e6284d0ef7d4ecef699c2c604aa0754057895fb56ff03ea62dcb164fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac\mssql2.exe

Filesize
6.7MB

MD5
f7d94750703f0c1ddd1edd36f6d0371d

SHA1
cc9b95e5952e1c870f7be55d3c77020e56c34b57

SHA256
659e441cadd42399fc286b92bbc456ff2e9ecb24984c0586acf83d73c772b45d

SHA512
af0ced00dc6eeaf6fb3336d9b3abcc199fb42561b8ce24ff2e6199966ad539bc2387ba83a4838301594e50e36844796e96c30a9aa9ad5f03cf06860f3f44e0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac\nc123.exe

Filesize
125KB

MD5
597de376b1f80c06d501415dd973dcec

SHA1
629c9649ced38fd815124221b80c9d9c59a85e74

SHA256
f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446

SHA512
072565912208e97cc691e1a102e32fd6c243b5a3f8047a159e97aabbe302bddc36f3c52cecde3b506151bc89e0f3b5acf6552a82d83dac6e0180c873d36d3f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AC20P.tmp\butterflyondesktop.tmp

Filesize
688KB

MD5
c765336f0dcf4efdcc2101eed67cd30c

SHA1
fa0279f59738c5aa3b6b20106e109ccd77f895a7

SHA256
c5177fdc6031728e10141745cd69edbc91c92d14411a2dec6e8e8caa4f74ab28

SHA512
06a67ac37c20897967e2cad453793a6ef1c7804d4c578404f845daa88c859b15b0acb51642e6ad23ca6ba6549b02d5f6c98b1fa402004bdbf9d646abab7ec891

Download Submit
C:\Users\Admin\AppData\Local\system.exe

Filesize
315KB

MD5
680ac34f3ab87d9c200d995268047edd

SHA1
2c995cd3463f8ff463184392151d45f227d4ef4e

SHA256
419d51ca665ff41eaa3184b1183f3cad2eee80398a2a1059674bf347bb3b3404

SHA512
11342526ff24fe7c37c44bcae60bf60a0a08ec99c4f121bf466ef7f090a64b41c0f4e9d9b41fea7d11a34a31a57fa0edfcddc519ddd6776f9df769370ca8e576

Download Submit
C:\Users\Admin\AppData\Roaming\$uckyLocker.exe

Filesize
414KB

MD5
c850f942ccf6e45230169cc4bd9eb5c8

SHA1
51c647e2b150e781bd1910cac4061a2cee1daf89

SHA256
86e0eac8c5ce70c4b839ef18af5231b5f92e292b81e440193cdbdc7ed108049f

SHA512
2b3890241b8c8690aab0aed347daa778aba20f29f76e8b79b02953b6252324317520b91ea60d3ef73e42ad403f7a6e0e3f2a057799f21ed447dae7096b2f47d9

Download Submit
C:\Users\Admin\AppData\Roaming\7ev3n.exe

Filesize
315KB

MD5
9f8bc96c96d43ecb69f883388d228754

SHA1
61ed25a706afa2f6684bb4d64f69c5fb29d20953

SHA256
7d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5

SHA512
550a891c1059f58aa983138caf65a7ea9c326cb1b94c15f3e7594128f6e9f1295b9c2dbc0925637dba7c94e938083fffc6a63dc7c2e5b1e247679931cce505c6

Download Submit
C:\Users\Admin\AppData\Roaming\AgentTesla.exe

Filesize
2.8MB

MD5
cce284cab135d9c0a2a64a7caec09107

SHA1
e4b8f4b6cab18b9748f83e9fffd275ef5276199e

SHA256
18aab0e981eee9e4ef8e15d4b003b14b3a1b0bfb7233fade8ee4b6a22a5abbb9

SHA512
c45d021295871447ce60250ff9cbeba2b2a16a23371530da077d6235cfe5005f10fa228071542df3621462d913ad2f58236dc0c0cb390779eef86a10bba8429f

Download Submit
C:\Users\Admin\AppData\Roaming\Annabelle.exe

Filesize
10.7MB

MD5
bb8c03d788e031bffac2686d2b4bb764

SHA1
323ce52992ebb12b2d3cde60f2f49ddaec919866

SHA256
c2ac8863f87a1294942066d6db5c2005a89cbacd9280cbe24e5e39095d92db96

SHA512
5a45eb7649998fae8aed6eb63ca00196d90426794a30841f4cf803c147dfce764f7170ffaae3272506089114575c3d76896b47b65c00fd3a3a9053402a122a55

Download Submit
C:\Users\Admin\AppData\Roaming\Annabelle.exe

Filesize
11.0MB

MD5
d967a0c455556d43b1d3855777efc7ad

SHA1
343e7feba6c3a5b20277ab0c157a32d3cd194628

SHA256
b1fefdcdba4370d185da3a3d87a32cfb34311b9f7e40565dad062152ac45dd48

SHA512
77462cbb10f09f9353307a6ef3e86c6eebf2c47b344889759098fada5a4eafd4e48ce377df8ef41eec8d5843f1d597885f91fd2c2c3875fa6489ea0bfd37a853

Download Submit
C:\Users\Admin\AppData\Roaming\Annabelle.exe

Filesize
12.1MB

MD5
bc725e33b8b2274e3db8fc176e97f183

SHA1
2de48a1b9840ebeb05b0edca7c7019ee695a6b17

SHA256
e64f27a76ac0765e8cd163ef2f70e9529a98ef65b36aaa26919c9053169ef49c

SHA512
a8b9c82037ece2ed1ba89c3d2ff32fb2d35c8375311ef2368a2ee057375107abd104ecf6ce3b9262c24370b0da2be68ef06421e76b1bbac803625a57c9643212

Download Submit
C:\Users\Admin\AppData\Roaming\BadRabbit.exe

Filesize
431KB

MD5
fbbdc39af1139aebba4da004475e8839

SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0

SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

Download Submit
C:\Users\Admin\AppData\Roaming\Birele.exe

Filesize
116KB

MD5
41789c704a0eecfdd0048b4b4193e752

SHA1
fb1e8385691fa3293b7cbfb9b2656cf09f20e722

SHA256
b2dcfdf9e7b09f2aa5004668370e77982963ace820e7285b2e264a294441da23

SHA512
76391ac85fdc3be75441fcd6e19bed08b807d3946c7281c647f16a3be5388f7be307e6323fac8502430a4a6d800d52a88709592a49011ecc89de4f19102435ea

Download Submit
C:\Users\Admin\AppData\Roaming\Cerber5.exe

Filesize
313KB

MD5
fe1bc60a95b2c2d77cd5d232296a7fa4

SHA1
c07dfdea8da2da5bad036e7c2f5d37582e1cf684

SHA256
b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d

SHA512
266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89

Download Submit
C:\Users\Admin\AppData\Roaming\CoronaVirus.exe

Filesize
1.0MB

MD5
055d1462f66a350d9886542d4d79bc2b

SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565

SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

Download Submit
C:\Users\Admin\AppData\Roaming\CryptoLocker.exe

Filesize
338KB

MD5
04fb36199787f2e3e2135611a38321eb

SHA1
65559245709fe98052eb284577f1fd61c01ad20d

SHA256
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

SHA512
533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444

Download Submit
C:\Users\Admin\AppData\Roaming\CryptoWall.exe

Filesize
132KB

MD5
919034c8efb9678f96b47a20fa6199f2

SHA1
747070c74d0400cffeb28fbea17b64297f14cfbd

SHA256
e036d68b8f8b7afc6c8b6252876e1e290f11a26d4ad18ac6f310662845b2c734

SHA512
745a81c50bbfd62234edb9788c83a22e0588c5d25c00881901923a02d7096c71ef5f0cd5b73f92ad974e5174de064b0c5ea8044509039aab14b2aed83735a7c4

Download Submit
C:\Users\Admin\AppData\Roaming\DeriaLock.exe

Filesize
484KB

MD5
0a7b70efba0aa93d4bc0857b87ac2fcb

SHA1
01a6c963b2f5f36ff21a1043587dcf921ae5f5cd

SHA256
4f5bff64160044d9a769ab277ff85ba954e2a2e182c6da4d0672790cf1d48309

SHA512
2033f9637b8d023242c93f54c140dd561592a3380a15a9fdc8ebfa33385ff4fc569d66c846a01b4ac005f0521b3c219e87f4b1ed2a83557f9d95fa066ad25e14

Download Submit
C:\Users\Admin\AppData\Roaming\Dharma.exe

Filesize
10.0MB

MD5
125608ae2f396f9a115a205ed7ebbbe8

SHA1
acc507aaa54f2908ed78cb2d3565962f7eca179a

SHA256
bc620fc56b9515b71721fc9afe47bfdf512c89ed269637f420504e72b3455572

SHA512
2d279ff46be97bea1e11f2ac5702caa336942df38ee464b6c1fe50d73d5556c249350ae88423b4409f430334e9c9552b05495fd6f5d7aa4dcf5ba4aa34cb5ee8

Download Submit
C:\Users\Admin\AppData\Roaming\Dharma.exe

Filesize
9.6MB

MD5
003120c478e76cf9edaa216b767d59f3

SHA1
e9a904671e840251de105a38bc209936c575046a

SHA256
45d6ee3eb2c49e725cb7c2f75fc9ce5049d3083a8a817acdd87b58a246a4d801

SHA512
4046e683d51d6b228638a079b71b0f40238f96466d7e2f1cbbf8336d496dd64a5667ec3915480cce717de54ba19d648c9d538068ecfdeabe3abd84d7d4a19de8

Download Submit
C:\Users\Admin\AppData\Roaming\Dharma.exe

Filesize
8.4MB

MD5
c566a2b4a7a1e004d49d7eee6ac01281

SHA1
150d6691e9e5857d536e37f1b566bf96a565a2e6

SHA256
cd7d1bf5b69eba9878816c6138367241b3df94a42157f22723c02b9568207e01

SHA512
b8732dea4365e8b10ddfcd8c51dff7fcc424731abe2f3fd264bbc96821bbc74989d6cfb890f1e6482939159f680f958deca143e69c29839807032654dc0fd450

Download Submit
C:\Users\Admin\AppData\Roaming\Fantom.exe

Filesize
261KB

MD5
7d80230df68ccba871815d68f016c282

SHA1
e10874c6108a26ceedfc84f50881824462b5b6b6

SHA256
f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b

SHA512
64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540

Download Submit
C:\Users\Admin\AppData\Roaming\GandCrab.exe

Filesize
291KB

MD5
e6b43b1028b6000009253344632e69c4

SHA1
e536b70e3ffe309f7ae59918da471d7bf4cadd1c

SHA256
bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a

SHA512
07da214314673407a7d3978ee6e1d20bf1e02f135bf557e86b50489ecc146014f2534515c1b613dba96e65489d8c82caaa8ed2e647684d61e5e86bd3e8251adf

Download Submit
C:\Users\Admin\AppData\Roaming\HawkEye.exe

Filesize
232KB

MD5
60fabd1a2509b59831876d5e2aa71a6b

SHA1
8b91f3c4f721cb04cc4974fc91056f397ae78faa

SHA256
1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838

SHA512
3e842a7d47b32942adb936cae13293eddf1a6b860abcfe7422d0fb73098264cc95656b5c6d9980fad1bf8b5c277cd846c26acaba1bef441582caf34eb1e5295a

Download Submit
C:\Users\Admin\AppData\Roaming\InfinityCrypt.exe

Filesize
211KB

MD5
b805db8f6a84475ef76b795b0d1ed6ae

SHA1
7711cb4873e58b7adcf2a2b047b090e78d10c75b

SHA256
f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf

SHA512
62a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416

Download Submit
C:\Users\Admin\AppData\Roaming\Krotten.exe

Filesize
53KB

MD5
87ccd6f4ec0e6b706d65550f90b0e3c7

SHA1
213e6624bff6064c016b9cdc15d5365823c01f5f

SHA256
e79f164ccc75a5d5c032b4c5a96d6ad7604faffb28afe77bc29b9173fa3543e4

SHA512
a72403d462e2e2e181dbdabfcc02889f001387943571391befed491aaecba830b0869bdd4d82bca137bd4061bbbfb692871b1b4622c4a7d9f16792c60999c990

Download Submit
C:\Users\Admin\AppData\Roaming\Locky.AZ.exe

Filesize
181KB

MD5
0826df3aaa157edff9c0325f298850c2

SHA1
ed35b02fa029f1e724ed65c2de5de6e5c04f7042

SHA256
2e4319ff62c03a539b2b2f71768a0cfc0adcaedbcca69dbf235081fe2816248b

SHA512
af6c5734fd02b9ad3f202e95f9ff4368cf0dfdaffe0d9a88b781b196a0a3c44eef3d8f7c329ec6e3cbcd3e6ab7c49df7d715489539e631506ca1ae476007a6a6

Download Submit
C:\Users\Admin\AppData\Roaming\NoMoreRansom.exe

Filesize
1.4MB

MD5
63210f8f1dde6c40a7f3643ccf0ff313

SHA1
57edd72391d710d71bead504d44389d0462ccec9

SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

SHA512
87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

Download Submit
C:\Users\Admin\AppData\Roaming\NotPetya.exe

Filesize
390KB

MD5
5b7e6e352bacc93f7b80bc968b6ea493

SHA1
e686139d5ed8528117ba6ca68fe415e4fb02f2be

SHA256
63545fa195488ff51955f09833332b9660d18f8afb16bdf579134661962e548a

SHA512
9d24af0cb00fb8a5e61e9d19cd603b5541a22ae6229c2acf498447e0e7d4145fee25c8ab9d5d5f18f554e6cbf8ca56b7ca3144e726d7dfd64076a42a25b3dfb6

Download Submit
C:\Users\Admin\AppData\Roaming\Petya.A.exe

Filesize
225KB

MD5
af2379cc4d607a45ac44d62135fb7015

SHA1
39b6d40906c7f7f080e6befa93324dddadcbd9fa

SHA256
26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739

SHA512
69899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99

Download Submit
C:\Users\Admin\AppData\Roaming\PolyRansom.exe

Filesize
220KB

MD5
3ed3fb296a477156bc51aba43d825fc0

SHA1
9caa5c658b1a88fee149893d3a00b34a8bb8a1a6

SHA256
1898f2cae1e3824cb0f7fd5368171a33aba179e63501e480b4da9ea05ebf0423

SHA512
dc3d6e409cee4d54f48d1a25912243d07e2f800578c8e0e348ce515a047ecf5fa3089b46284e0956bbced345957a000eecdc082e6f3060971759d70a14c1c97e

Download Submit
C:\Users\Admin\AppData\Roaming\PowerPoint.exe

Filesize
136KB

MD5
70108103a53123201ceb2e921fcfe83c

SHA1
c71799a6a6d09ee758b04cdf90a4ab76fbd2a7e3

SHA256
9c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d

SHA512
996701c65eee7f781c2d22dce63f4a95900f36b97a99dcf833045bce239a08b3c2f6326b3a808431cdab92d59161dd80763e44126578e160d79b7095175d276b

Download Submit
C:\Users\Admin\AppData\Roaming\RedBoot.exe

Filesize
1.2MB

MD5
e0340f456f76993fc047bc715dfdae6a

SHA1
d47f6f7e553c4bc44a2fe88c2054de901390b2d7

SHA256
1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887

SHA512
cac10c675d81630eefca49b2ac4cc83f3eb29115ee28a560db4d6c33f70bf24980e48bb48ce20375349736e3e6b23a1ca504b9367917328853fffc5539626bbc

Download Submit
C:\Users\Admin\AppData\Roaming\butterflyondesktop.exe

Filesize
2.8MB

MD5
1535aa21451192109b86be9bcc7c4345

SHA1
1af211c686c4d4bf0239ed6620358a19691cf88c

SHA256
4641af6a0071e11e13ad3b1cd950e01300542c2b9efb6ae92ffecedde974a4a6

SHA512
1762b29f7b26911a7e6d244454eac7268235e2e0c27cd2ca639b8acdde2528c9ddf202ed59ca3155ee1d6ad3deba559a6eaf4ed74624c68688761e3e404e54da

Download Submit
C:\Users\Admin\CaogcEEM\TaAEoMww.exe

Filesize
201KB

MD5
c7a8c03eec3072895daecde9bcbda0a7

SHA1
ec2bbd68bf1fa6dd45422a490a4a145996053dd8

SHA256
710913405a705ceaafe18043c328bbaed55936aa1549d678456bb29cd362f117

SHA512
dc42e73d17ddbd9144de043dfcaeec8ba15cb98203e70a9bb9a939b45a441e7455827a59b3c2f958357b9e3c4d28606b243f2d7879bdcd2623fa7306080061ad

Download Submit
C:\Windows\F86A.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
C:\Windows\perfc.dat

Filesize
353KB

MD5
dec4a653645b61e2a571a4455ac5c88e

SHA1
3462a834d62f07093e3128380f7638259372264b

SHA256
bd2bab2ee246af92d3cb868bf0bb4f337b6604c192a243ec9cfa992310341188

SHA512
2ea846b7e8542fd11914e3cc65d3c21f4cc705c83d4a6b9ee00f23e7c86ab3f4b4717ce2f0aa273976752b84a6af15a8b530be01b697b68d23d42aaa7400e675

Download Submit
C:\Windows\perfc.dat

Filesize
353KB

MD5
71b6a493388e7d0b40c83ce903bc6b04

SHA1
34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d

SHA256
027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745

SHA512
072205eca5099d9269f358fe534b370ff21a4f12d7938d6d2e2713f69310f0698e53b8aff062849f0b2a521f68bee097c1840993825d2a5a3aa8cf4145911c6f

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1361837696-2276465416-1936241636-1000\FFSAJFUZL-MANUAL.txt

Filesize
8KB

MD5
508dc52f7bcc147e13b7fda74353a0da

SHA1
293cf6d91c6ef6eccec4a915f939730f18d9c18e

SHA256
c4821d38354d802f10ad9751a39b1cbfdc230801114d852728640e9e50dc3193

SHA512
0bc1a0512424fe99cdd748048670cac51bc00aba1e042edbc4cecfb5a863b095f7adf11b1c7d5e6214bedb910d707937afce37993e315d75fc181928e8c9cee4

Download Submit
memory/640-150-0x00000214D5770000-0x00000214D6764000-memory.dmp

Filesize
16.0MB

Download
memory/748-1098-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1164-608-0x0000000005630000-0x00000000056CC000-memory.dmp

Filesize
624KB

Download
memory/1164-607-0x0000000000CB0000-0x0000000000D32000-memory.dmp

Filesize
520KB

Download
memory/1164-683-0x00000000057D0000-0x0000000005826000-memory.dmp

Filesize
344KB

Download
memory/1792-1096-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1792-138-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1792-152-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1844-349-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2368-1138-0x000000002AA00000-0x000000002AA24000-memory.dmp

Filesize
144KB

Download
memory/2872-74-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2872-36-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/2872-23-0x0000000074F92000-0x0000000074F93000-memory.dmp

Filesize
4KB

Download
memory/2872-59-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/2872-82-0x0000000074F90000-0x0000000075541000-memory.dmp

Filesize
5.7MB

Download
memory/2996-517-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2996-696-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3408-1097-0x000000002AA00000-0x000000002AA24000-memory.dmp

Filesize
144KB

Download
memory/3616-1131-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3616-993-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3768-130-0x00000000049F0000-0x00000000049FA000-memory.dmp

Filesize
40KB

Download
memory/3768-81-0x0000000004930000-0x00000000049C2000-memory.dmp

Filesize
584KB

Download
memory/3768-72-0x0000000000030000-0x000000000009E000-memory.dmp

Filesize
440KB

Download
memory/3768-79-0x0000000004EE0000-0x0000000005486000-memory.dmp

Filesize
5.6MB

Download
memory/4024-0-0x00007FF997DF3000-0x00007FF997DF5000-memory.dmp

Filesize
8KB

Download
memory/4024-1-0x0000000000170000-0x00000000056E6000-memory.dmp

Filesize
85.5MB

Download
memory/4024-660-0x00007FF997DF3000-0x00007FF997DF5000-memory.dmp

Filesize
8KB

Download
memory/4064-663-0x0000000000930000-0x0000000000998000-memory.dmp

Filesize
416KB

Download
memory/4064-654-0x0000000000930000-0x0000000000998000-memory.dmp

Filesize
416KB

Download
memory/4128-691-0x0000000000D60000-0x0000000000D85000-memory.dmp

Filesize
148KB

Download
memory/4332-1100-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4692-794-0x0000000004940000-0x000000000496B000-memory.dmp

Filesize
172KB

Download
memory/4692-777-0x0000000004940000-0x000000000496B000-memory.dmp

Filesize
172KB

Download
memory/4692-799-0x0000000004940000-0x000000000496B000-memory.dmp

Filesize
172KB

Download
memory/4692-744-0x0000000004AC0000-0x0000000004AF2000-memory.dmp

Filesize
200KB

Download
memory/4692-769-0x0000000004940000-0x000000000496B000-memory.dmp

Filesize
172KB

Download
memory/4692-781-0x0000000004940000-0x000000000496B000-memory.dmp

Filesize
172KB

Download
memory/4692-801-0x0000000004940000-0x000000000496B000-memory.dmp

Filesize
172KB

Download
memory/4692-760-0x0000000004940000-0x000000000496B000-memory.dmp

Filesize
172KB

Download
memory/4692-761-0x0000000004940000-0x000000000496B000-memory.dmp

Filesize
172KB

Download
memory/4692-763-0x0000000004940000-0x000000000496B000-memory.dmp

Filesize
172KB

Download
memory/4692-765-0x0000000004940000-0x000000000496B000-memory.dmp

Filesize
172KB

Download
memory/4692-767-0x0000000004940000-0x000000000496B000-memory.dmp

Filesize
172KB

Download
memory/4692-771-0x0000000004940000-0x000000000496B000-memory.dmp

Filesize
172KB

Download
memory/4692-773-0x0000000004940000-0x000000000496B000-memory.dmp

Filesize
172KB

Download
memory/4692-775-0x0000000004940000-0x000000000496B000-memory.dmp

Filesize
172KB

Download
memory/4692-751-0x0000000004940000-0x0000000004972000-memory.dmp

Filesize
200KB

Download
memory/4692-779-0x0000000004940000-0x000000000496B000-memory.dmp

Filesize
172KB

Download
memory/4692-783-0x0000000004940000-0x000000000496B000-memory.dmp

Filesize
172KB

Download
memory/4692-785-0x0000000004940000-0x000000000496B000-memory.dmp

Filesize
172KB

Download
memory/4692-787-0x0000000004940000-0x000000000496B000-memory.dmp

Filesize
172KB

Download
memory/4692-789-0x0000000004940000-0x000000000496B000-memory.dmp

Filesize
172KB

Download
memory/4692-791-0x0000000004940000-0x000000000496B000-memory.dmp

Filesize
172KB

Download
memory/4692-795-0x0000000004940000-0x000000000496B000-memory.dmp

Filesize
172KB

Download
memory/4692-797-0x0000000004940000-0x000000000496B000-memory.dmp

Filesize
172KB

Download
memory/4720-750-0x00000000003F0000-0x000000000042C000-memory.dmp

Filesize
240KB

Download
memory/4756-151-0x0000000003CB0000-0x0000000003CCA000-memory.dmp

Filesize
104KB

Download
memory/4756-89-0x0000000003CB0000-0x0000000003CCA000-memory.dmp

Filesize
104KB

Download
memory/4756-78-0x0000000003B50000-0x0000000003B66000-memory.dmp

Filesize
88KB

Download
memory/4944-56-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download